Play interactive tour

Edit tour

Analysis Report ORDDER-238486-LBT.exe

Overview

General Information

Sample Name:	ORDDER-238486-LBT.exe
Analysis ID:	385266
MD5:	d320967a90e6a8fd824864c53dc02135
SHA1:	345e589b268690d6a3f34686cdd0af5368de376c
SHA256:	6e110b6474993b690f1bf6f2edc01446010ce9bef5375991693e2bffa81d14fd
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

ORDDER-238486-LBT.exe (PID: 1844 cmdline: 'C:\Users\user\Desktop\ORDDER-238486-LBT.exe' MD5: D320967A90E6A8FD824864C53DC02135)

schtasks.exe (PID: 5788 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CqbqIOaf' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ORDDER-238486-LBT.exe (PID: 5524 cmdline: C:\Users\user\Desktop\ORDDER-238486-LBT.exe MD5: D320967A90E6A8FD824864C53DC02135)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

chkdsk.exe (PID: 6928 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)

cmd.exe (PID: 7072 cmdline: /c del 'C:\Users\user\Desktop\ORDDER-238486-LBT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.valoremamma.com/cw3g/"], "decoy": ["qiuxi.ltd", "kylayagerartwork.com", "qzgay.com", "riverandroadfilms.com", "easislip.com", "ma3loomat.info", "babyuniverses.com", "ovvldbxmd.icu", "fthiscompany.com", "tabac-control.com", "x7exf2.com", "juxrams.info", "californialaserspinesurgery.com", "theindielawyer.com", "jxaotu.com", "epostakutun.com", "pappyjackburgershack.com", "fgafinancialgroup.com", "ddiesels.com", "thesixthdesign.com", "dunesrealtygroup.com", "thorntonhillshousecleaning.com", "xmgzj.com", "np9co.com", "sumerueduneed.com", "harveyvargas.com", "dpriew.com", "mama-hochet-seksa.site", "theforbiddentoybox.com", "manhassetcarwash.com", "dailyhealthyvibes.info", "flutterlashestoronto.com", "echelonfurniture.com", "moukarram.com", "burateamtr.net", "psicobiologiadelser.com", "theleave.club", "texasapartmentinvestorclub.com", "yul2.com", "peixotoepeixotos.com", "neflcounseling.com", "awatabi.com", "goodpractiz.com", "smileworkscorp.com", "oreshola.com", "xn--m3ciavumc0b2aba4gwjkb9e.com", "20dzb.com", "lovvlens.com", "awesomequery.com", "sohailacollection.com", "westglobaladvisors.com", "virginiaelderlawattorney.com", "sabariindustries.com", "ownyourmoan.com", "cricybuzz.com", "sapxml.com", "tndhaulingllc.com", "hrzqjd.com", "ortholasercenter.com", "suzukisunter.com", "geduvinware.com", "japmenthe.com", "pgdump.guru", "couplesofhouston.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.262648767.0000000002753000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8d28:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x163ce0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x163f5a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14ac5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16fa7d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x145b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16f569:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14bc7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16fb7f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14d3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x16fcf7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x164972:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1382c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x16e7e4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa6b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x16566b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a937:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1758ef:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17859:$sqlite3step: 68 34 1C 7B E1 0x1796c:$sqlite3step: 68 34 1C 7B E1 0x172811:$sqlite3step: 68 34 1C 7B E1 0x172924:$sqlite3step: 68 34 1C 7B E1 0x17888:$sqlite3text: 68 38 2A 90 C5 0x179ad:$sqlite3text: 68 38 2A 90 C5 0x172840:$sqlite3text: 68 38 2A 90 C5 0x172965:$sqlite3text: 68 38 2A 90 C5 0x1789b:$sqlite3blob: 68 53 D8 7F 8C 0x179c3:$sqlite3blob: 68 53 D8 7F 8C 0x172853:$sqlite3blob: 68 53 D8 7F 8C 0x17297b:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: ORDDER-238486-LBT.exe PID: 1844	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
9.2.ORDDER-238486-LBT.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.ORDDER-238486-LBT.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.ORDDER-238486-LBT.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
1.2.ORDDER-238486-LBT.exe.272d63c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CqbqIOaf' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CqbqIOaf' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ORDDER-238486-LBT.exe' , ParentImage: C:\Users\user\Desktop\ORDDER-238486-LBT.exe, ParentProcessId: 1844, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CqbqIOaf' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp', ProcessId: 5788

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.valoremamma.com/cw3g/"], "decoy": ["qiuxi.ltd", "kylayagerartwork.com", "qzgay.com", "riverandroadfilms.com", "easislip.com", "ma3loomat.info", "babyuniverses.com", "ovvldbxmd.icu", "fthiscompany.com", "tabac-control.com", "x7exf2.com", "juxrams.info", "californialaserspinesurgery.com", "theindielawyer.com", "jxaotu.com", "epostakutun.com", "pappyjackburgershack.com", "fgafinancialgroup.com", "ddiesels.com", "thesixthdesign.com", "dunesrealtygroup.com", "thorntonhillshousecleaning.com", "xmgzj.com", "np9co.com", "sumerueduneed.com", "harveyvargas.com", "dpriew.com", "mama-hochet-seksa.site", "theforbiddentoybox.com", "manhassetcarwash.com", "dailyhealthyvibes.info", "flutterlashestoronto.com", "echelonfurniture.com", "moukarram.com", "burateamtr.net", "psicobiologiadelser.com", "theleave.club", "texasapartmentinvestorclub.com", "yul2.com", "peixotoepeixotos.com", "neflcounseling.com", "awatabi.com", "goodpractiz.com", "smileworkscorp.com", "oreshola.com", "xn--m3ciavumc0b2aba4gwjkb9e.com", "20dzb.com", "lovvlens.com", "awesomequery.com", "sohailacollection.com", "westglobaladvisors.com", "virginiaelderlawattorney.com", "sabariindustries.com", "ownyourmoan.com", "cricybuzz.com", "sapxml.com", "tndhaulingllc.com", "hrzqjd.com", "ortholasercenter.com", "suzukisunter.com", "geduvinware.com", "japmenthe.com", "pgdump.guru", "couplesofhouston.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CqbqIOaf.exe

ReversingLabs: Detection: 12%

Multi AV Scanner detection for submitted file

Show sources

Source: ORDDER-238486-LBT.exe	Virustotal: Detection: 34%			Perma Link
Source: ORDDER-238486-LBT.exe	ReversingLabs: Detection: 12%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ORDDER-238486-LBT.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CqbqIOaf.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: ORDDER-238486-LBT.exe

Joe Sandbox ML: detected

Source: 9.2.ORDDER-238486-LBT.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: ORDDER-238486-LBT.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: ORDDER-238486-LBT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: chkdsk.pdbGCTL source: ORDDER-238486-LBT.exe, 00000009.00000002.313395898.0000000001360000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.295541950.000000000E340000.00000002.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: ORDDER-238486-LBT.exe, 00000009.00000002.313395898.0000000001360000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: ORDDER-238486-LBT.exe, 00000009.00000003.260762668.0000000000CA0000.00000004.00000001.sdmp, chkdsk.exe, 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ORDDER-238486-LBT.exe, 00000009.00000003.260762668.0000000000CA0000.00000004.00000001.sdmp, chkdsk.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.295541950.000000000E340000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_025B7BD0
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_025B7BBF
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_025B8940
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_025B8930
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 4x nop then pop edi	9_2_00416CB3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop edi	21_2_04726CB3

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.valoremamma.com/cw3g/

Source: unknown	DNS traffic detected: query: www.tndhaulingllc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.dailyhealthyvibes.info replaycode: Name error (3)

Source: unknown

DNS traffic detected: queries for: www.dailyhealthyvibes.info

Source: explorer.exe, 0000000A.00000000.292278972.00000000089B9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp, ORDDER-238486-LBT.exe, 00000001.00000002.262667212.0000000002767000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262667212.0000000002767000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: ORDDER-238486-LBT.exe, 00000001.00000003.221221240.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.agfamonotype.L
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDDER-238486-LBT.exe, 00000001.00000003.221179983.00000000056D6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: ORDDER-238486-LBT.exe, 00000001.00000003.221221240.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlj
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDDER-238486-LBT.exe, 00000001.00000003.222445271.00000000056CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/de#6cN
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ORDDER-238486-LBT.exe, 00000001.00000003.222863618.00000000056A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlr-f
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com1
Source: ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsF
Source: ORDDER-238486-LBT.exe, 00000001.00000003.227367591.0000000005697000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: ORDDER-238486-LBT.exe, 00000001.00000003.227367591.0000000005697000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comicta#
Source: ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comy
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: ORDDER-238486-LBT.exe, 00000001.00000003.217069141.0000000005698000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDDER-238486-LBT.exe, 00000001.00000003.217069141.0000000005698000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDDER-238486-LBT.exe, 00000001.00000003.216897543.0000000005697000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn_
Source: ORDDER-238486-LBT.exe, 00000001.00000003.216700983.000000000569E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnia
Source: ORDDER-238486-LBT.exe, 00000001.00000003.216737907.00000000009FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnj
Source: ORDDER-238486-LBT.exe, 00000001.00000003.216897543.0000000005697000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnw
Source: ORDDER-238486-LBT.exe, 00000001.00000003.225079564.00000000056A3000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/.
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, ORDDER-238486-LBT.exe, 00000001.00000003.225337772.00000000056A4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/va
Source: ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vno
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, ORDDER-238486-LBT.exe, 00000001.00000003.214609146.0000000005693000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ORDDER-238486-LBT.exe, 00000001.00000003.214609146.0000000005693000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coma
Source: ORDDER-238486-LBT.exe, 00000001.00000003.214609146.0000000005693000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ORDDER-238486-LBT.exe, 00000001.00000003.221221240.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comm
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ORDDER-238486-LBT.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.ORDDER-238486-LBT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.ORDDER-238486-LBT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041A060 NtClose,	9_2_0041A060
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041A110 NtAllocateVirtualMemory,	9_2_0041A110
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_00419F30 NtCreateFile,	9_2_00419F30
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_00419FE0 NtReadFile,	9_2_00419FE0
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041A10A NtAllocateVirtualMemory,	9_2_0041A10A
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_00419F2E NtCreateFile,	9_2_00419F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE95D0 NtClose,LdrInitializeThunk,	21_2_04DE95D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9540 NtReadFile,LdrInitializeThunk,	21_2_04DE9540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE96D0 NtCreateKey,LdrInitializeThunk,	21_2_04DE96D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE96E0 NtFreeVirtualMemory,LdrInitializeThunk,	21_2_04DE96E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9650 NtQueryValueKey,LdrInitializeThunk,	21_2_04DE9650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9660 NtAllocateVirtualMemory,LdrInitializeThunk,	21_2_04DE9660
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9FE0 NtCreateMutant,LdrInitializeThunk,	21_2_04DE9FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9780 NtMapViewOfSection,LdrInitializeThunk,	21_2_04DE9780
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9710 NtQueryInformationToken,LdrInitializeThunk,	21_2_04DE9710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9840 NtDelayExecution,LdrInitializeThunk,	21_2_04DE9840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9860 NtQuerySystemInformation,LdrInitializeThunk,	21_2_04DE9860
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE99A0 NtCreateSection,LdrInitializeThunk,	21_2_04DE99A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	21_2_04DE9910
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9A50 NtCreateFile,LdrInitializeThunk,	21_2_04DE9A50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE95F0 NtQueryInformationFile,	21_2_04DE95F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9560 NtWriteFile,	21_2_04DE9560
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DEAD30 NtSetContextThread,	21_2_04DEAD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9520 NtWaitForSingleObject,	21_2_04DE9520
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9670 NtQueryInformationProcess,	21_2_04DE9670
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9610 NtEnumerateValueKey,	21_2_04DE9610
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE97A0 NtUnmapViewOfSection,	21_2_04DE97A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DEA770 NtOpenThread,	21_2_04DEA770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9770 NtSetInformationFile,	21_2_04DE9770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9760 NtOpenProcess,	21_2_04DE9760
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DEA710 NtOpenProcessToken,	21_2_04DEA710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9730 NtQueryVirtualMemory,	21_2_04DE9730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE98F0 NtReadVirtualMemory,	21_2_04DE98F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE98A0 NtWriteVirtualMemory,	21_2_04DE98A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DEB040 NtSuspendThread,	21_2_04DEB040
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9820 NtEnumerateKey,	21_2_04DE9820
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE99D0 NtCreateProcessEx,	21_2_04DE99D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9950 NtQueueApcThread,	21_2_04DE9950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9A80 NtOpenDirectoryObject,	21_2_04DE9A80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9A10 NtQuerySection,	21_2_04DE9A10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9A00 NtProtectVirtualMemory,	21_2_04DE9A00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9A20 NtResumeThread,	21_2_04DE9A20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DEA3B0 NtGetContextThread,	21_2_04DEA3B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE9B00 NtSetValueKey,	21_2_04DE9B00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04729F30 NtCreateFile,	21_2_04729F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04729FE0 NtReadFile,	21_2_04729FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472A060 NtClose,	21_2_0472A060
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472A110 NtAllocateVirtualMemory,	21_2_0472A110
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04729F2E NtCreateFile,	21_2_04729F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472A10A NtAllocateVirtualMemory,	21_2_0472A10A

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_00A0C2B0	1_2_00A0C2B0
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_00A09968	1_2_00A09968
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B0040	1_2_025B0040
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B38B0	1_2_025B38B0
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B3FC0	1_2_025B3FC0
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B45D8	1_2_025B45D8
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B02D2	1_2_025B02D2
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B02E0	1_2_025B02E0
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B53B7	1_2_025B53B7
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B0006	1_2_025B0006
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B5021	1_2_025B5021
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B38A0	1_2_025B38A0
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B495F	1_2_025B495F
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B4960	1_2_025B4960
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B5614	1_2_025B5614
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B3FBF	1_2_025B3FBF
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B8450	1_2_025B8450
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B1518	1_2_025B1518
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B1509	1_2_025B1509
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B45C9	1_2_025B45C9
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B5591	1_2_025B5591
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B4581	1_2_025B4581
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_0517FC00	1_2_0517FC00
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_0517C528	1_2_0517C528
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_00202050	1_2_00202050
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041D176	9_2_0041D176
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041E234	9_2_0041E234
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041EB2E	9_2_0041EB2E
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041DC4C	9_2_0041DC4C
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041E4A0	9_2_0041E4A0
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_00402D87	9_2_00402D87
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_00409E40	9_2_00409E40
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6D466	21_2_04E6D466
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB841F	21_2_04DB841F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E725DD	21_2_04E725DD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBD5E0	21_2_04DBD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD2581	21_2_04DD2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E71D55	21_2_04E71D55
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E72D07	21_2_04E72D07
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA0D20	21_2_04DA0D20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E72EF7	21_2_04E72EF7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC6E30	21_2_04DC6E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6D616	21_2_04E6D616
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E71FF1	21_2_04E71FF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E7DFCE	21_2_04E7DFCE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E728EC	21_2_04E728EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBB090	21_2_04DBB090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E720A8	21_2_04E720A8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD20A0	21_2_04DD20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E7E824	21_2_04E7E824
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61002	21_2_04E61002
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAF900	21_2_04DAF900
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC4120	21_2_04DC4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E722AE	21_2_04E722AE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6DBD2	21_2_04E6DBD2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E603DA	21_2_04E603DA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDEBB0	21_2_04DDEBB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E72B28	21_2_04E72B28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472DC4C	21_2_0472DC4C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472E4A0	21_2_0472E4A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04712D90	21_2_04712D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04712D87	21_2_04712D87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04719E40	21_2_04719E40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04712FB0	21_2_04712FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472D176	21_2_0472D176
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472E234	21_2_0472E234
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472EB2E	21_2_0472EB2E

Source: C:\Windows\SysWOW64\chkdsk.exe

Code function: String function: 04DAB150 appears 39 times

Source: ORDDER-238486-LBT.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CqbqIOaf.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ORDDER-238486-LBT.exe	Binary or memory string: OriginalFilename vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe, 00000001.00000002.271896465.000000000D2A0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe, 00000001.00000002.271896465.000000000D2A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe, 00000001.00000002.271697157.000000000D1A0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe, 00000001.00000003.233398612.000000000C9B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameComparisonResult.exe> vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe, 00000001.00000002.269210126.0000000007030000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe	Binary or memory string: OriginalFilename vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe, 00000009.00000002.312886293.000000000127F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe, 00000009.00000000.260034773.0000000000542000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameComparisonResult.exe> vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe, 00000009.00000002.313423844.0000000001366000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs ORDDER-238486-LBT.exe
Source: ORDDER-238486-LBT.exe	Binary or memory string: OriginalFilenameComparisonResult.exe> vs ORDDER-238486-LBT.exe

Source: ORDDER-238486-LBT.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.ORDDER-238486-LBT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.ORDDER-238486-LBT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: ORDDER-238486-LBT.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CqbqIOaf.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@2/0

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

File created: C:\Users\user\AppData\Roaming\CqbqIOaf.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp

Jump to behavior

Source: ORDDER-238486-LBT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: ORDDER-238486-LBT.exe	Virustotal: Detection: 34%
Source: ORDDER-238486-LBT.exe	ReversingLabs: Detection: 12%

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

File read: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORDDER-238486-LBT.exe 'C:\Users\user\Desktop\ORDDER-238486-LBT.exe'
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CqbqIOaf' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process created: C:\Users\user\Desktop\ORDDER-238486-LBT.exe C:\Users\user\Desktop\ORDDER-238486-LBT.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ORDDER-238486-LBT.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CqbqIOaf' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process created: C:\Users\user\Desktop\ORDDER-238486-LBT.exe C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ORDDER-238486-LBT.exe'	Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ORDDER-238486-LBT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDDER-238486-LBT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: chkdsk.pdbGCTL source: ORDDER-238486-LBT.exe, 00000009.00000002.313395898.0000000001360000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.295541950.000000000E340000.00000002.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: ORDDER-238486-LBT.exe, 00000009.00000002.313395898.0000000001360000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: ORDDER-238486-LBT.exe, 00000009.00000003.260762668.0000000000CA0000.00000004.00000001.sdmp, chkdsk.exe, 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ORDDER-238486-LBT.exe, 00000009.00000003.260762668.0000000000CA0000.00000004.00000001.sdmp, chkdsk.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.295541950.000000000E340000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 1_2_025B0895 push 00000037h; iretd	1_2_025B0897
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041D0D2 push eax; ret	9_2_0041D0D8
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041D0DB push eax; ret	9_2_0041D142
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041D085 push eax; ret	9_2_0041D0D8
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041D13C push eax; ret	9_2_0041D142
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_004169B0 push eax; iretd	9_2_004169C0
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Code function: 9_2_0041BDAD push edx; retf	9_2_0041BDAE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DFD0D1 push ecx; ret	21_2_04DFD0E4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472BDAD push edx; retf	21_2_0472BDAE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472D0D2 push eax; ret	21_2_0472D0D8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472D0DB push eax; ret	21_2_0472D142
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472D085 push eax; ret	21_2_0472D0D8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_0472D13C push eax; ret	21_2_0472D142
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_047269B0 push eax; iretd	21_2_047269C0

Source: initial sample	Static PE information: section name: .text entropy: 7.95061413978
Source: initial sample	Static PE information: section name: .text entropy: 7.95061413978

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

File created: C:\Users\user\AppData\Roaming\CqbqIOaf.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CqbqIOaf' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp'

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE6

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.262648767.0000000002753000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDDER-238486-LBT.exe PID: 1844, type: MEMORY
Source: Yara match	File source: 1.2.ORDDER-238486-LBT.exe.272d63c.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 00000000047198E4 second address: 00000000047198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000004719B5E second address: 0000000004719B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Code function: 9_2_00409A90 rdtsc

9_2_00409A90

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe TID: 1956	Thread sleep time: -104611s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe TID: 4856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3508	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 204	Thread sleep time: -32000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Thread delayed: delay time: 104611			Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 0000000A.00000000.291363948.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000A.00000000.291363948.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 0000000A.00000000.291010669.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.290352855.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000A.00000002.498634597.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000A.00000000.291363948.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000000A.00000000.291363948.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000A.00000000.291535281.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 0000000A.00000000.278520005.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000A.00000002.497135241.0000000004DF3000.00000004.00000001.sdmp	Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAL
Source: explorer.exe, 0000000A.00000000.290352855.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000A.00000000.277439986.0000000004E61000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&w
Source: explorer.exe, 0000000A.00000000.290352855.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000A.00000000.290352855.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Code function: 9_2_00409A90 rdtsc

9_2_00409A90

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Code function: 9_2_0040ACD0 LdrLoadDll,

9_2_0040ACD0

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26CF0 mov eax, dword ptr fs:[00000030h]	21_2_04E26CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26CF0 mov eax, dword ptr fs:[00000030h]	21_2_04E26CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26CF0 mov eax, dword ptr fs:[00000030h]	21_2_04E26CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E614FB mov eax, dword ptr fs:[00000030h]	21_2_04E614FB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E78CD6 mov eax, dword ptr fs:[00000030h]	21_2_04E78CD6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB849B mov eax, dword ptr fs:[00000030h]	21_2_04DB849B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDA44B mov eax, dword ptr fs:[00000030h]	21_2_04DDA44B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC746D mov eax, dword ptr fs:[00000030h]	21_2_04DC746D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3C450 mov eax, dword ptr fs:[00000030h]	21_2_04E3C450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3C450 mov eax, dword ptr fs:[00000030h]	21_2_04E3C450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61C06 mov eax, dword ptr fs:[00000030h]	21_2_04E61C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26C0A mov eax, dword ptr fs:[00000030h]	21_2_04E26C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26C0A mov eax, dword ptr fs:[00000030h]	21_2_04E26C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26C0A mov eax, dword ptr fs:[00000030h]	21_2_04E26C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26C0A mov eax, dword ptr fs:[00000030h]	21_2_04E26C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E7740D mov eax, dword ptr fs:[00000030h]	21_2_04E7740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E7740D mov eax, dword ptr fs:[00000030h]	21_2_04E7740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E7740D mov eax, dword ptr fs:[00000030h]	21_2_04E7740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDBC2C mov eax, dword ptr fs:[00000030h]	21_2_04DDBC2C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6FDE2 mov eax, dword ptr fs:[00000030h]	21_2_04E6FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6FDE2 mov eax, dword ptr fs:[00000030h]	21_2_04E6FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6FDE2 mov eax, dword ptr fs:[00000030h]	21_2_04E6FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6FDE2 mov eax, dword ptr fs:[00000030h]	21_2_04E6FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E58DF1 mov eax, dword ptr fs:[00000030h]	21_2_04E58DF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26DC9 mov eax, dword ptr fs:[00000030h]	21_2_04E26DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26DC9 mov eax, dword ptr fs:[00000030h]	21_2_04E26DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26DC9 mov eax, dword ptr fs:[00000030h]	21_2_04E26DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26DC9 mov ecx, dword ptr fs:[00000030h]	21_2_04E26DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26DC9 mov eax, dword ptr fs:[00000030h]	21_2_04E26DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E26DC9 mov eax, dword ptr fs:[00000030h]	21_2_04E26DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBD5E0 mov eax, dword ptr fs:[00000030h]	21_2_04DBD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBD5E0 mov eax, dword ptr fs:[00000030h]	21_2_04DBD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDFD9B mov eax, dword ptr fs:[00000030h]	21_2_04DDFD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDFD9B mov eax, dword ptr fs:[00000030h]	21_2_04DDFD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E705AC mov eax, dword ptr fs:[00000030h]	21_2_04E705AC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E705AC mov eax, dword ptr fs:[00000030h]	21_2_04E705AC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA2D8A mov eax, dword ptr fs:[00000030h]	21_2_04DA2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA2D8A mov eax, dword ptr fs:[00000030h]	21_2_04DA2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA2D8A mov eax, dword ptr fs:[00000030h]	21_2_04DA2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA2D8A mov eax, dword ptr fs:[00000030h]	21_2_04DA2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA2D8A mov eax, dword ptr fs:[00000030h]	21_2_04DA2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD2581 mov eax, dword ptr fs:[00000030h]	21_2_04DD2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD2581 mov eax, dword ptr fs:[00000030h]	21_2_04DD2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD2581 mov eax, dword ptr fs:[00000030h]	21_2_04DD2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD2581 mov eax, dword ptr fs:[00000030h]	21_2_04DD2581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD1DB5 mov eax, dword ptr fs:[00000030h]	21_2_04DD1DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD1DB5 mov eax, dword ptr fs:[00000030h]	21_2_04DD1DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD1DB5 mov eax, dword ptr fs:[00000030h]	21_2_04DD1DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD35A1 mov eax, dword ptr fs:[00000030h]	21_2_04DD35A1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC7D50 mov eax, dword ptr fs:[00000030h]	21_2_04DC7D50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE3D43 mov eax, dword ptr fs:[00000030h]	21_2_04DE3D43
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E23540 mov eax, dword ptr fs:[00000030h]	21_2_04E23540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCC577 mov eax, dword ptr fs:[00000030h]	21_2_04DCC577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCC577 mov eax, dword ptr fs:[00000030h]	21_2_04DCC577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E78D34 mov eax, dword ptr fs:[00000030h]	21_2_04E78D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E2A537 mov eax, dword ptr fs:[00000030h]	21_2_04E2A537
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6E539 mov eax, dword ptr fs:[00000030h]	21_2_04E6E539
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD4D3B mov eax, dword ptr fs:[00000030h]	21_2_04DD4D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD4D3B mov eax, dword ptr fs:[00000030h]	21_2_04DD4D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD4D3B mov eax, dword ptr fs:[00000030h]	21_2_04DD4D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAAD30 mov eax, dword ptr fs:[00000030h]	21_2_04DAAD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB3D34 mov eax, dword ptr fs:[00000030h]	21_2_04DB3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD36CC mov eax, dword ptr fs:[00000030h]	21_2_04DD36CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE8EC7 mov eax, dword ptr fs:[00000030h]	21_2_04DE8EC7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E5FEC0 mov eax, dword ptr fs:[00000030h]	21_2_04E5FEC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E78ED6 mov eax, dword ptr fs:[00000030h]	21_2_04E78ED6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB76E2 mov eax, dword ptr fs:[00000030h]	21_2_04DB76E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD16E0 mov ecx, dword ptr fs:[00000030h]	21_2_04DD16E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E70EA5 mov eax, dword ptr fs:[00000030h]	21_2_04E70EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E70EA5 mov eax, dword ptr fs:[00000030h]	21_2_04E70EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E70EA5 mov eax, dword ptr fs:[00000030h]	21_2_04E70EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E246A7 mov eax, dword ptr fs:[00000030h]	21_2_04E246A7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3FE87 mov eax, dword ptr fs:[00000030h]	21_2_04E3FE87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB7E41 mov eax, dword ptr fs:[00000030h]	21_2_04DB7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB7E41 mov eax, dword ptr fs:[00000030h]	21_2_04DB7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB7E41 mov eax, dword ptr fs:[00000030h]	21_2_04DB7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB7E41 mov eax, dword ptr fs:[00000030h]	21_2_04DB7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB7E41 mov eax, dword ptr fs:[00000030h]	21_2_04DB7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB7E41 mov eax, dword ptr fs:[00000030h]	21_2_04DB7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6AE44 mov eax, dword ptr fs:[00000030h]	21_2_04E6AE44
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6AE44 mov eax, dword ptr fs:[00000030h]	21_2_04E6AE44
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCAE73 mov eax, dword ptr fs:[00000030h]	21_2_04DCAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCAE73 mov eax, dword ptr fs:[00000030h]	21_2_04DCAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCAE73 mov eax, dword ptr fs:[00000030h]	21_2_04DCAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCAE73 mov eax, dword ptr fs:[00000030h]	21_2_04DCAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCAE73 mov eax, dword ptr fs:[00000030h]	21_2_04DCAE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB766D mov eax, dword ptr fs:[00000030h]	21_2_04DB766D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDA61C mov eax, dword ptr fs:[00000030h]	21_2_04DDA61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDA61C mov eax, dword ptr fs:[00000030h]	21_2_04DDA61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E5FE3F mov eax, dword ptr fs:[00000030h]	21_2_04E5FE3F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAC600 mov eax, dword ptr fs:[00000030h]	21_2_04DAC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAC600 mov eax, dword ptr fs:[00000030h]	21_2_04DAC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAC600 mov eax, dword ptr fs:[00000030h]	21_2_04DAC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD8E00 mov eax, dword ptr fs:[00000030h]	21_2_04DD8E00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E61608 mov eax, dword ptr fs:[00000030h]	21_2_04E61608
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAE620 mov eax, dword ptr fs:[00000030h]	21_2_04DAE620
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE37F5 mov eax, dword ptr fs:[00000030h]	21_2_04DE37F5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB8794 mov eax, dword ptr fs:[00000030h]	21_2_04DB8794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E27794 mov eax, dword ptr fs:[00000030h]	21_2_04E27794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E27794 mov eax, dword ptr fs:[00000030h]	21_2_04E27794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E27794 mov eax, dword ptr fs:[00000030h]	21_2_04E27794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E78F6A mov eax, dword ptr fs:[00000030h]	21_2_04E78F6A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBEF40 mov eax, dword ptr fs:[00000030h]	21_2_04DBEF40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBFF60 mov eax, dword ptr fs:[00000030h]	21_2_04DBFF60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCF716 mov eax, dword ptr fs:[00000030h]	21_2_04DCF716
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDA70E mov eax, dword ptr fs:[00000030h]	21_2_04DDA70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDA70E mov eax, dword ptr fs:[00000030h]	21_2_04DDA70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E7070D mov eax, dword ptr fs:[00000030h]	21_2_04E7070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E7070D mov eax, dword ptr fs:[00000030h]	21_2_04E7070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDE730 mov eax, dword ptr fs:[00000030h]	21_2_04DDE730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3FF10 mov eax, dword ptr fs:[00000030h]	21_2_04E3FF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3FF10 mov eax, dword ptr fs:[00000030h]	21_2_04E3FF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA4F2E mov eax, dword ptr fs:[00000030h]	21_2_04DA4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA4F2E mov eax, dword ptr fs:[00000030h]	21_2_04DA4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04E3B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3B8D0 mov ecx, dword ptr fs:[00000030h]	21_2_04E3B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04E3B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04E3B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04E3B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E3B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04E3B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA58EC mov eax, dword ptr fs:[00000030h]	21_2_04DA58EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA40E1 mov eax, dword ptr fs:[00000030h]	21_2_04DA40E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA40E1 mov eax, dword ptr fs:[00000030h]	21_2_04DA40E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA40E1 mov eax, dword ptr fs:[00000030h]	21_2_04DA40E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA9080 mov eax, dword ptr fs:[00000030h]	21_2_04DA9080
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDF0BF mov ecx, dword ptr fs:[00000030h]	21_2_04DDF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDF0BF mov eax, dword ptr fs:[00000030h]	21_2_04DDF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDF0BF mov eax, dword ptr fs:[00000030h]	21_2_04DDF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E23884 mov eax, dword ptr fs:[00000030h]	21_2_04E23884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E23884 mov eax, dword ptr fs:[00000030h]	21_2_04E23884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE90AF mov eax, dword ptr fs:[00000030h]	21_2_04DE90AF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD20A0 mov eax, dword ptr fs:[00000030h]	21_2_04DD20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD20A0 mov eax, dword ptr fs:[00000030h]	21_2_04DD20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD20A0 mov eax, dword ptr fs:[00000030h]	21_2_04DD20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD20A0 mov eax, dword ptr fs:[00000030h]	21_2_04DD20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD20A0 mov eax, dword ptr fs:[00000030h]	21_2_04DD20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD20A0 mov eax, dword ptr fs:[00000030h]	21_2_04DD20A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC0050 mov eax, dword ptr fs:[00000030h]	21_2_04DC0050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC0050 mov eax, dword ptr fs:[00000030h]	21_2_04DC0050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E71074 mov eax, dword ptr fs:[00000030h]	21_2_04E71074
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E62073 mov eax, dword ptr fs:[00000030h]	21_2_04E62073
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD002D mov eax, dword ptr fs:[00000030h]	21_2_04DD002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD002D mov eax, dword ptr fs:[00000030h]	21_2_04DD002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD002D mov eax, dword ptr fs:[00000030h]	21_2_04DD002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD002D mov eax, dword ptr fs:[00000030h]	21_2_04DD002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD002D mov eax, dword ptr fs:[00000030h]	21_2_04DD002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBB02A mov eax, dword ptr fs:[00000030h]	21_2_04DBB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBB02A mov eax, dword ptr fs:[00000030h]	21_2_04DBB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBB02A mov eax, dword ptr fs:[00000030h]	21_2_04DBB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBB02A mov eax, dword ptr fs:[00000030h]	21_2_04DBB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E74015 mov eax, dword ptr fs:[00000030h]	21_2_04E74015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E74015 mov eax, dword ptr fs:[00000030h]	21_2_04E74015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E27016 mov eax, dword ptr fs:[00000030h]	21_2_04E27016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E27016 mov eax, dword ptr fs:[00000030h]	21_2_04E27016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E27016 mov eax, dword ptr fs:[00000030h]	21_2_04E27016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E341E8 mov eax, dword ptr fs:[00000030h]	21_2_04E341E8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAB1E1 mov eax, dword ptr fs:[00000030h]	21_2_04DAB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAB1E1 mov eax, dword ptr fs:[00000030h]	21_2_04DAB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAB1E1 mov eax, dword ptr fs:[00000030h]	21_2_04DAB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E269A6 mov eax, dword ptr fs:[00000030h]	21_2_04E269A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD2990 mov eax, dword ptr fs:[00000030h]	21_2_04DD2990
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDA185 mov eax, dword ptr fs:[00000030h]	21_2_04DDA185
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E251BE mov eax, dword ptr fs:[00000030h]	21_2_04E251BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E251BE mov eax, dword ptr fs:[00000030h]	21_2_04E251BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E251BE mov eax, dword ptr fs:[00000030h]	21_2_04E251BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E251BE mov eax, dword ptr fs:[00000030h]	21_2_04E251BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCC182 mov eax, dword ptr fs:[00000030h]	21_2_04DCC182
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD61A0 mov eax, dword ptr fs:[00000030h]	21_2_04DD61A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD61A0 mov eax, dword ptr fs:[00000030h]	21_2_04DD61A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCB944 mov eax, dword ptr fs:[00000030h]	21_2_04DCB944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCB944 mov eax, dword ptr fs:[00000030h]	21_2_04DCB944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAB171 mov eax, dword ptr fs:[00000030h]	21_2_04DAB171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAB171 mov eax, dword ptr fs:[00000030h]	21_2_04DAB171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAC962 mov eax, dword ptr fs:[00000030h]	21_2_04DAC962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA9100 mov eax, dword ptr fs:[00000030h]	21_2_04DA9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA9100 mov eax, dword ptr fs:[00000030h]	21_2_04DA9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA9100 mov eax, dword ptr fs:[00000030h]	21_2_04DA9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD513A mov eax, dword ptr fs:[00000030h]	21_2_04DD513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD513A mov eax, dword ptr fs:[00000030h]	21_2_04DD513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC4120 mov eax, dword ptr fs:[00000030h]	21_2_04DC4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC4120 mov eax, dword ptr fs:[00000030h]	21_2_04DC4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC4120 mov eax, dword ptr fs:[00000030h]	21_2_04DC4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC4120 mov eax, dword ptr fs:[00000030h]	21_2_04DC4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC4120 mov ecx, dword ptr fs:[00000030h]	21_2_04DC4120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD2ACB mov eax, dword ptr fs:[00000030h]	21_2_04DD2ACB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD2AE4 mov eax, dword ptr fs:[00000030h]	21_2_04DD2AE4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDD294 mov eax, dword ptr fs:[00000030h]	21_2_04DDD294
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDD294 mov eax, dword ptr fs:[00000030h]	21_2_04DDD294
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBAAB0 mov eax, dword ptr fs:[00000030h]	21_2_04DBAAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DBAAB0 mov eax, dword ptr fs:[00000030h]	21_2_04DBAAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDFAB0 mov eax, dword ptr fs:[00000030h]	21_2_04DDFAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA52A5 mov eax, dword ptr fs:[00000030h]	21_2_04DA52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA52A5 mov eax, dword ptr fs:[00000030h]	21_2_04DA52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA52A5 mov eax, dword ptr fs:[00000030h]	21_2_04DA52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA52A5 mov eax, dword ptr fs:[00000030h]	21_2_04DA52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA52A5 mov eax, dword ptr fs:[00000030h]	21_2_04DA52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E78A62 mov eax, dword ptr fs:[00000030h]	21_2_04E78A62
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E5B260 mov eax, dword ptr fs:[00000030h]	21_2_04E5B260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E5B260 mov eax, dword ptr fs:[00000030h]	21_2_04E5B260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA9240 mov eax, dword ptr fs:[00000030h]	21_2_04DA9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA9240 mov eax, dword ptr fs:[00000030h]	21_2_04DA9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA9240 mov eax, dword ptr fs:[00000030h]	21_2_04DA9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA9240 mov eax, dword ptr fs:[00000030h]	21_2_04DA9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE927A mov eax, dword ptr fs:[00000030h]	21_2_04DE927A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6EA55 mov eax, dword ptr fs:[00000030h]	21_2_04E6EA55
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E34257 mov eax, dword ptr fs:[00000030h]	21_2_04E34257
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DC3A1C mov eax, dword ptr fs:[00000030h]	21_2_04DC3A1C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA5210 mov eax, dword ptr fs:[00000030h]	21_2_04DA5210
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA5210 mov ecx, dword ptr fs:[00000030h]	21_2_04DA5210
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA5210 mov eax, dword ptr fs:[00000030h]	21_2_04DA5210
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DA5210 mov eax, dword ptr fs:[00000030h]	21_2_04DA5210
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAAA16 mov eax, dword ptr fs:[00000030h]	21_2_04DAAA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAAA16 mov eax, dword ptr fs:[00000030h]	21_2_04DAAA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB8A0A mov eax, dword ptr fs:[00000030h]	21_2_04DB8A0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6AA16 mov eax, dword ptr fs:[00000030h]	21_2_04E6AA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6AA16 mov eax, dword ptr fs:[00000030h]	21_2_04E6AA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE4A2C mov eax, dword ptr fs:[00000030h]	21_2_04DE4A2C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DE4A2C mov eax, dword ptr fs:[00000030h]	21_2_04DE4A2C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E253CA mov eax, dword ptr fs:[00000030h]	21_2_04E253CA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E253CA mov eax, dword ptr fs:[00000030h]	21_2_04E253CA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DCDBE9 mov eax, dword ptr fs:[00000030h]	21_2_04DCDBE9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD03E2 mov eax, dword ptr fs:[00000030h]	21_2_04DD03E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD03E2 mov eax, dword ptr fs:[00000030h]	21_2_04DD03E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD03E2 mov eax, dword ptr fs:[00000030h]	21_2_04DD03E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD03E2 mov eax, dword ptr fs:[00000030h]	21_2_04DD03E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD03E2 mov eax, dword ptr fs:[00000030h]	21_2_04DD03E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD03E2 mov eax, dword ptr fs:[00000030h]	21_2_04DD03E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E75BA5 mov eax, dword ptr fs:[00000030h]	21_2_04E75BA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD2397 mov eax, dword ptr fs:[00000030h]	21_2_04DD2397
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DDB390 mov eax, dword ptr fs:[00000030h]	21_2_04DDB390
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB1B8F mov eax, dword ptr fs:[00000030h]	21_2_04DB1B8F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DB1B8F mov eax, dword ptr fs:[00000030h]	21_2_04DB1B8F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E5D380 mov ecx, dword ptr fs:[00000030h]	21_2_04E5D380
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6138A mov eax, dword ptr fs:[00000030h]	21_2_04E6138A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD4BAD mov eax, dword ptr fs:[00000030h]	21_2_04DD4BAD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD4BAD mov eax, dword ptr fs:[00000030h]	21_2_04DD4BAD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD4BAD mov eax, dword ptr fs:[00000030h]	21_2_04DD4BAD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DAF358 mov eax, dword ptr fs:[00000030h]	21_2_04DAF358
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DADB40 mov eax, dword ptr fs:[00000030h]	21_2_04DADB40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD3B7A mov eax, dword ptr fs:[00000030h]	21_2_04DD3B7A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DD3B7A mov eax, dword ptr fs:[00000030h]	21_2_04DD3B7A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04DADB60 mov ecx, dword ptr fs:[00000030h]	21_2_04DADB60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E78B58 mov eax, dword ptr fs:[00000030h]	21_2_04E78B58
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 21_2_04E6131B mov eax, dword ptr fs:[00000030h]	21_2_04E6131B

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe

Domain query: www.dailyhealthyvibes.info

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Memory written: C:\Users\user\Desktop\ORDDER-238486-LBT.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 190000

Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CqbqIOaf' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Process created: C:\Users\user\Desktop\ORDDER-238486-LBT.exe C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ORDDER-238486-LBT.exe'	Jump to behavior

Source: explorer.exe, 0000000A.00000002.482184242.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 0000000A.00000002.484549649.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 00000015.00000002.488620345.0000000006290000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000002.484549649.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 00000015.00000002.488620345.0000000006290000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000002.484549649.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 00000015.00000002.488620345.0000000006290000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.484549649.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 00000015.00000002.488620345.0000000006290000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Users\user\Desktop\ORDDER-238486-LBT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ORDDER-238486-LBT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ORDDER-238486-LBT.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.ORDDER-238486-LBT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ORDDER-238486-LBT.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery331	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Masquerading1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion41	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDDER-238486-LBT.exe	35%	Virustotal		Browse
ORDDER-238486-LBT.exe	12%	ReversingLabs	Win32.PUA.Wacapew
ORDDER-238486-LBT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\CqbqIOaf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\CqbqIOaf.exe	12%	ReversingLabs	Win32.PUA.Wacapew

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.2.ORDDER-238486-LBT.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.comicta#	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.sakkal.comm	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnj	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnw	0%	Avira URL Cloud	safe
http://www.fontbureau.com1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn_	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.founder.com.cn/cnia	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/vno	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.agfamonotype.L	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.galapagosdesign.com/.	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/va	0%	Avira URL Cloud	safe
www.valoremamma.com/cw3g/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comy	0%	Avira URL Cloud	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.htmlj	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.tndhaulingllc.com	unknown	unknown	true		unknown
www.dailyhealthyvibes.info	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.valoremamma.com/cw3g/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comicta#	ORDDER-238486-LBT.exe, 00000001.00000003.227367591.0000000005697000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	ORDDER-238486-LBT.exe, 00000001.00000002.262667212.0000000002767000.00000004.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/de#6cN	ORDDER-238486-LBT.exe, 00000001.00000003.222445271.00000000056CE000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers	explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comalsF	ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, ORDDER-238486-LBT.exe, 00000001.00000003.214609146.0000000005693000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.comm	ORDDER-238486-LBT.exe, 00000001.00000003.221221240.0000000005695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, ORDDER-238486-LBT.exe, 00000001.00000003.225337772.00000000056A4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnj	ORDDER-238486-LBT.exe, 00000001.00000003.216737907.00000000009FD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnw	ORDDER-238486-LBT.exe, 00000001.00000003.216897543.0000000005697000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com1	ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/	ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn_	ORDDER-238486-LBT.exe, 00000001.00000003.216897543.0000000005697000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	ORDDER-238486-LBT.exe, 00000001.00000003.221179983.00000000056D6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.htmlr-f	ORDDER-238486-LBT.exe, 00000001.00000003.222863618.00000000056A8000.00000004.00000001.sdmp	false		high
http://www.fonts.com	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnia	ORDDER-238486-LBT.exe, 00000001.00000003.216700983.000000000569E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.kr	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.coma	ORDDER-238486-LBT.exe, 00000001.00000003.214609146.0000000005693000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ORDDER-238486-LBT.exe, 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp, ORDDER-238486-LBT.exe, 00000001.00000002.262667212.0000000002767000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.come	ORDDER-238486-LBT.exe, 00000001.00000003.214609146.0000000005693000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comF	ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/vno	ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/H	ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.agfamonotype.L	ORDDER-238486-LBT.exe, 00000001.00000003.221221240.0000000005695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.come.com	ORDDER-238486-LBT.exe, 00000001.00000003.227367591.0000000005697000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	ORDDER-238486-LBT.exe, 00000001.00000003.217069141.0000000005698000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	ORDDER-238486-LBT.exe, 00000001.00000003.217069141.0000000005698000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/.	ORDDER-238486-LBT.exe, 00000001.00000003.225079564.00000000056A3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/va	ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	ORDDER-238486-LBT.exe, 00000001.00000003.220484294.0000000005695000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ORDDER-238486-LBT.exe, 00000001.00000002.267258525.0000000005780000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.292431218.0000000008B40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comy	ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comals	ORDDER-238486-LBT.exe, 00000001.00000003.223532515.0000000005695000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.htmlj	ORDDER-238486-LBT.exe, 00000001.00000003.221221240.0000000005695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385266
Start date:	12.04.2021
Start time:	09:16:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDDER-238486-LBT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/4@2/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 17.5% (good quality ratio 15.7%) Quality average: 72% Quality standard deviation: 32.2%
HCA Information:	Successful, ratio: 97% Number of executed functions: 103 Number of non-executed functions: 142
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 168.61.161.212, 52.147.198.201, 184.30.20.56, 20.50.102.62, 104.42.151.234, 104.43.193.48, 8.241.89.254, 8.241.79.254, 67.26.81.254, 8.241.89.126, 8.241.90.254, 92.122.213.194, 92.122.213.247, 104.43.139.144, 20.54.26.129, 20.82.209.183 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:18:08	API Interceptor	1x Sleep call for process: ORDDER-238486-LBT.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDDER-238486-LBT.exe.log Download File
Process:	C:\Users\user\Desktop\ORDDER-238486-LBT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp Download File
Process:	C:\Users\user\Desktop\ORDDER-238486-LBT.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	5.190351633985364
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBZtn:cbh47TlNQ//rydbz9I3YODOLNdq31
MD5:	7998EE71FA2B38B94B2AE0B52CD35517
SHA1:	473F5C5644A5BEB5A8A3E3901CFAE99D386B739C
SHA-256:	087A6BF8CD6B666D0CC664ADEE23ECC105B4AA50E852075C7B6A6C1504D4FFB1
SHA-512:	02DD37857C8DB34FB2F4BCCEF8B8A522277F00F0A81BA21535510947D77CB42FDA5C8EC86D1D4D33C102E2A4DE9F0833EEA8792ECD68427DCA94E57D28A349A4
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\CqbqIOaf.exe Download File
Process:	C:\Users\user\Desktop\ORDDER-238486-LBT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	843776
Entropy (8bit):	7.643368458338207
Encrypted:	false
SSDEEP:	12288:MWqVPMuk6Aws9YuUHxgf6X91ZLWKCiht0sJw5W5qY5QbTPSsXq60lKN7:M/kOs9YuUg4ZLukSkQbtXqYl
MD5:	D320967A90E6A8FD824864C53DC02135
SHA1:	345E589B268690D6A3F34686CDD0AF5368DE376C
SHA-256:	6E110B6474993B690F1BF6F2EDC01446010CE9BEF5375991693E2BFFA81D14FD
SHA-512:	25C64F2ED0F335214098F99D8EE244CDD4B439F3A93B75174AE84CF6EF0BEE2DBC8A32E5ECB777D9A934CBC86044242754BC143A20A3F3A8BD013278DC69700C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 12%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..8...........V... ...`....@.. .......................@............@.................................xV..O....`..$.................... ....................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...$....`.......:..............@..@.reloc....... ......................@..B.................V......H.......$}...u...............c...........................................0............(....( .........(.....o!.........................("......(#......($......(%......(&....N..(....o....('....&..((.....s)........s........s+........s,........s-............0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+...0......

C:\Users\user\AppData\Roaming\CqbqIOaf.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ORDDER-238486-LBT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.643368458338207
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ORDDER-238486-LBT.exe
File size:	843776
MD5:	d320967a90e6a8fd824864c53dc02135
SHA1:	345e589b268690d6a3f34686cdd0af5368de376c
SHA256:	6e110b6474993b690f1bf6f2edc01446010ce9bef5375991693e2bffa81d14fd
SHA512:	25c64f2ed0f335214098f99d8ee244cdd4b439f3a93b75174ae84cf6ef0bee2dbc8a32e5ecb777d9a934cbc86044242754bc143a20a3f3a8bd013278dc69700c
SSDEEP:	12288:MWqVPMuk6Aws9YuUHxgf6X91ZLWKCiht0sJw5W5qY5QbTPSsXq60lKN7:M/kOs9YuUg4ZLukSkQbtXqYl
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..8...........V... ...`....@.. .......................@............@................................

File Icon


Icon Hash:	cc92316d713396e8

Static PE Info

General
Entrypoint:	0x4b56ca
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6073A40D [Mon Apr 12 01:36:13 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5678	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0x1a324	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb36d0	0xb3800	False	0.954316460655	data	7.95061413978	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb6000	0x1a324	0x1a400	False	0.141489955357	data	3.0228794934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb6220	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xb6688	0x162a	PNG image data, 256 x 256, 8-bit colormap, non-interlaced
RT_ICON	0xb7cb4	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xba25c	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xbb304	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xcbb2c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xcfd54	0x5a	data
RT_VERSION	0xcfdb0	0x386	data
RT_MANIFEST	0xd0138	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2012
Assembly Version	8.1.1.15
InternalName	ComparisonResult.exe
FileVersion	8.1.1.14
CompanyName	Landskip Yard Care
LegalTrademarks	A++
Comments
ProductName	LevelActivator
ProductVersion	8.1.1.14
FileDescription	LevelActivator
OriginalFilename	ComparisonResult.exe

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 09:17:53.285132885 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:17:53.343862057 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 12, 2021 09:17:53.526925087 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:17:53.575629950 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 12, 2021 09:18:10.366118908 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:18:10.414875031 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 12, 2021 09:18:25.432631969 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:18:25.515925884 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 12, 2021 09:18:29.561774015 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:18:29.610610008 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 12, 2021 09:18:40.763766050 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:18:40.812427998 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 12, 2021 09:18:41.926345110 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:18:41.975071907 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 12, 2021 09:18:43.743885040 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:18:43.803793907 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 12, 2021 09:18:45.061738014 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:18:45.110645056 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 12, 2021 09:18:47.190340996 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:18:47.247328043 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:00.678936005 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:00.737627029 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:12.542879105 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:12.601038933 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:13.580023050 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:13.631684065 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:16.027453899 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:16.093424082 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:19.089356899 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:19.143817902 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:20.071320057 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:20.131479025 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:23.866743088 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:23.918381929 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:24.813545942 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:24.864968061 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:29.126115084 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:29.587069988 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:30.570658922 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:30.627811909 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:31.484775066 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:31.533787012 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:39.058592081 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:39.116033077 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:42.241744041 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:42.290544987 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:44.107295990 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:44.172200918 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:48.458297014 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:48.509835005 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 12, 2021 09:19:49.367945910 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:19:49.420788050 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 12, 2021 09:20:07.887948036 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:20:07.936563015 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 12, 2021 09:20:09.483056068 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:20:09.532433033 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 12, 2021 09:20:09.934425116 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 12, 2021 09:20:10.028915882 CEST	53	56132	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 09:19:29.126115084 CEST	192.168.2.3	8.8.8.8	0x9a	Standard query (0)	www.dailyhealthyvibes.info	A (IP address)	IN (0x0001)
Apr 12, 2021 09:20:09.934425116 CEST	192.168.2.3	8.8.8.8	0xb30d	Standard query (0)	www.tndhaulingllc.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 09:19:29.587069988 CEST	8.8.8.8	192.168.2.3	0x9a	Name error (3)	www.dailyhealthyvibes.info	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 09:20:10.028915882 CEST	8.8.8.8	192.168.2.3	0xb30d	Name error (3)	www.tndhaulingllc.com	none	none	A (IP address)	IN (0x0001)

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE6
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE6
GetMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE6
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE6

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ORDDER-238486-LBT.exe PID: 1844 Parent PID: 5688

General

Start time:	09:17:59
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\ORDDER-238486-LBT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ORDDER-238486-LBT.exe'
Imagebase:	0x200000
File size:	843776 bytes
MD5 hash:	D320967A90E6A8FD824864C53DC02135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.262544972.0000000002701000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.262648767.0000000002753000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.263822373.00000000038AE000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5788 Parent PID: 1844

General

Start time:	09:18:20
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CqbqIOaf' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DD1.tmp'
Imagebase:	0x1360000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5924 Parent PID: 5788

General

Start time:	09:18:21
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ORDDER-238486-LBT.exe PID: 5524 Parent PID: 1844

General

Start time:	09:18:22
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\ORDDER-238486-LBT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ORDDER-238486-LBT.exe
Imagebase:	0x540000
File size:	843776 bytes
MD5 hash:	D320967A90E6A8FD824864C53DC02135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.312289231.0000000000FA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.313250588.0000000001300000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 5524

General

Start time:	09:18:24
Start date:	12/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: chkdsk.exe PID: 6928 Parent PID: 3388

General

Start time:	09:18:42
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0x190000
File size:	23040 bytes
MD5 hash:	2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.482249275.0000000000310000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7072 Parent PID: 6928

General

Start time:	09:18:47
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\ORDDER-238486-LBT.exe'
Imagebase:	0x60000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7092 Parent PID: 7072

General

Start time:	09:18:48
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ORDDER-238486-LBT.exe PID: 1844 Parent PID: 5688 ORDDER-238486-LBT.exeCOMMON

Executed Functions

Function 0517FC00, Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

'r?7, xrefs: 0517FDAE
'r?7, xrefs: 0517FDBC

Memory Dump Source

Source File: 00000001.00000002.267096279.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID:
String ID: 'r?7$'r?7
API String ID: 0-386573001
Opcode ID: ce60b90517faa3de4143b9e5e0afb55fcdc1e4bf3f4bd5aed15fca8e7a4ffdd3
Instruction ID: 2bffe362779ace7ba6b92d7a9a93174353c8bbcb7ddf422b4718017782b629ee
Opcode Fuzzy Hash: ce60b90517faa3de4143b9e5e0afb55fcdc1e4bf3f4bd5aed15fca8e7a4ffdd3
Instruction Fuzzy Hash: 6391F5B4E0420D9BCB18DFE9C585AAEFBF2BF88314F14C56AD418A7359D7349942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 025B3FC0, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd2a64fce9fbd240f897889be83e9877413bed6218411e83f233cd280dcae95
Instruction ID: 6c37e6dbf641a2aee5c0d07f31dae3699d356e0ee527a697e945cb23a8472f8d
Opcode Fuzzy Hash: 1fd2a64fce9fbd240f897889be83e9877413bed6218411e83f233cd280dcae95
Instruction Fuzzy Hash: 83D12734E052089FDB54CFA4E955BEDBBB2FF89300F209629E406BB294D7789941CB18

Uniqueness

Uniqueness Score: -1.00%

Function 025B3FBF, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde0f51491d5374a88acb45180e1af4fb83bbd23767a62eed77b88dc9b4603fe
Instruction ID: 2ca25f4c44b90454051f63587414c8fa3a1ae602d9828243d0d5a438357d6625
Opcode Fuzzy Hash: fde0f51491d5374a88acb45180e1af4fb83bbd23767a62eed77b88dc9b4603fe
Instruction Fuzzy Hash: 2AC12734E052099FDB54CFA4E955BEDBBB2FF89300F209629E405BB394D7789941CB18

Uniqueness

Uniqueness Score: -1.00%

Function 025B45C9, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdedde17a0bc1de678ebed5730ffc84a6a25003c8d8d149c2fc8a4f8e9c0ac4f
Instruction ID: ee1c3bed23e87b863b08e205e1604c3078d4e4b5b9c0a13b584b541c52fe14bc
Opcode Fuzzy Hash: fdedde17a0bc1de678ebed5730ffc84a6a25003c8d8d149c2fc8a4f8e9c0ac4f
Instruction Fuzzy Hash: 2C810674E012099FCB44DFE5D8545EEBBB2FF89300F20862AD816AB755DB349902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025B0006, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7de7f00c95e64c12a8cce9929b7c8623012f0d1735de1cba0cfded0ec5b906
Instruction ID: 8ffda5e005561a2b07c7907b2f295d331f492da237e0e7b153117a06e1a292b1
Opcode Fuzzy Hash: 0d7de7f00c95e64c12a8cce9929b7c8623012f0d1735de1cba0cfded0ec5b906
Instruction Fuzzy Hash: BD719B74E052498FCB06CFE9C8816EFBFB2BF89310F14C466D450AB295D7389946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 025B4581, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d3fafc12175132c3fc1a4e5e1af80792a23b83b508f1afa6e6992aa286b0a6
Instruction ID: 33b64ace66c4ded2a7713bf813be3e90c3547ded75343096ca55ef68c44b5c13
Opcode Fuzzy Hash: 00d3fafc12175132c3fc1a4e5e1af80792a23b83b508f1afa6e6992aa286b0a6
Instruction Fuzzy Hash: 7C71F274E012099FCB45DFE5D8545EEBBB2FF89300F20862AD816AB755DB389902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025B45D8, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dac5c57a1b938136dedea4eedbb5cc4778fe072aea7378e1b3839b028cf7963
Instruction ID: 6e2b1bb6c8c473e89f18b00ae0c85f83354483d4c0ede699f60cde87a848845e
Opcode Fuzzy Hash: 3dac5c57a1b938136dedea4eedbb5cc4778fe072aea7378e1b3839b028cf7963
Instruction Fuzzy Hash: 18710474E012099FCB44DFE5D8545EEBBB2FF89300F20862AD91AAB754DB349902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 025B0040, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc73aa6d161e54b0654db3461a97e44ae3ec298b744ea8b9cf56898ce4a1b090
Instruction ID: 1ceee67665d1074e641590e1bf02660ca1ad65cf213d0dc711603edd15f43467
Opcode Fuzzy Hash: dc73aa6d161e54b0654db3461a97e44ae3ec298b744ea8b9cf56898ce4a1b090
Instruction Fuzzy Hash: 74512474E0420A8FCB09CFE9C4846EFFBB6BF88310F54D92AD414A7294D7749A458FA5

Uniqueness

Uniqueness Score: -1.00%

Function 025B38A0, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ae8f695450ddef7fd7f516702f50808cb288b76b4f4fb5d436196a6989967d
Instruction ID: 866a25f554645bbf5d0d585a2d59a2dd20fdc5c206bdeea839dfb0cc2ee37dd0
Opcode Fuzzy Hash: 10ae8f695450ddef7fd7f516702f50808cb288b76b4f4fb5d436196a6989967d
Instruction Fuzzy Hash: 84518B70E16618ABCB44CFA9D9415DEFBF2FF8E310F24996AD405F7254DB3899018B28

Uniqueness

Uniqueness Score: -1.00%

Function 025B38B0, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa516d63ade7cac99bf271ee3242ecd94af3d7ddf63a73460cee11bf99f98555
Instruction ID: 961198f5bf7abbd51a535a913320c40b450cefc2560f2eb6d3a17ece25714ede
Opcode Fuzzy Hash: fa516d63ade7cac99bf271ee3242ecd94af3d7ddf63a73460cee11bf99f98555
Instruction Fuzzy Hash: 2B517B30E16618ABCB44CFA9D9415DEFBF2FF8E210F24996AD405F7254D7389900CB28

Uniqueness

Uniqueness Score: -1.00%

Function 025B7BD0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36a3288322c5bf6fe1e52b7ac5b965a7716adef927235aeaaac746ec4592d82
Instruction ID: 54efee65d2bd315d3c0936abbb0b8d1e4340a91bb15d086e6cb4c14d9ff8217f
Opcode Fuzzy Hash: c36a3288322c5bf6fe1e52b7ac5b965a7716adef927235aeaaac746ec4592d82
Instruction Fuzzy Hash: C7310371D45228DBEB12CFA5D488BEDFAF1BF8E306F148829E406B7290D7748945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 025B7BBF, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc8a8fb536f1a66f5cf0343517b2c24b7d3012fe273dc3fe449216d54b77d07
Instruction ID: 7b32b9b873fadd28007aad164cb02375a954f77dbb1cc7f4125af36178619c6f
Opcode Fuzzy Hash: 5dc8a8fb536f1a66f5cf0343517b2c24b7d3012fe273dc3fe449216d54b77d07
Instruction Fuzzy Hash: AC310571D05258CBEB16CFA8D488BEDFFB1BF8A306F144869E406B7291CB754984CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00A06B90, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00A06C00
GetCurrentThread.KERNEL32 ref: 00A06C3D
GetCurrentProcess.KERNEL32 ref: 00A06C7A
GetCurrentThreadId.KERNEL32 ref: 00A06CD3

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6743e9cc748ed99e559f6b4720eb2d372d9f0ee2b01b6d20ab6f3cb3bad16215
Instruction ID: 04b1bb8494664698723491acd0151fcb46c578dbb852cf5c1714317e4069f2bd
Opcode Fuzzy Hash: 6743e9cc748ed99e559f6b4720eb2d372d9f0ee2b01b6d20ab6f3cb3bad16215
Instruction Fuzzy Hash: FB5188B0D002888FDB54CFA9D6887DEBBF0FF88308F148459E059A7291DB755884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A06BA0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00A06C00
GetCurrentThread.KERNEL32 ref: 00A06C3D
GetCurrentProcess.KERNEL32 ref: 00A06C7A
GetCurrentThreadId.KERNEL32 ref: 00A06CD3

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 88e8033bf0b7b42564afd2deb496944edbde2999913feac8e86869f6d90a0618
Instruction ID: 8540fb4bff409196317a319666a7f7feb0299f9731ba04e42f97dbc5658038a0
Opcode Fuzzy Hash: 88e8033bf0b7b42564afd2deb496944edbde2999913feac8e86869f6d90a0618
Instruction Fuzzy Hash: 805154B0D002488FDB54CFA9D648B9EBBF0FF88318F248459E059A7290DB74A884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 025B244F, Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 025B2686

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 50386e06cc1caf1a75bd80f5360e640758250d9416200312b384c0866c25476d
Instruction ID: 61fd4b8382b3b7adc89cdbe9d52610437571f4a6a17a01dc15f12ca45d4b10df
Opcode Fuzzy Hash: 50386e06cc1caf1a75bd80f5360e640758250d9416200312b384c0866c25476d
Instruction Fuzzy Hash: CE916C71D002198FDF11CFA8C8917EEBBB2BF48314F1585A9E809E7290DB749985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 025B2450, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 025B2686

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c2ee9f132d243b1aa3eb763c9b29059bfea38ddf5c12fa68b3ce1b6dba4e933d
Instruction ID: 3764fa89ce389561ba47dee16dcbecee890863a9f4aa6596eecee1b6d1727452
Opcode Fuzzy Hash: c2ee9f132d243b1aa3eb763c9b29059bfea38ddf5c12fa68b3ce1b6dba4e933d
Instruction Fuzzy Hash: 0D916C71D002198FDF11CFA8C8917EEBBB2BF48314F1585A9D809E7290DB749985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A0BBB8, Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A0BE0E

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ce462c4c0e051258d6ae507e719b4e63601021ef03ef68475410d849687cd7e8
Instruction ID: 59813e4d1e10d46ca945e3c8f25e0f61fad37a8839dc820d135e455d9074c027
Opcode Fuzzy Hash: ce462c4c0e051258d6ae507e719b4e63601021ef03ef68475410d849687cd7e8
Instruction Fuzzy Hash: F7814670A10B098FD724DF2AD55575ABBF1FF88304F008A2DD486D7A81DB75E845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0DC6D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A0DD8A

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9316b4738fddaeeed834589a1561211f1076fec448379380467a30d9a0827b6e
Instruction ID: 953d290894590e3b6bc10c1d754acf3794c58fedeb287e1182af4650d0ec013f
Opcode Fuzzy Hash: 9316b4738fddaeeed834589a1561211f1076fec448379380467a30d9a0827b6e
Instruction Fuzzy Hash: 4151B0B1D00349DFDB14CFA9D884ADEBBB5FF88314F24812AE819AB250D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A0DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A0DD8A

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ab7414356c74d2d7cf48c231d237ecc5f54b6c1c9d1d84ebd15e22fe4f85dca7
Instruction ID: 79c5848437e5347bb7b5f940f97b3ca98d46c666b9ef6343ff08061ba5e794c3
Opcode Fuzzy Hash: ab7414356c74d2d7cf48c231d237ecc5f54b6c1c9d1d84ebd15e22fe4f85dca7
Instruction Fuzzy Hash: 2941B0B1D103099FDF14CF99D884ADEBBB5FF88314F24852AE819AB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 025B1EE1, Relevance: 1.6, APIs: 1, Instructions: 111processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 025B2686

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 550bfa7f4182a98eacba1cb625dc387e5670c59e1d297c55ccfa40073df782d3
Instruction ID: af4edfa17174747d1f941d8464f0757823970141cd9c99a937d15c2930e01fc4
Opcode Fuzzy Hash: 550bfa7f4182a98eacba1cb625dc387e5670c59e1d297c55ccfa40073df782d3
Instruction Fuzzy Hash: 8F413731900218DEDF25CFA4C894BDDBBB2BF45308F158599D809BB650C7745E89CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A06D51, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A06E4F

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 18a5b4b5c44baee1461c79a2264ccd1a2ab0b8e6222c181e5b955f3bb2c169cf
Instruction ID: c84cb5039ef2f977a6ad8e006642da27fa64aa403baec7745fd652e08dc09b4f
Opcode Fuzzy Hash: 18a5b4b5c44baee1461c79a2264ccd1a2ab0b8e6222c181e5b955f3bb2c169cf
Instruction Fuzzy Hash: BD418876A00248AFCB01CFA9D844ADEBFF5EF89320F08805AE954A7261D3359915DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 025B21C7, Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 025B2258

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4a08ba994414d26a2398c18e7014dc012993c87eb87fea567e1a3c3b04f5f73e
Instruction ID: b9edb66ba833113259acde61b606ca6271dd22c0e1a8bcceb8b9d65af9885b2a
Opcode Fuzzy Hash: 4a08ba994414d26a2398c18e7014dc012993c87eb87fea567e1a3c3b04f5f73e
Instruction Fuzzy Hash: F12113719003599FCB10CFA9D984BEEBBF5FF48314F10842AE919A7240DB78A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B21C8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 025B2258

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 29b5c8c98989ba1ca724280cba736390f3db6e530338e079c3cf83e59d936c1f
Instruction ID: 3064847c440514ad999fb0a0e2c15e9fb02ce4d1ed16437c2398cdf9fe4de7f7
Opcode Fuzzy Hash: 29b5c8c98989ba1ca724280cba736390f3db6e530338e079c3cf83e59d936c1f
Instruction Fuzzy Hash: B62113719003599FCB10CFA9C984BEEBBF5FF48314F10842AE919A7240D778A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A06DC0, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A06E4F

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 53c740df799ae2537a1412761cc5f58c16019e81ccefd911119e46b79db20b12
Instruction ID: 7ff38ace3505f2f8f5a80dc0c6b6b8c934aea01cb697689af4be04aaebce9531
Opcode Fuzzy Hash: 53c740df799ae2537a1412761cc5f58c16019e81ccefd911119e46b79db20b12
Instruction Fuzzy Hash: FA2100B5D002489FDB10CFA9D984BEEBFF4EF48324F15841AE958A7210D378A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 025B22B7, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 025B2338

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7122b8b82040ddbe27df532997723934473d7dfb80916e70476f6920cbb0eba9
Instruction ID: 38aacab52ab478361a1cb678d2547cc8918eb9ce17c81dd526b45fee42ee6602
Opcode Fuzzy Hash: 7122b8b82040ddbe27df532997723934473d7dfb80916e70476f6920cbb0eba9
Instruction Fuzzy Hash: A52116719002599FCB10CFA9C8807EEBBF5FF48314F50842AE919A7250D7349945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B2028, Relevance: 1.6, APIs: 1, Instructions: 64threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 025B20AE

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 96a4624859aecd9bf2f4b6110bc759515a9e2eb51a299bc21c250826405529bd
Instruction ID: 2b675649790e328dcced805c11f2050b3a088f082a45e51c587f915d6b2301b0
Opcode Fuzzy Hash: 96a4624859aecd9bf2f4b6110bc759515a9e2eb51a299bc21c250826405529bd
Instruction Fuzzy Hash: 752137719002098FDB10CFAAC5847EFBBF5EF48328F14842AD959A7640DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B22B8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 025B2338

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: afc2741ff0e8f098f8716982dd08f0a3ac8a2fc388293068918ff5a1351d7857
Instruction ID: 8002ffe633e7e979c255888a89c1650a14311404b9c7431cff9c50faf20c0af1
Opcode Fuzzy Hash: afc2741ff0e8f098f8716982dd08f0a3ac8a2fc388293068918ff5a1351d7857
Instruction Fuzzy Hash: 2F2116719002599FCB10CFA9C8807EEBBF5FF48314F50842AE919A7250D7349945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B2030, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 025B20AE

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 522f25114741ee15d5402ccb3c9e51d829e46c408ad7f8a0b6b18cb1dff47bba
Instruction ID: b92402c5cc532c9959d59374c6aa7079a04e14463c39091da3da981df88d2248
Opcode Fuzzy Hash: 522f25114741ee15d5402ccb3c9e51d829e46c408ad7f8a0b6b18cb1dff47bba
Instruction Fuzzy Hash: 472107719002098FDB50CFAAC4847EEBBF5EF48328F14842AD959A7640DB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A06DC8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A06E4F

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ce557c7205b17230d2752cd9c258e7debd98570f5d0a8570c33f808de00f48af
Instruction ID: 9d8832a15a8f30f457226404feea8753be90e0d316ad497238d4ed788c0f00e9
Opcode Fuzzy Hash: ce557c7205b17230d2752cd9c258e7debd98570f5d0a8570c33f808de00f48af
Instruction Fuzzy Hash: EE21E2B5D002489FDB10CFA9D984ADEBBF8EB48324F14841AE914A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B2100, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 025B2176

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 27b09ad8385058895f6fc06f29723bd95aa08b77e9cae6a76dde8cef440968f4
Instruction ID: ee83d0a77bee6338f5f031c4fd237543f2b980f300c7a454c6fa3539f36b3b0a
Opcode Fuzzy Hash: 27b09ad8385058895f6fc06f29723bd95aa08b77e9cae6a76dde8cef440968f4
Instruction Fuzzy Hash: 291144719002499FCF11CFAAD844BEFBBF5AF88324F14881AE919A7250C735A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B0B0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A0BE89,00000800,00000000,00000000), ref: 00A0C09A

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 299c0e138993b3e9037f9abd6a03b68717d71e6306a9a4e5ed8a3ba76964bbaf
Instruction ID: 6407548ae18749b7d5a5b2c88b9c81c07f2b15dad62926df090b5751e77b2112
Opcode Fuzzy Hash: 299c0e138993b3e9037f9abd6a03b68717d71e6306a9a4e5ed8a3ba76964bbaf
Instruction Fuzzy Hash: ED1100B2D00209CFDB10CF9AD444BDEBBF8EB88324F15852AE919A7640C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C028, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A0BE89,00000800,00000000,00000000), ref: 00A0C09A

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d83b988e7e04065817f6920b9ee4346bd19410a6f60343dfd94c1f4807253f00
Instruction ID: 59a10cb4b874ca047044ddc609d4dfac6a97026f20396fbdd4059ff45024cd0b
Opcode Fuzzy Hash: d83b988e7e04065817f6920b9ee4346bd19410a6f60343dfd94c1f4807253f00
Instruction Fuzzy Hash: 3911F2B6D002498BCB10CFAAD484BDEFBF4EB88324F15851AD915A7240C375A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B2108, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 025B2176

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 67d9648496ce20ebf310048ef33550199b37cfe3caff00f159507c9b03a14140
Instruction ID: e65f9af99b141e7029a523fe9c18b6caec19c04f26f2fec93b1efee14a656f6a
Opcode Fuzzy Hash: 67d9648496ce20ebf310048ef33550199b37cfe3caff00f159507c9b03a14140
Instruction Fuzzy Hash: 9D1137719002499FCF10DFA9C8447EFBBF5EF88324F148819E915A7250C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B1F78, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 025B1FE2

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b1aeb31c6a190ca1d299c57f186c801a65eb1cad372ec89650bc507c4d3a0f65
Instruction ID: b6c42e9438c4c0e0136d70ad26ad744b0e53b9b8b12aed877319f3b91c71da4d
Opcode Fuzzy Hash: b1aeb31c6a190ca1d299c57f186c801a65eb1cad372ec89650bc507c4d3a0f65
Instruction Fuzzy Hash: 45114671E007498FCB10DFA9D4447EEBBF4AF88224F24882AD429A7240CB346944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0517F920, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 0517F990

Memory Dump Source

Source File: 00000001.00000002.267096279.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 83beb122c75dfa62fcfd47dd5fd0a7b758658169f8df8ebc603a6eca97079772
Instruction ID: f6454bc6bdcaceb65a8977ae516c2cb02887ae0a6ec8d4eb89ff43b633d1cc06
Opcode Fuzzy Hash: 83beb122c75dfa62fcfd47dd5fd0a7b758658169f8df8ebc603a6eca97079772
Instruction Fuzzy Hash: 691123B1C0065A9BCB10CF9AD844BDEFBF4FB48320F11811AE819B7600D734AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B1F80, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 025B1FE2

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4f2e49d9d54262f7f8d5227e4b97542d812f319667f089abc9313027fbc14d40
Instruction ID: 66550e82784300aa41bd1ae7525329f0c5d9a17ea192c9da11a91113a3325eaa
Opcode Fuzzy Hash: 4f2e49d9d54262f7f8d5227e4b97542d812f319667f089abc9313027fbc14d40
Instruction Fuzzy Hash: 97113A71D007498BCB10DFAAC4447DFFBF9EF88224F14881AD519A7240CB74A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A0BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A0BE0E

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e088521bcd83ce57187d04839d626f4002f590b10b0eac41a3de4e657253d0e9
Instruction ID: 9388a3aef24ac74dd81cd50467466e77ca86a8aedc8e671148b20232b25b3eb3
Opcode Fuzzy Hash: e088521bcd83ce57187d04839d626f4002f590b10b0eac41a3de4e657253d0e9
Instruction Fuzzy Hash: D21110B1C002498FCB10CF9AD544BDEFBF4EF88324F15841AD929A7650C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B6C44, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 025B6CA5

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0aa82fe122e8292c8d8de39583d90abd281463f729c50e899d00c7e5a52e112d
Instruction ID: d898983a0c2779887f505b3cadbebba968cab0ba4f0c9080137f4c6b815ad991
Opcode Fuzzy Hash: 0aa82fe122e8292c8d8de39583d90abd281463f729c50e899d00c7e5a52e112d
Instruction Fuzzy Hash: F611F2B58003499FCB10CF99D985BDEBFF8FB48324F14881AE954A7600C374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0DEB9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00A0DF1D

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 43fc276a436676a98d35670a7432930da00cefb7e73914270a724ade407d0125
Instruction ID: 1aaeedb0a522b0a283206a39bc53c78d104faeff07d812b71c0ff7403b50b7c3
Opcode Fuzzy Hash: 43fc276a436676a98d35670a7432930da00cefb7e73914270a724ade407d0125
Instruction Fuzzy Hash: 471133B69002498FCB10CF99D484BEEBBF4EF88320F14850AE855A7640C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00A0DF1D

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e1f36c02da60fee5cb568bfb8fc6996b9576b9ecf6e44e5dd3e0f011c36d2b30
Instruction ID: 7af85a389b7e6cdd36e546ba2b80a3cea86a1b3b40cdeffe26c9319dd8bb09c7
Opcode Fuzzy Hash: e1f36c02da60fee5cb568bfb8fc6996b9576b9ecf6e44e5dd3e0f011c36d2b30
Instruction Fuzzy Hash: 151112B58002498FDB10CF99D484BDEBBF8EF88320F10841AE915A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025B6C48, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 025B6CA5

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 421b691380ddf6f025091106fe0132e18fc57989274995a7c711a9e0040b82a6
Instruction ID: 2f9a7f96528e1890bc041a27ae784ed86394a5c696652e836e12f8c3f1554c66
Opcode Fuzzy Hash: 421b691380ddf6f025091106fe0132e18fc57989274995a7c711a9e0040b82a6
Instruction Fuzzy Hash: 8911E2B59003499FDB10CF99D988BDEBBF8FF48324F14841AE954A7600C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0098D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261880240.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdad928e5b02a4e84625fc6ca7fd5917aacb272d52c2f4e5284bc579c2189e5
Instruction ID: cea2253601cd53672dba107d9e6082d7f7a45838d6bb102db6bb595401b855a5
Opcode Fuzzy Hash: 4cdad928e5b02a4e84625fc6ca7fd5917aacb272d52c2f4e5284bc579c2189e5
Instruction Fuzzy Hash: CC213A71504240DFDB05EF14D9C0F17BB69FB88328F24856AE8054B38AC33ADC45D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0099D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261914563.000000000099D000.00000040.00000001.sdmp, Offset: 0099D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a6e6753cf6833566ab5c0642f06a2b56a5fc0cd62cf1040b395119729d0365
Instruction ID: c1ea80281b92a8c568d0990d772da74ecaa7e009a31ba0d7189327615643a2eb
Opcode Fuzzy Hash: c7a6e6753cf6833566ab5c0642f06a2b56a5fc0cd62cf1040b395119729d0365
Instruction Fuzzy Hash: 5121D475504344DFDF14DF28D9C4B26BB69FB88314F24CA69D84A4B246C73BD847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0099D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261914563.000000000099D000.00000040.00000001.sdmp, Offset: 0099D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5aacb093e683f170939c6b806fa6f5f9d1985bde8692a88c74397fcfdbf39a9
Instruction ID: abb96f13d0192bd26c5faef411bb322da4e97aa968d347b7b3d1f1e42ba06036
Opcode Fuzzy Hash: c5aacb093e683f170939c6b806fa6f5f9d1985bde8692a88c74397fcfdbf39a9
Instruction Fuzzy Hash: 4F210771504240DFDF05CF58D5C0B1ABB69FB84314F24CA69D8094B246C33AD846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0099D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261914563.000000000099D000.00000040.00000001.sdmp, Offset: 0099D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5c77900af0c3d52cce03c8f4a70b0856b5460d2b86d666034257bc073c58a5
Instruction ID: 170824e2dc7f1797a77430402b18f01c506800ef74ba52c5c98979d2b609a616
Opcode Fuzzy Hash: 5d5c77900af0c3d52cce03c8f4a70b0856b5460d2b86d666034257bc073c58a5
Instruction Fuzzy Hash: 44218E755093C08FDB02CF24D9D0B15BF71EB46314F28C5EAD8498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261880240.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089f040691d95437d3e3945d9fc2aad68fd74f4be42516a5277ab229e787303f
Instruction ID: 59d36835cfa1fa1595adcd94ce1f771e97953331533294696b4de770684a703c
Opcode Fuzzy Hash: 089f040691d95437d3e3945d9fc2aad68fd74f4be42516a5277ab229e787303f
Instruction Fuzzy Hash: E211D376404280DFDB15DF10D5C4B16BF71FB94324F2886AAE8090B75AC33AD95ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0099D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261914563.000000000099D000.00000040.00000001.sdmp, Offset: 0099D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56df88b9b7a1166935ae8fa4ca7bf63e7314e17cb226e706ca627439ff04c8a
Instruction ID: 3d203cbd2ddbbae148f375ae70f42232af822ecfccd54bdc7ccfe05f14444132
Opcode Fuzzy Hash: d56df88b9b7a1166935ae8fa4ca7bf63e7314e17cb226e706ca627439ff04c8a
Instruction Fuzzy Hash: 92118B75904280DFDF15CF14D6C4B19BBB1FB84324F28C6A9D8494B696C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098D75D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261880240.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9814de2c5eca6c36d3fa92b5b671f83d33779d3ae0984bef6295cf3435368e
Instruction ID: 89986361caf7503cb8d6aa75d2c89861a00bd1122a23802c778c6426ee13524f
Opcode Fuzzy Hash: 2f9814de2c5eca6c36d3fa92b5b671f83d33779d3ae0984bef6295cf3435368e
Instruction Fuzzy Hash: A901F7B140A3449AEB106A15CC80BA7BBDCEF41734F18881AED054B3C6D7789C44C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0098D75C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.261880240.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb81e7959544a59be1a2a9657a290f02d82ef46b43237172f0fe37f37a3cfac3
Instruction ID: e0e4967fd2bdfc6d87483ad08cd4dc80ad0fd39cc2457b421e1dcf45fcadf3c6
Opcode Fuzzy Hash: bb81e7959544a59be1a2a9657a290f02d82ef46b43237172f0fe37f37a3cfac3
Instruction Fuzzy Hash: 45F06271405344AEEB108A15DC84BA2FFACEF41734F18C45AED085B386C3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0517C528, Relevance: 2.7, Strings: 2, Instructions: 161COMMON

Download Yara Rule

Strings

5\Vi, xrefs: 0517C6F1
5\Vi, xrefs: 0517C6F8

Memory Dump Source

Source File: 00000001.00000002.267096279.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID:
String ID: 5\Vi$5\Vi
API String ID: 0-2705686536
Opcode ID: 20f7d6a6805e3d73e1122c54955ffc798ee31d987701dd1fdfc22eb8fe229c28
Instruction ID: 864e3fc17b67057160ba3f7687af734c3cfcd9d3fca1c7b83794f273062033ee
Opcode Fuzzy Hash: 20f7d6a6805e3d73e1122c54955ffc798ee31d987701dd1fdfc22eb8fe229c28
Instruction Fuzzy Hash: 1A71F5B4E00208DFCB08DFA9E5989ADBBB2FF88304F50956AE416BB354DB385941CF55

Uniqueness

Uniqueness Score: -1.00%

Function 025B4960, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

=Y, xrefs: 025B4AF6

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID: =Y
API String ID: 0-3244594988
Opcode ID: a7bd13791f07d625cfd45eea8532f647d7b42f793f53130651e7e6c085847066
Instruction ID: b41760b42299ff1b14327d34bb5bdca33f212491ede0eab3563ad2b3ddbaa1bc
Opcode Fuzzy Hash: a7bd13791f07d625cfd45eea8532f647d7b42f793f53130651e7e6c085847066
Instruction Fuzzy Hash: 84415574E14209DFCB14CFAAD8556EEFBB2FF88200F20992AC115B7258D7789A01CF58

Uniqueness

Uniqueness Score: -1.00%

Function 025B495F, Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

=Y, xrefs: 025B4AF6

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID: =Y
API String ID: 0-3244594988
Opcode ID: 1941bcae26a4d46de86564ae0b740ba3d5bc51c529530d27abf1187a98721877
Instruction ID: 3e6c6a7c64e451645f2de5370d7994a116b70374aef8a8c72f18705c2ee5a434
Opcode Fuzzy Hash: 1941bcae26a4d46de86564ae0b740ba3d5bc51c529530d27abf1187a98721877
Instruction Fuzzy Hash: 99414574E14209DFCB14CFAAD8516EEFBF2BF88200F20992AC015B7258D7789A01CF58

Uniqueness

Uniqueness Score: -1.00%

Function 025B02E0, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

P-l2, xrefs: 025B0373

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID: P-l2
API String ID: 0-3678629926
Opcode ID: e2e40f69289b3a308f6defc645375a61d060eee287942c260489611961d02866
Instruction ID: f94e92cae1a2410d8484cbb32e89a14e88decff1aacd863a50bb76251a04c82d
Opcode Fuzzy Hash: e2e40f69289b3a308f6defc645375a61d060eee287942c260489611961d02866
Instruction Fuzzy Hash: 56316C71E11219DBDB08CFAAD940AEEFBB6FFC9310F24C52AE508B7294D7345A418B54

Uniqueness

Uniqueness Score: -1.00%

Function 025B02D2, Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

P-l2, xrefs: 025B0373

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID: P-l2
API String ID: 0-3678629926
Opcode ID: 83c66ca6a65a4dfca97c2a83fc6442000885a1cd1482cbd1bdbbd220ff8897ea
Instruction ID: 5fcc33a02dfd50380e0330cec4be73b3283280a1b6645b79f25f44adf59124c4
Opcode Fuzzy Hash: 83c66ca6a65a4dfca97c2a83fc6442000885a1cd1482cbd1bdbbd220ff8897ea
Instruction Fuzzy Hash: A4316CB1E11219DBDB08CFAAD941ADEFBB6BF89310F24C52AD408B72A4D7345A418B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e524df5c202e1be5bfbcf35fe48b0165526b6d21c5d01f15f2966e9b675c6e7
Instruction ID: 00111ef0d4e97aad82f06191c1d1fc5e130105105895b6650eb9e9e95cd08027
Opcode Fuzzy Hash: 6e524df5c202e1be5bfbcf35fe48b0165526b6d21c5d01f15f2966e9b675c6e7
Instruction Fuzzy Hash: 35525AB1980706CFD710CF14E4C85997BB1FB84329FD14A19D2625BAD0E3B865AEEF48

Uniqueness

Uniqueness Score: -1.00%

Function 025B8450, Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85c14ed18caaf64972f28c8c8314b047b130ad27dd578a75a792211f28a0f1a
Instruction ID: a329a970c3ac10bf6922b6a928b56a4700d828e4f4090ea9b525de9c08d5b273
Opcode Fuzzy Hash: c85c14ed18caaf64972f28c8c8314b047b130ad27dd578a75a792211f28a0f1a
Instruction Fuzzy Hash: 29E1ED717006058FDB1AEB76C464BABBBEBBF88304F14846DD105CB692CB35E806CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A09968, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262037944.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1989da9460543fdf9f787f3be1cd2d583a50e07c99be52f65988f94fa8e863c6
Instruction ID: c23c19221adfecfcbd5ff140b03a36ad0e07777b423fa3f1c350c111238a2df5
Opcode Fuzzy Hash: 1989da9460543fdf9f787f3be1cd2d583a50e07c99be52f65988f94fa8e863c6
Instruction Fuzzy Hash: E8A1AF32E1061ACFCF05CFB5D9445DEBBB2FF85300B15856AE905BB2A1EB31A915CB50

Uniqueness

Uniqueness Score: -1.00%

Function 025B5021, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034a7054176ea7a0e6cfe8e73565c7e65b74ba4249b0f1bbfef3481073ae2700
Instruction ID: db8e94f714bd90590b39d859379ee42ead4ab00b369a00e452863da427941bdc
Opcode Fuzzy Hash: 034a7054176ea7a0e6cfe8e73565c7e65b74ba4249b0f1bbfef3481073ae2700
Instruction Fuzzy Hash: B391F3B4E152098BCB09DFA9D9419EEBBF2FF89300F60946AD405BB254E7709901CF59

Uniqueness

Uniqueness Score: -1.00%

Function 025B1518, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e13cde92e39c75cb8f1fa9f81c058c435d25fcc013f5cf8d3ab07b2635c92b8
Instruction ID: c0527b20d1103b20ee2edfa58ca97f7ce7872e3cde2aa0e57b8c448036ca0716
Opcode Fuzzy Hash: 7e13cde92e39c75cb8f1fa9f81c058c435d25fcc013f5cf8d3ab07b2635c92b8
Instruction Fuzzy Hash: DF811974E00619CFCB54CFA9C990A9EFBB2BF89204F24C1AAD409A7355DB31AE41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 025B1509, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6366fb6578156e4fd9d3015b276ee6b301567571babe0bbaeda55a19f392477
Instruction ID: 5d12ee1bdb035a4de8ae63be3c46eda4ec1e01992c85b2528f6ad4642c21a558
Opcode Fuzzy Hash: c6366fb6578156e4fd9d3015b276ee6b301567571babe0bbaeda55a19f392477
Instruction Fuzzy Hash: 39812974E00619CFCB54CFA9C990AAEBBF2BF89204F24C1AAD409A7355DB319E41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 025B53B7, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e12640fbe9f8bcba35094513894c834d2b156f5ddb530501c8c2dd8cd61365
Instruction ID: b64e046de9a255cd151a24eacde6a02f6062cade03c2e0a0fb5e73e1ed2f9444
Opcode Fuzzy Hash: 65e12640fbe9f8bcba35094513894c834d2b156f5ddb530501c8c2dd8cd61365
Instruction Fuzzy Hash: 3C614971E0466ACBDB28CF6AC8407EEF7B6BFC9300F04D5AAC50DA6654E7305A858F44

Uniqueness

Uniqueness Score: -1.00%

Function 025B5591, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d544d79f388da1d682a3e9e8c9827139438b4a32ac862f6d3d66852fc601bc41
Instruction ID: 411bf56992acc0fb7efe037b10f76580e5b3327175af2738e951e5814f725bd2
Opcode Fuzzy Hash: d544d79f388da1d682a3e9e8c9827139438b4a32ac862f6d3d66852fc601bc41
Instruction Fuzzy Hash: 155125B5D0466ACBCB69CF65C8407DDF7B2BF89301F4096EAD109A2614E7309AC5CF48

Uniqueness

Uniqueness Score: -1.00%

Function 025B5614, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9df488ad6be767e2ab5a4acfc3d75ea21b6bc5cc44f641393cb2d6037daeaa
Instruction ID: f2ad3c9ae83cb686e59ff32cd544efadd1289832912906be39f47488d6b44ab3
Opcode Fuzzy Hash: 0d9df488ad6be767e2ab5a4acfc3d75ea21b6bc5cc44f641393cb2d6037daeaa
Instruction Fuzzy Hash: 6D514B71D1466ACBCB68CF65C840BDEF7B2BF99300F1096EAD109B3614E7709A958F48

Uniqueness

Uniqueness Score: -1.00%

Function 025B8930, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f5fcc5c2896460af8c0c9518f26afe93b0c1055a4a7d3d068ef77593a27a4b
Instruction ID: ad1833e406803078ae0894f5659e9b8470b6fddab65c2dd8e468571da9368209
Opcode Fuzzy Hash: 05f5fcc5c2896460af8c0c9518f26afe93b0c1055a4a7d3d068ef77593a27a4b
Instruction Fuzzy Hash: FB118B308042988BCB168BA4C45C7FEBFF5BF4E314F18646AD491B3290C7354945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 025B8940, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.262195164.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32655c220e25bc01a19227616936435993246a9c1dc296efca50db63e5e9378
Instruction ID: a00fb60cad2c782dfc44c24634bf21c855d4227d88d6e400fcd4a749540a015b
Opcode Fuzzy Hash: e32655c220e25bc01a19227616936435993246a9c1dc296efca50db63e5e9378
Instruction Fuzzy Hash: 98112730D052588BDF16CFA5C81CBEEBBF5BF4E305F18A46AD415B3290C7788944DA69

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ORDDER-238486-LBT.exe PID: 5524 Parent PID: 1844 ORDDER-238486-LBT.exeCOMMON

Executed Functions

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AB30(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419fe3
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A002, 0041A010
BMA, xrefs: 0041A01D, 0041A024

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t31;
				void* _t32;
				void* _t33;

				_v8 =  &_v536;
				_t15 = E0041C820( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CC40(__eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CEC0(__ebx,  &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t18 = E0041B070(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: a31c2487d958de86685633fd431b3ef9c8f0d30197873f4edf114e6b439d7a00
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: A2015EB5D4020DBBDB10EBA5DC82FDEB7799B54308F0041AAE908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AB30(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419f3f
0x00419f47
0x00419f7d
0x00419f81

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2E, Relevance: 1.5, APIs: 1, Instructions: 38
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00419F2E(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				asm("cdq");
				asm("sbb eax, 0x8bec8b55");
				_t15 = _a4;
				_t3 = _t15 + 0xc40; // 0xc40
				E0041AB30(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419f2e
0x00419f2f
0x00419f33
0x00419f3f
0x00419f47
0x00419f7d
0x00419f81

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e6201439ba4efcb818d4f4147caccbd546dc06c037ae135b72b781749656d8f4
Instruction ID: 1adbb55210acb948432d3095a1b342eb60c1b700227bfa7ab51c7586a9eca5ee
Opcode Fuzzy Hash: e6201439ba4efcb818d4f4147caccbd546dc06c037ae135b72b781749656d8f4
Instruction Fuzzy Hash: 0AF0E2B2214149ABCB08CFA8D994CEB77A9FF8C354B15864DFA1D93202D634E855CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A10A, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A10A(intOrPtr __eax, void* __ebx, signed int __ecx, void* __edi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t18;

				_t28 = __edi - 1;
				 *((intOrPtr*)(__ebx + __ecx * 8 - 0x74aad13f)) = __eax;
				_t14 = _a4;
				_t6 = _t14 + 0xc60; // 0xca0
				E0041AB30(_t28, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t18 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t18;
			}

0x0041a10a
0x0041a10b
0x0041a113
0x0041a11f
0x0041a127
0x0041a149
0x0041a14d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b16c8d24a417a40b6dea3a2a6a88ea8db82a0f580bb1020dc28d376486e59c89
Instruction ID: f66a58966aa7db0cc0430b62013d42f3374272eea25fbe7f98275957db8d3706
Opcode Fuzzy Hash: b16c8d24a417a40b6dea3a2a6a88ea8db82a0f580bb1020dc28d376486e59c89
Instruction Fuzzy Hash: BFF0F8B2210208AFCB14DF99CC80EE777ADEF88354F118659BA1897241D630E821CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A110(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AB30(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a11f
0x0041a127
0x0041a149
0x0041a14d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041AB30(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a063
0x0041a066
0x0041a06f
0x0041a077
0x0041a085
0x0041a089

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409A90(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407E80(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00408090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041B9E0( &_v284, 0x104);
						E0041C050( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DC0(E00414D60(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe045
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080C0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408140(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409a9b
0x00409aa3
0x00409aa5
0x00409aaa
0x00409aaf
0x00409ac2
0x00409ac7
0x00409ad0
0x00409adc
0x00409aef
0x00409af4
0x00409af7
0x00409b00
0x00409b12
0x00409b17
0x00409b1c
0x00000000
0x00000000
0x00409b1e
0x00409b22
0x00000000
0x00000000
0x00409b24
0x00000000
0x00409b22
0x00409b26
0x00409b29
0x00409b2f
0x00409b31
0x00409b3c
0x00409b41
0x00409b44
0x00409b51
0x00409b5c
0x00409b5e
0x00409b64
0x00409b68
0x00409b6b
0x00409b6b
0x00409b72
0x00409b75
0x00409b7a
0x00409b87
0x00409ab6
0x00409ab6
0x00409ab6

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction ID: 432e1ce9d525f57aefaca7daa4fe6280bf22d9d084bd04ba996dfdd8e8b53d12
Opcode Fuzzy Hash: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction Fuzzy Hash: 4F210CB2D4020857CB25D665AD42BEF737CAB54318F04017FE949A3182F638BE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082E8(void* __eax, void* __ebx, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				signed int _v1241029388;
				void* _t16;
				int _t17;
				long _t25;
				int _t30;
				void* _t33;
				void* _t35;
				signed int _t40;

				_t40 = _v1241029388 * 0x55;
				_t33 = _t35;
				_v68 = 0;
				E0041BA30( &_v67, 0, 0x3f);
				E0041C5D0( &_v68, 3);
				_t16 = E0040ACD0(__ebx, _t40, _a4 + 0x1c,  &_v68); // executed
				_t17 = E00414E20(_a4 + 0x1c, _t16, 0, 0, 0xc4e7b6d6);
				_t30 = _t17;
				if(_t30 != 0) {
					_t25 = _a8;
					_t17 = PostThreadMessageW(_t25, 0x111, 0, 0); // executed
					_t42 = _t17;
					if(_t17 == 0) {
						_t17 =  *_t30(_t25, 0x8003, _t33 + (E0040A460(_t42, 1, 8) & 0x000000ff) - 0x40, _t17);
					}
				}
				return _t17;
			}

0x004082ea
0x004082f1
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 77f823ab068c02a494d7727bb9ac2f3d1ed1ea61fde38d9ce077403da08c7228
Instruction ID: 897584240b962c2da7b0844b2fa2de19aa0a7d1e97656c2994369d2825e89f2f
Opcode Fuzzy Hash: 77f823ab068c02a494d7727bb9ac2f3d1ed1ea61fde38d9ce077403da08c7228
Instruction Fuzzy Hash: BD01B931A803287BEB20A6559D43FFE776CAB40B55F05401AFF04BA1C1D6A8691547E6

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041BA30( &_v67, 0, 0x3f);
				E0041C5D0( &_v68, 3);
				_t12 = E0040ACD0(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A460(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction ID: 1050077c77294267169ebb916dfae3a1405fb9879d8789690f6f999e3cf74240
Opcode Fuzzy Hash: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction Fuzzy Hash: AD01D831A8032877E720A6959C03FFE771C6B40F54F044019FF04BA1C1E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082B9, Relevance: 1.5, APIs: 1, Instructions: 32
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E004082B9() {
				void* _t3;
				void* _t4;
				void* _t6;
				void* _t8;

				asm("int 0xf9");
				asm("sahf");
				asm("loopne 0x79");
				asm("rcr bl, 1");
				_t4 = E0041B470(_t3, _t6, 0x11c6f95e);
				_t8 = _t4;
				asm("lock call 0x13051");
				return _t4 + _t8 + 0x1000;
			}

0x004082b9
0x004082bb
0x004082bc
0x004082be
0x004082c6
0x004082ce
0x004082cf
0x004082dd

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 7018b946ad3bf6bf78f8b201f8ef99212ddd68030328e473bec20e02757013f6
Instruction ID: 5138203c3456aa74b95ea99b985e5f0dee36f73b9cf20e2258cfc5c92fb34716
Opcode Fuzzy Hash: 7018b946ad3bf6bf78f8b201f8ef99212ddd68030328e473bec20e02757013f6
Instruction Fuzzy Hash: 87E0D83578161875E62045555D03FBE73189B90F01F54413FFF44F92C0E9FA681506E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A233, Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E0041A233(void* __eax, void* __ebx, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
				char _t12;
				void* _t20;

				asm("sbb al, 0xc8");
				asm("a16 xchg esp, eax");
				_pop(ds);
				_t9 = _a8;
				_push(0xdc77cecc);
				_t3 = _t9 + 0xc74; // 0xc74
				E0041AB30(_t20, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
				_t12 = RtlFreeHeap(_a12, _a16, _a20); // executed
				return _t12;
			}

0x0041a233
0x0041a235
0x0041a237
0x0041a243
0x0041a249
0x0041a24f
0x0041a257
0x0041a26d
0x0041a271

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2c4e4c11c0037717281d9be01543ac32827b17d2fa67c4acb5361bb3422de5f6
Instruction ID: 7c6580401478679eb1f5461c4b129f5dd4912b18456d3f995447beff3e88a94b
Opcode Fuzzy Hash: 2c4e4c11c0037717281d9be01543ac32827b17d2fa67c4acb5361bb3422de5f6
Instruction Fuzzy Hash: 3AE06D722002146BDB14EF59CC49EE7776DEF48760F114659FE1C9B241C631E9518AE0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A240, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A240(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AB30(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a24f
0x0041a257
0x0041a26d
0x0041a271

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A200, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A200(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AB30(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a217
0x0041a22d
0x0041a231

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A3A0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041AB30(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a3ba
0x0041a3d0
0x0041a3d4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 9e479b2eaf60326b59b5a15a73b63e8f9b290ab663b6f1255dfa49a1ae2fc0e3
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: DFE01AB12002086BDB10DF49CC85EE737ADAF88650F018155BA0857241C934F8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A280, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A280(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AB30(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a283
0x0041a29a
0x0041a2a8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8

Memory Dump Source

Source File: 00000009.00000002.311502162.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: ec4c192c261470033b7d3fff11050ba2ce0bed15fbfecc5592b4580303735d53
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 29D017726142187BD620EB99CC85FD777ACDF487A0F0181A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: chkdsk.exe PID: 6928 Parent PID: 3388 chkdsk.exeCOMMON

Executed Functions

Function 04729F30, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,04724B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04724B87,007A002E,00000000,00000060,00000000,00000000), ref: 04729F7D

Strings

.z`, xrefs: 04729F6D, 04729F78

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 60568d6ad8e8a713bb99ea004360aab54a53390701c52e588069df9ef00bfd49
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 42F0BDB2210208ABCB08CF88DC94EEB77ADAF8C754F158248BA0D97240C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04729F2E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,04724B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04724B87,007A002E,00000000,00000060,00000000,00000000), ref: 04729F7D

Strings

.z`, xrefs: 04729F6D, 04729F78

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 14c266c5bc583661c2a097e4cb97278bf9d53eb33beb7ed058e1513c6fcda7ac
Instruction ID: 103820c8fa143e8fad3c94b3b1e2e707b9cf1a0e4b8bd91a9681cc9e86b0e218
Opcode Fuzzy Hash: 14c266c5bc583661c2a097e4cb97278bf9d53eb33beb7ed058e1513c6fcda7ac
Instruction Fuzzy Hash: 12F0E2B2614149ABCB08CFA8D994CEB77A9FF8C354B15864DFA1D93202D634E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04729FE0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(04724D42,5EB6522D,FFFFFFFF,04724A01,?,?,04724D42,?,04724A01,FFFFFFFF,5EB6522D,04724D42,?,00000000), ref: 0472A025

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 176e3d487a103108c92b8824ce4344b6d885245678e93c9210817660c8c251df
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F0F0A4B2210208ABDB14DF89DC94EEB77ADAF8C754F158248BA1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0472A10A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,04712D11,00002000,00003000,00000004), ref: 0472A149

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 288b619358dc1604251ee41a46a6c07d77510f438bb8813d71d7cd29326cdf38
Instruction ID: 037552a467ba6c315b6b8ea34f8d7697dd6dd6d9012bc47e5861f999b07bb625
Opcode Fuzzy Hash: 288b619358dc1604251ee41a46a6c07d77510f438bb8813d71d7cd29326cdf38
Instruction Fuzzy Hash: 3FF0F8B2610218AFDB14DF99CC84EE777ADEF88354F118659BA1897241D630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0472A110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,04712D11,00002000,00003000,00000004), ref: 0472A149

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: fa39b291978de5b7fd43c3cdd2a6f029a172e7ee2f92146d971ac9650b4c7779
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: D6F015B2210218ABDB14DF89CC80EAB77ADAF88654F118248BE0897241C630F811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0472A060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(04724D20,?,?,04724D20,00000000,FFFFFFFF), ref: 0472A085

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 870e58ba30604ecba23dba560f1f672ead0ab4fbdb50ad8b29a890afe8c389d3
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: D8D01776600214ABE710EB98CC89FA77BADEF48660F154599BA189B242C530FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04DE95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE95DA

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86b41222c7f6630afe78b51122e7153c14ab25a12bb6f0a01a074ad1fa469ee2
Instruction ID: df754de77f9e9a1e2cdae025d0dcecf94cd16973a4e44564104135734c398eef
Opcode Fuzzy Hash: 86b41222c7f6630afe78b51122e7153c14ab25a12bb6f0a01a074ad1fa469ee2
Instruction Fuzzy Hash: 519002A120200007611572594814616401B97E4245B53C021E20155A0DD565D8D17165

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE954A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce455bfdafd39d7d6cf93c7131c74d6029a667d852b6070de9932270a44364fa
Instruction ID: 2a4ae23954c9964d78c22a4fe7e1200b1f4c859de807eca0fa246b6b63466066
Opcode Fuzzy Hash: ce455bfdafd39d7d6cf93c7131c74d6029a667d852b6070de9932270a44364fa
Instruction Fuzzy Hash: 1D900265211000072115A6590B04507005797D9395353C021F2016560CE661D8A17161

Uniqueness

Uniqueness Score: -1.00%

Function 04DE96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE96DA

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d27a0c1a4ea3b1e6e9ad2526fb641c82f50f44c2d710f3524eb7a2fc08b1221d
Instruction ID: 72417c3ba5614affa8cc8f6d06dadac0c2065567325a8671dcfe4316538be91c
Opcode Fuzzy Hash: d27a0c1a4ea3b1e6e9ad2526fb641c82f50f44c2d710f3524eb7a2fc08b1221d
Instruction Fuzzy Hash: AC90027120100846F11062594804B46001697E4345F53C016A1125664D9655D8917561

Uniqueness

Uniqueness Score: -1.00%

Function 04DE96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE96EA

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 314a9523006a7e8cff023a2e74e0e71729e64e4e6a716b862e5358a8af665546
Instruction ID: 1f7d07984aad9c10c532441817074985f08ed230a2cdf0e18501e333ce4d01ef
Opcode Fuzzy Hash: 314a9523006a7e8cff023a2e74e0e71729e64e4e6a716b862e5358a8af665546
Instruction Fuzzy Hash: 6D90027120108806F1206259880474A001697D4345F57C411A5425668D96D5D8D17161

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE965A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a4b487a5f4ac4dbb5868f57fb45f63b965253943ec1a4367317948a68b50d6b
Instruction ID: 7acc13778ff4d16889f1e40173a7eeda9123d764870b7c29c00c65388152faf9
Opcode Fuzzy Hash: 0a4b487a5f4ac4dbb5868f57fb45f63b965253943ec1a4367317948a68b50d6b
Instruction Fuzzy Hash: 6690027120504846F15072594804A46002697D4349F53C011A10656A4DA665DD95B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE966A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1683d144e02d15d2fb342fadb37e359dbec0bccb391df9d7dd791e9b558747a6
Instruction ID: 0b40cf20fbb63802661c2596d7ac380c34d7de199d7277326c02957c78a2a0c6
Opcode Fuzzy Hash: 1683d144e02d15d2fb342fadb37e359dbec0bccb391df9d7dd791e9b558747a6
Instruction Fuzzy Hash: 8B90027120100806F1907259480464A001697D5345F93C015A1026664DDA55DA9977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE9FEA

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80a1ea6d05e4fe8056ea1fdb8af6dbb9008ada4f89ed4951f8d7b598bcbc8817
Instruction ID: 41d2a832ccbbd8776749efdd376c83869010a6cd3c5b9095bdb9adaf35d9112e
Opcode Fuzzy Hash: 80a1ea6d05e4fe8056ea1fdb8af6dbb9008ada4f89ed4951f8d7b598bcbc8817
Instruction Fuzzy Hash: 4290027131114406F12062598804706001697D5245F53C411A1825568D96D5D8D17162

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE978A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6611192d2a64458648d5bd37c462abe031d7a4c6357c05c2cc450071c55be64f
Instruction ID: b54723355b2d2e90532002450ba5d4642f9517b61a5ce8feb60e0f2f36543af5
Opcode Fuzzy Hash: 6611192d2a64458648d5bd37c462abe031d7a4c6357c05c2cc450071c55be64f
Instruction Fuzzy Hash: 4290026921300006F1907259580860A001697D5246F93D415A1016568CD955D8A97361

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE971A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ecccbfda50ba3d28335566e3e179b344a95ebfcc830a685b5097f9e6dce4113
Instruction ID: 4466fd4c20e15447032cca045d7d72a1bc1755a14ec7c9dc4b1663adddea6e27
Opcode Fuzzy Hash: 0ecccbfda50ba3d28335566e3e179b344a95ebfcc830a685b5097f9e6dce4113
Instruction Fuzzy Hash: F290027120100406F11066995808646001697E4345F53D011A6025565ED6A5D8D17171

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE984A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 088833894b3fc01151f8fcf776f98f074e63afa7e8d8001e91dc839e7925a941
Instruction ID: e9cb0c627a7abca14303ae8a5666ed3da0cedf32c21c70e6ac75e020f35652a5
Opcode Fuzzy Hash: 088833894b3fc01151f8fcf776f98f074e63afa7e8d8001e91dc839e7925a941
Instruction Fuzzy Hash: BB900261242041567555B25948045074017A7E4285793C012A2415960C9566E896F661

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE986A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2268443bdd72cc7d6cc7bd157fb7eb1d6721bab6468d84cb622015e3d5441c53
Instruction ID: da31e471f7eba5c6899194c68d7273bcea997d47641c59d75bbec56b0a462b55
Opcode Fuzzy Hash: 2268443bdd72cc7d6cc7bd157fb7eb1d6721bab6468d84cb622015e3d5441c53
Instruction Fuzzy Hash: FD90027120100417F12162594904707001A97D4285F93C412A1425568DA696D992B161

Uniqueness

Uniqueness Score: -1.00%

Function 04DE99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE99AA

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24c8147fe0ba0438bf1719285511d0992928235ffd6b62acb5f9e8f85a3ae2bc
Instruction ID: 365eda05a08fedfd7284df00400848a2b318328b8d33d7cbdeca1881fda4d7fd
Opcode Fuzzy Hash: 24c8147fe0ba0438bf1719285511d0992928235ffd6b62acb5f9e8f85a3ae2bc
Instruction Fuzzy Hash: EB9002A134100446F11062594814B060016D7E5345F53C015E2065564D9659DC927166

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE991A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 231106f4dfd863c2ab833a710916e08238e522d732ba9475b80dec3371f4a0b1
Instruction ID: 2080c48d30fdf69e092fb92e9a466dae9bc5830446c696942eab2b0e3a252afb
Opcode Fuzzy Hash: 231106f4dfd863c2ab833a710916e08238e522d732ba9475b80dec3371f4a0b1
Instruction Fuzzy Hash: 979002B120100406F15072594804746001697D4345F53C011A6065564E9699DDD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 04DE9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE9A5A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89b28f068e46c9d19465f48fe583fb7f51677bd1d4b71c355050ca315eeea420
Instruction ID: 1dca3cb19f157302c5aad078f22813918b5d4c0164c8635f3b0059b4551d7a6c
Opcode Fuzzy Hash: 89b28f068e46c9d19465f48fe583fb7f51677bd1d4b71c355050ca315eeea420
Instruction Fuzzy Hash: FA90026121180046F21066694C14B07001697D4347F53C115A1155564CD955D8A17561

Uniqueness

Uniqueness Score: -1.00%

Function 04728C50, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 04728CF8

Strings

net.dll, xrefs: 04728CC1, 04728D47, 04728D1F, 04728D2B, 04728D53
wininet.dll, xrefs: 04728CAE, 04728CB7

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 2f27d3785f9c9ed14e478611ba59b5c9531a1638d36851a0121c834de7aa521b
Instruction ID: eeeb8f4a83df86deed127687cd16bad83ec2d9d38fc9a2a0072424d8bd9599b4
Opcode Fuzzy Hash: 2f27d3785f9c9ed14e478611ba59b5c9531a1638d36851a0121c834de7aa521b
Instruction Fuzzy Hash: 9E31D2B2500254BBD724EF64C984FA7B7B8AB88700F00811DE6295B341D731B654CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04728C47, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 04728CF8

Strings

net.dll, xrefs: 04728CC1, 04728D1F, 04728D2B
wininet.dll, xrefs: 04728CAE, 04728CB7

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 7359e1a1690e5be34768f049a4629ffc2458799109e11b301a0a93ee18b9f1dd
Instruction ID: 77988d85147238957f3b4625f8ea6a230dc52bf1abf6423bc192081e4f507549
Opcode Fuzzy Hash: 7359e1a1690e5be34768f049a4629ffc2458799109e11b301a0a93ee18b9f1dd
Instruction Fuzzy Hash: 7D21C1B1600254BBD720EF68C9C5BABBBB4AB48704F10811DEA19AB341D771B594CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0472A233, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04713AF8), ref: 0472A26D

Strings

.z`, xrefs: 0472A25C, 0472A268

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 029cf1389ba33c2133370b483b841463e5c455477f55677a24796b263ac80209
Instruction ID: e259720f14968efccad4313e41abee48525eb68510d6a516788cf842efac5c47
Opcode Fuzzy Hash: 029cf1389ba33c2133370b483b841463e5c455477f55677a24796b263ac80209
Instruction Fuzzy Hash: EFE06D726002146BDB14EF58CC48EE7776DEF48750F114658FD1C9B341C631E941CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 0472A240, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04713AF8), ref: 0472A26D

Strings

.z`, xrefs: 0472A25C, 0472A268

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 4c737eacc636a69ebda909d15373e1f2899467a1c32b8c4946b93902991e59d0
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: A5E046B1610218ABDB18EF99CC48EA777ADEF88750F018658FE085B341C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 047182E8, Relevance: 3.1, APIs: 2, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0471834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0471836B

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1aff5a58c48f44b3b30f2ad7d5f4c48eb0707c4138cbebbfa78e54f523a4d7c0
Instruction ID: b0518902c9ab54ff768edd22d59deb758a027c42bd853b81a914bda385c676bb
Opcode Fuzzy Hash: 1aff5a58c48f44b3b30f2ad7d5f4c48eb0707c4138cbebbfa78e54f523a4d7c0
Instruction Fuzzy Hash: D801DD319802287BFB20EA58DD46FBE777CAF40B55F154015FF04BA2C0D6947A0547E1

Uniqueness

Uniqueness Score: -1.00%

Function 047182F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0471834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0471836B

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: da21c3352d2c5d1e9cbb8f90683f5c8b4db3c1cabdf29c5ef604bd67f1c16db5
Instruction ID: f054109e236fe3354f5eefb7e43b9138aa7d8e4bed14e6180880284c5f1f91c3
Opcode Fuzzy Hash: da21c3352d2c5d1e9cbb8f90683f5c8b4db3c1cabdf29c5ef604bd67f1c16db5
Instruction Fuzzy Hash: 3F01A731A802287BF721AA989D06FBE776C6B40B55F154118FF04BA2C0E6947A0946F6

Uniqueness

Uniqueness Score: -1.00%

Function 047182B9, Relevance: 3.0, APIs: 2, Instructions: 32threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0471834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0471836B

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ff49512e19f1104aaeffa615e20ab8f1ad5cb3b5309ec63e4a25cf2a51f62f07
Instruction ID: f94ebea06914d8af8182d5594e993812e377b47e0964ecf74c8924e979d5006e
Opcode Fuzzy Hash: ff49512e19f1104aaeffa615e20ab8f1ad5cb3b5309ec63e4a25cf2a51f62f07
Instruction Fuzzy Hash: 71E02631B8161875FB20694C9C03FBE7328AB80F11F6A412AFF08EA3D0E5D1750906F2

Uniqueness

Uniqueness Score: -1.00%

Function 0471ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0471AD42

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: 103cfc6e23e4d8eb1260bd74b621351833da2e553b3ad4daacac19545a680832
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: 2A011EB5D4020DBBEB10EAA4DD45F9DB3789B54208F008195E90897240F671F7588B91

Uniqueness

Uniqueness Score: -1.00%

Function 0472A2AD, Relevance: 1.5, APIs: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0472A304

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 843cfe55127c64177c08d7263dd4ca5bf83544a45ca2f9db41aa9c10fd736355
Instruction ID: 6eeb6625401ae2ffc8c86fb1ce19b9ea290b6ff76ca4eda0dd9ccc5aa9870310
Opcode Fuzzy Hash: 843cfe55127c64177c08d7263dd4ca5bf83544a45ca2f9db41aa9c10fd736355
Instruction Fuzzy Hash: AE01AFB2210108BFCB54CF99DC81EEB77AAAF8C354F158258FA0DE7640C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0472A2B0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0472A304

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: c93379bce0b3ec76049b99928f75a68e3c202e1f366d70516734e66ba4facf68
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 4C01AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04728D80, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0471F020,?,?,00000000), ref: 04728DBC

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d7c86ff53196b198f54fffdd85eac4c0c0409264eedc67dc686797d0038a0737
Instruction ID: f6330d499872599d924dc0f9ff0e84af914051d5b1ffeb5db566c2e612d031f0
Opcode Fuzzy Hash: d7c86ff53196b198f54fffdd85eac4c0c0409264eedc67dc686797d0038a0737
Instruction Fuzzy Hash: A4E06D337803143AE22065A9AC02FA7B29CCB95B25F55002AFA0DEA2C0D595F40142A5

Uniqueness

Uniqueness Score: -1.00%

Function 04728D76, Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0471F020,?,?,00000000), ref: 04728DBC

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: b2f8d1b084af568a8d5834ffd1ea1513c138cdb02c2154a06b958efeb003185c
Instruction ID: 2474795621692d6b1a8234ad6fc335631542a2df9807ba5deb49a2180f968120
Opcode Fuzzy Hash: b2f8d1b084af568a8d5834ffd1ea1513c138cdb02c2154a06b958efeb003185c
Instruction Fuzzy Hash: 0CF092727907103AF230A56C9D02FA777988BA9B20F550229F74DEB3C0D995B40286A9

Uniqueness

Uniqueness Score: -1.00%

Function 0471F6D1, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,04718CF4,?), ref: 0471F6CB

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: edf614bc0793255f5a8b21bcfe6f8edee5b5195d61ef57c19045084bc5dbcd6b
Instruction ID: 7bd3b478a033bca3958e4772a892fc75f8dc16915cb7fe7c0760a4d1eaf63305
Opcode Fuzzy Hash: edf614bc0793255f5a8b21bcfe6f8edee5b5195d61ef57c19045084bc5dbcd6b
Instruction Fuzzy Hash: 6FE026A56503002BE710AEA4AE56FA23356AB19305F080068F58CAA3DAD925E1004A60

Uniqueness

Uniqueness Score: -1.00%

Function 0472A200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(04724506,?,04724C7F,04724C7F,?,04724506,?,?,?,?,?,00000000,00000000,?), ref: 0472A22D

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: f6ebe37872fada044fb3f7476d30c46fe1fe57d48980cb91eb8fd75ee1b90eae
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: F2E046B1610218ABDB14EF99CC44EA777ADEF88654F118558FE085B341C630F911CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0472A3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0471F1A2,0471F1A2,?,00000000,?,?), ref: 0472A3D0

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 58ef22347055ef6a2baec80819d9cf08690099449e20b5526326a0819804441e
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: F1E01AB16002186BDB10DF49CC84EE737ADAF88650F018154BA0857241C930F8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0471F697, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,04718CF4,?), ref: 0471F6CB

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a611c0daef0a60226ddfef927446f9ff73f35b68afb6837b7d8b1d3618e32ca2
Instruction ID: 6f94b78ea8e8a4871ff22c7822c6f95446859ae52fbbef7b81d3c6ec30c22e42
Opcode Fuzzy Hash: a611c0daef0a60226ddfef927446f9ff73f35b68afb6837b7d8b1d3618e32ca2
Instruction Fuzzy Hash: C4D05E767903043BF724FFA4AE16F2A32866B59625F090069FA5DEB3D7DD60E1014560

Uniqueness

Uniqueness Score: -1.00%

Function 0471F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,04718CF4,?), ref: 0471F6CB

Memory Dump Source

Source File: 00000015.00000002.483795571.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction ID: 0b37701aab423a3b7234ad12970647607b2627b3a51a4a999573c18ee5414d2f
Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction Fuzzy Hash: 4AD0A7717A03043BF710FEA89C07F2632CD5B54B04F490064FA48D73D3D950F0004565

Uniqueness

Uniqueness Score: -1.00%

Function 04DE967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04DE9694

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3b56e1ad9629d9a4ab3cc8794b5040ecfea1a0759fe4238570a86c4e3310c07
Instruction ID: 49906b7e4c79ce8db300c584f1f445e50d44fd9a1df715579336234a520a68a4
Opcode Fuzzy Hash: c3b56e1ad9629d9a4ab3cc8794b5040ecfea1a0759fe4238570a86c4e3310c07
Instruction Fuzzy Hash: 48B09BB19024C5C9F721E7614A08727791177D4745F17C056D2030651A4778D0D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04E5B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 04E5B305
The instruction at %p tried to %s , xrefs: 04E5B4B6
*** then kb to get the faulting stack, xrefs: 04E5B51C
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04E5B38F
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 04E5B323
<unknown>, xrefs: 04E5B27E, 04E5B2D1, 04E5B350, 04E5B399, 04E5B417, 04E5B48E
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 04E5B47D
This failed because of error %Ix., xrefs: 04E5B446
a NULL pointer, xrefs: 04E5B4E0
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 04E5B2DC
*** Inpage error in %ws:%s, xrefs: 04E5B418
*** A stack buffer overrun occurred in %ws:%s, xrefs: 04E5B2F3
*** An Access Violation occurred in %ws:%s, xrefs: 04E5B48F
Go determine why that thread has not released the critical section., xrefs: 04E5B3C5
*** Resource timeout (%p) in %ws:%s, xrefs: 04E5B352
*** enter .exr %p for the exception record, xrefs: 04E5B4F1
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 04E5B476
*** enter .cxr %p for the context, xrefs: 04E5B50D
read from, xrefs: 04E5B4AD, 04E5B4B2
write to, xrefs: 04E5B4A6
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 04E5B314
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04E5B3D6
The resource is owned exclusively by thread %p, xrefs: 04E5B374
The instruction at %p referenced memory at %p., xrefs: 04E5B432
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 04E5B53F
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 04E5B39B
The resource is owned shared by %d threads, xrefs: 04E5B37E
an invalid address, %p, xrefs: 04E5B4CF
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 04E5B484
The critical section is owned by thread %p., xrefs: 04E5B3B9

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: b41a3a56476afe94f145f8199933e1e68ce64cbf22c4516693cc2ef43f8ec497
Instruction ID: 49cf8d999b00c2b0b788b513e9b43e93afc8833c6c056f111f8df66a6bd52f9c
Opcode Fuzzy Hash: b41a3a56476afe94f145f8199933e1e68ce64cbf22c4516693cc2ef43f8ec497
Instruction Fuzzy Hash: 9381F535A00210FFEF265F059C4AD7B3B77AF46B5AF445044F904AB262E3A1B911DB72

Uniqueness

Uniqueness Score: -1.00%

Function 04E61C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04E61C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x4d848a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04DAB150();
				} else {
					E04DAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x4e9589c);
				E04DAB150("Heap error detected at %p (heap handle %p)\n",  *0x4e958a0);
				_t27 =  *0x4e95898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M04E61E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04DAB150();
				} else {
					E04DAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E04DAB150("Error code: %d - %s\n",  *0x4e95898);
				_t113 =  *0x4e958a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04DAB150();
					} else {
						E04DAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04DAB150("Parameter1: %p\n",  *0x4e958a4);
				}
				_t115 =  *0x4e958a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04DAB150();
					} else {
						E04DAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04DAB150("Parameter2: %p\n",  *0x4e958a8);
				}
				_t117 =  *0x4e958ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04DAB150();
					} else {
						E04DAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04DAB150("Parameter3: %p\n",  *0x4e958ac);
				}
				_t119 =  *0x4e958b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04DAB150();
					} else {
						E04DAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x4e958b4);
					E04DAB150("Last known valid blocks: before - %p, after - %p\n",  *0x4e958b0);
				} else {
					_t120 =  *0x4e958b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04DAB150();
				} else {
					E04DAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E04DAB150("Stack trace available at %p\n", 0x4e958c0);
			}

0x04e61c10
0x04e61c16
0x04e61c1e
0x04e61c3d
0x04e61c3e
0x04e61c20
0x04e61c35
0x04e61c3a
0x04e61c44
0x04e61c55
0x04e61c5a
0x04e61c65
0x04e61c67
0x00000000
0x04e61c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04e61c67
0x04e61cdc
0x04e61ce5
0x04e61d04
0x04e61d05
0x04e61ce7
0x04e61cfc
0x04e61d01
0x04e61d0b
0x04e61d17
0x04e61d1f
0x04e61d25
0x04e61d30
0x04e61d4f
0x04e61d50
0x04e61d32
0x04e61d47
0x04e61d4c
0x04e61d61
0x04e61d67
0x04e61d68
0x04e61d6e
0x04e61d79
0x04e61d98
0x04e61d99
0x04e61d7b
0x04e61d90
0x04e61d95
0x04e61daa
0x04e61db0
0x04e61db1
0x04e61db7
0x04e61dc2
0x04e61de1
0x04e61de2
0x04e61dc4
0x04e61dd9
0x04e61dde
0x04e61df3
0x04e61df9
0x04e61dfa
0x04e61e00
0x04e61e0a
0x04e61e13
0x04e61e32
0x04e61e33
0x04e61e15
0x04e61e2a
0x04e61e2f
0x04e61e39
0x04e61e4a
0x04e61e02
0x04e61e02
0x04e61e08
0x00000000
0x00000000
0x04e61e08
0x04e61e5b
0x04e61e7a
0x04e61e7b
0x04e61e5d
0x04e61e72
0x04e61e77
0x04e61e95

Strings

heap_failure_listentry_corruption, xrefs: 04E61CD0
heap_failure_virtual_block_corruption, xrefs: 04E61C91
heap_failure_block_not_busy, xrefs: 04E61CA6
HEAP: , xrefs: 04E61C16, 04E61C3D, 04E61D04, 04E61D4F, 04E61D98, 04E61DE1, 04E61E32, 04E61E7A
heap_failure_buffer_underrun, xrefs: 04E61C9F
heap_failure_usage_after_free, xrefs: 04E61CBB
heap_failure_unknown, xrefs: 04E61C75
heap_failure_invalid_argument, xrefs: 04E61CAD
heap_failure_entry_corruption, xrefs: 04E61C83
heap_failure_invalid_allocation_type, xrefs: 04E61CB4
Parameter3: %p, xrefs: 04E61DEE
heap_failure_freelists_corruption, xrefs: 04E61CC9
heap_failure_generic, xrefs: 04E61C7C
HEAP[%wZ]: , xrefs: 04E61C30, 04E61CF7, 04E61D42, 04E61D8B, 04E61DD4, 04E61E25, 04E61E6D
heap_failure_buffer_overrun, xrefs: 04E61C98
heap_failure_multiple_entries_corruption, xrefs: 04E61C8A
Stack trace available at %p, xrefs: 04E61E86
Heap error detected at %p (heap handle %p), xrefs: 04E61C50
heap_failure_cross_heap_operation, xrefs: 04E61CC2
Parameter2: %p, xrefs: 04E61DA5
Last known valid blocks: before - %p, after - %p, xrefs: 04E61E45
Parameter1: %p, xrefs: 04E61D5C
heap_failure_lfh_bitmap_mismatch, xrefs: 04E61CD7
heap_failure_internal, xrefs: 04E61C6E
Error code: %d - %s, xrefs: 04E61D12

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: d69bb5589ae12188fad5707aa9374152e0f48e1cf15d09f142724d0171b9906a
Instruction ID: 9250b5a664e05194527c0f7153c163f822b189564b472406f4e32fc491091826
Opcode Fuzzy Hash: d69bb5589ae12188fad5707aa9374152e0f48e1cf15d09f142724d0171b9906a
Instruction Fuzzy Hash: D161C333A91144EFE717EB45D488A24B3E4EB04A75F09846BF50EAB381DA34FC51CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 04DB3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04DB3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E04DB1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E04DB1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E04DB1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E04DB1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E04DB1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L04DC4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E04DEF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E04DF1370(_t276, 0x4d84e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E04DEBB40(0,  &_v68, _t170);
									if(L04DB43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E04DEBB40(_t257,  &_v68, _t243);
								if(L04DB43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E04DF1370(_t278, 0x4d84e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L04DC4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E04DEF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E04DF1370(_v16, 0x4d84e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E04DEBB40(_t262,  &_v68, _t244);
								if(L04DB43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E04DF1370(_t282, 0x4d84e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E04DEBB40(_t262,  &_v68, _t201);
							if(L04DB43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L04DC4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E04DEF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E04DF1370(_t280, 0x4d84e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E04DEBB40(_t267,  &_v68, _t245);
							if(L04DB43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E04DF1370(_t284, 0x4d84e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E04DEBB40(_t267,  &_v68, _t224);
						if(L04DB43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x04db3d3c
0x04db3d42
0x04db3d44
0x04db3d46
0x04db3d49
0x04db3d4c
0x04db3d4f
0x04db3d52
0x04db3d55
0x04db3d58
0x04db3d5b
0x04db3d5f
0x04db3d61
0x04db3d66
0x04e08213
0x04e08218
0x04db4085
0x04db4088
0x04db408e
0x04db4094
0x04db409a
0x04db40a0
0x04db40a6
0x04db40a9
0x04db40af
0x04db40b6
0x04db40bd
0x04db40bd
0x04db3d83
0x04e0821f
0x04e08229
0x04e08238
0x04e08238
0x04e0823d
0x04e0823d
0x04db3da0
0x04db3daf
0x04db3db5
0x04db3dba
0x04db3dba
0x04db3dd4
0x04db3e94
0x04db3eab
0x04db3f6d
0x04db3f84
0x04db406b
0x04db406b
0x04db406e
0x04db406e
0x04db4070
0x04db4074
0x04e08351
0x04e08351
0x04db407a
0x04db407f
0x04e0835d
0x04e08370
0x04e08377
0x04e08379
0x04e0837c
0x04e0837c
0x04e0835d
0x00000000
0x04db407f
0x04db3f8a
0x04db3f8d
0x04db3f90
0x04db3f95
0x04e0830d
0x04e0830f
0x04db3f9b
0x04db3fac
0x04db3fae
0x04db3fb1
0x04db3fb1
0x04db3fb6
0x04e08317
0x04e0831a
0x00000000
0x04db3fbc
0x04db3fc1
0x04db3fc9
0x04db3fd7
0x04db3fda
0x04db3fdd
0x04db4021
0x04db4021
0x04db4029
0x04db4030
0x04db4044
0x04db4046
0x04db4046
0x04db4044
0x04db4049
0x04e08327
0x04e08334
0x04e08339
0x04e0833c
0x04db404f
0x04db404f
0x04db404f
0x04db4051
0x04db4056
0x04db4063
0x04db4063
0x04db4068
0x00000000
0x04db4068
0x04db3fdf
0x04db3fe2
0x04db3fe4
0x04db3fe7
0x04db3fef
0x04db4003
0x04db4005
0x04db4005
0x04db400c
0x04db4013
0x04db4016
0x04db4017
0x04db401b
0x04db401e
0x00000000
0x04db401e
0x04db3fb6
0x04db3eb1
0x04db3eb4
0x04db3eb7
0x04db3ebc
0x04e082a9
0x04e082ab
0x04db3ec2
0x04db3ed3
0x04db3ed5
0x04db3ed8
0x04db3ed8
0x04db3edd
0x04e082b3
0x04e082b6
0x00000000
0x04db3ee3
0x04db3ee8
0x04db3eed
0x04db3ef0
0x04db3ef3
0x04db3f02
0x04db3f05
0x04db3f08
0x04e082c0
0x04e082c3
0x04e082c5
0x04e082c8
0x04e082d0
0x04e082e4
0x04e082e6
0x04e082e6
0x04e082ed
0x04e082f4
0x04e082f7
0x04e082f8
0x04e082fc
0x04e082ff
0x04e082ff
0x04db3f0e
0x04db3f11
0x04db3f16
0x04db3f1d
0x04db3f31
0x04e08307
0x04e08307
0x04db3f31
0x04db3f39
0x04db3f48
0x04db3f4d
0x04db3f50
0x04db3f50
0x04db3f53
0x04db3f58
0x04db3f65
0x04db3f65
0x04db3f6a
0x00000000
0x04db3f6a
0x04db3edd
0x04db3dda
0x04db3ddd
0x04db3de0
0x04db3de5
0x04e08245
0x04db3deb
0x04db3df7
0x04db3dfc
0x04db3dfe
0x04db3e01
0x04db3e01
0x04db3e06
0x04e0824d
0x04e0824f
0x04e08254
0x00000000
0x04db3e0c
0x04db3e11
0x04db3e16
0x04db3e19
0x04db3e29
0x04db3e2c
0x04db3e2f
0x04e0825c
0x04e0825f
0x04e08261
0x04e08264
0x04e0826c
0x04e08280
0x04e08282
0x04e08282
0x04e08289
0x04e08290
0x04e08293
0x04e08294
0x04e08298
0x04e0829b
0x04e0829b
0x04db3e35
0x04db3e38
0x04db3e3d
0x04db3e44
0x04db3e58
0x04e082a3
0x04e082a3
0x04db3e58
0x04db3e60
0x04db3e6f
0x04db3e74
0x04db3e77
0x04db3e77
0x04db3e7a
0x04db3e7f
0x04db3e8c
0x04db3e8c
0x04db3e91
0x00000000
0x04db3e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 04DB3DC0
Kernel-MUI-Language-SKU, xrefs: 04DB3F70
Kernel-MUI-Number-Allowed, xrefs: 04DB3D8C
Kernel-MUI-Language-Disallowed, xrefs: 04DB3E97
WindowsExcludedProcs, xrefs: 04DB3D6F

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: e4f10a44b28879259f1ac83b170e3dcc79609b082b4d699f0794f48be2db04b8
Instruction ID: 0087174655d86b568fad82bb8ca9d3eaa4580b10d71c01e29f3d2d5912316703
Opcode Fuzzy Hash: e4f10a44b28879259f1ac83b170e3dcc79609b082b4d699f0794f48be2db04b8
Instruction Fuzzy Hash: F4F15E72E00619EFDB11DF98C940AEEBBB9FF48754F15415AE946A7251E730AE00CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04DA40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E04DA40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E04DAB150();
					} else {
						E04DAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04DAB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E04DAB150(", passed to %s", _t29);
					}
					_push("\n");
					E04DAB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x4e96378 = 1;
						asm("int3");
						 *0x4e96378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x04da40e6
0x04da40e8
0x04da40f1
0x04e0042d
0x04e0044c
0x04e00451
0x04e0042f
0x04e00444
0x04e00449
0x04e0045d
0x04e00466
0x04e0046e
0x04e00474
0x04e00475
0x04e0047a
0x04e0048a
0x04e0048c
0x04e00493
0x04e00494
0x04e00494
0x00000000
0x04e0049b
0x00000000

Strings

Invalid heap signature for heap at %p, xrefs: 04E00458
HEAP: , xrefs: 04E0044C
HEAP[%wZ]: , xrefs: 04E0043F
RtlAllocateHeap, xrefs: 04E00468
, passed to %s, xrefs: 04E00469

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 0dc5f779cdb7e4cc168253ddf22fef5d4bf33b14a8f51ad96af97b3aa24326d5
Instruction ID: 7491c92281b7318fd380e1913bde20abfef5eddf7c8285e2758d51e52df5e3f3
Opcode Fuzzy Hash: 0dc5f779cdb7e4cc168253ddf22fef5d4bf33b14a8f51ad96af97b3aa24326d5
Instruction Fuzzy Hash: 2F0128323012409FE325AB64F44DF6677E4DB40B38F19802FF0094B6829AA8F895C524

Uniqueness

Uniqueness Score: -1.00%

Function 04DD8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04DD8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x4e9d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x4e98464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x4e95780 & 0x00000003) != 0) {
							E04E25510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x4e95780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E04DEB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x4e97984; // 0x422ac8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x4e98464; // 0x74b10110
					 *0x4e9b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E04DD9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x4e95780 & 0x00000005) != 0) {
						_push(_t49);
						E04E25510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x04dd8e0f
0x04dd8e16
0x04dd8e19
0x04dd8e1b
0x04dd8e21
0x04dd8e7f
0x04dd8e85
0x04e19354
0x04e1936c
0x04e19371
0x04e1937b
0x04e19381
0x04e19381
0x04e1937b
0x04dd8e9d
0x04dd8e9d
0x04dd8e29
0x04dd8e2c
0x04dd8e38
0x04dd8e3e
0x04dd8e43
0x04dd8eb5
0x04dd8eb9
0x04e192aa
0x04e192af
0x04e192e8
0x04e192e8
0x04e192af
0x04dd8eb9
0x04dd8e45
0x04dd8e53
0x04dd8e5b
0x04dd8e5f
0x04dd8e78
0x04dd8e78
0x04dd8e7d
0x04dd8ec3
0x04dd8ecd
0x04dd8ed2
0x04dd8ed2
0x04dd8ec5
0x04dd8ec5
0x00000000
0x04dd8e7d
0x04dd8e67
0x04dd8ea4
0x04e1931a
0x00000000
0x00000000
0x04e19320
0x04dd8ea4
0x04dd8e70
0x04e19325
0x04e19340
0x04e19345
0x04e19345
0x04dd8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 04E1933B, 04E19367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 04E1932A
LdrpFindDllActivationContext, xrefs: 04E19331, 04E1935D
Querying the active activation context failed with status 0x%08lx, xrefs: 04E19357

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 08e42daa815be7044fd404f7713fde6ced268c72789e2c9a9fc9c25c8f177d39
Instruction ID: 7c8da442bf0c0b3a2c20d21e5890bc9bbffd5990734eecd9d6f0473c18cfd0a4
Opcode Fuzzy Hash: 08e42daa815be7044fd404f7713fde6ced268c72789e2c9a9fc9c25c8f177d39
Instruction Fuzzy Hash: F0412832A40315AFDB27BF098889A79B374FB00304F06456AF424570A1EB72BD80EFC1

Uniqueness

Uniqueness Score: -1.00%

Function 04DB8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E04DB8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E04DB934A() != 0) {
								_t159 = E04E2A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x4e95780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E04E25510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x4e95780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E04DB849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E04DB8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E04DB8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x4e95c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x4e95c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E04DC2280(_t92, 0x4e986cc);
															_t94 = E04E79DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E04DD61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x4e95c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E04DB8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x4e95c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x4e95c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E04DEF380(_t136, 0x4d81184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E04DC2280(_t108, 0x4e986cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E04DD61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E04E79D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E04DBFFB0(_t118, _t156, 0x4e986cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E04DE9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x04db8799
0x04db879d
0x04db87a1
0x04db87a3
0x04db87a8
0x04db87c3
0x04db87c3
0x04db87c8
0x04db87d1
0x04db87d4
0x04db87d8
0x04db87e5
0x04db87ec
0x04e09bfe
0x04e09c00
0x04e09c02
0x04e09c08
0x04e09c0d
0x04e09c0f
0x04e09c14
0x04e09c2d
0x04e09c32
0x04e09c37
0x04e09c3a
0x04e09c3c
0x04e09c42
0x04e09c42
0x04e09c3c
0x04e09c02
0x04db87da
0x04db87df
0x04db87e3
0x00000000
0x00000000
0x04db87e3
0x04db87f2
0x00000000
0x04db87fb
0x04db87fd
0x04db87fe
0x04db880e
0x04db880f
0x04db8810
0x04db8814
0x04db881a
0x04db881c
0x04db881f
0x04db8821
0x04db8822
0x04db8824
0x04db8826
0x04db882c
0x04db882e
0x04e09c48
0x04e09c48
0x04db8834
0x04db8834
0x04db8837
0x00000000
0x00000000
0x04db8837
0x04db882e
0x04db883d
0x04db8840
0x04db8843
0x04db8846
0x04db8849
0x04db884c
0x04db884e
0x04db8850
0x04db8852
0x04db8854
0x04db8857
0x04db88b4
0x04db88b6
0x04db88b6
0x04db8859
0x04db8859
0x04db8859
0x04db8861
0x04db8866
0x04db886a
0x04db893d
0x04db8941
0x00000000
0x04db8947
0x04db8947
0x04db894a
0x04db894c
0x00000000
0x04db8952
0x04db8955
0x04db895a
0x04db895d
0x04db895d
0x04db895f
0x04db8961
0x04db8961
0x04db8968
0x00000000
0x00000000
0x04db896a
0x04db896b
0x04db896e
0x00000000
0x04db8970
0x04db8970
0x04db8970
0x04db8970
0x04db8972
0x04db8972
0x04db8974
0x00000000
0x04db897a
0x04db897a
0x04db897d
0x00000000
0x04db8983
0x04e09c65
0x04e09c6d
0x04e09c72
0x04e09c75
0x04e09c75
0x04e09c82
0x04e09c86
0x04e09c87
0x04e09c88
0x04e09c89
0x04e09c8c
0x04e09c90
0x04e09c95
0x04e09c97
0x04e09ca0
0x04e09ca3
0x04e09ca9
0x04e09ca9
0x00000000
0x04e09ca9
0x04e09ca3
0x00000000
0x04e09c97
0x04db897d
0x00000000
0x04db8974
0x04db8988
0x04db8992
0x04db8996
0x00000000
0x04db8996
0x04db894c
0x00000000
0x04db8870
0x04db887b
0x04db887d
0x04db887f
0x04db8881
0x04db8884
0x04db8884
0x04db8886
0x04db8889
0x04db888c
0x04db888e
0x04db8891
0x04db8891
0x04db8898
0x00000000
0x00000000
0x04db889a
0x04db889b
0x04db889e
0x00000000
0x00000000
0x04db88a0
0x04db88a8
0x04db88b0
0x04db88b2
0x04db88d3
0x04db88d5
0x00000000
0x04db88d7
0x04db88db
0x04db88dc
0x04db88e0
0x04db88e8
0x04db88ee
0x04db88f0
0x04db88f3
0x04db88fc
0x04db8901
0x04db8906
0x04db890c
0x04db890c
0x04db890f
0x04db8916
0x04db8917
0x04db8918
0x04db8919
0x04db891a
0x04db891f
0x04db8921
0x04e09c52
0x04e09c55
0x04e09c5b
0x04e09cac
0x04e09cc0
0x04e09cc0
0x04e09c55
0x04db8927
0x04db8927
0x04db892f
0x04db8933
0x00000000
0x04db88f5
0x04db88f5
0x00000000
0x04db88f7
0x04db88f7
0x04db88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x04db88fa
0x04db88f5
0x04db88f3
0x00000000
0x04db88d5
0x00000000
0x04db88b2
0x04db88c9
0x00000000
0x04db88c9
0x04db887f
0x04db886a
0x04db8857
0x04db8852
0x04db88bf
0x04db88bf
0x04db87aa
0x04db87ad
0x04db87ae
0x04db87b4
0x04db87b5
0x04db87b6
0x04db87b8
0x04db87bd
0x04db87c1
0x04db87f4
0x04db87fa
0x00000000
0x00000000
0x00000000
0x04db87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 04E09C18
minkernel\ntdll\ldrsnap.c, xrefs: 04E09C28
LdrpDoPostSnapWork, xrefs: 04E09C1E

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 679759fe42fe7d61299adf6351cfb0f2e6fd04045ba9ad872f834b635041d734
Instruction ID: 5a4f790ed106693341ae7a29f91859a9810b01cedddd857a6a0e81719f1c3046
Opcode Fuzzy Hash: 679759fe42fe7d61299adf6351cfb0f2e6fd04045ba9ad872f834b635041d734
Instruction Fuzzy Hash: A291C371A00216EBDF18EF59D4809FAB3B9FF45358B1441A9E986AB241EB30FD41DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E04DB7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E04DBCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E04DAC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x4e95780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E04E25510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x4e95780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E04DC7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04DC7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E04E27016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E04DC7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04DC7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E04E27016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E04DDA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E04DAB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x04db7e4c
0x04db7e50
0x04db7e55
0x04db7e58
0x04db7e5d
0x04db7e71
0x04db7f33
0x04db7e77
0x04db7e77
0x04db7e79
0x04db7e79
0x04db7e7e
0x04db7f45
0x04e09848
0x00000000
0x04e09848
0x04db7f4e
0x04db7f53
0x04db7f5a
0x00000000
0x00000000
0x04e0985a
0x04e09862
0x04e09866
0x00000000
0x04e0986c
0x00000000
0x04e0986c
0x04db7e84
0x04db7e84
0x04db7e8d
0x04e09871
0x04db7eb8
0x04db7ec0
0x04db7ec0
0x04db7e9a
0x04e0987e
0x00000000
0x00000000
0x04e09884
0x04e0988b
0x04e098a7
0x04e098ac
0x04e098b1
0x04e098b6
0x04e098b8
0x04e098b8
0x04e098b9
0x00000000
0x04e098b9
0x04db7ea0
0x04db7ea7
0x00000000
0x00000000
0x04db7eac
0x04db7eb1
0x04db7ec6
0x04db7ed0
0x04e098cc
0x04db7ed6
0x04db7ed6
0x04db7ed6
0x04db7ede
0x04db7ee3
0x04e098e3
0x04e098f0
0x04e09902
0x04e098f2
0x04e098fb
0x04e098fb
0x04e09907
0x04e0991d
0x04e0991d
0x04e09907
0x04e098e3
0x04db7ef0
0x04db7f14
0x04db7f14
0x04db7f1e
0x04e09946
0x04db7f24
0x04db7f24
0x04db7f24
0x04db7f2c
0x04e0996a
0x04e09975
0x04e09975
0x04e0997e
0x04e09993
0x04e09993
0x04e0997e
0x00000000
0x04db7ef2
0x04db7efc
0x04db7f0a
0x04db7f0e
0x04e09933
0x00000000
0x04e09933
0x00000000
0x04db7f0e
0x00000000
0x00000000
0x00000000
0x04db7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 04E09891
LdrpCompleteMapModule, xrefs: 04E09898
minkernel\ntdll\ldrmap.c, xrefs: 04E098A2

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 1bbddf5e16dbe87f5bdb3fa256314371cdade0ab5ad68d13fa219b5b189792f7
Instruction ID: 4920a50371e9847505a3171d80eef2c20097ed892611eef64e8a14b0f96f7c44
Opcode Fuzzy Hash: 1bbddf5e16dbe87f5bdb3fa256314371cdade0ab5ad68d13fa219b5b189792f7
Instruction Fuzzy Hash: E551CE71600746DBE721CF68C984BAAB7A4FF84318F444559E9A29B3D2D774FD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DAE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04DAE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E04DAF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E04DE95D0();
						}
						if(_t78 != 0) {
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E04DEFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E04DEBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E04DE9600();
					if(_t97 < 0) {
						goto L6;
					}
					E04DEBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L04DAF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E04DEBB40(_t83, _t102 + 0x24, _t78);
								if(L04DB43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E04DEBB40(_t84, _t102 + 0x24, _t94);
									if(L04DB43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x04dae620
0x04dae628
0x04dae62f
0x04dae631
0x04dae635
0x04dae637
0x04dae63e
0x04e05503
0x04e05503
0x04dae64c
0x04dae64c
0x04dae651
0x00000000
0x00000000
0x04dae661
0x04dae665
0x04e0542a
0x04dae715
0x04dae71a
0x04dae71c
0x04dae720
0x04dae720
0x04dae727
0x04dae736
0x04dae736
0x04dae743
0x04dae743
0x04dae673
0x04dae678
0x04dae67d
0x04dae682
0x04dae685
0x04dae692
0x04dae69b
0x04dae6a3
0x04dae6ad
0x04dae6b1
0x04dae6b2
0x04dae6bb
0x04dae6bf
0x04dae6c0
0x04dae6c8
0x04dae6cc
0x04dae6d5
0x04dae6d9
0x00000000
0x00000000
0x04dae6e5
0x04dae6ea
0x04dae6f9
0x04dae70b
0x04dae70f
0x04e05439
0x04e0545e
0x04e0545e
0x00000000
0x04e0545e
0x04e0543b
0x04e0543e
0x04e05440
0x04e05445
0x04e05472
0x04e05475
0x04e0548d
0x04e05493
0x04e054a9
0x00000000
0x00000000
0x04e054ab
0x04e054b4
0x04e054bc
0x04e054c8
0x04e054de
0x04e054fb
0x04e054e0
0x04e054e6
0x04e054eb
0x04e054eb
0x04e054de
0x00000000
0x04e054bc
0x04e05477
0x04e0547a
0x04e05480
0x04e05483
0x04e05486
0x04e0548b
0x00000000
0x00000000
0x00000000
0x04e0548b
0x00000000
0x00000000
0x00000000
0x00000000
0x04e05447
0x04e05447
0x04e05447
0x04e05447
0x04e0544e
0x00000000
0x00000000
0x04e05450
0x04e05452
0x04e05455
0x04e0545a
0x00000000
0x00000000
0x00000000
0x04e0545c
0x04e0546a
0x04e0546d
0x04e0546f
0x00000000
0x04e0546f
0x04dae70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 04DAE68C
InstallLanguageFallback, xrefs: 04DAE6DB
@, xrefs: 04DAE6C0

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 4f3ea751fcad14ca78da767b1888e8cea39728bcddd4bfe3d7c8b29ed3fe2cdf
Instruction ID: da02318748727f9ae5bde911e5e0f507733230edc7e32e9f9b5b33a53e51c614
Opcode Fuzzy Hash: 4f3ea751fcad14ca78da767b1888e8cea39728bcddd4bfe3d7c8b29ed3fe2cdf
Instruction Fuzzy Hash: A6518F71604356ABD714EF64C440ABBB3E8EF88718F05492EF995D7290F734EA44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DBD5E0, Relevance: 2.9, Strings: 2, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E04DBD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x4e9d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E04DB6600(0x4e952d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x4e97b9c; // 0x0
							_t281 = L04DC4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E04DEF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x4e97b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x4e97b8c; // 0x4229e0
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0x422a90
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E04DC2280(_t200, 0x4e984d8);
									_t277 =  *0x4e985f4; // 0x423228
									_t351 =  *0x4e985f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x75110000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0x423270
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0x4231c0
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0x423270
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0x423ac0
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E04DBFFB0(_t287, _t353, 0x4e984d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E04DFCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E04DB6600(0x4e952d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E04DB7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x4e9b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E04E2E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x4e98472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x4e9b218; // 0x0
														asm("ror edi, cl");
														 *0x4e9b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E04DC2280(_t250, 0x4e984d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L04DE3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E04DBFFB0(_t293, _t353, 0x4e984d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E04DE37F5(_t353, 0);
																}
																E04DE0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E04DD9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E04DD02D6(_t174);
																}
																L04DC77F0( *0x4e97b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E04DDC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L04DBEC7F(_t353);
										L04DD19B8(_t287, 0, _t353, 0);
										_t200 = E04DAF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E04DEB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x4e9b2f8; // 0x610000
									if((_t206 |  *0x4e9b2fc) == 0 || ( *0x4e9b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x4e9b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E04E56B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E04E56AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E04DBE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L04DBEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E04DE9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E04DBE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L04DB8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E04DE3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x04dbd5f2
0x04dbd5f5
0x04dbd5f5
0x04dbd5fd
0x04dbd600
0x04dbd60a
0x04dbd60d
0x04dbd617
0x04dbd61d
0x04dbd627
0x04dbd62e
0x04dbd911
0x04dbd913
0x00000000
0x04dbd919
0x04dbd919
0x04dbd919
0x04dbd634
0x04dbd634
0x04dbd634
0x04dbd634
0x04dbd640
0x04dbd8bf
0x00000000
0x04dbd646
0x04dbd646
0x04dbd64d
0x04dbd652
0x04e0b2fc
0x04e0b2fc
0x04e0b302
0x04e0b33b
0x04e0b341
0x00000000
0x04e0b304
0x04e0b304
0x04e0b319
0x04e0b31e
0x04e0b324
0x04e0b326
0x04e0b332
0x04e0b347
0x04e0b34c
0x04e0b351
0x04e0b35a
0x00000000
0x04e0b328
0x04e0b328
0x00000000
0x04e0b328
0x04e0b326
0x04dbd658
0x04dbd658
0x04dbd65b
0x04dbd665
0x00000000
0x04dbd66b
0x04dbd66b
0x04dbd66b
0x04dbd66b
0x04dbd66d
0x04dbd672
0x04dbd67a
0x00000000
0x00000000
0x04dbd680
0x04dbd686
0x04dbd8ce
0x04dbd8d4
0x04dbd8da
0x04dbd8dd
0x04dbd8dd
0x04dbd8e0
0x04dbd68c
0x04dbd691
0x04dbd69d
0x04dbd6a2
0x04dbd6a7
0x04dbd6b0
0x04dbd6b0
0x04dbd6b5
0x04dbd6e0
0x04dbd6b7
0x04dbd6b7
0x04dbd6b9
0x04dbd6b9
0x04dbd6bb
0x04dbd6bd
0x04dbd6ce
0x04dbd6d0
0x04dbd6d2
0x04e0b363
0x04e0b365
0x00000000
0x04e0b36b
0x00000000
0x04e0b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04dbd6bf
0x04dbd6bf
0x04dbd6e5
0x04dbd6e7
0x04dbd6e9
0x04dbd6e9
0x04dbd6ec
0x04dbd6ec
0x04dbd6ef
0x04dbd6f5
0x04dbd6f9
0x04dbd6fb
0x04dbd6fd
0x04dbd701
0x04dbd703
0x04dbd70a
0x04dbd70a
0x04dbd70a
0x04dbd701
0x04dbd70d
0x04dbd710
0x04dbd710
0x04dbd6c1
0x04dbd6c1
0x04dbd6c1
0x04dbd6c6
0x04e0b36d
0x04e0b36f
0x00000000
0x04e0b375
0x04e0b375
0x04e0b375
0x00000000
0x04e0b375
0x00000000
0x04dbd6cc
0x04dbd6d8
0x04dbd6d8
0x04dbd6d8
0x00000000
0x04dbd6c6
0x04dbd6bf
0x00000000
0x04dbd6da
0x04dbd6da
0x04dbd716
0x04dbd71b
0x04dbd720
0x04dbd726
0x04dbd726
0x04dbd72d
0x00000000
0x04dbd733
0x04dbd739
0x04dbd742
0x04dbd750
0x04dbd758
0x04dbd764
0x04dbd776
0x04dbd77a
0x04dbd783
0x04dbd928
0x04dbd92c
0x04dbd93d
0x04dbd944
0x04dbd94f
0x04dbd954
0x04dbd956
0x04dbd95f
0x04dbd961
0x04dbd973
0x04dbd973
0x04dbd956
0x04dbd944
0x04dbd92c
0x04dbd78b
0x04e0b394
0x04dbd791
0x04dbd798
0x04e0b3a3
0x04e0b3bb
0x04e0b3bb
0x04dbd7a5
0x04dbd866
0x04dbd870
0x04dbd884
0x04dbd892
0x04dbd898
0x04dbd89e
0x04dbd8a0
0x04dbd8a6
0x04dbd8ac
0x04dbd8ae
0x04dbd8b4
0x04dbd8b4
0x04dbd8ae
0x04dbd7a5
0x04dbd78b
0x04dbd7b1
0x04e0b3c5
0x04e0b3c5
0x04dbd7c3
0x04dbd7ca
0x04dbd7e5
0x04dbd7eb
0x04dbd8eb
0x04dbd8ed
0x00000000
0x04dbd8f3
0x04dbd8f3
0x04dbd8f3
0x00000000
0x04dbd8ed
0x04dbd7cc
0x04dbd7cc
0x04dbd7d2
0x00000000
0x04dbd7d4
0x04dbd7d4
0x04dbd7d7
0x04dbd7df
0x04e0b3d4
0x04e0b3d9
0x04e0b3dc
0x04e0b3dc
0x04e0b3df
0x04e0b3e2
0x04e0b468
0x04e0b46d
0x04e0b46f
0x04e0b46f
0x04e0b475
0x04dbd8f8
0x04dbd8f9
0x04dbd8fd
0x04e0b3e8
0x04e0b3e8
0x04e0b3eb
0x04e0b3ed
0x00000000
0x04e0b3ef
0x04e0b3ef
0x04e0b3f1
0x04e0b3f4
0x04e0b3fe
0x04e0b404
0x04e0b409
0x04e0b40e
0x04e0b410
0x04e0b410
0x04e0b414
0x04e0b414
0x04e0b41b
0x04e0b420
0x04e0b423
0x04e0b425
0x04e0b427
0x04e0b42a
0x04e0b42d
0x04e0b42d
0x04e0b42a
0x04e0b432
0x04e0b436
0x04e0b438
0x04e0b43b
0x04e0b43b
0x04e0b449
0x04e0b44e
0x04e0b454
0x04e0b458
0x04e0b458
0x04e0b45d
0x00000000
0x04e0b45d
0x04e0b3ed
0x00000000
0x00000000
0x00000000
0x04dbd7df
0x04dbd7d2
0x04dbd7ca
0x04e0b37c
0x04e0b37e
0x04e0b385
0x04e0b38a
0x00000000
0x04e0b38a
0x04dbd742
0x04dbd7f1
0x04dbd7f8
0x04e0b49b
0x04e0b49b
0x04dbd800
0x04dbd837
0x04dbd843
0x04dbd845
0x04dbd847
0x04dbd84a
0x04dbd84b
0x04dbd84e
0x04dbd857
0x04dbd802
0x04dbd802
0x04dbd80d
0x00000000
0x04dbd818
0x04dbd818
0x04dbd824
0x04dbd831
0x04e0b4a5
0x04e0b4ab
0x04e0b4b3
0x04e0b4b8
0x04e0b4bb
0x00000000
0x04e0b4c1
0x04e0b4c1
0x04e0b4c8
0x00000000
0x04e0b4ce
0x04e0b4d4
0x04e0b4e1
0x04e0b4e3
0x04e0b4e5
0x00000000
0x04e0b4eb
0x04e0b4f0
0x04e0b4f2
0x04dbdac9
0x04dbdacc
0x04dbdacf
0x04dbdad1
0x04dbdd78
0x04dbdd78
0x04dbdcf2
0x00000000
0x04dbdad7
0x04dbdad9
0x04dbdadb
0x00000000
0x00000000
0x04dbdae1
0x04dbdae1
0x04dbdae4
0x04dbdae6
0x04e0b4f9
0x04e0b4f9
0x04e0b500
0x04dbdaec
0x04dbdaec
0x04dbdaf5
0x04dbdaf8
0x04dbdafb
0x04dbdb03
0x04dbdb11
0x04dbdb16
0x04dbdb19
0x04dbdb1b
0x04e0b52c
0x04e0b531
0x04e0b534
0x04dbdb21
0x04dbdb21
0x04dbdb24
0x04dbdcd9
0x04dbdce2
0x04dbdce5
0x04dbdd6a
0x04dbdd6d
0x00000000
0x04dbdd73
0x04e0b51a
0x04e0b51c
0x04e0b51f
0x04e0b524
0x00000000
0x04e0b524
0x04dbdce7
0x04dbdce7
0x04dbdce7
0x00000000
0x04dbdce7
0x00000000
0x04dbdb2a
0x04dbdb2c
0x04dbdb31
0x04dbdb33
0x04dbdb36
0x04dbdb39
0x04dbdb3b
0x04dbdb66
0x04dbdb66
0x04dbdb3d
0x04dbdb3d
0x04dbdb3e
0x04dbdb46
0x04dbdb47
0x04dbdb49
0x04dbdb4c
0x04dbdb53
0x04dbdb55
0x04dbdb58
0x04dbdb5a
0x04e0b50a
0x04e0b50f
0x04e0b512
0x04dbdb60
0x04dbdb60
0x04dbdb63
0x04dbdb63
0x00000000
0x04dbdb63
0x04dbdb5a
0x04dbdb3b
0x04dbdb24
0x04dbdb69
0x04dbdb69
0x04dbdb6c
0x04dbdb6f
0x04dbdb74
0x04e0b557
0x04e0b557
0x04e0b55e
0x04dbdb7a
0x04dbdb7c
0x04dbdb7f
0x04dbdb82
0x04dbdb85
0x00000000
0x04dbdb8b
0x04dbdb8b
0x04dbdb8d
0x04dbdb9b
0x04dbdb9b
0x04dbdb9d
0x04dbdba0
0x04dbdba2
0x04dbdba4
0x04dbdba7
0x04dbdba9
0x04dbdbae
0x04dbdbae
0x04dbdbb1
0x04dbdbb4
0x04dbdbb4
0x04dbdbb7
0x04dbdbba
0x04dbdcd2
0x04dbdcd4
0x00000000
0x04dbdbc0
0x04dbdbc0
0x04dbdbd2
0x04dbdbd7
0x04dbdbda
0x04dbdbdd
0x04dbdbdf
0x00000000
0x04dbdbe5
0x04dbdbe5
0x04dbdbee
0x04dbdbf1
0x04e0b541
0x04e0b544
0x00000000
0x04e0b546
0x04e0b546
0x00000000
0x04e0b546
0x04dbdbf7
0x04dbdbf7
0x04dbdbfd
0x04dbdbfd
0x04dbdbff
0x04dbdc0b
0x04dbdc15
0x04dbdc1b
0x04dbdc1d
0x04dbdc21
0x04dbdc21
0x04dbdc23
0x04dbdc23
0x04dbdc26
0x04dbdc29
0x04dbdc2b
0x00000000
0x00000000
0x04dbdc31
0x04dbdc34
0x04dbdc36
0x04dbdcbf
0x04dbdcbf
0x04dbdcc2
0x00000000
0x04dbdc3c
0x04dbdc41
0x04dbdc43
0x00000000
0x04dbdc45
0x04dbdc45
0x04dbdc47
0x00000000
0x04dbdc4d
0x04dbdc4d
0x04dbdc50
0x04dbdc52
0x04dbdc55
0x04dbdcfa
0x04dbdcfe
0x04dbdd08
0x04dbdd0a
0x04dbdd0c
0x00000000
0x04dbdd12
0x04dbdd15
0x04dbdd2d
0x04dbdd2f
0x04dbdd32
0x04dbdd35
0x00000000
0x04dbdd35
0x04dbdc5b
0x04dbdc5b
0x04dbdc5e
0x04dbdc61
0x04dbdc64
0x04dbdc67
0x04dbdc67
0x04dbdc6a
0x04dbdc6c
0x04dbdc8e
0x04dbdc8e
0x04dbdc91
0x04dbdc93
0x04dbdcce
0x04dbdcce
0x04dbdc95
0x04dbdc9c
0x04dbdc6e
0x04dbdc72
0x04dbdc75
0x04dbdc77
0x04dbdc79
0x04e0b551
0x04e0b551
0x00000000
0x04dbdc7f
0x04dbdc7f
0x04dbdc81
0x00000000
0x04dbdc83
0x04dbdc86
0x04dbdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x04dbdc88
0x04dbdc81
0x04dbdc79
0x04dbdc6c
0x04dbdc55
0x04dbdc47
0x04dbdc43
0x00000000
0x04dbdc36
0x04dbdc23
0x00000000
0x04dbdbff
0x04dbdbf1
0x04dbdbdf
0x04dbdb8f
0x04dbdb92
0x04dbdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x04dbdb95
0x04dbdb8d
0x04dbdb85
0x04dbdb74
0x04dbdc9f
0x04dbdca2
0x04dbdcb0
0x04dbdcb0
0x04dbdad1
0x04e0b4e5
0x04e0b4c8
0x00000000
0x00000000
0x00000000
0x04dbd831
0x04dbd80d
0x00000000
0x04dbd800
0x04e0b47f
0x04e0b485
0x00000000
0x04e0b485
0x04dbd665
0x04dbd652
0x00000000

Strings

(2B, xrefs: 04DBD69D
)B, xrefs: 04DBD8CE

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: (2B$)B
API String ID: 0-2850463667
Opcode ID: 3e74199b0e381c26dba3f92622795d4502bb250ab22e2b7cfa41e4b7f1bd67a1
Instruction ID: d0a5891a47ae93264def3f29797929c30efa29cc92501467cacebdc691a9f108
Opcode Fuzzy Hash: 3e74199b0e381c26dba3f92622795d4502bb250ab22e2b7cfa41e4b7f1bd67a1
Instruction Fuzzy Hash: 2BE1AF30B00259CFEB24DF19C980BE9B7B2FF45318F1441A9D99A97290EB74BD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04DDFAB0, Relevance: 2.8, Strings: 2, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04DDFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E04DBEEF0(0x4e97b60);
					_t134 =  *0x4e97b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x4e97b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x4e97b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E04DB6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E04DB76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E04E48938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E04DAB150();
													}
													_t116 = E04E46D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E04DB75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x4e98638; // 0x0
																	_t122 = L04DB38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E04DB76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E04DB76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L04DDFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L04DB70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E04DDFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E04DDFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E04DDFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E04DDFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E04DDFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x4e97b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x4e97b84 = _t75;
						_t73 = E04DBEB70(_t134, 0x4e97b60);
						if( *0x4e97b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E04DBFF60( *0x4e97b20);
							}
						}
						goto L5;
					}
				}
			}

0x04ddfab0
0x04ddfab2
0x04ddfab3
0x04ddfab4
0x04ddfabc
0x04ddfac0
0x04ddfb14
0x04ddfb17
0x04ddfac2
0x04ddfac8
0x04ddfacd
0x04ddfad3
0x04ddfad3
0x04ddfadd
0x04ddfb18
0x04ddfb1b
0x04ddfb1d
0x04ddfb1e
0x04ddfb1f
0x04ddfb20
0x04ddfb21
0x04ddfb22
0x04ddfb23
0x04ddfb24
0x04ddfb25
0x04ddfb26
0x04ddfb27
0x04ddfb28
0x04ddfb29
0x04ddfb2a
0x04ddfb2b
0x04ddfb2c
0x04ddfb2d
0x04ddfb2e
0x04ddfb2f
0x04ddfb3a
0x04ddfb3b
0x04ddfb3e
0x04ddfb41
0x04ddfb44
0x04ddfb47
0x04ddfb4a
0x04ddfb4d
0x04ddfb53
0x04e1bdcb
0x04e1bdcb
0x04ddfb59
0x04ddfb5b
0x04ddfb5b
0x04ddfb5e
0x04e1bdd5
0x04e1bdd8
0x00000000
0x04e1bdda
0x00000000
0x04e1bdda
0x04ddfb64
0x04ddfb64
0x04ddfb64
0x04ddfb67
0x04ddfb6e
0x04ddfb70
0x04ddfb72
0x00000000
0x04ddfb78
0x04ddfb7a
0x04ddfb7a
0x04ddfb7d
0x04ddfb80
0x04e1bddf
0x04e1bde1
0x00000000
0x04e1bde3
0x00000000
0x04e1bde3
0x04ddfb86
0x04ddfb86
0x04ddfb86
0x04ddfb8b
0x04ddfb90
0x04ddfb92
0x04ddfb94
0x04ddfb9a
0x04ddfb9b
0x04ddfba1
0x04e1bde8
0x04e1bdeb
0x04e1bded
0x04e1beb5
0x04e1beb5
0x04e1bebb
0x04e1bebd
0x04e1bec3
0x04e1bed2
0x04e1bedd
0x04e1bedd
0x04e1beed
0x00000000
0x04e1bdf3
0x04e1bdfe
0x04e1be06
0x04e1be0b
0x04e1be0d
0x04e1be0f
0x04e1be14
0x04e1be19
0x04e1be20
0x04e1be25
0x04e1be27
0x04e1be35
0x04e1be39
0x04e1be46
0x04e1be4f
0x04e1be54
0x04e1be56
0x04e1bef8
0x04e1bef8
0x00000000
0x04e1be5c
0x04e1be5c
0x04e1be60
0x00000000
0x04e1be66
0x04e1be66
0x04e1be7f
0x04e1be84
0x04e1be87
0x04e1be89
0x04e1be8b
0x04e1be99
0x04e1be9d
0x04e1bea0
0x04e1beac
0x04e1beaf
0x04e1beb1
0x04e1beb3
0x04e1beb3
0x00000000
0x04e1bea2
0x04e1bea2
0x00000000
0x04e1bea2
0x04e1be8d
0x04e1be8d
0x04e1be92
0x00000000
0x04e1be92
0x04e1be8b
0x04e1be60
0x04e1be3b
0x04e1be3b
0x04e1be3e
0x00000000
0x04e1be40
0x04e1be40
0x04e1be44
0x00000000
0x00000000
0x00000000
0x00000000
0x04e1be44
0x04e1be3e
0x04e1be29
0x04e1be29
0x00000000
0x04e1be29
0x04e1be27
0x00000000
0x04ddfba7
0x04ddfba7
0x04ddfbab
0x04e1bf02
0x04ddfbb1
0x04ddfbb1
0x04ddfbb8
0x04ddfbbd
0x04ddfbbd
0x04ddfbbf
0x04ddfbbf
0x04ddfbc5
0x04ddfbcb
0x04ddfbf8
0x04ddfbf8
0x04ddfbfa
0x00000000
0x04ddfc00
0x04ddfc00
0x04ddfc03
0x00000000
0x04ddfc09
0x04ddfc09
0x04ddfc0f
0x04ddfc15
0x04ddfc23
0x04ddfc23
0x04ddfc25
0x04ddfc27
0x04ddfc75
0x04ddfc7c
0x04ddfc84
0x00000000
0x04ddfc29
0x04ddfc29
0x04ddfc2d
0x04ddfc30
0x04e1bf0f
0x00000000
0x04ddfc36
0x04ddfc38
0x04ddfc3b
0x04ddfc41
0x04e1bf17
0x04e1bf19
0x04e1bf48
0x04e1bf4b
0x00000000
0x04e1bf1b
0x04e1bf22
0x04e1bf24
0x04e1bf26
0x00000000
0x04e1bf2c
0x04e1bf37
0x04e1bf39
0x04e1bf3b
0x00000000
0x04e1bf41
0x04e1bf41
0x04e1bf41
0x04e1bf41
0x04e1bf45
0x00000000
0x04e1bf45
0x04e1bf3b
0x04e1bf26
0x00000000
0x04ddfc47
0x04ddfc47
0x04ddfc49
0x04ddfcb2
0x04ddfcb4
0x04ddfcb6
0x04ddfcdc
0x04ddfcdc
0x00000000
0x04ddfcb8
0x04ddfcc3
0x04ddfcc5
0x04ddfcc7
0x00000000
0x04ddfcc9
0x04ddfcc9
0x04ddfccd
0x00000000
0x04ddfccd
0x04ddfcc7
0x00000000
0x04ddfc4b
0x04ddfc4b
0x04ddfc4e
0x04ddfc4e
0x04ddfc51
0x04ddfc51
0x04ddfc54
0x04ddfc5a
0x04ddfc5c
0x04ddfc5f
0x04ddfc61
0x04ddfc63
0x04ddfc65
0x04ddfc67
0x04ddfc6e
0x04ddfc72
0x04ddfc72
0x04ddfc72
0x04ddfc72
0x04ddfc67
0x04ddfc61
0x00000000
0x04ddfc5a
0x04ddfc49
0x04ddfc41
0x04ddfc30
0x04ddfc27
0x04ddfc03
0x04ddfbcd
0x04ddfbd3
0x04ddfbd9
0x04ddfbdc
0x04ddfbde
0x04ddfc99
0x04ddfc9b
0x04ddfc9d
0x04ddfcd5
0x04ddfcd5
0x04ddfc89
0x04ddfc89
0x00000000
0x04ddfc9f
0x04ddfc9f
0x04ddfca3
0x00000000
0x04ddfca3
0x00000000
0x04ddfbe4
0x04ddfbe4
0x04ddfbe4
0x04ddfbe4
0x04ddfbe9
0x04ddfbf2
0x00000000
0x04ddfbf2
0x04ddfbde
0x04ddfbcb
0x04ddfbab
0x04ddfc8b
0x04ddfc8b
0x04ddfc8c
0x04ddfb80
0x04ddfb72
0x04ddfb5e
0x04ddfc8d
0x04ddfc91
0x04ddfadf
0x04ddfadf
0x04ddfae1
0x04ddfae4
0x04ddfae7
0x04ddfaec
0x04ddfaf8
0x04ddfb00
0x04ddfb07
0x04ddfb0f
0x04ddfb0f
0x04ddfb07
0x00000000
0x04ddfaf8
0x04ddfadd

Strings

(1B, xrefs: 04DDFAF1
*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 04E1BE0F

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: (1B$*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-1355053472
Opcode ID: e5cb1072583b5fc08e9edc8c945c07ddeb0442837fb443cd64446bae98f4a950
Instruction ID: f38cfd42238535b7484bcda26eb3e82b6caae68e593424fb3d097642dbfb8d10
Opcode Fuzzy Hash: e5cb1072583b5fc08e9edc8c945c07ddeb0442837fb443cd64446bae98f4a950
Instruction Fuzzy Hash: 49A1D271B00605CFEB25DF69C890BAAB3A5FF48718F04456EE847DB690EB34F9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 04E6E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04E6E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E04E6BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E04E6BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E04E6AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E04DE9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E04E6A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E04E6A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E04DE9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E04E6A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E04E6A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E04DC2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E04DBB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E04DBFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E04DC7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E04E5FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x04e6e547
0x04e6e549
0x04e6e54f
0x04e6e553
0x04e6e557
0x04e6e55a
0x04e6e55c
0x04e6e55f
0x04e6e561
0x04e6e567
0x04e6e56b
0x04e6e7e2
0x00000000
0x04e6e571
0x04e6e575
0x04e6e577
0x04e6e57b
0x04e6e57c
0x04e6e57d
0x04e6e57e
0x04e6e57f
0x04e6e588
0x04e6e58f
0x04e6e591
0x04e6e592
0x04e6e592
0x04e6e596
0x04e6e59e
0x04e6e5a0
0x04e6e5a6
0x04e6e61d
0x04e6e61d
0x04e6e621
0x04e6e623
0x04e6e630
0x04e6e630
0x04e6e7e6
0x04e6e7eb
0x04e6e7ed
0x04e6e7f4
0x04e6e7fa
0x04e6e7ff
0x04e6e7ff
0x04e6e80a
0x04e6e812
0x04e6e812
0x04e6e5ab
0x04e6e5b4
0x04e6e5b9
0x04e6e5be
0x04e6e5c0
0x04e6e5c2
0x04e6e5c8
0x04e6e5c9
0x04e6e5cb
0x04e6e5cc
0x04e6e5d5
0x04e6e5e4
0x04e6e5f1
0x04e6e5f8
0x04e6e5f8
0x04e6e5d5
0x04e6e602
0x04e6e616
0x04e6e63d
0x04e6e644
0x04e6e64d
0x04e6e652
0x04e6e657
0x04e6e659
0x04e6e65b
0x04e6e661
0x04e6e662
0x04e6e664
0x04e6e665
0x04e6e66e
0x04e6e67d
0x04e6e68a
0x04e6e691
0x04e6e691
0x04e6e66e
0x04e6e6b0
0x00000000
0x04e6e6b6
0x04e6e6bd
0x04e6e6c7
0x04e6e6d7
0x04e6e6d9
0x04e6e6db
0x04e6e6de
0x04e6e6e3
0x04e6e6f3
0x04e6e6fc
0x04e6e700
0x04e6e700
0x04e6e704
0x04e6e70a
0x04e6e70a
0x04e6e713
0x04e6e716
0x04e6e719
0x04e6e720
0x04e6e761
0x04e6e76b
0x04e6e774
0x04e6e77a
0x04e6e77a
0x04e6e78a
0x04e6e791
0x04e6e799
0x04e6e79b
0x04e6e79f
0x04e6e7aa
0x04e6e7c0
0x04e6e7ac
0x04e6e7b2
0x04e6e7b9
0x04e6e7b9
0x04e6e7c7
0x04e6e806
0x00000000
0x04e6e7c9
0x04e6e7d1
0x04e6e7d8
0x00000000
0x04e6e7d8
0x00000000
0x00000000
0x04e6e722
0x04e6e72e
0x04e6e748
0x04e6e74c
0x04e6e754
0x04e6e756
0x04e6e75c
0x04e6e75c
0x00000000
0x04e6e75c
0x04e6e758
0x04e6e758
0x00000000
0x04e6e758
0x04e6e750
0x00000000
0x00000000
0x04e6e752
0x00000000
0x04e6e752
0x04e6e730
0x04e6e735
0x04e6e73d
0x04e6e73f
0x00000000
0x00000000
0x04e6e741
0x04e6e741
0x00000000
0x04e6e741
0x04e6e739
0x00000000
0x00000000
0x04e6e73b
0x00000000
0x04e6e73b
0x04e6e722
0x04e6e720
0x04e6e6b0
0x04e6e618
0x00000000
0x04e6e618

Strings

`, xrefs: 04E6E5D7
`, xrefs: 04E6E670

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 754c4a0f7097cec2044c9a7f544abff8a4bb537d1a66b91b33fa9e4f9e22f1f8
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 46918B756443419FE724CF29C840B6AB7E6AF84758F14992DF59ACA280E770F904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04E251BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04E251BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x4e805f0);
				E04DFD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E04DBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E04E253CA(0);
						return E04DFD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E04DEF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E04DC3690(1, _t117, 0x4d81810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E04DEAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L04DC4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E04DEAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E04E2500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E04DE9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x04e251be
0x04e251c3
0x04e251c8
0x04e251cd
0x04e251d0
0x04e251d3
0x04e251d8
0x04e251db
0x04e251de
0x04e251e0
0x04e251e3
0x04e251e6
0x04e251e8
0x04e25342
0x04e25351
0x04e25356
0x04e2535a
0x04e25360
0x04e25363
0x04e25366
0x04e25369
0x04e25369
0x04e2536b
0x04e2536b
0x04e25370
0x04e253a3
0x04e253a4
0x04e253a6
0x04e253ab
0x04e253ab
0x04e253ae
0x04e253ae
0x04e253b5
0x04e253bf
0x04e253bf
0x04e25375
0x04e25396
0x04e253a0
0x04e253a0
0x00000000
0x04e25396
0x04e25377
0x04e25379
0x04e2537f
0x04e2538c
0x04e25390
0x00000000
0x04e25390
0x04e251ee
0x04e251f1
0x04e25301
0x04e25310
0x04e25315
0x04e25318
0x04e2531b
0x04e25320
0x04e2532e
0x04e25331
0x00000000
0x04e25331
0x04e25328
0x04e25329
0x00000000
0x04e25329
0x04e251fa
0x04e25235
0x04e25236
0x04e25239
0x04e2523f
0x04e25240
0x04e25241
0x04e25242
0x04e25246
0x04e25247
0x04e2524e
0x04e25251
0x04e25267
0x04e25269
0x04e2526e
0x04e2527d
0x04e2527e
0x04e25281
0x04e25282
0x04e25287
0x04e25288
0x04e2528a
0x04e2528f
0x04e25294
0x00000000
0x00000000
0x04e2529a
0x04e2529c
0x04e2529e
0x04e2529e
0x04e252a4
0x04e252b0
0x00000000
0x00000000
0x04e252ba
0x04e252bc
0x04e252bc
0x04e252d4
0x04e252d9
0x04e252dc
0x04e252e1
0x00000000
0x00000000
0x04e252e7
0x04e252f4
0x00000000
0x04e252f4
0x04e25270
0x00000000
0x04e25270
0x04e251fc
0x04e251fd
0x04e25202
0x04e25203
0x04e25205
0x04e2520a
0x04e2520f
0x00000000
0x00000000
0x04e2521b
0x04e25226
0x04e2522b
0x04e2521d
0x04e2521d
0x04e25222
0x04e25222
0x04e2522d
0x00000000

Strings

Legacy, xrefs: 04E25226
UEFI, xrefs: 04E2521D

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: dcbf041512791513db8c0b2f2b9c9c6dbc90a31c19bc9b55f4ede1b37f46b597
Instruction ID: d212a8f8c6269830e377de8626b7e27b2f265c673cb2063ee8b19414ae7b3da1
Opcode Fuzzy Hash: dcbf041512791513db8c0b2f2b9c9c6dbc90a31c19bc9b55f4ede1b37f46b597
Instruction Fuzzy Hash: 7E516E71E00719AFDB24DFA8CA40ABEB7F8FF48704F54542DE549EB291D671A901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04DDA61C, Relevance: 2.6, Strings: 2, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04DDA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x4e80220);
				E04DFD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x4e97b9c; // 0x0
				_t55 = L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E04DFD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x4e97b10 =  *0x4e97b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x4e9536c; // 0x4272e0
					if( *_t51 != 0x4e95368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x4e95368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x4e9536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E04DDA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x04dda61c
0x04dda61e
0x04dda623
0x04dda628
0x04dda62b
0x04dda62d
0x04dda648
0x04dda64a
0x04dda64f
0x04e19b44
0x04dda6ec
0x04dda6f1
0x04dda6f1
0x04dda655
0x04dda657
0x04dda65a
0x04dda65d
0x04dda662
0x04dda663
0x04dda667
0x04dda668
0x04dda66d
0x04dda706
0x04dda706
0x04e19bda
0x04e19be6
0x04e19beb
0x00000000
0x04e19beb
0x04dda679
0x04e19b7a
0x00000000
0x04e19b7a
0x04dda683
0x04dda6f4
0x04dda6f7
0x04dda6f9
0x04dda6fd
0x04dda6a0
0x04dda6a0
0x04dda6ad
0x04dda6af
0x04dda6b4
0x04e19ba7
0x04e19bac
0x00000000
0x00000000
0x04e19bc6
0x04e19bce
0x04e19bd1
0x04e19bd3
0x04e19bd3
0x00000000
0x04e19bd1
0x04dda6bd
0x04dda6c3
0x04dda6c6
0x04dda6d2
0x04dda701
0x04dda704
0x00000000
0x04dda704
0x04dda6d4
0x04dda6d6
0x04dda6d9
0x04dda6db
0x04dda6e1
0x04dda6e6
0x04dda6e8
0x04dda6e8
0x04dda6ea
0x00000000
0x04dda6ea
0x04dda688
0x04dda692
0x04dda694
0x04dda699
0x00000000
0x00000000
0x04dda69d
0x00000000

Strings

rB, xrefs: 04DDA6CB
rB, xrefs: 04DDA6C6, 04DDA6DB

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: rB$rB
API String ID: 0-529071143
Opcode ID: 64bb50139965f918eb6279a729a85ba910e4c2d441392826197beaac76b075d2
Instruction ID: ab0cfda29c9b0745a6d86d1e27c28c38a64ac63c990381c8fe31a44e50159e0d
Opcode Fuzzy Hash: 64bb50139965f918eb6279a729a85ba910e4c2d441392826197beaac76b075d2
Instruction Fuzzy Hash: 9A4149B5A40215EFDB15CF58C890BA9BBF2FB49304F15C06AE805AB395D774BD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04DCB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04DCB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x4e9d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04DC7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E04E78CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E04DE9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E04DEB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E04DECE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E04DC7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E04E78F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E04DEAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x4e98628; // 0x0
								_v68 = _t77;
								_t78 =  *0x4e9862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x4e98628; // 0x0
							_t116 =  *0x4e9862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x04dcb94c
0x04dcb956
0x04dcb95c
0x04dcb95e
0x04dcb964
0x04dcb969
0x04dcb96d
0x04dcb96d
0x04dcb970
0x04dcb974
0x04dcb97a
0x04dcbadf
0x04dcbadf
0x04dcbae2
0x04dcbae4
0x04dcbae6
0x04dcbaf0
0x04e12cb8
0x04dcbaf6
0x04dcbaf6
0x04dcbaf6
0x04dcbafd
0x04dcbb1f
0x04dcbb1f
0x04dcbaff
0x04dcbb00
0x04dcbb00
0x04dcbb03
0x04dcbb03
0x04dcbacb
0x04dcbacf
0x04dcbad0
0x04dcbad1
0x04dcbadc
0x04dcbadc
0x04dcb980
0x04dcb980
0x04dcb988
0x04dcb98b
0x04dcb98d
0x04dcb990
0x04dcb993
0x04dcb999
0x04dcb99b
0x04dcb9a1
0x04dcb9a5
0x04dcb9aa
0x04dcb9b0
0x04dcb9bb
0x04dcb9c0
0x04dcb9c3
0x04dcb9ca
0x04dcb9cc
0x04dcb9cf
0x04dcb9d3
0x04dcb9d7
0x04dcba94
0x04dcba94
0x04dcba98
0x04dcbaa3
0x04e12ccb
0x04dcbaa9
0x04dcbaa9
0x04dcbaa9
0x04dcbab1
0x04e12cd5
0x04e12cdd
0x04e12cdd
0x04dcbabb
0x04dcbabc
0x04dcbac2
0x04dcbac3
0x04dcbac3
0x04dcbac6
0x00000000
0x04dcb9dd
0x04dcb9dd
0x04dcb9e7
0x04dcb9e7
0x04dcb9ec
0x04dcb9ec
0x04dcb9f1
0x04dcb9f5
0x04dcb9fa
0x04dcba00
0x04dcba0c
0x04dcba10
0x04dcba10
0x04dcba12
0x04dcba18
0x00000000
0x00000000
0x04dcbb26
0x04dcbb26
0x04dcba1e
0x04dcba1e
0x04dcba23
0x04dcba25
0x04dcba2c
0x04dcba30
0x04dcba35
0x04dcba35
0x04dcba41
0x04dcba46
0x04dcba4c
0x04dcba50
0x04dcba54
0x04dcba6a
0x04dcba6e
0x04dcba70
0x04dcba74
0x04dcba78
0x04dcba7a
0x04dcba7c
0x04dcba8e
0x04dcba90
0x04dcba92
0x04dcbb14
0x04dcbb14
0x04dcbb16
0x04dcbb16
0x00000000
0x04dcba7c
0x04dcbb0a
0x04dcbb0d
0x00000000
0x00000000
0x00000000
0x04dcbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04DCB9A5

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 1111a13f528180354b894a19e2dbe3c9e04c2645693fbebf81bb31371a56459d
Instruction ID: 48717f49399249f1536836489918cb7726ccb5d883a855db452289b6ea94d65d
Opcode Fuzzy Hash: 1111a13f528180354b894a19e2dbe3c9e04c2645693fbebf81bb31371a56459d
Instruction Fuzzy Hash: E3516570A08342CFC720DF29D48192ABBE5FB88604F14896EE9C597355EB71FC40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04DAB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x4e7f7a8);
				E04DFD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E04DFD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E04DED000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E04DEF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L04DFDEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E04DEB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E04DEB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E04DEE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E04DEA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x04dab171
0x04dab171
0x04dab171
0x04dab171
0x04dab171
0x04dab176
0x04dab17b
0x04dab180
0x04dab186
0x04dab18f
0x04dab198
0x04dab1a4
0x04dab1aa
0x04e04802
0x04e04802
0x04e04805
0x04e0480c
0x04e0480e
0x04dab1d1
0x04dab1d3
0x04dab1de
0x04dab1de
0x04e04817
0x04e0481e
0x04e04820
0x04e04822
0x04e04822
0x04e04824
0x04e04824
0x04e0482a
0x00000000
0x00000000
0x04e04835
0x04e0483a
0x04e0483d
0x04e0483f
0x04e04842
0x04e04842
0x04e04842
0x04e04846
0x04e0484c
0x04e0484e
0x04e04851
0x04e04851
0x04e04853
0x04e04854
0x04e04854
0x04e04858
0x04e0485a
0x04e0485a
0x04e0485d
0x04e0485f
0x04e04861
0x04e04861
0x04e04866
0x04e0486b
0x04e0486e
0x04e04871
0x04e04876
0x04e04876
0x04e04878
0x04e0487b
0x04e04884
0x04e04884
0x00000000
0x04e0487d
0x04e0487d
0x04e04882
0x04e04889
0x04e04889
0x04e0488f
0x04e04891
0x04e048e0
0x04e048e2
0x04e048e4
0x04e048e4
0x04e048e7
0x04e048e7
0x04e048ed
0x04e048f4
0x04e048f6
0x04e04951
0x04e04951
0x04e04953
0x04e04953
0x04e04956
0x04e04956
0x04e04958
0x04e04959
0x04e04959
0x04e0495d
0x04e0495d
0x04e0495f
0x04e0495f
0x04e04965
0x04e04969
0x04e049ba
0x04e049ba
0x04e049c1
0x04e049c5
0x04e049cc
0x04e049d4
0x04e049d7
0x04e049da
0x04e049e4
0x04e049e5
0x04e049f3
0x04e04a02
0x00000000
0x04e04a02
0x04e04972
0x04e04974
0x00000000
0x00000000
0x04e04976
0x04e04979
0x04e04982
0x04e04983
0x04e04984
0x04e0498b
0x04e0498d
0x04e04991
0x04e04993
0x04e04999
0x04e0499d
0x04e049a2
0x04e049a2
0x04e049a2
0x04e04999
0x04e049ac
0x00000000
0x04e049b3
0x04e048f8
0x04e048fe
0x00000000
0x00000000
0x00000000
0x04e048fe
0x04e04895
0x04e0489c
0x04e048ad
0x04e048b2
0x04e048b5
0x04e048b7
0x04e048ba
0x04e048bc
0x04e048c6
0x04e048c6
0x04e048cb
0x04e048d1
0x04e048d4
0x04e048d8
0x04e048d8
0x00000000
0x04e048d8
0x04e048be
0x04e048c0
0x00000000
0x00000000
0x04e048c2
0x00000000
0x00000000
0x00000000
0x04e048c4
0x00000000
0x04e04882
0x04e0487b
0x04e04904
0x04e04906
0x00000000
0x00000000
0x04e04908
0x04e0490e
0x00000000
0x00000000
0x04e04910
0x04e04917
0x04e04917
0x00000000
0x04e04917
0x04dab1ba
0x04e047f9
0x04e047fc
0x00000000
0x00000000
0x00000000
0x04e047fc
0x04dab1c0
0x04dab1c0
0x04dab1c3
0x04dab1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 04E048AD

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 9655621e7d300ef6128306712d42481795b17bdd08e828cb476cedae0c0be658
Instruction ID: a9417ced91622c2641274ea629360ad994b69b78916e3e6fd3e93e10bff82077
Opcode Fuzzy Hash: 9655621e7d300ef6128306712d42481795b17bdd08e828cb476cedae0c0be658
Instruction Fuzzy Hash: 0851D771E0025A8EDF35DF64CA44BBDBBB1FF00714F1085ADEA699B2C1D77069819BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DD2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E04DD2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t233;
				signed int _t237;
				signed int _t248;
				signed int _t250;
				intOrPtr _t252;
				signed int _t255;
				signed int _t262;
				signed int _t265;
				signed int _t273;
				signed int _t279;
				signed int _t281;
				void* _t285;
				signed int _t286;
				unsigned int _t289;
				signed int _t293;
				signed int _t302;
				signed int _t306;
				intOrPtr _t318;
				signed int _t327;
				signed int _t329;
				signed int _t330;
				signed int _t334;
				signed int _t335;
				signed int _t337;
				signed int _t339;
				signed int _t341;
				void* _t342;
				void* _t345;
				void* _t346;

				_t339 = _t341;
				_t342 = _t341 - 0x4c;
				_v8 =  *0x4e9d360 ^ _t339;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t334 = 0x4e9b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t289 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t346 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t279 = 0x48;
				_t316 = 0 | _t346 == 0x00000000;
				_t327 = 0;
				_v37 = _t346 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t279 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t335 = 0xc0000106;
						goto L32;
					} else {
						_t334 = L04DC4620(_t289,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t279);
						_v52 = _t334;
						__eflags = _t334;
						if(_t334 == 0) {
							_t335 = 0xc0000017;
							goto L32;
						} else {
							 *(_t334 + 0x44) =  *(_t334 + 0x44) & 0x00000000;
							_t50 = _t334 + 0x48; // 0x48
							_t329 = _t50;
							_t316 = _v32;
							 *(_t334 + 0x3c) = _t279;
							_t281 = 0;
							 *((short*)(_t334 + 0x30)) = _v48;
							__eflags = _t316;
							if(_t316 != 0) {
								 *(_t334 + 0x18) = _t329;
								__eflags = _t316 - 0x4e98478;
								 *_t334 = ((0 | _t316 == 0x04e98478) - 0x00000001 & 0xfffffffb) + 7;
								E04DEF3E0(_t329,  *((intOrPtr*)(_t316 + 4)),  *_t316 & 0x0000ffff);
								_t316 = _v32;
								_t342 = _t342 + 0xc;
								_t281 = 1;
								__eflags = _a8;
								_t329 = _t329 + (( *_t316 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t273 = E04E339F2(_t329);
									_t316 = _v32;
									_t329 = _t273;
								}
							}
							_t293 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t335 = _v68;
								__eflags = 0;
								 *((short*)(_t329 - 2)) = 0;
								goto L32;
							} else {
								_t279 = _t334 + _t281 * 4;
								_v56 = _t279;
								do {
									__eflags = _t316;
									if(_t316 != 0) {
										_t233 =  *(_v60 + _t293 * 4);
										__eflags = _t233;
										if(_t233 == 0) {
											goto L30;
										} else {
											__eflags = _t233 == 5;
											if(_t233 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t279 =  *(_v60 + _t293 * 4);
										 *(_t279 + 0x18) = _t329;
										_t237 =  *(_v60 + _t293 * 4);
										__eflags = _t237 - 8;
										if(_t237 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t237 * 4 +  &M04DD2959))) {
												case 0:
													__ax =  *0x4e98488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E04DEF3E0(__edi,  *0x4e9848c, __ax & 0x0000ffff);
														__eax =  *0x4e98488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E04DEF3E0(_t329, _v80, _v64);
													_t268 = _v64;
													goto L26;
												case 2:
													 *0x4e98480 & 0x0000ffff = E04DEF3E0(__edi,  *0x4e98484,  *0x4e98480 & 0x0000ffff);
													__eax =  *0x4e98480 & 0x0000ffff;
													__eax = ( *0x4e98480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E04DEF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E04DEF3E0(_t329, _v76, _v36);
														_t268 = _v36;
													}
													L26:
													_t342 = _t342 + 0xc;
													_t329 = _t329 + (_t268 >> 1) * 2 + 2;
													__eflags = _t329;
													L27:
													_push(0x3b);
													_pop(_t270);
													 *((short*)(_t329 - 2)) = _t270;
													goto L28;
												case 6:
													__ebx =  *0x4e9575c;
													__eflags = __ebx - 0x4e9575c;
													if(__ebx != 0x4e9575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E04DEF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x4e9575c;
														} while (__ebx != 0x4e9575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x4e98478 & 0x0000ffff = E04DEF3E0(__edi,  *0x4e9847c,  *0x4e98478 & 0x0000ffff);
													__eax =  *0x4e98478 & 0x0000ffff;
													__eax = ( *0x4e98478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E04E339F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x4e96e58 & 0x0000ffff = E04DEF3E0(__edi,  *0x4e96e5c,  *0x4e96e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x4e96e58 & 0x0000ffff;
													__eax = ( *0x4e96e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t293 = _v16;
													_t316 = _v32;
													L29:
													_t279 = _t279 + 4;
													__eflags = _t279;
													_v56 = _t279;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t293 = _t293 + 1;
									_v16 = _t293;
									__eflags = _t293 - _v48;
								} while (_t293 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t237 =  *(_v60 + _t327 * 4);
						if(_t237 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t237 * 4 +  &M04DD2935))) {
							case 0:
								__ax =  *0x4e98488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t316 =  &_v64;
								_v80 = E04DD2E3E(0,  &_v64);
								_t279 = _t279 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x4e98480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x4e98480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E04DBEEF0(0x4e979a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E04DBEB70(__ecx, 0x4e979a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t211 = _v72;
											__eflags = _t211;
											if(_t211 != 0) {
												L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t211);
											}
											_t212 = _v52;
											__eflags = _t212;
											if(_t212 != 0) {
												__eflags = _t335;
												if(_t335 < 0) {
													L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
													_t212 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t289 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x4e97b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E04DBEB70(__ecx, 0x4e979a0);
										__eax = _v52;
										L36:
										_pop(_t328);
										_pop(_t336);
										__eflags = _v8 ^ _t339;
										_pop(_t280);
										return E04DEB640(_t212, _t280, _v8 ^ _t339, _t316, _t328, _t336);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t275 = _v56;
								if(_v56 != 0) {
									_t316 =  &_v36;
									_t277 = E04DD2E3E(_t275,  &_v36);
									_t289 = _v36;
									_v76 = _t277;
								}
								if(_t289 == 0) {
									goto L44;
								} else {
									_t279 = _t279 + 2 + _t289;
								}
								goto L14;
							case 6:
								__eax =  *0x4e95764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x4e98478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x4e98478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x4e96e58 & 0x0000ffff;
								__eax = ( *0x4e96e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t327 = _t327 + 1;
								if(_t327 >= _v48) {
									goto L16;
								} else {
									_t316 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					asm("daa");
					asm("loope 0x6");
					asm("loope 0x6");
					asm("daa");
					asm("daa");
					_t285 = 0x25;
					asm("loope 0x6");
					_pop(_t345);
					asm("loope 0x6");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x4e7ff00);
					E04DFD08C(_t285, _t329, _t334);
					_v44 =  *[fs:0x18];
					_t330 = 0;
					 *_a24 = 0;
					_t286 = _a12;
					__eflags = _t286;
					if(_t286 == 0) {
						_t248 = 0xc0000100;
					} else {
						_v8 = 0;
						_t337 = 0xc0000100;
						_v52 = 0xc0000100;
						_t250 = 4;
						while(1) {
							_v40 = _t250;
							__eflags = _t250;
							if(_t250 == 0) {
								break;
							}
							_t306 = _t250 * 0xc;
							_v48 = _t306;
							__eflags = _t286 -  *((intOrPtr*)(_t306 + 0x4d81664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t265 = E04DEE5C0(_a8,  *((intOrPtr*)(_t306 + 0x4d81668)), _t286);
									_t345 = _t345 + 0xc;
									__eflags = _t265;
									if(__eflags == 0) {
										_t337 = E04E251BE(_t286,  *((intOrPtr*)(_v48 + 0x4d8166c)), _a16, _t330, _t337, __eflags, _a20, _a24);
										_v52 = _t337;
										break;
									} else {
										_t250 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t250 = _t250 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t337;
						__eflags = _t337;
						if(_t337 < 0) {
							__eflags = _t337 - 0xc0000100;
							if(_t337 == 0xc0000100) {
								_t302 = _a4;
								__eflags = _t302;
								if(_t302 != 0) {
									_v36 = _t302;
									__eflags =  *_t302 - _t330;
									if( *_t302 == _t330) {
										_t337 = 0xc0000100;
										goto L76;
									} else {
										_t318 =  *((intOrPtr*)(_v44 + 0x30));
										_t252 =  *((intOrPtr*)(_t318 + 0x10));
										__eflags =  *((intOrPtr*)(_t252 + 0x48)) - _t302;
										if( *((intOrPtr*)(_t252 + 0x48)) == _t302) {
											__eflags =  *(_t318 + 0x1c);
											if( *(_t318 + 0x1c) == 0) {
												L106:
												_t337 = E04DD2AE4( &_v36, _a8, _t286, _a16, _a20, _a24);
												_v32 = _t337;
												__eflags = _t337 - 0xc0000100;
												if(_t337 != 0xc0000100) {
													goto L69;
												} else {
													_t330 = 1;
													_t302 = _v36;
													goto L75;
												}
											} else {
												_t255 = E04DB6600( *(_t318 + 0x1c));
												__eflags = _t255;
												if(_t255 != 0) {
													goto L106;
												} else {
													_t302 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t337 = E04DD2C50(_t302, _a8, _t286, _a16, _a20, _a24, _t330);
											L76:
											_v32 = _t337;
											goto L69;
										}
									}
									goto L108;
								} else {
									E04DBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t337 = _a24;
									_t262 = E04DD2AE4( &_v36, _a8, _t286, _a16, _a20, _t337);
									_v32 = _t262;
									__eflags = _t262 - 0xc0000100;
									if(_t262 == 0xc0000100) {
										_v32 = E04DD2C50(_v36, _a8, _t286, _a16, _a20, _t337, 1);
									}
									_v8 = _t330;
									E04DD2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t248 = _t337;
					}
					L70:
					return E04DFD0D1(_t248);
				}
				L108:
			}

0x04dd2584
0x04dd2586
0x04dd2590
0x04dd2596
0x04dd2597
0x04dd2598
0x04dd2599
0x04dd259e
0x04dd25a4
0x04dd25a9
0x04dd25ac
0x04dd25ae
0x04dd25b1
0x04dd25b2
0x04dd25b5
0x04dd25b8
0x04dd25bb
0x04dd25bc
0x04dd25bf
0x04dd25c2
0x04dd25c5
0x04dd25c6
0x04dd25cb
0x04dd25ce
0x04dd25d8
0x04dd25db
0x04dd25dd
0x04dd25de
0x04dd25e1
0x04dd25e3
0x04dd25e9
0x04dd26da
0x04dd26da
0x04dd26dd
0x04dd26e2
0x04e15b56
0x00000000
0x04dd26e8
0x04dd26f9
0x04dd26fb
0x04dd26fe
0x04dd2700
0x04e15b60
0x00000000
0x04dd2706
0x04dd2706
0x04dd270a
0x04dd270a
0x04dd270d
0x04dd2713
0x04dd2716
0x04dd2718
0x04dd271c
0x04dd271e
0x04e15b6c
0x04e15b6f
0x04e15b7f
0x04e15b89
0x04e15b8e
0x04e15b93
0x04e15b96
0x04e15b9c
0x04e15ba0
0x04e15ba3
0x04e15bab
0x04e15bb0
0x04e15bb3
0x04e15bb3
0x04e15ba3
0x04dd2724
0x04dd2726
0x04dd2729
0x04dd272c
0x04dd279d
0x04dd279d
0x04dd27a0
0x04dd27a2
0x00000000
0x04dd272e
0x04dd272e
0x04dd2731
0x04dd2734
0x04dd2734
0x04dd2736
0x04e15bc1
0x04e15bc1
0x04e15bc4
0x00000000
0x04e15bca
0x04e15bca
0x04e15bcd
0x00000000
0x04e15bd3
0x00000000
0x04e15bd3
0x04e15bcd
0x04dd273c
0x04dd273c
0x04dd2742
0x04dd2747
0x04dd274a
0x04dd274d
0x04dd2750
0x00000000
0x04dd2756
0x04dd2756
0x00000000
0x04dd2902
0x04dd2908
0x04dd290b
0x00000000
0x04dd2911
0x04dd291c
0x04dd2921
0x00000000
0x04dd2921
0x00000000
0x00000000
0x04dd2880
0x04dd2887
0x04dd288c
0x00000000
0x00000000
0x04dd2805
0x04dd280a
0x04dd2814
0x04dd2816
0x00000000
0x00000000
0x04dd281e
0x04dd2821
0x04dd2823
0x00000000
0x04dd2829
0x04dd2829
0x04dd2831
0x04dd283c
0x04dd283e
0x00000000
0x04dd283e
0x00000000
0x00000000
0x04dd284e
0x04dd2850
0x04dd2851
0x04dd2854
0x04dd2857
0x04dd285a
0x04dd285c
0x04dd285d
0x00000000
0x00000000
0x04dd275d
0x04dd2761
0x00000000
0x04dd2767
0x04dd276e
0x04dd2773
0x04dd2773
0x04dd2776
0x04dd2778
0x04dd277e
0x04dd277e
0x04dd2781
0x04dd2781
0x04dd2783
0x04dd2784
0x00000000
0x00000000
0x04e15bd8
0x04e15bde
0x04e15be4
0x04e15be6
0x04e15be8
0x04e15be9
0x04e15bee
0x04e15bf8
0x04e15bff
0x04e15c01
0x04e15c04
0x04e15c07
0x04e15c0b
0x04e15c0d
0x04e15c0d
0x04e15c15
0x04e15c18
0x04e15c1b
0x04e15c1b
0x04e15c1e
0x00000000
0x00000000
0x04dd28c3
0x04dd28c8
0x04dd28d2
0x04dd28d4
0x04dd28d8
0x04dd28db
0x04e15c26
0x04e15c28
0x04e15c2d
0x04e15c2d
0x00000000
0x00000000
0x04e15c34
0x04e15c36
0x04e15c49
0x04e15c4e
0x04e15c54
0x04e15c5b
0x04e15c5d
0x04e15c60
0x04dd2788
0x04dd2788
0x04dd278b
0x04dd278e
0x04dd278e
0x04dd278e
0x04dd2791
0x00000000
0x00000000
0x04dd2756
0x04dd2750
0x00000000
0x04dd2794
0x04dd2794
0x04dd2795
0x04dd2798
0x04dd2798
0x00000000
0x04dd2734
0x04dd272c
0x04dd2700
0x04dd25ef
0x04dd25ef
0x04dd25ef
0x04dd25f2
0x04dd25f8
0x00000000
0x00000000
0x04dd25fe
0x00000000
0x04dd28e6
0x04dd28ec
0x04dd28ef
0x04dd28f5
0x04dd28f8
0x04dd28f8
0x00000000
0x04dd28f8
0x00000000
0x00000000
0x04dd2866
0x04dd2866
0x04dd2876
0x04dd2879
0x00000000
0x00000000
0x04dd27e0
0x04dd27e7
0x04dd27e9
0x04dd27eb
0x04e15afd
0x00000000
0x04e15afd
0x00000000
0x00000000
0x04dd2633
0x04dd2638
0x04dd263b
0x04dd263c
0x04dd263e
0x04dd2640
0x04dd2642
0x04dd2647
0x04dd2649
0x04dd264e
0x04dd2650
0x04dd2653
0x04dd2659
0x04dd26a2
0x04dd26a7
0x04dd26ac
0x04dd26b2
0x04e15b11
0x04e15b15
0x04e15b17
0x00000000
0x04dd26b8
0x04dd26b8
0x04dd26ba
0x04dd27a6
0x04dd27a6
0x04dd27a9
0x04dd27ab
0x04dd27b9
0x04dd27b9
0x04dd27be
0x04dd27c1
0x04dd27c3
0x04dd27c5
0x04dd27c7
0x04e15c74
0x04e15c79
0x04e15c79
0x04dd27c7
0x00000000
0x04dd26c0
0x04dd26c0
0x04dd26c3
0x04dd26c6
0x04dd26c6
0x04dd26c9
0x04dd26c9
0x00000000
0x04dd26c9
0x04dd26ba
0x04dd265b
0x04dd265b
0x04dd265e
0x04dd2667
0x04dd266d
0x04dd2677
0x04dd267c
0x04dd267f
0x04dd2681
0x04e15b49
0x04e15b4e
0x04dd27cd
0x04dd27d0
0x04dd27d1
0x04dd27d2
0x04dd27d4
0x04dd27dd
0x04dd2687
0x04dd2687
0x04dd268a
0x04dd268b
0x04dd268e
0x04dd268f
0x04dd2691
0x04dd2696
0x04dd2698
0x04dd269d
0x04dd269f
0x00000000
0x04dd269f
0x04dd2681
0x00000000
0x00000000
0x04dd2846
0x00000000
0x00000000
0x04dd2605
0x04dd260a
0x04dd260c
0x04dd2611
0x04dd2616
0x04dd2619
0x04dd2619
0x04dd261e
0x00000000
0x04dd2624
0x04dd2627
0x04dd2627
0x00000000
0x00000000
0x04e15b1f
0x00000000
0x00000000
0x04dd2894
0x04dd289b
0x04dd289d
0x04dd28a1
0x04e15b2b
0x04e15b2e
0x04e15b2e
0x04dd28a7
0x04dd28a9
0x04e15b04
0x04e15b09
0x04e15b09
0x04e15b09
0x00000000
0x00000000
0x04e15b35
0x04e15b3c
0x04dd28fb
0x04dd28fb
0x04dd26cc
0x04dd26cc
0x04dd26d0
0x00000000
0x04dd26d2
0x04dd26d2
0x00000000
0x04dd26d2
0x00000000
0x00000000
0x04dd25fe
0x04dd292d
0x04dd2930
0x04dd2935
0x04dd293e
0x04dd294f
0x04dd2957
0x04dd2962
0x04dd296e
0x04dd2972
0x04dd2973
0x04dd297a
0x04dd297b
0x04dd297d
0x04dd297e
0x04dd297f
0x04dd2980
0x04dd2981
0x04dd2982
0x04dd2983
0x04dd2984
0x04dd2985
0x04dd2986
0x04dd2987
0x04dd2988
0x04dd2989
0x04dd298a
0x04dd298b
0x04dd298c
0x04dd298d
0x04dd298e
0x04dd298f
0x04dd2990
0x04dd2992
0x04dd2997
0x04dd29a3
0x04dd29a6
0x04dd29ab
0x04dd29ad
0x04dd29b0
0x04dd29b2
0x04e15c80
0x04dd29b8
0x04dd29b8
0x04dd29bb
0x04dd29c0
0x04dd29c5
0x04dd29c6
0x04dd29c6
0x04dd29c9
0x04dd29cb
0x00000000
0x00000000
0x04dd29cd
0x04dd29d0
0x04dd29d9
0x04dd29db
0x04dd29dd
0x04dd2a7f
0x04dd2a84
0x04dd2a87
0x04dd2a89
0x04e15ca1
0x04e15ca3
0x00000000
0x04dd2a8f
0x04dd2a8f
0x00000000
0x04dd2a8f
0x00000000
0x04dd29e3
0x04dd29e3
0x04dd29e3
0x00000000
0x04dd29e3
0x04dd29dd
0x00000000
0x04dd29db
0x04dd29e6
0x04dd29e9
0x04dd29eb
0x04dd29ed
0x04dd29f3
0x04dd29f5
0x04dd29f8
0x04dd29fa
0x04dd2a97
0x04dd2a9a
0x04dd2a9d
0x04dd2add
0x00000000
0x04dd2a9f
0x04dd2aa2
0x04dd2aa5
0x04dd2aa8
0x04dd2aab
0x04e15cab
0x04e15caf
0x04e15cc5
0x04e15cda
0x04e15cdc
0x04e15cdf
0x04e15ce5
0x00000000
0x04e15ceb
0x04e15ced
0x04e15cee
0x00000000
0x04e15cee
0x04e15cb1
0x04e15cb4
0x04e15cb9
0x04e15cbb
0x00000000
0x04e15cbd
0x04e15cbd
0x00000000
0x04e15cbd
0x04e15cbb
0x04dd2ab1
0x04dd2ab1
0x04dd2ac4
0x04dd2ac6
0x04dd2ac6
0x00000000
0x04dd2ac6
0x04dd2aab
0x00000000
0x04dd2a00
0x04dd2a09
0x04dd2a0e
0x04dd2a21
0x04dd2a24
0x04dd2a35
0x04dd2a3a
0x04dd2a3d
0x04dd2a42
0x04dd2a59
0x04dd2a59
0x04dd2a5c
0x04dd2a5f
0x04dd2a5f
0x04dd29fa
0x04dd29f3
0x04dd2a64
0x04dd2a64
0x04dd2a6b
0x04dd2a6b
0x04dd2a6d
0x04dd2a72
0x04dd2a72
0x00000000

Strings

PATH, xrefs: 04DD2642, 04DD2691

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 26f7926bd30796bd12058650f78f5042d68e9306672e64c1fb1aa9bd2ce76750
Instruction ID: c3d023b9a5608beff6cbb36d28ab7214c8a46cfa770c8ebf07b0f77d6001209e
Opcode Fuzzy Hash: 26f7926bd30796bd12058650f78f5042d68e9306672e64c1fb1aa9bd2ce76750
Instruction Fuzzy Hash: D8C17C71E50219EBDB25EF99D880AEEB7B1FF48704F044069E841AB290E734BD41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DA2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04DA2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x4e95350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x4e97bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E04DE97C0();
				}
				if( *0x4e979c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x4e979c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E04DD1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E04DC7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E04E3FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E04DE9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E04DDE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L04DFDF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x4e96901;
								_push(_t109);
								_v52 = _t98;
								if( *0x4e96901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E04DE9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E04DE95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E04DC7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E04DC7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E04E27016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E04E3FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x4e95350;
							if(_t109 != 0x4e95350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E04E3FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E04E35720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x04da2d8a
0x04da2d8a
0x04da2d92
0x04da2d96
0x04da2d9e
0x04da2da0
0x04da2da3
0x04da2da5
0x04da2da8
0x04da2dab
0x04da2db2
0x04dff9aa
0x04dff9ab
0x04dff9ae
0x04dff9ae
0x04da2db8
0x04da2dc2
0x04dff9b9
0x04dff9be
0x04dff9bf
0x04dff9bf
0x04da2dcf
0x04dff9c9
0x04da2dd5
0x04da2dd5
0x04da2dd5
0x04da2dde
0x04da2de1
0x04da2e70
0x04da2e72
0x04da2e72
0x04da2de7
0x04da2deb
0x04da2e7c
0x04da2e83
0x04da2e85
0x04da2e8b
0x04da2e8d
0x04da2e92
0x04da2e92
0x04da2e85
0x04da2df1
0x04da2df7
0x04da2df9
0x04da2df9
0x04da2dfc
0x04da2dff
0x04da2e02
0x00000000
0x04da2e05
0x04da2e0c
0x04dff9d9
0x04da2e12
0x04da2e12
0x04da2e12
0x04da2e1a
0x04dff9e3
0x04dff9e9
0x04dff9f0
0x04dff9f6
0x04dff9f8
0x04dff9f8
0x04dff9f0
0x04da2e23
0x04dffa02
0x04dffa03
0x04dffa05
0x04dffa06
0x00000000
0x04da2e29
0x04da2e29
0x04da2e2e
0x04da2e34
0x04da2e3e
0x00000000
0x00000000
0x04da2e44
0x04da2e47
0x04da2e4d
0x00000000
0x00000000
0x04da2e4f
0x04da2e54
0x00000000
0x00000000
0x04da2e5a
0x04da2e5f
0x04da2e9a
0x04da2ea4
0x04da2ea5
0x04da2ea8
0x04da2eaf
0x04da2eb2
0x04da2eb5
0x04dffae9
0x04dffaeb
0x04dffaed
0x04dffaef
0x04dffaf7
0x04dffaf8
0x04dffafd
0x04dffaff
0x04dffb04
0x04dffb04
0x04dffaff
0x04da2ec0
0x04da2ec4
0x04da2ec6
0x04da2ec8
0x04dffb14
0x04dffb18
0x04dffb1e
0x04dffb21
0x04dffb21
0x04da2ece
0x04da2ece
0x04da2ece
0x04da2ed7
0x04da2e61
0x04da2e63
0x04dffa6b
0x04dffa71
0x04dffa76
0x04dffa78
0x04dffa8a
0x04dffa7a
0x04dffa83
0x04dffa83
0x04dffa8f
0x04dffa91
0x04dffa97
0x04dffa9d
0x04dffaa4
0x04dffaaa
0x04dffaaf
0x04dffab1
0x04dffac3
0x04dffab3
0x04dffabc
0x04dffabc
0x04dffac8
0x04dffacb
0x04dffadf
0x04dffadf
0x04dffacb
0x04dffaa4
0x04dffa91
0x04da2e6f
0x04da2e6f
0x04da2e5f
0x04dffa13
0x04dffa15
0x04dffa17
0x04dffa1f
0x04dffa21
0x04dffa22
0x04dffa25
0x04dffa28
0x04dffa2f
0x04dffa2f
0x04dffa2a
0x04dffa2a
0x04dffa2a
0x04dffa31
0x04dffa34
0x04dffa36
0x04dffa3c
0x04dffa3e
0x04dffa41
0x04dffa43
0x04dffa45
0x04dffa45
0x04dffa41
0x04dffa3c
0x04dffa4a
0x04dffa4f
0x04dffa51
0x04dffa53
0x04dffa56
0x04dffa5b
0x04dffa5e
0x00000000
0x04dffa5e
0x04da2e23

Strings

RTL: Re-Waiting, xrefs: 04DFFA4A

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: deaf7ed1a3cfc542c0970208f4f295150b2dce781ae70103d7a1e3a640f818ba
Instruction ID: 43b0de415a9ae5aaac07626cdc628a3772fee4de6d2e60bd4105d339df5c8769
Opcode Fuzzy Hash: deaf7ed1a3cfc542c0970208f4f295150b2dce781ae70103d7a1e3a640f818ba
Instruction Fuzzy Hash: 88612271B00604ABEB32DF69C880B7E77A1FB44328F1502AAE951973C0D734FE408791

Uniqueness

Uniqueness Score: -1.00%

Function 04E70EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04E70EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E04E6FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E04E71074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E04DE9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E04E6A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E04E6A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x4e98b04 >> 0x14) + (_v44 -  *0x4e98b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E04DC7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E04E6138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E04DC7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E04E5FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x4e98724 & 0x00000008) != 0) {
						E04E652F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E04E715B5(0x4e98ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x04e70eb7
0x04e70eb9
0x04e70ec0
0x04e70ec2
0x04e70ecd
0x04e7105b
0x04e7105b
0x04e71061
0x04e71066
0x04e71066
0x04e7106b
0x04e71073
0x04e71073
0x04e70ed3
0x04e70ed6
0x04e70edc
0x04e70ee0
0x04e70ee7
0x04e70ef0
0x04e70ef5
0x04e70efa
0x04e70efc
0x04e70efd
0x04e70f03
0x04e70f04
0x04e70f06
0x04e70f07
0x04e70f09
0x04e70f0e
0x04e70f14
0x04e70f23
0x04e70f2d
0x04e70f34
0x04e70f34
0x04e70f14
0x04e70f52
0x00000000
0x00000000
0x04e70f58
0x04e70f73
0x04e70f74
0x04e70f79
0x04e70f7d
0x04e70f80
0x04e70f86
0x04e70fab
0x04e70fb5
0x04e70fc6
0x04e70fd1
0x04e70fe3
0x04e70fd3
0x04e70fdc
0x04e70fdc
0x04e70feb
0x04e71009
0x04e71009
0x04e71015
0x04e71027
0x04e71017
0x04e71020
0x04e71020
0x04e7102f
0x04e7103c
0x04e7103c
0x04e71048
0x04e71050
0x04e71050
0x04e71055
0x00000000
0x04e71055
0x04e70f88
0x04e70f9e
0x04e70fa2
0x04e70fa9
0x00000000
0x00000000
0x00000000
0x04e70fa9
0x00000000

Strings

`, xrefs: 04E70F16

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: b74a29fd567307da477b44cf7631874a8d70552e8b7a7f3315df63279d32f2ca
Instruction ID: 9eb18de36a6eda7f712c9d394a80d91d384bb325e8278f27ab2636168527d818
Opcode Fuzzy Hash: b74a29fd567307da477b44cf7631874a8d70552e8b7a7f3315df63279d32f2ca
Instruction Fuzzy Hash: 9C519D712043429FE329DF28D884B2BB7E5EBC4768F04592DF99697290D670F905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04DDF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04DDF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E04DC4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04DE9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04DE9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E04DE95D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x422bc81a
							_t109 = L04DC4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000422b
								E04DEF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000422b
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E04DE95D0();
										L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x04ddf0d3
0x04ddf0d9
0x04ddf0e0
0x04ddf0e7
0x04ddf0f2
0x04ddf0f4
0x04ddf0f8
0x04ddf100
0x04ddf108
0x04ddf10d
0x04ddf115
0x04ddf116
0x04ddf11f
0x04ddf123
0x04ddf124
0x04ddf12c
0x04ddf130
0x04ddf134
0x04ddf13d
0x04ddf144
0x04ddf14b
0x04ddf152
0x04e1bab0
0x04e1bab0
0x04ddf158
0x04ddf158
0x04ddf15a
0x04ddf160
0x04ddf165
0x04ddf166
0x04ddf16f
0x04ddf173
0x04e1baa7
0x04e1baa7
0x04e1baab
0x00000000
0x04ddf179
0x04ddf179
0x04ddf18d
0x04ddf191
0x04e1baa2
0x00000000
0x04ddf197
0x04ddf19b
0x04ddf1a2
0x04ddf1a9
0x04ddf1af
0x04ddf1b2
0x04ddf1b6
0x04ddf1b9
0x04ddf1c0
0x04ddf1c4
0x04ddf1d8
0x04ddf1df
0x04ddf1e3
0x04ddf1e6
0x04ddf1eb
0x04ddf1ee
0x04ddf1f4
0x04ddf20f
0x04e1bab7
0x04e1babb
0x04e1bacc
0x04e1bad1
0x04ddf215
0x04ddf218
0x04ddf226
0x04ddf22b
0x00000000
0x04ddf22b
0x04ddf1f6
0x04ddf1f6
0x04ddf1f9
0x04ddf1fb
0x04ddf1fb
0x04ddf1f4
0x04ddf191
0x04ddf173
0x04ddf152
0x04ddf203

Strings

@, xrefs: 04DDF124

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 07258c63bca55b045c88f147896674f42453cbf49c031f5e5557cb79a3efc0af
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 31519171605711AFD321DF29C840A6BBBF4FF48714F00892EF996976A0E774E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E23540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04E23540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x4e9d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E04DE0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E04E23706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E04DEFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E04E23540;
						E04DEFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E04DFDDD0( &_v1072, _t75, _t79, _t80, _t81);
						E04E30C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E04DE97C0();
					}
					return E04DEB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E04E23971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E04E23884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E04DEFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E04DE9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E04E23787(_a4,  &_v352, _t80);
						}
					}
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E04DE95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x04e23552
0x04e2355a
0x04e2355d
0x04e23566
0x04e23567
0x04e2357e
0x04e2358f
0x04e235a1
0x04e235a5
0x04e2366b
0x04e2366b
0x04e2366d
0x04e23672
0x04e23679
0x04e23685
0x04e2368d
0x04e2369d
0x04e236a7
0x04e236b8
0x04e236c6
0x04e236c7
0x04e236dc
0x04e236e1
0x04e236e7
0x04e236e9
0x04e236e9
0x04e23703
0x04e23703
0x04e235b5
0x04e235c0
0x04e235c4
0x00000000
0x00000000
0x04e235ca
0x04e235d7
0x04e235e2
0x04e235e6
0x04e235e8
0x04e235f5
0x04e235fa
0x04e23603
0x04e23604
0x04e23609
0x04e2360a
0x04e23612
0x04e23613
0x04e2361e
0x04e23622
0x04e23628
0x04e2362f
0x04e2362f
0x04e23636
0x04e23638
0x04e2363b
0x04e23642
0x04e23642
0x04e23636
0x04e23657
0x04e23657
0x04e2365c
0x04e23662
0x04e23669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 04E2358F

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: bfbc76c2ad371aee57e71c186267889a33371351605a43589e9bf53798f3f892
Instruction ID: 65724e454e8a82d36f2ba88c5ba79c1114b4d68f7dc7a7680b01fa5ae20d7250
Opcode Fuzzy Hash: bfbc76c2ad371aee57e71c186267889a33371351605a43589e9bf53798f3f892
Instruction Fuzzy Hash: DB4137F1D0152D9AEB21DB60CD84FAEB77CEB44718F0045D5AA09AB140DB346E488FA4

Uniqueness

Uniqueness Score: -1.00%

Function 04E705AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04E705AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E04E707DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E04DE9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E04E6A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E04E6A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E04E71293(_t79, _v40, E04E707DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E04DC7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E04E6138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x04e705c5
0x04e705ca
0x04e705d3
0x04e706db
0x04e706db
0x04e706dd
0x04e706e3
0x04e706e3
0x04e705dd
0x04e705e7
0x04e705f6
0x04e70600
0x04e70607
0x04e70610
0x04e70615
0x04e7061a
0x04e7061c
0x04e7061e
0x04e70624
0x04e70625
0x04e70627
0x04e70628
0x04e70631
0x04e70640
0x04e7064d
0x04e70654
0x04e70654
0x04e70631
0x04e7066d
0x04e70674
0x00000000
0x00000000
0x04e70692
0x04e7069e
0x04e706b0
0x04e706a0
0x04e706a9
0x04e706a9
0x04e706b8
0x04e706d6
0x04e706d6
0x00000000

Strings

`, xrefs: 04E70633

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: ecd5a36a0db09571e2299c37dc20947b1812886957899fb71f6b37566c31a846
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 2031E032704345ABE720EF64CC84F9A77D9EB84768F044629FA59EB680D670F904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E23884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04E23884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E04DE9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L04DC4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E04DE9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x04e23893
0x04e23896
0x04e23899
0x04e2389f
0x04e238a0
0x04e238a4
0x04e238a9
0x04e238ac
0x04e238ad
0x04e238ae
0x04e238af
0x04e238b1
0x04e238b4
0x04e238bb
0x04e238bc
0x04e238bd
0x04e238c4
0x04e238c8
0x04e238ca
0x04e238ca
0x04e238d5
0x04e2393e
0x04e23940
0x04e23942
0x04e23952
0x04e23954
0x04e23961
0x04e23961
0x04e23967
0x04e2396e
0x04e2396e
0x04e23947
0x04e2394c
0x00000000
0x04e2394c
0x04e238ea
0x04e238ee
0x04e238f8
0x04e238f9
0x04e238ff
0x04e23900
0x04e23902
0x04e23903
0x04e2390b
0x04e2390f
0x04e23950
0x00000000
0x04e23950
0x04e23915
0x04e2391d
0x04e2391d
0x04e23922
0x04e23926
0x00000000
0x04e23928
0x04e2392b
0x04e2392b
0x04e23935
0x04e23937
0x04e23937
0x00000000
0x04e23935
0x04e23926
0x04e238f0
0x00000000

Strings

BinaryName, xrefs: 04E238B4

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 18eccf35774420435efee92fa1296dd3678620adfaac588a7b81a19e2537df28
Instruction ID: c1f38b4210bbdecc8377aac0faee585b4c55d85b89c7e6da22aacb9faf61d82f
Opcode Fuzzy Hash: 18eccf35774420435efee92fa1296dd3678620adfaac588a7b81a19e2537df28
Instruction Fuzzy Hash: 76310872A0153AAFEB25DB68CA45D7BB774EB41B24F114169ED04A7680D734BE00CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DDD294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E04DDD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x4e9d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E04DC4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E04DEB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E04DE98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E04DE95D0();
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x04ddd29c
0x04ddd2a6
0x04ddd2b1
0x04ddd2b5
0x04ddd2b6
0x04ddd2bc
0x04ddd2bd
0x04ddd2be
0x04ddd2bf
0x04ddd2c2
0x04ddd2c4
0x04ddd2cc
0x04ddd384
0x04ddd34b
0x04ddd34f
0x04ddd350
0x04ddd351
0x04ddd35c
0x04ddd35c
0x04ddd2d6
0x04ddd2da
0x04ddd2e1
0x04ddd361
0x04ddd369
0x04ddd36d
0x04ddd2e3
0x04ddd2e3
0x04ddd2e3
0x04ddd2e5
0x04ddd2ed
0x04ddd2f5
0x04ddd2fa
0x04ddd302
0x04ddd303
0x04ddd30b
0x04ddd30f
0x04ddd313
0x04ddd318
0x04ddd31c
0x04ddd320
0x04ddd379
0x04ddd37d
0x00000000
0x00000000
0x04e1affe
0x04e1b001
0x04e1b011
0x00000000
0x04ddd322
0x04ddd322
0x04ddd330
0x04ddd337
0x04ddd35d
0x04ddd339
0x04ddd33f
0x04ddd38c
0x04ddd38c
0x04ddd33f
0x04ddd349
0x00000000
0x04ddd349

Strings

@, xrefs: 04DDD303

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: eb6c54cee3bcc12f8c95922d00e306a2877790a677cc6df45476aee8499543e6
Instruction ID: 1f3d6d169f5c0ebe4ee6ff695b17399a747d1a8c10cc23f415d5e81b257b07eb
Opcode Fuzzy Hash: eb6c54cee3bcc12f8c95922d00e306a2877790a677cc6df45476aee8499543e6
Instruction Fuzzy Hash: A831B6B16493059FDB11DF28C980D6BBBE9FB85754F40092EF99483250E638FD04DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04DB1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E04DEBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E04DEA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E04DEA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L04DC4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x04db1b8f
0x04db1b9a
0x04db1b9c
0x04db1b9e
0x04db1ba3
0x04e07010
0x04e07010
0x00000000
0x04db1ba9
0x04db1ba9
0x04db1bae
0x00000000
0x04db1bc5
0x04db1bca
0x04db1bcf
0x04db1bd0
0x04db1bd1
0x04db1bd2
0x04db1bd6
0x04db1bdc
0x04db1be0
0x04e06ffc
0x04e07000
0x00000000
0x04e07006
0x04e07009
0x04e07009
0x04db1be6
0x04db1bec
0x04db1c0b
0x04db1c0b
0x04db1c0c
0x04db1c11
0x04db1c12
0x04db1c15
0x04db1c1b
0x04db1c1f
0x04db1c31
0x04db1c33
0x04e07026
0x04e07026
0x04db1c21
0x04db1c24
0x04db1c24
0x04db1bee
0x04db1bee
0x04db1bf2
0x04db1c3a
0x04db1bf4
0x04db1bf4
0x04db1c05
0x04db1c05
0x04db1c09
0x04db1c3e
0x00000000
0x00000000
0x00000000
0x04db1c09
0x04db1bec
0x04db1be0
0x04db1bae
0x04db1c2e

Strings

WindowsExcludedProcs, xrefs: 04DB1BC5

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: c0999a0a79695cd16ac5470b2a17b21f1cbf1ce3fb222acd1c9de04171f55d07
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: EA21F836601119EBDB229E958850FAFB76DEF41794F054425F9959B200E630FD0097E0

Uniqueness

Uniqueness Score: -1.00%

Function 04DCF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DCF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x04dcf71d
0x04dcf722
0x04dcf726
0x04e14770
0x04dcf765
0x04dcf769
0x04dcf769
0x04dcf732
0x04e1477a
0x00000000
0x04e1477a
0x04dcf738
0x04dcf73a
0x04dcf73c
0x04dcf73f
0x04dcf746
0x04dcf778
0x04dcf7a9
0x04dcf7a9
0x04dcf754
0x04dcf75a
0x04dcf75d
0x04dcf75f
0x04dcf761
0x04dcf76f
0x04dcf771
0x04dcf771
0x04dcf76f
0x04dcf763
0x00000000
0x04dcf763
0x04dcf77d
0x04dcf7a3
0x04dcf7a5
0x00000000
0x04dcf7a5
0x04dcf77f
0x04dcf782
0x04dcf784
0x04dcf786
0x00000000
0x00000000
0x00000000
0x04dcf788
0x04dcf748
0x04dcf74d
0x04dcf78d
0x04dcf793
0x04dcf7b7
0x04dcf7bc
0x00000000
0x04dcf7bc
0x04dcf798
0x00000000
0x00000000
0x04dcf79d
0x04dcf7b0
0x00000000
0x04dcf7b0
0x04dcf79f
0x00000000
0x04dcf74f
0x04dcf74f
0x00000000
0x04dcf74f

Strings

Actx , xrefs: 04DCF73F

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: cbb88cd1075fbc46ddb1047a2d181d7e8bf1db4c1547521412192531d165cb0a
Instruction ID: 8dc294f34724c8f7b075f03f53c114cd1132d65ed9de6396b84d6b48b880659a
Opcode Fuzzy Hash: cbb88cd1075fbc46ddb1047a2d181d7e8bf1db4c1547521412192531d165cb0a
Instruction Fuzzy Hash: 09119D393846038BEB284F1D88907B67297BB86724F34452EE4A2CB7E1EA70F8419740

Uniqueness

Uniqueness Score: -1.00%

Function 04E58DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04E58DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x4e80d50);
				E04DFD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E04E35720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L04DFDEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L04DFDEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E04DFD130(_t34, _t39, _t40);
			}

0x04e58df1
0x04e58df1
0x04e58df1
0x04e58df1
0x04e58df1
0x04e58df1
0x04e58df3
0x04e58df8
0x04e58dfd
0x04e58e00
0x04e58e0e
0x04e58e2a
0x04e58e36
0x04e58e38
0x04e58e3c
0x04e58e46
0x04e58e46
0x04e58e36
0x04e58e50
0x04e58e56
0x04e58e59
0x04e58e5c
0x04e58e60
0x04e58e67
0x04e58e6d
0x04e58e73
0x04e58e74
0x04e58eb1
0x04e58ebd

Strings

Critical error detected %lx, xrefs: 04E58E21

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: b61ea206b32f4462546978595155ab3609b9d03470805192c1597a3dfc605da8
Instruction ID: 2753a46e9fb45d04dc2f583f9833dd6b257c14860ed509c5e186e05a39e2104f
Opcode Fuzzy Hash: b61ea206b32f4462546978595155ab3609b9d03470805192c1597a3dfc605da8
Instruction Fuzzy Hash: EB117971E00348DBEF25EFA489057DCBBB1BB04318F20521ED96AAB2A1C7302601DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04E3FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 04E3FF60

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 2bc8d7f782e5a13612ee731600ffcf1a10dbc4054f0beac08cb1c84726722dc5
Instruction ID: 6af4381d0d723fd3f3ec0d8814b4e86e846e662bd366dded8c549eef617c6963
Opcode Fuzzy Hash: 2bc8d7f782e5a13612ee731600ffcf1a10dbc4054f0beac08cb1c84726722dc5
Instruction Fuzzy Hash: 96118E71A10544EFEF22EB50C949F9877B2FF0870AF158494F5096A2A1C739A944DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04E75BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04E75BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x4e81178);
				E04DFD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E04E74C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E04DED000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E04E75542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x4e960e8;
								if( *0x4e960e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x4e960e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E04DE9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E04DE6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E04DEF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E04DEF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E04DEF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E04DEFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E04DEFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E04DEF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E04DEF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E04E74CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E04DFD130(_t427, _t494, _t511);
				}
			}

0x04e75ba5
0x04e75baa
0x04e75baf
0x04e75bb4
0x04e75bb6
0x04e75bbc
0x04e75bbe
0x04e75bc4
0x04e75bcd
0x04e75bd3
0x04e75bd6
0x04e75bdc
0x04e75be0
0x04e75be3
0x04e75beb
0x04e75bf2
0x04e75bf8
0x04e75bfe
0x04e75c04
0x04e75c0e
0x04e75c18
0x04e75c1f
0x04e75c25
0x04e75c2a
0x04e75c2c
0x04e75c32
0x04e75c3a
0x04e75c3f
0x04e75c42
0x04e75c48
0x04e75c5b
0x04e75c5b
0x04e75c2c
0x04e75cb7
0x04e75cb9
0x04e75cbf
0x04e75cc2
0x04e75cca
0x04e75ccb
0x04e75ccb
0x04e75cd1
0x04e75cd7
0x04e75cda
0x04e75ce1
0x04e75ce4
0x04e75ce7
0x04e75ced
0x04e75cf3
0x04e75cf9
0x04e75cff
0x04e75d08
0x04e75d0a
0x04e75d0e
0x04e75d10
0x00000000
0x00000000
0x04e75d16
0x04e75d1a
0x00000000
0x00000000
0x04e75d20
0x04e75d22
0x04e75d25
0x04e75d2f
0x04e75d2f
0x04e75d33
0x04e75d3d
0x04e75d49
0x04e75d4b
0x00000000
0x00000000
0x04e75d5a
0x04e75d5d
0x04e75d60
0x00000000
0x00000000
0x04e75d66
0x04e75d69
0x00000000
0x00000000
0x04e75d6f
0x04e75d6f
0x04e75d73
0x04e75d79
0x04e75d7f
0x04e75d86
0x04e75d95
0x04e75d98
0x04e75dba
0x04e75dcb
0x04e75dce
0x04e75dd3
0x04e75dd6
0x04e75dd8
0x04e75de6
0x04e75dec
0x04e75dee
0x04e75df1
0x04e75df3
0x04e7635a
0x04e7635a
0x00000000
0x04e7635a
0x04e75dfe
0x04e75e02
0x04e75e05
0x04e75e07
0x04e75e10
0x04e75e13
0x04e75e1b
0x04e75e1c
0x04e75e21
0x04e75e22
0x04e75e23
0x04e75e25
0x04e75e2a
0x04e75e2c
0x04e75e2e
0x04e75e36
0x04e75e39
0x04e75e42
0x04e75e47
0x04e75e4d
0x04e75e54
0x04e75e54
0x04e75e54
0x04e75e2e
0x04e75e5c
0x04e75e5f
0x04e75e62
0x04e75e64
0x04e75e6b
0x04e75e70
0x04e75e7a
0x04e75e7a
0x04e75e7a
0x04e75e6b
0x04e75e7e
0x04e75e7f
0x04e75e7f
0x04e75e81
0x04e75e87
0x04e75e8b
0x04e75e8c
0x04e75e8c
0x04e75e8c
0x04e75e9a
0x04e75e9c
0x04e75ea2
0x04e75ea6
0x04e75f50
0x04e75f50
0x04e75f57
0x04e75f66
0x04e75f66
0x04e75f66
0x04e75f68
0x04e75f6a
0x04e763d0
0x00000000
0x04e75f70
0x04e75f70
0x04e75f91
0x04e75f9c
0x04e75f9e
0x04e75fa4
0x04e75fa6
0x04e7638c
0x04e76392
0x04e763a1
0x04e763a7
0x04e763af
0x04e763af
0x04e763bd
0x04e763d8
0x00000000
0x04e763d8
0x04e75fac
0x04e75fb2
0x04e75fb4
0x04e75fbd
0x04e75fc6
0x04e75fce
0x04e75fd4
0x04e75fdc
0x04e75fec
0x04e75fed
0x04e75fee
0x04e75fef
0x04e75ff9
0x04e75ffa
0x04e75ffb
0x04e75ffc
0x04e76000
0x04e76004
0x04e76012
0x04e76012
0x04e76018
0x04e76019
0x04e7601a
0x04e7601b
0x04e7601c
0x04e76020
0x04e76059
0x04e7605c
0x04e76061
0x04e76061
0x04e76022
0x04e76022
0x04e76022
0x04e76025
0x04e7602a
0x04e7602b
0x04e76031
0x04e76037
0x04e76038
0x04e7603e
0x04e76048
0x04e76049
0x04e7604a
0x04e7604b
0x04e7604c
0x04e7604d
0x04e76053
0x04e76054
0x04e76054
0x04e76062
0x04e76065
0x04e76067
0x04e7606a
0x04e76070
0x04e76075
0x04e76076
0x04e76081
0x04e76087
0x04e76095
0x04e76099
0x04e7609e
0x04e760a4
0x04e760ae
0x04e760b0
0x04e760b3
0x04e760b6
0x04e760b8
0x04e760ba
0x04e760ba
0x04e760ba
0x04e760ba
0x04e760be
0x04e760c0
0x04e760c5
0x04e760c5
0x04e760c5
0x04e760c6
0x04e760cd
0x04e76114
0x04e760cf
0x04e760cf
0x04e760d4
0x04e760d5
0x04e760da
0x04e760db
0x04e760e1
0x04e760e2
0x04e760e8
0x04e760f8
0x04e760fd
0x04e760fe
0x04e76102
0x04e76104
0x04e76107
0x04e76109
0x04e7610b
0x04e7610b
0x04e7610b
0x04e7610b
0x04e7610f
0x04e7610f
0x04e76117
0x04e7611a
0x04e7611f
0x04e76125
0x04e76134
0x04e76139
0x04e7613f
0x04e76146
0x04e76148
0x04e7614b
0x04e7614d
0x04e7614f
0x04e7614f
0x04e7614f
0x04e7614f
0x04e76153
0x04e76159
0x04e76159
0x04e7615c
0x04e76163
0x04e76169
0x04e7616c
0x04e76172
0x04e76181
0x04e76186
0x04e76187
0x04e7618b
0x04e76191
0x04e76195
0x04e761a3
0x04e761bb
0x04e761c0
0x04e761c3
0x04e761cc
0x04e761d0
0x04e761dc
0x04e761de
0x04e761e1
0x04e761e4
0x04e761e6
0x04e761e8
0x04e761e8
0x04e761e8
0x04e761e8
0x04e761e6
0x04e761ec
0x04e761f3
0x04e76203
0x04e76209
0x04e7620a
0x04e76216
0x04e7621d
0x04e76227
0x04e76241
0x04e76246
0x04e7624c
0x04e76257
0x04e76259
0x04e7625c
0x04e7625e
0x04e76260
0x04e76260
0x04e76260
0x04e76260
0x04e7625e
0x04e76264
0x04e76267
0x04e76269
0x04e76315
0x04e76315
0x04e7631b
0x04e7631e
0x04e76324
0x04e76327
0x04e7632f
0x04e76330
0x04e76333
0x04e7633a
0x04e7633c
0x04e76335
0x04e76335
0x04e76335
0x04e7633f
0x04e76342
0x04e7634c
0x04e76352
0x04e76355
0x04e76355
0x04e76359
0x00000000
0x04e7626f
0x04e76275
0x04e76275
0x04e76278
0x04e7627e
0x04e7627e
0x04e76281
0x04e76287
0x04e7628d
0x04e76298
0x04e7629c
0x04e762a2
0x04e7629e
0x04e7629e
0x04e7629e
0x04e762a7
0x04e762a7
0x04e762aa
0x04e762b0
0x04e762f0
0x04e762f0
0x04e762f2
0x04e762f8
0x04e762fd
0x04e762b2
0x04e762b2
0x04e762b2
0x04e762b5
0x04e762dd
0x04e762e2
0x04e762e5
0x04e762b7
0x04e762b8
0x04e762bb
0x04e762bd
0x04e762c0
0x04e762c4
0x04e762cd
0x04e762cd
0x04e762c0
0x04e762bb
0x04e762b5
0x04e76302
0x04e76303
0x04e76305
0x04e76305
0x04e76305
0x04e7630c
0x04e7630c
0x00000000
0x04e7627e
0x04e76269
0x04e75eac
0x04e75ebb
0x04e75ebe
0x04e75ecb
0x04e75ecb
0x04e75ece
0x04e75ece
0x04e75ed4
0x04e75ed7
0x04e75ed9
0x04e75edb
0x04e75edb
0x04e75ee1
0x04e75ee1
0x04e75ee3
0x04e75f20
0x04e75f20
0x04e75ee5
0x04e75ee5
0x04e75ee5
0x04e75ee8
0x04e75f11
0x04e75f18
0x04e75eea
0x04e75eea
0x04e75eed
0x04e75ef2
0x04e75ef8
0x04e75efb
0x04e75f0a
0x04e75f0a
0x04e75eed
0x04e75ee8
0x04e75f22
0x04e75f28
0x00000000
0x00000000
0x04e75f30
0x04e75f31
0x04e75f37
0x04e75f3a
0x04e75f3d
0x04e75f44
0x00000000
0x00000000
0x00000000
0x04e75f46
0x04e75f48
0x04e75f4d
0x00000000
0x04e75f4d
0x04e75dda
0x04e75ddf
0x00000000
0x04e75ddf
0x04e75dd8
0x04e75da7
0x04e75da9
0x04e75dac
0x04e75dae
0x00000000
0x04e75db4
0x04e75db4
0x00000000
0x04e75db4
0x04e75dae
0x04e75d88
0x04e75d8d
0x04e76363
0x04e76369
0x04e7636a
0x04e76370
0x04e76372
0x04e7637a
0x04e7637b
0x04e7637d
0x00000000
0x00000000
0x04e7637f
0x04e76385
0x00000000
0x04e76385
0x04e75d38
0x04e75d3b
0x00000000
0x00000000
0x00000000
0x04e75d3b
0x04e75d27
0x04e75d29
0x00000000
0x00000000
0x00000000
0x04e76360
0x00000000
0x04e76360
0x04e75c10
0x04e75c10
0x04e763da
0x04e763e5
0x04e763e5

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfdf2c554eb633097c7138b2c69b72aa575bdc6d6d995bb93aa7984a4427ed5
Instruction ID: 8f6bbb509c9233c1035779845ac9b505da9dcba29a0639a85a57a8cece3c711f
Opcode Fuzzy Hash: 1cfdf2c554eb633097c7138b2c69b72aa575bdc6d6d995bb93aa7984a4427ed5
Instruction Fuzzy Hash: 2A425F75E00619DFDB24CF68C880BA9B7B1FF45328F1581AAD94DEB241E734A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04DC4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04DC4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x4e9d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E04DDF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E04DC6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L04DC4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E04DC6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M04DC45F8))) {
												case 0:
													_v568 = 0x4d81078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x4d811c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L04DC4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E04DEF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E04DEF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E04DA52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E04DBEB70(1, 0x4e979a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E04DBAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E04DE95D0();
																			L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E04DEB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E04DE3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E04DEB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x04dc4128
0x04dc4135
0x04dc413c
0x04dc4141
0x04dc4145
0x04dc4147
0x04dc414e
0x04dc4151
0x04dc4159
0x04dc415c
0x04dc4160
0x04dc4164
0x04dc4168
0x04dc416c
0x04dc417f
0x04dc4181
0x04dc446a
0x04dc446a
0x04dc418c
0x04dc4195
0x04dc4199
0x04dc4432
0x04dc4439
0x04dc443d
0x04dc4442
0x04dc4447
0x00000000
0x04dc419f
0x04dc41a3
0x04dc41b1
0x04dc41b9
0x04dc41bd
0x04dc45db
0x04dc45db
0x00000000
0x04dc41c3
0x04dc41c3
0x04dc41ce
0x04dc41d4
0x04e0e138
0x04e0e13e
0x04e0e169
0x04e0e16d
0x04e0e19e
0x04e0e16f
0x04e0e16f
0x04e0e175
0x04e0e179
0x04e0e18f
0x04e0e193
0x00000000
0x04e0e199
0x00000000
0x04e0e199
0x04e0e193
0x00000000
0x00000000
0x00000000
0x04dc41da
0x04dc41da
0x04dc41df
0x04dc41e4
0x04dc41ec
0x04dc4203
0x04dc4207
0x04e0e1fd
0x04dc4222
0x04dc4226
0x04e0e1f3
0x04e0e1f3
0x04dc422c
0x04dc422c
0x04dc4233
0x04e0e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04dc4239
0x04dc4239
0x04dc4239
0x04dc4239
0x04dc4233
0x04dc4226
0x04dc41ee
0x04dc41ee
0x04dc41f4
0x04dc4575
0x04e0e1b1
0x04e0e1b1
0x00000000
0x04dc457b
0x04dc457b
0x04dc4582
0x04e0e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x04dc4588
0x04dc4588
0x04dc458c
0x04e0e1c4
0x04e0e1c4
0x00000000
0x04dc4592
0x04dc4592
0x04dc4599
0x04e0e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x04dc459f
0x04dc459f
0x04dc45a3
0x04e0e1d7
0x04e0e1e4
0x00000000
0x04dc45a9
0x04dc45a9
0x04dc45b0
0x04e0e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x04dc45b6
0x04dc45b6
0x04dc45b6
0x00000000
0x04dc45b6
0x04dc45b0
0x04dc45a3
0x04dc4599
0x04dc458c
0x04dc4582
0x00000000
0x00000000
0x00000000
0x00000000
0x04dc41f4
0x04dc423e
0x04dc4241
0x04dc45c0
0x04dc45c4
0x00000000
0x04dc45ca
0x04dc45ca
0x00000000
0x04e0e207
0x04e0e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x04dc45d1
0x00000000
0x00000000
0x04dc45ca
0x00000000
0x04dc4247
0x04dc4247
0x04dc4247
0x04dc4249
0x04dc4249
0x04dc4249
0x04dc4251
0x04dc4251
0x04dc4257
0x04dc425f
0x04dc426e
0x04dc4270
0x04dc427a
0x04e0e219
0x04e0e219
0x04dc4280
0x04dc4282
0x04dc4456
0x04dc45ea
0x00000000
0x04dc45f0
0x04e0e223
0x00000000
0x04e0e223
0x04dc445c
0x04dc445c
0x00000000
0x04dc445c
0x00000000
0x04dc4288
0x04dc428c
0x04e0e298
0x04dc4292
0x04dc4292
0x04dc429e
0x04dc42a3
0x04dc42a7
0x04dc42ac
0x04e0e22d
0x04dc42b2
0x04dc42b2
0x04dc42b9
0x04dc42bc
0x04dc42c2
0x04dc42ca
0x04dc42cd
0x04dc42cd
0x04dc42d4
0x04dc433f
0x04dc433f
0x04dc42d6
0x04dc42d6
0x04dc42d9
0x04dc42dd
0x04dc42eb
0x04e0e23a
0x04dc42f1
0x04dc4305
0x04dc430d
0x04dc4315
0x04dc4318
0x04dc431f
0x04dc4322
0x04dc432e
0x04dc433b
0x04dc433b
0x00000000
0x04dc432e
0x04dc42eb
0x04dc434c
0x04dc434e
0x04dc4352
0x04dc4359
0x04dc435e
0x04dc4361
0x04dc436e
0x04dc438a
0x04dc438e
0x04dc4396
0x04dc439e
0x04dc43a1
0x04dc43ad
0x04dc43bb
0x04dc43bb
0x04dc43ad
0x04dc436e
0x04dc43bf
0x04dc43c5
0x04dc4463
0x04dc4463
0x04dc43ce
0x04dc43d5
0x04dc43d9
0x04dc43df
0x04dc4475
0x04dc4479
0x04dc4491
0x04dc4491
0x04dc4479
0x04dc43e5
0x04dc43eb
0x04dc43f4
0x04dc43f6
0x04dc43f9
0x04dc43fc
0x04dc43ff
0x04dc44e8
0x04dc44ed
0x04dc44f3
0x04e0e247
0x00000000
0x04dc44f9
0x04dc4504
0x04dc4508
0x04dc450f
0x04e0e269
0x00000000
0x04dc4515
0x04dc4519
0x04dc4531
0x04dc4534
0x04dc4537
0x04dc453e
0x04dc4541
0x04dc454a
0x04e0e255
0x04e0e255
0x04e0e25b
0x04e0e25e
0x04e0e261
0x04e0e261
0x04dc4555
0x04dc4559
0x04dc455d
0x04e0e26d
0x04e0e270
0x04e0e274
0x04e0e27a
0x04e0e27d
0x04e0e28e
0x04e0e28e
0x04dc4563
0x04dc4563
0x04dc4569
0x04dc4569
0x00000000
0x04dc455d
0x04dc450f
0x00000000
0x04dc44f3
0x04dc43ff
0x04dc4405
0x04dc4405
0x04dc4405
0x04dc42ac
0x04dc428c
0x04dc4282
0x04dc4407
0x04dc440d
0x04e0e2af
0x04e0e2af
0x04dc4413
0x04dc4413
0x00000000
0x04dc41d4
0x00000000
0x04dc41c3
0x04dc41bd
0x04dc4415
0x04dc4415
0x04dc4416
0x04dc4417
0x04dc4429
0x04dc416e
0x04dc416e
0x04dc4175
0x04dc4498
0x04dc449f
0x04e0e12d
0x00000000
0x04e0e133
0x00000000
0x04e0e133
0x04dc44a5
0x04dc44a5
0x04dc44aa
0x00000000
0x04dc44bb
0x04dc44ca
0x04dc44d6
0x04dc44d7
0x04dc44d8
0x04dc44e3
0x04dc44e3
0x04dc44aa
0x04dc417b
0x04dc417b
0x04dc417b
0x00000000
0x04dc417b
0x04dc4175
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8963a8d5f7182cdb40ca48a59baa56bc3868615d6131c26ea5177aa68f1d415c
Instruction ID: 9dd68c97a0bc11250b0fb4982182fd457743f8764246dbb085eb17eeaa146385
Opcode Fuzzy Hash: 8963a8d5f7182cdb40ca48a59baa56bc3868615d6131c26ea5177aa68f1d415c
Instruction Fuzzy Hash: ACF17F706083528BD724CF59C4A0A3AB7E1FF88718F14892EF4D6CB290E774E995DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04DD20A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04DD20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x4e98714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E04DD2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E04DD2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E04DA58EC(_t240);
									_t221 =  *0x4e95cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x4e95cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E04DE4A2C(0x4e96e40, 0x4de4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E04DC7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x4d85c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E04DDF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E04DDF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E04E27016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L04DC2400(_t267 + 0x20);
															}
															L04DC2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E04DD2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E04DC2280(_t134, 0x4e98608);
									__eflags =  *0x4e96e48 - _t253; // 0x429d60
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E04DBFFB0(_t198, _t241, 0x4e98608);
										__eflags = _t253;
										if(_t253 != 0) {
											L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x4e96e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x4e98608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E04DD6B90(_t210,  &_v64);
										_t262 =  *0x4e98608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E04DDE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E04DE97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E04DE006A(0x4e98608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x4e98608);
												E04DEB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x4e96904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x4e96e48; // 0x429d60
							_v72 = _t229;
							if(_t229 == 0) {
								L45:
								E04DBFFB0(_t198, _t240, 0x4e98608);
								_t253 = _v76;
								goto L29;
							}
							if( *((char*)(_t229 + 0x40)) != 0) {
								L13:
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E04DE00C2(0x4e98608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
							_t18 = _t229 + 0x38; // 0x8
							if( *_t18 !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								goto L45;
							}
							goto L13;
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x04dd20a0
0x04dd20a8
0x04dd20ad
0x04dd20b3
0x04dd20b8
0x04dd20c2
0x04dd20c7
0x04dd20cb
0x04dd20d2
0x04dd2263
0x04dd2266
0x04e15836
0x04e15836
0x00000000
0x04dd226c
0x04dd226c
0x04dd2270
0x04dd2274
0x04dd20e2
0x04dd20e2
0x04dd20e6
0x04dd20ee
0x04e157dc
0x04e157de
0x04e157ec
0x04e157ec
0x04e157f1
0x04e157f3
0x04e157f8
0x00000000
0x04e157f8
0x04e157e0
0x04e157e4
0x04e157ea
0x00000000
0x00000000
0x00000000
0x04e157ea
0x04dd20f4
0x04dd20f4
0x04dd20f8
0x04dd20f8
0x04dd20fc
0x04dd2100
0x04dd2106
0x04dd2201
0x04dd2206
0x04dd220b
0x04dd220e
0x04dd22a9
0x04dd22ac
0x00000000
0x00000000
0x04dd22b2
0x04dd22b5
0x04e15801
0x04e15806
0x00000000
0x00000000
0x04e15810
0x04e15815
0x04e15818
0x00000000
0x00000000
0x04e1581e
0x04dd22bb
0x04dd22bb
0x04dd2218
0x04dd2218
0x04dd221c
0x04dd2220
0x04dd2222
0x04dd22c2
0x04dd22c4
0x04dd22dc
0x04dd22dc
0x04dd22e1
0x00000000
0x00000000
0x00000000
0x04dd22e7
0x04dd22c8
0x04dd22cd
0x04dd22d3
0x04dd22d6
0x04e15823
0x04e15825
0x04e15827
0x00000000
0x00000000
0x04e1582d
0x00000000
0x04e1582d
0x00000000
0x04dd2228
0x04dd2228
0x00000000
0x04dd2228
0x04dd2222
0x04dd2214
0x04dd2214
0x00000000
0x04dd2114
0x04dd2114
0x04dd2114
0x04dd211a
0x04dd211c
0x04dd2348
0x04dd234d
0x04e15840
0x04e15845
0x04e15848
0x04e1584e
0x04e1584e
0x04e15848
0x04dd2353
0x04dd2355
0x04dd2388
0x04dd2388
0x04dd2368
0x04dd236a
0x04dd236c
0x04dd238f
0x00000000
0x04dd236e
0x04dd236e
0x04dd218e
0x04dd218e
0x04dd2191
0x04dd2195
0x04e15a03
0x04e15a06
0x04e15a0c
0x04e15a0f
0x04e15a11
0x04e15a13
0x04e15a13
0x04e15a19
0x04e15a1f
0x00000000
0x04dd219b
0x04dd219b
0x04dd21a0
0x04dd2282
0x04dd2284
0x04dd2284
0x04dd2284
0x04dd2284
0x04dd21a6
0x04dd21a9
0x04dd21ac
0x04dd21ae
0x04dd21b3
0x04dd228b
0x04dd2290
0x04dd2379
0x04dd2296
0x04dd2298
0x04dd2298
0x04dd2290
0x04dd21b9
0x04dd21be
0x04dd22a2
0x04dd22a2
0x04dd21c4
0x04dd21c8
0x04dd21cc
0x04dd21d0
0x04dd21d4
0x04dd21de
0x04dd21e3
0x04e15a29
0x04e15a2c
0x00000000
0x00000000
0x04e15a3b
0x00000000
0x04dd21e9
0x04dd21e9
0x04dd21e9
0x04dd21ee
0x04dd21f1
0x04e15a45
0x04e15a4b
0x04e15a52
0x04e15a58
0x04e15a5d
0x04e15a5f
0x04e15a71
0x04e15a61
0x04e15a6a
0x04e15a6a
0x04e15a76
0x04e15a79
0x04e15a7f
0x04e15a83
0x04e15a85
0x04e15a87
0x04e15a87
0x04e15a8c
0x04e15a91
0x04e15a97
0x04e15a9f
0x04e15aa0
0x04e15aa1
0x04e15aa6
0x04e15aab
0x04e15ab1
0x04e15ab3
0x04e15ab9
0x04e15aca
0x04e15ad4
0x04e15ad4
0x04e15ade
0x04e15ade
0x04e15aab
0x04e15a79
0x04e15a52
0x04dd21f7
0x04dd21f9
0x04dd21fe
0x04dd21fe
0x04dd21e3
0x04dd2195
0x04dd236c
0x04dd2122
0x04dd2122
0x04dd2124
0x04dd2231
0x04dd2236
0x04dd2236
0x04dd2238
0x04dd2238
0x04dd2240
0x04dd2242
0x04dd2244
0x04e159fc
0x04dd218c
0x04dd218c
0x00000000
0x04dd218c
0x04dd224a
0x04dd224f
0x04dd2256
0x04dd2304
0x04dd2309
0x04dd230f
0x04dd231e
0x04dd231e
0x04dd231e
0x04dd2320
0x04dd2325
0x04dd232a
0x04dd232c
0x04dd233e
0x04dd233e
0x00000000
0x04dd232c
0x04dd2311
0x04dd2317
0x04dd231a
0x04dd231c
0x04dd2380
0x04dd2380
0x04dd2380
0x04dd2384
0x00000000
0x00000000
0x04dd2386
0x00000000
0x04dd231c
0x04dd225c
0x04dd225c
0x00000000
0x04dd225c
0x04dd212a
0x04dd2134
0x04dd2138
0x04dd213d
0x04e15858
0x04e15863
0x04e15863
0x04e15867
0x04e1586a
0x00000000
0x00000000
0x04e1586c
0x04e1586c
0x04e15871
0x04e15875
0x04e15877
0x04e15997
0x04e1599c
0x04e159a1
0x04e159a7
0x04e159a7
0x00000000
0x04e159a7
0x04e1587d
0x00000000
0x04e1588b
0x04e1588b
0x04e15890
0x04e15892
0x04e15894
0x04e15899
0x04e1589b
0x04e158a0
0x04e158a0
0x04e158aa
0x04e158b2
0x04e158b6
0x04e158be
0x04e158c6
0x04e158c9
0x04e1590d
0x04e15917
0x04e1591a
0x04e1591c
0x04e15920
0x04e15928
0x04e1592a
0x04e1592c
0x04e1592e
0x04e1592e
0x04e158cb
0x04e158cd
0x04e158d8
0x04e158e0
0x04e158f4
0x04e158fe
0x04e158fe
0x04e1593a
0x04e1593e
0x04e15940
0x04e15942
0x00000000
0x04e15944
0x04e15944
0x04e15949
0x04e1594e
0x04e1594e
0x04e15953
0x04e1595b
0x04e15976
0x04e15976
0x04e1597a
0x04e1597f
0x00000000
0x00000000
0x00000000
0x00000000
0x04e15981
0x04e15981
0x04e15981
0x04e15983
0x04e15988
0x04e1598d
0x04e15991
0x04e15991
0x00000000
0x04e1595d
0x04e1595d
0x04e15963
0x04e15965
0x00000000
0x00000000
0x00000000
0x00000000
0x04e15967
0x04e15967
0x04e1596b
0x04e1596d
0x00000000
0x00000000
0x04e1596f
0x04e15971
0x04e15971
0x04e15974
0x00000000
0x00000000
0x00000000
0x04e15974
0x00000000
0x04e15967
0x04e1595b
0x04e15942
0x04e15863
0x04dd2143
0x04dd2143
0x04dd2149
0x04dd214f
0x04dd22ec
0x04dd22f1
0x04dd22f6
0x00000000
0x04dd22f6
0x04dd2159
0x04dd2173
0x04dd2173
0x04dd217d
0x04dd2181
0x04dd2186
0x04e159ae
0x04e159b2
0x04e159b5
0x04e159b7
0x04e159ba
0x04e159cd
0x04e159d1
0x04e159d5
0x04e159d9
0x04e159db
0x00000000
0x00000000
0x04e159dd
0x04e159dd
0x04e159e1
0x04e159e4
0x04e159e7
0x04e159ee
0x04e159ee
0x04e159f3
0x04e159f3
0x00000000
0x04dd2186
0x04dd2164
0x04dd216d
0x00000000
0x00000000
0x00000000
0x04dd216d
0x04dd2106
0x04dd2266
0x04dd20d8
0x04dd20da
0x04dd20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5502defd627c4953a84dec325e755fb8bd67fab5d9a62806720c9d55e0a46cc2
Instruction ID: f5c9d19229543464eeaeeb9075183df0a81b7f3931afc8c7a4f1eb368f43a011
Opcode Fuzzy Hash: 5502defd627c4953a84dec325e755fb8bd67fab5d9a62806720c9d55e0a46cc2
Instruction Fuzzy Hash: F8F1D571748341AFDB25CF69C84076A7BE1BFC5328F04999EE8959B290E734F841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04DB849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04DB849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x4e7f9c0);
				E04DFD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x4e97b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E04DBCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E04DC2280( *[fs:0x30], 0x4e98550);
						_t139 =  *0x4e97b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E04DDF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E04DBFFB0(_t193, _t235, 0x4e98550);
								L5:
								return E04DFD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E04DA1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x4e97b9c; // 0x0
							_t235 = L04DC4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x4e97b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_t193 = E04DDA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags, _t237 - 0x58, _t237 - 0x39, _t237 - 0x74);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E04DBFFB0(_t193, _t235, 0x4e98550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L04DC77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L04DC77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x4e97b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x4e97b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E04DE37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x4e97b9c; // 0x0
									_t214 = L04DC4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E04DE37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x4e97b10 =  *0x4e97b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x4e97b04 =  *0x4e97b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L04DC77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L04DC77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x4e97b08 =  *0x4e97b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E04DE57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E04DEF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L04DC77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E04DDA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L04DC77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E04DE96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x04db849b
0x04db849b
0x04db849b
0x04db849b
0x04db849d
0x04db84a2
0x04db84a7
0x04db84b1
0x04db84d8
0x00000000
0x04db84b3
0x04db84c4
0x04db84c9
0x04db84cd
0x04db84cf
0x04db84cf
0x04db84d6
0x04db84e6
0x04db84e9
0x04db84ec
0x04db84ef
0x04db84f2
0x04db84f4
0x04db84fc
0x04db8501
0x04db8506
0x04db8509
0x04db86e0
0x04db86e5
0x04db86e8
0x04db86ed
0x04db86f0
0x04db86f2
0x04e09afd
0x04e09b02
0x04db84da
0x04db84df
0x04db84df
0x04db86fa
0x04db86fd
0x04db86fe
0x04db8701
0x04db8706
0x04db8709
0x04db870b
0x00000000
0x00000000
0x04db8711
0x04db8725
0x04db8727
0x04db872a
0x04db872c
0x04e09af0
0x04e09af5
0x04db8732
0x04db8732
0x04db8732
0x04db8735
0x04db8737
0x04db8515
0x04db8515
0x04db8518
0x04db851d
0x04db8537
0x04db8539
0x04db853c
0x04db853e
0x04db868c
0x04db8691
0x04db8699
0x04db869b
0x04db8744
0x04db8748
0x04db86a1
0x04db86a1
0x04db86a1
0x04db86a4
0x04db86a8
0x04e09bdf
0x04e09bdf
0x04db86ae
0x04db86b0
0x00000000
0x04db86b6
0x00000000
0x04e09be9
0x04db86b0
0x04db8544
0x04db854a
0x04db854d
0x04db8551
0x04db876e
0x04db8778
0x04db877b
0x04db8780
0x04db8557
0x04db8557
0x04db855d
0x04db855d
0x04db856b
0x04db856e
0x04db8570
0x04db8573
0x04db8576
0x04db8576
0x04db8579
0x04db857b
0x00000000
0x00000000
0x04db8581
0x04db85a0
0x04db85a2
0x04db85a5
0x04db85a7
0x04e09b1b
0x04e09b1b
0x04db862e
0x04db862e
0x04db8631
0x04db8631
0x04db8634
0x04db8636
0x04db8669
0x04db8669
0x04db866b
0x04e09bbf
0x04e09bc4
0x04e09bc8
0x04e09bce
0x04e09bce
0x04db8671
0x04db8671
0x04db8674
0x04db8676
0x04e09bae
0x04e09bae
0x04db8676
0x04db867c
0x04db867e
0x04db8688
0x04db8688
0x00000000
0x04db867e
0x04db8638
0x04db8638
0x04db863b
0x04db863e
0x04db863f
0x04db8642
0x04db8645
0x04db8648
0x04db864d
0x04e09b69
0x04e09b6e
0x04e09b7b
0x04e09b81
0x04e09b85
0x04e09b89
0x04e09ba7
0x04e09b8b
0x04e09b91
0x04e09b9a
0x04e09b9f
0x04e09b9f
0x04db8788
0x04db878d
0x04db8763
0x04db8763
0x04db8766
0x00000000
0x04db8766
0x04e09b70
0x00000000
0x04e09b70
0x04db8656
0x04db865a
0x04db865c
0x04db8752
0x04db8756
0x00000000
0x00000000
0x04db875e
0x00000000
0x04db875e
0x04db8662
0x04db8662
0x04db8662
0x04db8666
0x00000000
0x04db8666
0x04db85b7
0x04db85b9
0x04db85bc
0x04db85bf
0x04db85cc
0x04db85d1
0x04db85d4
0x04db85db
0x04db85de
0x04db85e0
0x04e09b5f
0x00000000
0x04e09b5f
0x04db85e6
0x04db85ea
0x04db86c3
0x04db86c5
0x04db86c8
0x04db86ca
0x04e09b16
0x00000000
0x04e09b16
0x04db86d6
0x04db85f6
0x04db85f6
0x04db85f9
0x04db8602
0x04db8606
0x04db860a
0x04db860b
0x04db860e
0x04db8611
0x00000000
0x04db8611
0x04db85f3
0x00000000
0x04db85f3
0x04db8619
0x04db861e
0x04db861e
0x04db8621
0x04db8622
0x04db8623
0x04db8625
0x04db862c
0x00000000
0x04db873d
0x00000000
0x04db873d
0x04db8737
0x04db850f
0x04db8512
0x00000000
0x04db8512
0x00000000
0x04db84d6

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1195a7f661da33fb08f277a2de9b0ad08bbe606edc41caf1ea3ba259f9bf805
Instruction ID: 4da785e23525517465a19083ef766f144e86fa4d6acee947dc6981e2fa2e8c0f
Opcode Fuzzy Hash: b1195a7f661da33fb08f277a2de9b0ad08bbe606edc41caf1ea3ba259f9bf805
Instruction Fuzzy Hash: 3FB109B0E00209DFDB15EF99C984AEDBBB9FF44308F10851AE456AB285E770AD45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DD513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04DD513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x4e9d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E04DED0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E04DC2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L04DC4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E04DEF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E04DBFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x4e9b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E04DEB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x04dd5142
0x04dd514c
0x04dd5150
0x04dd5157
0x04dd5159
0x04dd515e
0x04dd5165
0x04dd5169
0x04dd516c
0x04dd5172
0x04dd5176
0x04dd517a
0x04dd517a
0x04dd517a
0x04dd517f
0x04e16d8b
0x04e16d8e
0x04e16d91
0x04e16d95
0x04e16d98
0x04e16d9c
0x04e16da0
0x04e16da3
0x04e16da7
0x04e16e26
0x04e16e26
0x04e16e2a
0x04dd51f9
0x04dd51f9
0x04dd51fe
0x04e16e33
0x04e16e33
0x04e16e39
0x04e16e3d
0x04e16e46
0x04e16e50
0x00000000
0x00000000
0x04e16e52
0x04e16e53
0x04e16e56
0x04e16e5d
0x00000000
0x00000000
0x00000000
0x04e16e5f
0x04e16e67
0x04e16e77
0x04e16e7f
0x04e16e80
0x04e16e88
0x04e16e90
0x04e16e9f
0x04e16ea5
0x04e16ea9
0x04e16eb1
0x04e16ebf
0x00000000
0x00000000
0x04e16ecf
0x04e16ed3
0x00000000
0x00000000
0x04e16edb
0x04e16ede
0x04e16ee1
0x04e16ee8
0x04e16eeb
0x04e16eed
0x04e16ef0
0x04e16ef4
0x04e16ef8
0x04e16efc
0x00000000
0x00000000
0x04e16f0d
0x04e16f11
0x04e16f32
0x04e16f37
0x04e16f3b
0x04e16f3e
0x04e16f41
0x04e16f46
0x00000000
0x00000000
0x04e16f4c
0x04e16f50
0x04e16f50
0x04e16f54
0x04e16f62
0x04e16f65
0x04e16f6d
0x04e16f7b
0x04e16f7b
0x04e16f93
0x04e16f98
0x04e16fa0
0x04e16fa6
0x04e16fb3
0x04e16fb6
0x04e16fbf
0x04e16fc1
0x04e16fd5
0x04e16fda
0x04e16fda
0x04e16fdd
0x04e16fe2
0x04e16fe7
0x04e16feb
0x04e16fef
0x04e16ff3
0x04dd520c
0x04dd520c
0x04dd520f
0x04dd5215
0x04dd5234
0x04dd523a
0x04dd523a
0x04dd5244
0x04dd5245
0x04dd5246
0x04dd5251
0x04dd5251
0x04e16f13
0x04e16f17
0x04e16f17
0x04e16f18
0x04e16f1b
0x04e16f1f
0x04e16f23
0x00000000
0x04e16f28
0x04dd5204
0x04dd5204
0x04dd5208
0x00000000
0x04dd5208
0x04dd5185
0x04dd5188
0x04dd518a
0x04dd518e
0x04dd5195
0x04e16db1
0x04e16db5
0x04e16db9
0x04dd519b
0x04dd519b
0x04dd519e
0x04dd51a7
0x04dd51a9
0x04dd51a9
0x04dd51b5
0x04dd51b8
0x04dd51bb
0x04dd51be
0x04dd51c1
0x04dd51c5
0x04dd51c9
0x04dd51cd
0x04dd51cd
0x04dd51d8
0x04dd51dc
0x04dd51e0
0x04e16dcc
0x04e16dd0
0x04e16dd5
0x04e16ddd
0x04e16de1
0x04e16de1
0x04e16de5
0x04e16deb
0x04e16df1
0x04e16df7
0x04e16dfd
0x04e16e01
0x04e16e05
0x04e16e09
0x04e16e0d
0x04e16e11
0x04e16e11
0x04dd51eb
0x04e16e1a
0x04e16e1f
0x04e16e21
0x04e16e23
0x00000000
0x04dd51f1
0x04dd51f1
0x00000000
0x04dd51f1

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a069f0275545ed8962e6a0a8e37742e364b407d5fa43b07a6c402dd8912374fb
Instruction ID: 9786f1412bfda8a0ef8fec67b0097bcfacefe3554ac145e7f6073fb2ae9e990a
Opcode Fuzzy Hash: a069f0275545ed8962e6a0a8e37742e364b407d5fa43b07a6c402dd8912374fb
Instruction Fuzzy Hash: 25C111756083819FD354CF28C590A6AFBF1BF88308F144A6EF8998B362D771E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04DD03E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04DD03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x4e9d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E04DD0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E04DEB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E04DBB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x4e97c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E04DC7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E04DC7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E04E27016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E04DE9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E04E269A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x4e97c04 != 0) {
						_t118 = _v12;
						_t120 = E04E2A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x4e97bd8;
						if( *0x4e97bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E04DE95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E04DE99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E04E23540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E04DAB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E04DEAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x4e98474 - 3;
										if( *0x4e98474 != 3) {
											 *0x4e979dc =  *0x4e979dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E04DC7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E04DC7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E04E27016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x4e98708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x4e97b00; // 0x0
							asm("ror esi, cl");
							 *0x4e9b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E04DE95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E04DB7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x04dd03f1
0x04dd03f7
0x04dd03f9
0x04dd03fb
0x04dd03fd
0x04dd0400
0x04dd040a
0x04e14c7a
0x04dd0537
0x04dd0547
0x04dd0410
0x04dd0410
0x04dd0414
0x04dd0417
0x04dd041a
0x04dd0421
0x04dd0424
0x04dd042b
0x04dd043b
0x04dd043e
0x04dd043f
0x04dd043f
0x04dd0446
0x04dd0449
0x04dd044c
0x04dd044f
0x04dd0459
0x04e14c8d
0x04dd045f
0x04dd045f
0x04dd045f
0x04dd0467
0x04e14c97
0x04e14c9d
0x04e14ca4
0x04e14caa
0x04e14caf
0x04e14cb1
0x04e14cc3
0x04e14cb3
0x04e14cbc
0x04e14cbc
0x04e14cc8
0x04e14ccb
0x04e14cd7
0x04e14cda
0x04e14cdf
0x04e14cdf
0x04e14ccb
0x04e14ca4
0x04dd046d
0x04dd046f
0x04dd046f
0x04dd0471
0x04dd0476
0x04dd047a
0x04dd047b
0x04dd0483
0x04dd0489
0x04dd048d
0x00000000
0x00000000
0x04e14ce9
0x04e14cef
0x04e14d22
0x04e14d22
0x00000000
0x04e14d22
0x04e14cf1
0x04e14cf7
0x00000000
0x00000000
0x04e14cf9
0x04e14cff
0x00000000
0x00000000
0x04e14d05
0x04e14d07
0x00000000
0x00000000
0x04e14d0d
0x04e14d0f
0x04e14d14
0x04e14d16
0x00000000
0x00000000
0x04e14d1c
0x04e14d1c
0x04dd0499
0x04dd0535
0x04dd0535
0x00000000
0x04dd0535
0x04dd04a6
0x04e14d2c
0x04e14d37
0x04e14d39
0x04e14d3b
0x00000000
0x00000000
0x04e14d41
0x04e14d48
0x04dd0527
0x04dd052b
0x04dd052d
0x04dd0530
0x04dd0530
0x00000000
0x04dd052b
0x04e14d4e
0x04dd04ac
0x04dd04ac
0x04dd04af
0x04dd04b2
0x04dd04b7
0x04dd04b9
0x04dd04bb
0x04dd04bd
0x04dd04bf
0x04dd04c5
0x04dd04c9
0x04e14d53
0x04e14d59
0x04e14db9
0x04e14dba
0x04e14dbf
0x04e14dc2
0x04e14dc4
0x04e14dc7
0x04e14dce
0x00000000
0x04e14dce
0x04e14d5b
0x04e14d61
0x00000000
0x00000000
0x04e14d63
0x04e14d69
0x00000000
0x00000000
0x04e14d6b
0x04e14d6e
0x04e14d74
0x04e14d76
0x04e14d7c
0x04e14d7e
0x04e14d84
0x04e14d89
0x04e14d8c
0x04e14d8d
0x04e14d92
0x04e14d95
0x04e14d96
0x04e14d98
0x04e14d9a
0x04e14d9f
0x04e14da4
0x04e14da6
0x04e14da8
0x04e14daf
0x04e14db1
0x04e14db1
0x04e14daf
0x04e14da6
0x04e14d84
0x04e14d7c
0x00000000
0x04e14d74
0x04dd04d6
0x04e14de1
0x04dd04dc
0x04dd04dc
0x04dd04dc
0x04dd04e4
0x04e14deb
0x04e14df1
0x04e14df8
0x04e14dfe
0x04e14e03
0x04e14e05
0x04e14e17
0x04e14e07
0x04e14e10
0x04e14e10
0x04e14e1c
0x04e14e1f
0x04e14e35
0x04e14e35
0x04e14e1f
0x04e14df8
0x04dd04f1
0x04dd04fa
0x04e14e3f
0x04e14e47
0x04e14e5b
0x04e14e61
0x04e14e67
0x04e14e69
0x04e14e71
0x04e14e73
0x04dd0500
0x04dd0500
0x04dd0500
0x04dd04fa
0x04dd0508
0x04dd051d
0x04dd051d
0x04dd051f
0x04dd0524
0x00000000
0x04dd0524
0x04dd0515
0x04dd0517
0x04e14e7a
0x04e14e7c
0x00000000
0x00000000
0x04e14e85
0x00000000
0x04e14e85
0x00000000
0x04dd0517

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb232490d27e155368ce540aa6e7b68a7d265248ceac5599a16668e6e045f7e
Instruction ID: 2b29234e0c4f637fdeef005193b8f346b46a19bc5fd9009112b226698db1f6a0
Opcode Fuzzy Hash: abb232490d27e155368ce540aa6e7b68a7d265248ceac5599a16668e6e045f7e
Instruction Fuzzy Hash: 16912671F40255AFEF229B68C848FAD7BA4EB4172CF050265E951AB2E1EB74BD00C791

Uniqueness

Uniqueness Score: -1.00%

Function 04DAC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04DAC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x4e9d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E04DB6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E04DEB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x4e97b9c; // 0x0
					_t74 = L04DC4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E04DE9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L04DC77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E04DEF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E04DE13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L04DC77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E04DE9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x04dac608
0x04dac615
0x04dac625
0x04dac62d
0x04dac635
0x04dac640
0x04dac680
0x04dac687
0x04dac688
0x04dac689
0x04dac694
0x04dac694
0x04dac642
0x04dac64a
0x04dac697
0x04e17a25
0x04e17a2b
0x04e17a2e
0x04e17a30
0x04e17bea
0x04e17bea
0x00000000
0x04e17bea
0x04e17a36
0x04e17a43
0x04e17a48
0x04e17a4c
0x04e17a4e
0x00000000
0x00000000
0x04e17a58
0x04e17a5a
0x04e17a5b
0x04e17a5c
0x04e17a5d
0x04e17a63
0x04e17a64
0x04e17a6a
0x04e17a6c
0x04e17a6e
0x04e179cb
0x04e179cb
0x04e179ce
0x04e179d0
0x04e17a98
0x04e17a9b
0x04e17a9b
0x04e17a9e
0x04e17aa1
0x04e17bbe
0x04e17bbe
0x04e17bc0
0x04e17be0
0x04e17be0
0x04e17a01
0x04e17a01
0x04e17a05
0x04e17a07
0x04e17a15
0x04e17a15
0x04e17a1a
0x00000000
0x04e17a1a
0x04e17bc2
0x04e17bc6
0x04e17bc9
0x04e17bcd
0x04e17bcf
0x04e179e6
0x04e179e6
0x04e179eb
0x04e179eb
0x04e179ef
0x04e179f1
0x00000000
0x00000000
0x04e179f3
0x04e179f5
0x04e179ff
0x04e179ff
0x00000000
0x04e179ff
0x04e179f7
0x04e179fd
0x00000000
0x00000000
0x00000000
0x04e179fd
0x04e17bd5
0x04e17bd8
0x00000000
0x00000000
0x04e17ba9
0x04e17bac
0x04e17bb0
0x04e17bb1
0x04e17bb1
0x04e17bb6
0x00000000
0x04e17bb6
0x04e17aa7
0x04e17aaa
0x00000000
0x00000000
0x04e17ab2
0x04e17ab3
0x04e17ab5
0x04e17aec
0x04e17aef
0x04e17b25
0x04e17b28
0x04e17b62
0x04e17b64
0x04e17b8f
0x04e17b92
0x04e17b96
0x04e17b98
0x00000000
0x00000000
0x04e17b9e
0x04e17b9f
0x04e17ba3
0x00000000
0x04e17ba3
0x04e17b66
0x04e17b68
0x04e17ae2
0x04e17ae2
0x00000000
0x04e17ae2
0x04e17b6e
0x04e17b72
0x04e17b75
0x04e17b81
0x04e17b85
0x04e17b87
0x00000000
0x00000000
0x04e17b31
0x04e17b34
0x04e17b3c
0x04e17b45
0x04e17b46
0x04e17b4f
0x04e17b51
0x04e17b57
0x04e17b59
0x04e17b59
0x00000000
0x04e17b59
0x04e17b77
0x00000000
0x04e17b77
0x04e17b2a
0x00000000
0x04e17b2a
0x04e17af1
0x04e17af3
0x00000000
0x00000000
0x04e17afb
0x04e17afc
0x04e17afe
0x00000000
0x00000000
0x04e17b00
0x04e17b03
0x00000000
0x00000000
0x04e17b05
0x04e17b09
0x04e17b0d
0x04e17b0f
0x00000000
0x00000000
0x04e17b18
0x04e17b1d
0x00000000
0x04e17b1d
0x04e17ab7
0x04e17ab9
0x00000000
0x00000000
0x04e17abf
0x04e17ac1
0x00000000
0x00000000
0x04e17ac3
0x04e17ac6
0x00000000
0x00000000
0x04e17ac8
0x04e17acc
0x04e17ad0
0x04e17ad2
0x00000000
0x00000000
0x04e17adb
0x00000000
0x04e17adb
0x04e179d6
0x04e179d9
0x04e179dc
0x04e17a91
0x04e17a94
0x00000000
0x04e17a94
0x04e179e2
0x00000000
0x04e179e2
0x04e17a74
0x04e17a7a
0x00000000
0x00000000
0x04e17a8a
0x04e17a21
0x04e17a21
0x00000000
0x04e17a21
0x04dac650
0x04dac651
0x04dac656
0x04dac65c
0x04dac65d
0x04dac663
0x04dac664
0x04dac66a
0x04dac66e
0x04e179c5
0x04e179c7
0x00000000
0x04e179c7
0x04dac67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b0997b0d4bfefe45a38f8fc964a8e5cb4aa96bd5d806fc086da3a75a44bae7f
Instruction ID: 87004fa7862df12685ebf13f031f3f62a4a4eb0a83f273c66c1d19e97e7b1443
Opcode Fuzzy Hash: 8b0997b0d4bfefe45a38f8fc964a8e5cb4aa96bd5d806fc086da3a75a44bae7f
Instruction Fuzzy Hash: 6481A2757842019FDB25CE14C880E7A73E5FB84B98F19985EED859B260E730FD44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04E26DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04E26DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E04E26B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E04DC7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E04DE9AE0();
					_t87 = L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E04E2795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E04E2795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E04E2795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E04E2795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L04DC4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E04E26B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E04E26B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E04E26B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E04E26B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E04DC7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E04DE9AE0();
								L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L04DC2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L04DC2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L04DC2400( &_v52);
							}
							if(_v28 >= 0) {
								return L04DC2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x04e26dd4
0x04e26dde
0x04e26de1
0x04e26de3
0x04e26de6
0x04e26de9
0x04e26dec
0x04e26def
0x04e26df2
0x04e26df5
0x04e26dfe
0x04e26e04
0x04e26e09
0x04e26e0d
0x04e26e18
0x04e26e1b
0x04e26e22
0x04e26e2d
0x04e26e30
0x04e26e36
0x04e26e42
0x04e26e4d
0x04e26e50
0x04e26e55
0x04e26e5c
0x04e26e6e
0x04e26e5e
0x04e26e67
0x04e26e67
0x04e26e73
0x04e26e74
0x04e26e77
0x04e26e7c
0x04e26e7d
0x04e26e8e
0x04e26e93
0x04e26e9c
0x04e26ea8
0x04e26eab
0x04e26eac
0x04e26eb3
0x04e26ecd
0x04e26edc
0x04e26ee2
0x04e26ee5
0x04e26ef2
0x04e26efb
0x04e26f01
0x04e26f06
0x04e26f0b
0x04e26f11
0x04e26f1a
0x04e26f22
0x04e26f26
0x04e26f26
0x04e26f33
0x04e26f41
0x04e26f44
0x04e26f47
0x04e26f54
0x04e26f65
0x04e26f77
0x04e26f7c
0x04e26f82
0x04e26f91
0x04e26f99
0x04e26fa3
0x04e26fae
0x04e26fae
0x04e26fba
0x04e26fbb
0x04e26fbc
0x04e26fc1
0x04e26fc2
0x04e26fd3
0x04e26fd8
0x04e26fd8
0x04e26fdf
0x04e26fe8
0x04e26fee
0x04e26fee
0x04e26ff5
0x04e26ffb
0x04e26ffb
0x04e27004
0x00000000
0x04e2700a
0x04e27004
0x04e26eb3
0x04e26e9c
0x04e27015

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 2d0b0e2b01ad01be99f283be1de60a52420bb6f267c184ff4301ae27bd827a63
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 70715B71E00219EFDB11DFA9CA84EEEBBB9FF48714F104169E505A7250DB34BA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E3B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E04E3B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x4e97b9c; // 0x0
				_t124 = L04DC4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E04DE9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E04DE95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E04DE95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L04DC77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E04DE9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E04DE95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x4e97b9c; // 0x0
									_t92 = L04DC4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E04DE9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E04DAA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E04E3E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E04E3E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E04DE95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x04e3b8d9
0x04e3b8e4
0x00000000
0x04e3b8e6
0x04e3b8f3
0x04e3b8f5
0x04e3b8f5
0x04e3b8f8
0x04e3b920
0x04e3b924
0x04e3b936
0x04e3b939
0x04e3b93d
0x04e3b948
0x04e3b9a0
0x04e3b9a0
0x04e3b9a4
0x04e3b9bf
0x04e3b9c4
0x04e3b9c6
0x04e3b9cd
0x04e3b9d1
0x04e3bad4
0x04e3bad8
0x04e3bada
0x04e3badc
0x04e3badc
0x04e3badf
0x04e3bae0
0x04e3bae2
0x04e3bae4
0x04e3baec
0x04e3baee
0x04e3baf0
0x04e3baf0
0x04e3baec
0x04e3bafb
0x04e3bafc
0x04e3bafe
0x04e3bb01
0x04e3bb01
0x00000000
0x04e3bb06
0x04e3b9d7
0x04e3b9db
0x04e3b9db
0x04e3b9de
0x04e3b9de
0x04e3b9e4
0x04e3b9e7
0x04e3b9ea
0x04e3b9ec
0x04e3b9ef
0x04e3b9f3
0x04e3ba1b
0x04e3ba1b
0x04e3ba23
0x04e3ba24
0x04e3ba27
0x04e3ba2a
0x04e3ba2b
0x04e3ba2e
0x04e3ba30
0x04e3ba37
0x04e3ba3f
0x04e3ba9c
0x04e3baa2
0x04e3bb13
0x04e3bb15
0x04e3baae
0x04e3baae
0x04e3bab3
0x04e3bab5
0x04e3baba
0x04e3bac8
0x04e3bac8
0x04e3baba
0x04e3bacd
0x04e3bacf
0x00000000
0x04e3bacf
0x04e3bb1a
0x00000000
0x04e3bb1c
0x04e3baa7
0x04e3bb11
0x00000000
0x04e3bb11
0x04e3baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x04e3ba41
0x04e3ba41
0x04e3ba41
0x04e3ba58
0x04e3ba5d
0x04e3ba62
0x00000000
0x00000000
0x04e3ba64
0x04e3ba67
0x04e3ba68
0x04e3ba69
0x04e3ba6c
0x04e3ba6f
0x04e3ba71
0x04e3ba78
0x04e3ba80
0x00000000
0x00000000
0x04e3ba90
0x04e3ba90
0x04e3ba97
0x00000000
0x04e3ba97
0x04e3b9f5
0x04e3b9f7
0x04e3b9f7
0x04e3b9fa
0x04e3ba03
0x04e3ba07
0x04e3ba0c
0x04e3ba10
0x04e3ba17
0x00000000
0x04e3b9f7
0x04e3b9a6
0x04e3b9a8
0x04e3b9af
0x04e3b9b3
0x00000000
0x00000000
0x04e3b9b9
0x00000000
0x04e3b9b9
0x04e3b94d
0x04e3b98f
0x04e3b995
0x04e3b999
0x04e3b960
0x04e3b967
0x04e3b968
0x04e3b96a
0x00000000
0x04e3b96a
0x04e3b99b
0x04e3b99e
0x00000000
0x00000000
0x00000000
0x04e3b99e
0x04e3b951
0x04e3b954
0x04e3b95a
0x04e3b95e
0x04e3b972
0x04e3b979
0x04e3b97d
0x04e3b97f
0x04e3b980
0x04e3b982
0x04e3b984
0x00000000
0x04e3b984
0x00000000
0x04e3b926
0x00000000
0x04e3b926

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac955e68c50d4cc2833d172aab2f3051654c4a34567cdd61684230a7db2a69d
Instruction ID: 0b6fa6732468b5298c0827d271c30055976d05881ec12ad4bf8d015bc61cbd18
Opcode Fuzzy Hash: dac955e68c50d4cc2833d172aab2f3051654c4a34567cdd61684230a7db2a69d
Instruction Fuzzy Hash: 90712272200B01AFE732DF15CC48F66B7E5EF4472AF114528E6968B2A2EB70F940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04DA52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04DA52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E04DBEEF0(0x4e979a0);
					_t104 =  *0x4e98210; // 0x422bb0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x28000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E04DBEB70(_t93, 0x4e979a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E04DE9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E04DBEEF0(0x4e979a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E04DBEB70(0, 0x4e979a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0x422bc802
								_t13 = _t104 + 0xc; // 0x422bbd
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E04DDF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E04DBEEF0(0x4e979a0);
									__eflags =  *0x4e98210 - _t104; // 0x422bb0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x4e98210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000422b
											_t95 =  *((intOrPtr*)( *_t37));
											E04E24888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E04DBEB70(_t95, 0x4e979a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E04DE95D0();
											L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E04DE95D0();
											L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E04DBEB70(_t93, 0x4e979a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E04DE95D0();
										L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E04DE95D0();
										L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000422b
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0x422bc802
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E04DDF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x04da52a5
0x04da52ad
0x04da52b0
0x04da52b3
0x04da52b7
0x04da52ba
0x04da52bf
0x04da52c4
0x04da52cc
0x00000000
0x00000000
0x04da52ce
0x04da52d1
0x04da52d9
0x04da52dd
0x04da52e7
0x04da52f7
0x04da52f9
0x04da52fd
0x04e00dcf
0x04e00dd5
0x04e00dd6
0x04e00dd7
0x04e00dd8
0x04e00dd9
0x04e00dde
0x04e00ddf
0x04e00de0
0x04e00de1
0x04e00de2
0x04e00de2
0x04e00de5
0x04e00dea
0x04e00dec
0x04e00f60
0x04e00f64
0x04e00f70
0x04e00f76
0x04e00f79
0x04e00f79
0x00000000
0x04e00f64
0x04e00df2
0x04e00df7
0x04e00e04
0x04e00e04
0x04e00e0d
0x04e00e0d
0x04e00e10
0x04e00e1a
0x04e00e1c
0x04e00e4c
0x04e00e52
0x04e00e61
0x04e00e67
0x04e00e6b
0x04e00e70
0x04e00e76
0x04e00ed7
0x04e00edc
0x04e00ee0
0x04e00ee6
0x04e00eea
0x04e00eed
0x04e00ef0
0x04e00ef3
0x04e00ef6
0x04e00ef9
0x04e00efb
0x04e00efe
0x04e00f01
0x04e00f01
0x04e00f0b
0x04e00f12
0x04e00f16
0x04e00f18
0x04e00f18
0x04e00f1b
0x04e00f2c
0x04e00f31
0x04e00f31
0x04e00f35
0x04e00f39
0x04e00f3a
0x04e00f3c
0x04e00f3c
0x04e00f3f
0x04e00f50
0x04e00f55
0x04e00f55
0x04e00f59
0x04da52eb
0x04da52f1
0x04da52f1
0x04e00e7d
0x04e00e84
0x04e00e88
0x04e00e8a
0x04e00e8a
0x04e00e8d
0x04e00e9e
0x04e00ea3
0x04e00ea3
0x04e00ea7
0x04e00eaf
0x04e00eb3
0x04e00eb9
0x04e00eb9
0x04e00ebc
0x04e00ecd
0x04e00ecd
0x00000000
0x04e00eb3
0x04e00e1e
0x04e00e21
0x04e00e25
0x04e00e2b
0x04e00e2f
0x04e00e30
0x04e00e3a
0x04e00e3f
0x04e00e41
0x00000000
0x00000000
0x04e00e47
0x00000000
0x04e00e47
0x04e00df9
0x04e00dfe
0x00000000
0x00000000
0x00000000
0x04e00dfe
0x04da5303
0x04da5307
0x00000000
0x04da5309
0x00000000
0x04da5309
0x04da5307
0x04da52e9
0x04da52e9
0x00000000
0x04da52e9
0x04da530e
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086bbb495138ed65c2e2359e9993c40a68c2db47d3e0645be2efc54b2658f942
Instruction ID: aa4a8a3b125e555277397da2565038ea91cfa2107ac341646b5e8b7057429fcb
Opcode Fuzzy Hash: 086bbb495138ed65c2e2359e9993c40a68c2db47d3e0645be2efc54b2658f942
Instruction Fuzzy Hash: 9551BBB0245342EBEB21EF64D844B67BBE4FF44718F10491EE49A87690E770F854CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DD2AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DD2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x4e98204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x4e98208; // 0x4e98207
				_t8 = _t57 + 0x4e98208; // 0x4e98207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x4e98450; // 0x4210f2
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x4e9821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x4e96d5c; // 0xffa10654
							_t72 =  *0x4e96d5c; // 0xffa10654
							_t75 =  *0x4e96d5c; // 0xffa10654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x4e96d5c; // 0xffa10654
							_t84 =  *0x4e96d5c; // 0xffa10654
							_t87 =  *0x4e96d5c; // 0xffa10654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E04DEF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x04dd2ae4
0x04dd2aec
0x04dd2aef
0x04dd2af4
0x04dd2af7
0x04dd2afd
0x04dd2b92
0x04dd2b92
0x04dd2b97
0x04dd2b9c
0x04dd2b9c
0x04dd2b03
0x04dd2b06
0x04dd2b09
0x04dd2b09
0x04dd2b0f
0x04dd2b15
0x04dd2b15
0x04dd2b1b
0x04dd2b1e
0x04dd2b21
0x04dd2b26
0x04dd2b29
0x04dd2b81
0x04dd2b84
0x04dd2c0e
0x04dd2c15
0x04dd2c24
0x04dd2c24
0x04dd2b8a
0x04dd2b8a
0x04dd2b8a
0x04dd2b8a
0x04dd2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x04dd2b4a
0x04dd2b4a
0x04dd2b4d
0x04dd2b53
0x00000000
0x00000000
0x04dd2b55
0x04dd2b58
0x04dd2bb7
0x04e15d1b
0x04e15d37
0x04e15d47
0x04e15d53
0x04dd2bbd
0x04dd2bbd
0x04dd2bbd
0x04dd2bb7
0x04dd2b5d
0x04dd2c2f
0x04e15d5b
0x04e15d77
0x04e15d87
0x04e15d93
0x04dd2c35
0x04dd2c35
0x04dd2c35
0x04dd2c2f
0x04dd2b65
0x04dd2b9f
0x04dd2ba2
0x04dd2b67
0x04dd2b67
0x04dd2b69
0x04dd2b6b
0x04dd2b6e
0x04dd2bc9
0x04dd2bcc
0x04dd2bcf
0x04dd2bd4
0x04dd2bd6
0x04dd2bd6
0x04dd2bdb
0x04dd2c02
0x04dd2c05
0x04dd2c07
0x00000000
0x04dd2c07
0x04dd2be0
0x04dd2c00
0x04dd2c3f
0x04dd2c3f
0x00000000
0x04dd2c00
0x04dd2be5
0x04dd2be7
0x04dd2bec
0x04dd2bf4
0x04dd2bf6
0x00000000
0x04dd2bf6
0x04dd2b70
0x04dd2b76
0x04dd2b2b
0x04dd2b2b
0x04dd2b2d
0x04dd2b2f
0x04dd2b32
0x04dd2b35
0x04dd2b3a
0x00000000
0x04dd2b40
0x04dd2b43
0x04dd2b45
0x04dd2b47
0x04dd2b4a
0x04dd2b4d
0x04dd2b53
0x00000000
0x00000000
0x00000000
0x04dd2b53
0x04dd2b78
0x04dd2b78
0x04dd2b7b
0x04dd2b7e
0x00000000
0x04dd2b7e
0x04dd2b76
0x04dd2ba5
0x04dd2ba5
0x04dd2ba8
0x04dd2bad
0x00000000
0x00000000
0x04dd2baf
0x04dd2baf
0x04dd2bc2
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d05793e36aa2b6b7d918bb759965bdab2dc36812ba601570c6de0b29886703
Instruction ID: 8e9d4e43330f573fd1662f3a22c86d7d1390e445a719f80b2f49c4c5a53ebea8
Opcode Fuzzy Hash: 53d05793e36aa2b6b7d918bb759965bdab2dc36812ba601570c6de0b29886703
Instruction Fuzzy Hash: BF519F76B001158F8B18DF1DC8809BDB7B1FF88701716849AE8969B368E674FE51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E6AE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04E6AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E04E6C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E04E6ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E04E6FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E04E6EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E04DC7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E04E61608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E04E71536(0x4e98ae4, (_t74 -  *0x4e98b04 >> 0x14) + (_t74 -  *0x4e98b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L04E6C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E04E6A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E04E4CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E04E6ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x04e6ae44
0x04e6ae4c
0x04e6ae53
0x04e6ae55
0x04e6ae5c
0x04e6ae64
0x04e6ae68
0x04e6ae75
0x04e6ae75
0x04e6ae78
0x04e6ae7a
0x04e6ae7c
0x04e6ae7f
0x04e6aea8
0x04e6aeab
0x04e6aead
0x00000000
0x00000000
0x04e6aeb3
0x04e6aeb8
0x04e6aebb
0x04e6aebd
0x00000000
0x04e6ae81
0x04e6ae88
0x04e6ae8f
0x04e6ae9b
0x04e6ae96
0x04e6ae96
0x04e6ae96
0x04e6aea0
0x04e6aea3
0x04e6aebf
0x04e6aebf
0x04e6aec3
0x04e6aec9
0x04e6af0d
0x04e6af14
0x04e6af3d
0x04e6af3d
0x04e6af41
0x04e6af44
0x04e6af67
0x04e6af67
0x04e6af6a
0x04e6afca
0x04e6afd1
0x00000000
0x04e6afd1
0x04e6af6c
0x04e6af6d
0x04e6af75
0x04e6af7c
0x04e6af7e
0x04e6af80
0x04e6af85
0x04e6af87
0x04e6af99
0x04e6af89
0x04e6af92
0x04e6af92
0x04e6af9e
0x04e6afa1
0x04e6afa3
0x04e6afa9
0x04e6afb0
0x04e6afb2
0x04e6afb4
0x04e6afbc
0x04e6afbc
0x04e6afb4
0x04e6afb0
0x00000000
0x04e6afa1
0x04e6af4f
0x04e6af57
0x04e6af5c
0x04e6af5e
0x00000000
0x00000000
0x04e6af60
0x04e6af64
0x04e6af64
0x00000000
0x04e6af64
0x04e6af1a
0x04e6af25
0x00000000
0x00000000
0x04e6af27
0x04e6af28
0x04e6af33
0x00000000
0x04e6aed0
0x04e6aed0
0x04e6aed2
0x04e6aee1
0x04e6aee4
0x00000000
0x00000000
0x04e6aee6
0x04e6aeec
0x00000000
0x00000000
0x04e6aefb
0x04e6af07
0x04e6afd3
0x04e6afdb
0x04e6afdb
0x00000000
0x04e6af07
0x04e6aed6
0x04e6aed8
0x04e6aedf
0x00000000
0x00000000
0x00000000
0x04e6aedf
0x04e6aec9

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9278bfe93e7e5690982d962496d8a86d020c43aa8853fc78472b67fb229e813b
Instruction ID: cf98d0ab5814d58b2b5d0de5ca995f24873bd1ae126fa2cd5e41e5695427319f
Opcode Fuzzy Hash: 9278bfe93e7e5690982d962496d8a86d020c43aa8853fc78472b67fb229e813b
Instruction Fuzzy Hash: 0641F871F802115BDB259B25C894B7BB3D9EF86798F04522DF817A7290DB34F841C791

Uniqueness

Uniqueness Score: -1.00%

Function 04DCDBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04DCDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E04DACC50(E04DA4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E04DC7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E04E78ED6(_t102, _t98);
						}
						_t76 = _v44;
						E04DC2280(_t58, _v44);
						E04DCDD82(_v44, _t102, _t98);
						E04DCB944(_t102, _v5);
						return E04DBFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x4e98628; // 0x0
							_v28 = _t67;
							_t68 =  *0x4e9862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x4e98628; // 0x0
						_t105 = _v28;
						_t80 =  *0x4e9862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x4e6fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x04dcdbe9
0x04dcdbf2
0x04dcdbf7
0x04dcdbf9
0x04dcdbfc
0x04dcdc00
0x04dcdc03
0x04dcdc14
0x04dcdd54
0x04dcdd54
0x04dcdd54
0x04dcdc18
0x04dcdc1d
0x04dcdc1d
0x04dcdc32
0x04dcdc3b
0x04dcdc3e
0x04dcdc46
0x04dcdd5b
0x04dcdd62
0x04dcdd64
0x04dcdd67
0x04dcdd69
0x04dcdd6b
0x04dcdd6e
0x04dcdd70
0x04dcdd73
0x04dcdd73
0x00000000
0x04dcdc4c
0x04dcdc4e
0x04e13ae3
0x04e13ae8
0x04e13aea
0x04dcdce7
0x04dcdce9
0x04dcdcec
0x04dcdcee
0x04dcdcf0
0x04dcdcf3
0x04dcdcf5
0x04e13af2
0x04e13af5
0x04e13af5
0x04dcdd06
0x04dcdd08
0x04dcdd0b
0x04dcdd12
0x04e13b08
0x04dcdd18
0x04dcdd18
0x04dcdd18
0x04dcdd20
0x04dcdd23
0x04e13b16
0x04e13b16
0x04dcdd29
0x04dcdd2d
0x04dcdd36
0x04dcdd40
0x04dcdd51
0x04dcdd51
0x04dcdc54
0x04dcdc59
0x04dcdc59
0x04dcdc5e
0x04dcdc5e
0x04dcdc63
0x04dcdc66
0x04dcdc6b
0x04dcdc78
0x04dcdc7b
0x04dcdc81
0x04dcdc81
0x04dcdc83
0x04dcdc89
0x00000000
0x00000000
0x04dcdd7b
0x04dcdd7b
0x04dcdc8f
0x04dcdc8f
0x04dcdc92
0x04dcdc99
0x04dcdc9f
0x04dcdca5
0x04dcdcaa
0x04dcdcaa
0x04dcdcb3
0x04dcdcb8
0x04dcdcbb
0x04dcdcc1
0x04dcdccf
0x04dcdcd2
0x04dcdcd5
0x04dcdcd7
0x04dcdcda
0x04dcdcdc
0x04dcdcdc
0x04dcdce2
0x04dcdce4
0x00000000
0x04dcdce4

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37a514605cc7be0d2446a0543c85e624f4014cddb4e1357c42abc410d397d70
Instruction ID: a88c980035c7c50a78db0427695a0b84a19592d068b6371bbf0f48c049c37f20
Opcode Fuzzy Hash: e37a514605cc7be0d2446a0543c85e624f4014cddb4e1357c42abc410d397d70
Instruction Fuzzy Hash: E5517F71A00606DFCB14DF68C980AAEBBF6FB49314F20856ED995A7344EB70BD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DBEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04DBEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E04DA9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E04DA2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x04dbef4b
0x04dbef4d
0x04dbef57
0x04dbf0bd
0x04dbf0c2
0x04dbf0d2
0x04dbf0d2
0x04dbf0c2
0x04dbef5d
0x04dbef5f
0x04dbef67
0x04dbef6a
0x04dbef6d
0x04dbef74
0x04dbef7f
0x04dbef82
0x04dbef82
0x04dbef86
0x04dbef88
0x04dbef8c
0x04dbef8f
0x04dbef8f
0x04dbef8f
0x00000000
0x04dbef91
0x04dbef93
0x04dbefc4
0x04dbefc4
0x04dbefc4
0x04dbefca
0x04dbefd0
0x04dbf0a6
0x00000000
0x00000000
0x04dbf0af
0x04e0bb06
0x04e0bb0a
0x04dbf0b5
0x04dbf0b5
0x04dbf0b5
0x04dbf0b5
0x00000000
0x04dbefd6
0x04dbefd9
0x04dbf0de
0x04dbf0e2
0x04dbefdf
0x04dbefdf
0x04dbefdf
0x04dbefe5
0x04e0bafc
0x04e0bafc
0x04dbefe5
0x04dbefeb
0x04dbefed
0x04dbf00f
0x04dbf011
0x04dbf01a
0x04dbf01d
0x04dbf021
0x04dbf028
0x04dbf029
0x04dbf029
0x04dbf02c
0x00000000
0x04dbf02c
0x04dbeff3
0x04dbeff9
0x04dbf0ea
0x04dbf0ed
0x04dbf0ef
0x00000000
0x04dbf0ef
0x04dbf003
0x04e0bb12
0x04dbf045
0x04dbf049
0x04dbf051
0x04dbf09e
0x04dbf0a0
0x04dbf0a0
0x04dbf09e
0x04dbf053
0x04dbf064
0x04dbf064
0x04dbf06b
0x04e0bb1a
0x04e0bb1a
0x04dbf071
0x04dbf071
0x04dbf07d
0x04dbf082
0x04dbf08f
0x04dbf08f
0x04dbf009
0x04dbf00d
0x00000000
0x04dbf00d
0x04dbefd0
0x04dbef97
0x04dbefa5
0x04dbefaa
0x00000000
0x04dbefac
0x04dbefac
0x04dbefac
0x00000000
0x04dbefb2
0x04dbf036
0x04dbf03a
0x04dbf040
0x04dbf090
0x00000000
0x04dbf092
0x04dbf042
0x00000000
0x04dbf042
0x04dbefb7
0x04dbefb9
0x04dbefbc
0x04dbefb0
0x04dbefb0
0x00000000
0x04dbefbe
0x04dbefbe
0x04dbefc1
0x00000000
0x04dbefc1
0x04dbefbc
0x04dbefaa
0x04dbef91

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 52accd2fdd0786b3f3a8de4ec10ffceaa515e592e265cd7d0f0f64b47165499f
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 1151DA30B04649DBDB20CFA8C480BEEBBB1BF09314F1881A9C6D697291D375B989D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 04E7740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04E7740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E04DFD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E04DEF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L04DC4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L04DC4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E04DEF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L04DC4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x04e7740d
0x04e7740d
0x04e77412
0x04e77413
0x04e77416
0x04e77418
0x04e7741c
0x04e7741f
0x04e77422
0x04e77422
0x04e77428
0x04e7742a
0x04e7742a
0x04e77451
0x04e77432
0x04e7744f
0x04e7744f
0x00000000
0x04e77434
0x04e77438
0x04e77443
0x04e77517
0x04e77517
0x04e7751a
0x04e77535
0x04e77520
0x04e77527
0x04e7752c
0x04e77531
0x04e77533
0x00000000
0x04e77533
0x00000000
0x04e77531
0x04e7754b
0x04e7754f
0x04e7755c
0x04e7755c
0x04e7755f
0x04e77560
0x04e77561
0x04e77562
0x04e77563
0x04e77568
0x04e7756a
0x04e7756c
0x04e7756d
0x04e7756d
0x04e7756f
0x04e77572
0x04e77574
0x04e77577
0x04e7757c
0x04e7757f
0x00000000
0x04e77551
0x04e77551
0x04e77551
0x04e77553
0x04e77553
0x04e77449
0x04e77449
0x04e7744c
0x04e7744c
0x00000000
0x04e7744c
0x04e77443
0x04e7750e
0x04e77514
0x04e77514
0x04e77455
0x04e77469
0x04e7746d
0x00000000
0x04e77473
0x04e77473
0x04e77476
0x04e77480
0x04e77484
0x04e7748e
0x04e77493
0x04e77493
0x04e77496
0x04e77499
0x04e774a1
0x04e774b1
0x04e774b5
0x00000000
0x04e774bb
0x04e774c1
0x04e774c1
0x04e774c4
0x04e774c5
0x04e774c6
0x04e774c7
0x04e774c8
0x04e774cd
0x00000000
0x04e774d3
0x04e774d3
0x04e774d6
0x04e774d8
0x04e774db
0x04e774dd
0x04e774e0
0x04e774e7
0x04e774ee
0x04e774ee
0x04e774f4
0x04e774f9
0x00000000
0x04e774fb
0x04e774fb
0x04e774fd
0x04e77500
0x04e77503
0x04e77505
0x04e77505
0x04e774f9
0x00000000
0x04e774cd
0x04e774b5
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: ad585882d68b5c81e9d2fcac1ef255e3ae21b74e063e09e9d26a1ba2ce4bc644
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 87518D71A40606EFDB25CF14C480A96BBB5FF45318F15C1AAE908DF215E371F946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DD2990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04DD2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x4e7ff00);
				E04DFD08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x4d81664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E04DEE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x4d81668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E04E251BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x4d8166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E04DD2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E04DB6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E04DD2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E04DBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E04DD2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E04DD2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E04DD2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E04DFD0D1(_t62);
				goto L28;
			}

0x04dd2990
0x04dd2992
0x04dd2997
0x04dd29a3
0x04dd29a6
0x04dd29ab
0x04dd29ad
0x04dd29b2
0x04e15c80
0x04dd29b8
0x04dd29b8
0x04dd29bb
0x04dd29c0
0x04dd29c5
0x04dd29c6
0x04dd29c6
0x04dd29cb
0x00000000
0x00000000
0x04dd29cd
0x04dd29d0
0x04dd29d9
0x04dd29db
0x04dd29dd
0x04dd2a7f
0x04dd2a84
0x04dd2a87
0x04dd2a89
0x04e15ca1
0x04e15ca3
0x00000000
0x04dd2a8f
0x04dd2a8f
0x00000000
0x04dd2a8f
0x00000000
0x04dd29e3
0x04dd29e3
0x04dd29e3
0x00000000
0x04dd29e3
0x04dd29dd
0x00000000
0x04dd29db
0x04dd29e6
0x04dd29e9
0x04dd29eb
0x04dd29ed
0x04dd29f3
0x04dd29f5
0x04dd29f8
0x04dd29fa
0x04dd2a97
0x04dd2a9a
0x04dd2a9d
0x04dd2add
0x00000000
0x04dd2a9f
0x04dd2aa2
0x04dd2aa5
0x04dd2aa8
0x04dd2aab
0x04e15cab
0x04e15caf
0x04e15cc5
0x04e15cda
0x04e15cdc
0x04e15cdf
0x04e15ce5
0x00000000
0x04e15ceb
0x04e15ced
0x04e15cee
0x00000000
0x04e15cee
0x04e15cb1
0x04e15cb4
0x04e15cb9
0x04e15cbb
0x00000000
0x04e15cbd
0x04e15cbd
0x00000000
0x04e15cbd
0x04e15cbb
0x04dd2ab1
0x04dd2ab1
0x04dd2ac4
0x04dd2ac6
0x04dd2ac6
0x00000000
0x04dd2ac6
0x04dd2aab
0x00000000
0x04dd2a00
0x04dd2a09
0x04dd2a0e
0x04dd2a21
0x04dd2a24
0x04dd2a35
0x04dd2a3a
0x04dd2a3d
0x04dd2a42
0x04dd2a59
0x04dd2a59
0x04dd2a5c
0x04dd2a5f
0x04dd2a5f
0x04dd29fa
0x04dd29f3
0x04dd2a64
0x04dd2a64
0x04dd2a6b
0x04dd2a6b
0x04dd2a6d
0x04dd2a72
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54daf7e9c3e2609a015c2500ff4cbbd578ec82956fb5783747f4559fdd872b65
Instruction ID: 8b8c07c6fc2abab68b44321448963bb934fa7f4817f78b4aca7dee8ab1c1bce7
Opcode Fuzzy Hash: 54daf7e9c3e2609a015c2500ff4cbbd578ec82956fb5783747f4559fdd872b65
Instruction Fuzzy Hash: 4A514771A0020AEFDF25DF95C880ADEBBB5FF48314F159095E815AB220D335E952DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DD4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04DD4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x4e9d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E04DEFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x4e97bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E04DEB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L04DC4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E04DACCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E04DEB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E04DEF380(_t67 + 0xc, 0x4d85138, 0x10) == 0) {
								 *0x4e960d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E04DD4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E04DD4E70(0x4e986b0, 0x4dd5690, 0, 0) != 0) {
					_t46 = E04DACCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x04dd4d3b
0x04dd4d4d
0x04dd4d53
0x04dd4d58
0x04dd4d65
0x04dd4d6c
0x04dd4d71
0x04dd4d77
0x04dd4d7f
0x04dd4d8c
0x04dd4d8e
0x04dd4dad
0x04dd4db0
0x04dd4db7
0x04dd4db8
0x04dd4db9
0x04dd4dba
0x04dd4dbb
0x04dd4dc1
0x04dd4dc8
0x04dd4dcc
0x04dd4dd5
0x04dd4dde
0x04dd4ddf
0x04dd4de0
0x04dd4de1
0x04dd4de6
0x04dd4de7
0x04dd4de9
0x04dd4df3
0x00000000
0x00000000
0x04e16c7c
0x04e16c8a
0x04e16c8a
0x04e16c9d
0x04e16ca7
0x04e16cac
0x04e16cb2
0x04e16cb9
0x00000000
0x04e16cbf
0x04e16cbf
0x00000000
0x04e16cbf
0x04e16cb9
0x04dd4dfb
0x04e16ccf
0x04e16cd3
0x04dd4e32
0x04dd4e39
0x04e16ce0
0x04e16cf2
0x04e16cf2
0x04e16ce0
0x04dd4e3f
0x04dd4e41
0x04dd4e51
0x04dd4e51
0x04dd4e03
0x04dd4e03
0x04dd4e09
0x04dd4e0f
0x04dd4e57
0x00000000
0x00000000
0x04dd4e1b
0x04dd4e30
0x04dd4e5b
0x04dd4e5b
0x00000000
0x04dd4e30
0x04dd4e11
0x04dd4e11
0x04dd4e16
0x00000000
0x04dd4e16
0x04dd4e01
0x00000000
0x04dd4e01
0x04dd4da5
0x04e16c6b
0x00000000
0x04dd4dab
0x04dd4dab
0x00000000
0x04dd4dab

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8a4be7316e3e698dcd899af6f8b52a83b4591482599cb533b511f2764b1495
Instruction ID: 86fbe5779acd00f832b3430405e67b8cf1651f968013fff1cacabf96a81a4d58
Opcode Fuzzy Hash: 2e8a4be7316e3e698dcd899af6f8b52a83b4591482599cb533b511f2764b1495
Instruction Fuzzy Hash: 1141B171B40358AFEB31DF24CD80FAAB7A9EB45714F04409AE9459B280EB74FD44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04DD4BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04DD4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x4e9d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E04DACC50(_t86);
					L11:
					return E04DEB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x4e98504
				E04DC2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E04DEFA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E04DEB0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L04DC4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E04DACCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x4e98504
								E04DBFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E04DD4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x04dd4bad
0x04dd4bbf
0x04dd4bc2
0x04dd4bc6
0x04dd4bcd
0x04dd4bd9
0x04e167fe
0x04e16800
0x04dd4ccc
0x04dd4ccd
0x04dd4cb7
0x04dd4cc9
0x04dd4cc9
0x04dd4bdf
0x04dd4be5
0x00000000
0x00000000
0x04dd4beb
0x04dd4bef
0x00000000
0x00000000
0x04dd4bf5
0x04dd4bf9
0x04dd4c06
0x04dd4c0b
0x04dd4c17
0x04dd4c1c
0x04dd4c1f
0x04dd4c25
0x04dd4c33
0x04dd4c3d
0x04dd4c40
0x04dd4c43
0x04dd4c47
0x04dd4c4d
0x04dd4c53
0x04dd4c54
0x04dd4c55
0x04dd4c56
0x04dd4c5b
0x04dd4c5c
0x04dd4c63
0x04dd4c6b
0x00000000
0x00000000
0x04e16776
0x04e16784
0x04e16784
0x04e1679f
0x04e167a7
0x04e167af
0x04e167ce
0x00000000
0x04e167b1
0x04e167b7
0x04e167b8
0x04e167c1
0x04e167d3
0x04e167d9
0x04e167dd
0x04dd4c94
0x04dd4c94
0x04dd4c98
0x04dd4c9c
0x04dd4ca3
0x04e167f4
0x04e167f4
0x04dd4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x04dd4cb5
0x04dd4c79
0x04dd4c7e
0x04dd4c89
0x04dd4c8b
0x04dd4c8f
0x04dd4c8f
0x00000000
0x04dd4c89
0x04e167c3
0x00000000
0x04e167c3
0x04e167af
0x04dd4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123e34559783f000f88db7c730c694b1c5afdb073b2e0d7cfc22e2c80503377f
Instruction ID: fc608a79ef0284754b9a6feb37605664c7c14ce6c6dac066323b1a0afee77c63
Opcode Fuzzy Hash: 123e34559783f000f88db7c730c694b1c5afdb073b2e0d7cfc22e2c80503377f
Instruction Fuzzy Hash: 85419335B402299BDB21DF68C940BEA77B4FF45714F0105A9E948AB250DB74FE84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04DB8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04DB8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x4e9d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E04DEB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E04DBE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x4d81180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E04DD1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E04DE3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E04DB8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x04db8a0a
0x04db8a1c
0x04db8a23
0x04db8a2e
0x04db8a30
0x04db8a36
0x04db8a3c
0x04db8a3e
0x04db8a4a
0x04db8a52
0x04db8a9c
0x04db8aae
0x04db8a58
0x04db8a5e
0x04db8a6a
0x04db8a6f
0x04db8a75
0x04db8a7d
0x04db8a85
0x04db8a86
0x04db8a89
0x04db8a93
0x04db8a99
0x04db8a9b
0x00000000
0x04db8aaf
0x04db8abe
0x04db8ac3
0x04db8acb
0x04db8ad7
0x04db8ae0
0x04db8af1
0x00000000
0x04db8af1
0x04db8acd
0x04db8ad5
0x04db8afb
0x04db8afd
0x04db8aff
0x04db8b07
0x04db8b22
0x04db8b24
0x04db8b2a
0x04db8b2e
0x04db8b3f
0x04db8b78
0x04db8b41
0x04db8b52
0x04db8b54
0x04db8b5c
0x04db8b74
0x04db8b74
0x04db8b5c
0x04db8b3f
0x04db8b5e
0x04db8b61
0x04db8b64
0x04db8b64
0x04db8b6c
0x04db8b6c
0x04db8b11
0x04e09cd5
0x04e09cd5
0x04db8b17
0x04db8b1a
0x04db8b1a
0x00000000
0x04db8ad5
0x04db8a89

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdf8b5455df5e9d05eeb7b25ef94e5bbd5b70f111d94fb396fc2792f626dc1d
Instruction ID: 0e7620d1fb8c42c6d58af86c94cc519aae55d55fd8d82e062d12426ae7c5e3f2
Opcode Fuzzy Hash: 2cdf8b5455df5e9d05eeb7b25ef94e5bbd5b70f111d94fb396fc2792f626dc1d
Instruction Fuzzy Hash: 654156B4A4022CDBDB24EF15C888AE9B7F8FB54300F1045D9E85A97241E770EE84DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E6AA16, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E6AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E04E6ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E04E6AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E04E6AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E04E4CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L04DC77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E04DC7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E04E6131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E04E4CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x04e6aa1f
0x04e6aa21
0x04e6aa23
0x04e6aa2b
0x04e6aa30
0x04e6aa36
0x04e6aa39
0x04e6aa42
0x04e6aa75
0x04e6aa7a
0x04e6aa7c
0x04e6aa7c
0x04e6aa88
0x04e6aa8a
0x04e6aa8f
0x04e6ab02
0x04e6ab04
0x04e6aa99
0x04e6aaa8
0x04e6aaaf
0x04e6aab3
0x04e6aacc
0x04e6aad1
0x04e6aad6
0x04e6aae0
0x04e6aaf3
0x04e6aaf9
0x04e6aafe
0x04e6aafe
0x04e6aaf3
0x04e6aad6
0x04e6aab3
0x04e6ab07
0x04e6ab0a
0x04e6ab11
0x04e6ab23
0x04e6ab13
0x04e6ab1c
0x04e6ab1c
0x04e6ab2b
0x04e6ab44
0x04e6ab44
0x04e6ab51
0x04e6ab51
0x04e6aa44
0x04e6aa47
0x04e6aa4c
0x00000000
0x00000000
0x04e6aa5a
0x04e6aa64
0x04e6aa72
0x00000000
0x04e6aa66
0x04e6aa66
0x04e6aa68
0x04e6aa6a
0x00000000
0x04e6aa6a

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: fbe0e3ba597575d2141fa224f219d242acf735ee7b15194156e5fd37766f7770
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 4831F332F401056BEB158B69CC45BBFFBABEF82394F159079E806B7291EA74ED00C650

Uniqueness

Uniqueness Score: -1.00%

Function 04E6FDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04E6FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E04E6FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E04E70A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E04DC7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E04E61608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E04E72B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E04E6C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E04E6DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E04DC7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E04E6A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x04e6fde7
0x04e6fde8
0x04e6fdec
0x04e6fdee
0x04e6fdf5
0x04e6fdf7
0x04e6fdfc
0x04e6fe19
0x04e6fe22
0x04e6fe26
0x04e6fec6
0x04e6fecd
0x04e6fed5
0x04e6fee7
0x04e6fed7
0x04e6fee0
0x04e6fee0
0x04e6feef
0x04e6ff00
0x04e6ff02
0x04e6ff07
0x04e6ff07
0x00000000
0x04e6feef
0x04e6fe33
0x04e6fe55
0x04e6fe59
0x04e6fe5b
0x04e6fe5e
0x04e6fe69
0x04e6fe6d
0x04e6fe6d
0x04e6fe69
0x04e6fe35
0x04e6fe41
0x04e6fe41
0x04e6fe79
0x04e6fe8b
0x04e6fe7b
0x04e6fe84
0x04e6fe84
0x04e6fe93
0x00000000
0x04e6fea8
0x04e6feba
0x00000000
0x04e6feba
0x04e6fdfe
0x04e6fe01
0x04e6fe02
0x04e6fe08
0x04e6ff0c
0x04e6ff14
0x04e6ff14

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: c6be2f93720a16346e4e5f3a2a1f446655dc01ae86862fbbeb34c7ed4e65d0ab
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 8B310832780640AFD722DB68D854F6ABBEAEBC57A4F186459E4478B341DA74FC41C720

Uniqueness

Uniqueness Score: -1.00%

Function 04E6EA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E04E6EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E04DC2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E04E6E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E04DAF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E04DBFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E04E6AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E04E6BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E04DC7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E04E5FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E04DBFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E04E6A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x04e6ea55
0x04e6ea66
0x04e6ea68
0x04e6ea6c
0x04e6ea6f
0x04e6ea72
0x04e6ea75
0x04e6ea7a
0x04e6ea7a
0x04e6ea7e
0x04e6ea80
0x04e6ea85
0x04e6ea8b
0x04e6eab5
0x04e6eabc
0x04e6eabf
0x04e6eabf
0x04e6eaca
0x04e6eace
0x04e6ead0
0x04e6eae4
0x04e6eaeb
0x04e6eaf0
0x04e6eaf5
0x04e6eb09
0x04e6eb0d
0x04e6eb1d
0x04e6eb2d
0x04e6eb38
0x04e6eb3d
0x04e6eb41
0x04e6eb4a
0x04e6eb60
0x04e6eb4c
0x04e6eb52
0x04e6eb59
0x04e6eb59
0x04e6eb68
0x04e6eb71
0x04e6eb71
0x04e6ea8d
0x04e6ea8f
0x04e6ea92
0x04e6ea97
0x04e6ea97
0x04e6ea9b
0x04e6ea9c
0x04e6ea9e
0x04e6eaa6
0x04e6eaa6
0x04e6eb7e

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 41a8e9b2402086f281d97688b171f997e12fa2e4bdf7ea72694e0573340bfb8a
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 3831E1366047059BD729DF28C880A6BB7AAFBC0354F04492DE59787280EF30F809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E269A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04E269A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x4e9d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L04DB6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E04E26BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E04DE9980() >= 0) {
							E04DC2280(_t56, 0x4e98778);
							_t77 = 1;
							_t68 = 1;
							if( *0x4e98774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x4e98774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E04DAB6F0(0x4d8c338, 0x4d8c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E04DE9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E04DE95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E04DBFFB0(_t68, _t77, 0x4e98778);
				}
				_pop(_t78);
				return E04DEB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x04e269b5
0x04e269be
0x04e269c3
0x04e269c9
0x04e269cc
0x04e269d1
0x04e269d3
0x04e269de
0x04e269e1
0x04e269ea
0x04e269f6
0x04e269fe
0x04e26a13
0x04e26a14
0x04e26a15
0x04e26a16
0x04e26a1e
0x04e26a26
0x04e26a31
0x04e26a36
0x04e26a37
0x04e26a40
0x04e26a49
0x04e26a4a
0x04e26a53
0x04e26a59
0x04e26a5d
0x04e26a5e
0x04e26a64
0x04e26a67
0x04e26a6a
0x04e26a6d
0x04e26a70
0x04e26a77
0x04e26a7d
0x04e26a86
0x04e26a89
0x04e26a9c
0x04e26a9f
0x04e26aa2
0x04e26aa5
0x04e26aaf
0x04e26ab1
0x04e26ab8
0x04e26ab9
0x04e26abb
0x04e26abe
0x04e26ac5
0x04e26ac5
0x04e26aaf
0x04e26a40
0x04e26a26
0x04e269fe
0x04e26ace
0x04e26ad0
0x04e26ad3
0x04e26ad8
0x04e26adf
0x04e26adf
0x04e26ae8
0x04e26aef
0x04e26aef
0x04e26af9
0x04e26b06

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8cf973c2625de9aeda9988b0236e7dd18905ff856828ab73b64d5be9490b73
Instruction ID: 88dcc5a4b749db65c86b3eb8716b0c8817affd86d95f2f86ecbe89e8518bb3f4
Opcode Fuzzy Hash: 3f8cf973c2625de9aeda9988b0236e7dd18905ff856828ab73b64d5be9490b73
Instruction Fuzzy Hash: B3419AB1E00218AFDB24DFA5C940BFEBBF4FF48708F04822AE955A7250DB34A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04DA5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04DA5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E04DA52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E04DE95D0();
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E04DBEB70(_t54, 0x4e979a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E04DE95D0();
								L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E04DBEB70(_t54, 0x4e979a0);
						}
						return _t52;
					}
					L5:
					_t33 = E04DEF3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E04DBEB70(_t54, 0x4e979a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E04DE95D0();
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x04da5220
0x04da5224
0x04e00d13
0x04e00d16
0x04e00d19
0x04da522a
0x04da522a
0x04da522d
0x04da522d
0x04da5231
0x04da5235
0x04da5239
0x04e00d5c
0x04e00d62
0x00000000
0x00000000
0x04e00d6a
0x04e00d7b
0x04e00d7f
0x04e00d81
0x04e00d84
0x04e00d95
0x04e00d95
0x04e00d6c
0x04e00d71
0x04e00d71
0x04e00d9a
0x00000000
0x04da524a
0x04da524a
0x04da5250
0x04e00d24
0x04e00d35
0x04e00d39
0x04e00d3b
0x04e00d3e
0x04e00d50
0x04e00d50
0x04e00d26
0x04e00d2b
0x04e00d2b
0x00000000
0x04e00d55
0x04da5256
0x04da525b
0x04da5265
0x04e00da7
0x04da526b
0x04da526e
0x04da5272
0x04e00db1
0x04e00db4
0x04e00dc5
0x04e00dc5
0x04da5272
0x04da5278
0x04da527e
0x04da528a
0x04da528c
0x04da528d
0x00000000
0x04da5280
0x04da5282
0x04da5288
0x04da529f
0x04da5292
0x00000000
0x04da5292
0x00000000
0x04da5288
0x04da527e

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70218030719d8b73671ecf285cb67cce5dca8caa379fdcdad780cafe73b3f44e
Instruction ID: 0ab45073c5f27016b87dad5bba92d0d7e86c9bcf0ac510d905b486658515f459
Opcode Fuzzy Hash: 70218030719d8b73671ecf285cb67cce5dca8caa379fdcdad780cafe73b3f44e
Instruction Fuzzy Hash: A531F431351611FBDB25AF18E890B6677A5FF10768F118A19E46A0B1E0EB70F850CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 04DE3D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DE3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E04DB7B60(0, _t61, 0x4d811c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E04DB7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L04DC4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x04de3d4c
0x04de3d50
0x04de3d55
0x04de3d5e
0x04e1e79a
0x00000000
0x04e1e79a
0x04de3d68
0x04e1e789
0x04de3d9d
0x04de3da3
0x04de3daf
0x04de3db5
0x04de3dbc
0x04de3dc4
0x04de3dc9
0x04de3dce
0x04e1e7ae
0x04e1e7ae
0x04de3dde
0x04de3de2
0x04de3de7
0x04de3e0d
0x04de3e13
0x04de3e16
0x04de3e1e
0x04de3e25
0x04de3e28
0x00000000
0x00000000
0x04de3e2a
0x04de3e2f
0x04de3e37
0x04de3e37
0x00000000
0x04de3e37
0x04de3e31
0x00000000
0x04de3e31
0x04de3e20
0x04de3e20
0x04de3e35
0x00000000
0x04de3de9
0x04de3de9
0x04de3de9
0x04de3dee
0x04de3dfd
0x04de3dff
0x04de3e02
0x04de3e05
0x04de3e05
0x00000000
0x04de3df0
0x04de3de7
0x04e1e78f
0x04e1e794
0x04de3d79
0x04de3d84
0x04de3d89
0x04de3d8e
0x00000000
0x04e1e7a4
0x04de3d96
0x04de3d9a
0x00000000
0x04de3d9a
0x00000000
0x04e1e794
0x04de3d6e
0x04de3d73
0x00000000
0x04e1e7b5
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136e0296c5a32cc9f9e6e2ee4c4eecfa5e6491162acc1999959f7f7c7229de46
Instruction ID: 67a398ef787f1306ccc810b7d2fbac3351c9d01f81991602ad2240a921db22b7
Opcode Fuzzy Hash: 136e0296c5a32cc9f9e6e2ee4c4eecfa5e6491162acc1999959f7f7c7229de46
Instruction Fuzzy Hash: 30318F31B05615DBD729AF2EC841A7ABBF5FF95B10B05816AEC85DB360F630E840D790

Uniqueness

Uniqueness Score: -1.00%

Function 04E27016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04E27016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x4e9d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E04E26B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E04E26B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E04DC7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E04DE9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E04DEB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L04DC4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x04e27016
0x04e2701e
0x04e2702b
0x04e27033
0x04e27037
0x04e2703c
0x04e2703e
0x04e27041
0x04e27045
0x04e2704a
0x04e27050
0x04e27055
0x04e2705a
0x04e27062
0x04e27062
0x04e2705a
0x04e27064
0x04e27064
0x04e27067
0x04e27071
0x04e27096
0x04e2709b
0x04e270a2
0x04e270a6
0x04e270a7
0x04e270ad
0x04e270b3
0x04e270b6
0x04e270bb
0x04e270c3
0x04e270c3
0x04e270c6
0x04e270cd
0x04e270dd
0x04e270e0
0x04e270e2
0x04e270e2
0x04e270ee
0x04e27101
0x04e270f0
0x04e270f9
0x04e270f9
0x04e2710a
0x04e2710e
0x04e27112
0x04e27117
0x04e27118
0x04e27118
0x04e270bb
0x04e2711d
0x04e27123
0x04e27131
0x04e27131
0x04e27136
0x04e2713d
0x04e2713e
0x04e2713f
0x04e2714a
0x04e2714a
0x04e27084
0x04e27088
0x00000000
0x04e2708e
0x04e2708e
0x04e27092
0x00000000
0x04e27092

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c52fd346722d245c25a5c07193b7ae5093131a1837d21f2cd1a433608ef519
Instruction ID: 5dd859594d73641d592476b908113b6e3a5731d64b2eeca8cf8bc2c956a4c3de
Opcode Fuzzy Hash: 96c52fd346722d245c25a5c07193b7ae5093131a1837d21f2cd1a433608ef519
Instruction Fuzzy Hash: 7131A2726047A19BC321DF68CA50E6AB7E9FF88704F044A2DF89597690E730F904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04DCC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E04DCC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E04DC7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E04E78D34(_v8, _t80);
					}
					E04DC2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E04DBFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E04E78833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E04DBFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E04DEB180();
						if(_a4 != 0) {
							E04DC2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E04DCBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E04DCBB2D(_t16, _t15);
						E04DCB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E04DBFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E04DBFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E04DBFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x04dcc18d
0x04dcc18f
0x04dcc191
0x04dcc19b
0x04dcc1a0
0x04dcc1d4
0x04dcc1de
0x04e12d6e
0x04dcc1e4
0x04dcc1e4
0x04dcc1e4
0x04dcc1ec
0x04e12d7d
0x04e12d7d
0x04dcc1f3
0x04dcc1ff
0x04e12d88
0x04e12d8d
0x04e12d94
0x04e12d94
0x04e12d9f
0x04e12da4
0x04e12dab
0x04e12db0
0x04e12db2
0x04e12db3
0x04e12db4
0x04e12dbc
0x04e12dc3
0x04e12dc3
0x04dcc205
0x04dcc205
0x04dcc208
0x04dcc20e
0x04dcc211
0x04dcc216
0x04dcc219
0x04dcc21f
0x04dcc222
0x04dcc22c
0x04dcc234
0x04dcc23a
0x04dcc23f
0x04dcc245
0x04dcc24b
0x04dcc251
0x04dcc25a
0x04dcc276
0x04dcc27d
0x04dcc27d
0x04dcc25c
0x04dcc25c
0x00000000
0x04dcc25e
0x04dcc1a4
0x04dcc1aa
0x04dcc1b3
0x04dcc265
0x04dcc26c
0x04dcc26c
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 18760b35f58a91371d3048778a8c4a6f7c0e682fae8d4c22f24e2de82625da13
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 28312472B01547AEE704EBB4C880BE9F794FF46208F04415ED65C97201DB38BA49DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 04DDA70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04DDA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x4e97b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x4e97b10 = 8;
					 *0x4e97b14 = 0x4e97b0c;
					 *0x4e97b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E04DDA990(0x4e97b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L04DDA840(__edx, __ecx, __ecx, _t52, 0x4e97b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x4e97b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x4e97b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x4e97b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L04DC4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x4e97b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E04DEF3E0(_t50,  *0x4e97b14, _t8 >> 3);
						_t28 =  *0x4e97b14; // 0x77f07b0c
						__eflags = _t28 - 0x4e97b0c;
						if(_t28 != 0x4e97b0c) {
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x4e97b14 = _t50;
						_t48 = _v12;
						 *0x4e97b10 = _t9;
						goto L6;
					}
					 *0x4e97b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x04dda713
0x04dda714
0x04dda717
0x04dda71d
0x04dda720
0x04dda722
0x04dda727
0x04dda74a
0x04dda754
0x04dda75e
0x04dda768
0x04dda76a
0x04dda773
0x04dda78b
0x04dda790
0x04dda792
0x04dda741
0x04dda741
0x04dda743
0x04dda749
0x04dda749
0x04dda732
0x04dda73a
0x04dda797
0x04dda79d
0x04dda7a3
0x04dda7a9
0x04dda7b6
0x04dda7bc
0x04dda7ca
0x04dda7e0
0x04dda7e2
0x04dda7e4
0x04e19bf2
0x00000000
0x04e19bf2
0x04dda7ed
0x04dda7f2
0x04dda800
0x04dda805
0x04dda80d
0x04dda812
0x04e19c08
0x04e19c08
0x04dda818
0x04dda81b
0x04dda821
0x04dda824
0x00000000
0x04dda824
0x04dda7ae
0x00000000
0x04dda7ae
0x04dda73c
0x04dda73e
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141813eca60aedb5ce93a05811ade9d7528d7c033eb109fc7dd413012c8f0afa
Instruction ID: 951dee63fd0a27b3539832d767dfbf224bfca469b8adaf0f3dd9b20c9c475dfa
Opcode Fuzzy Hash: 141813eca60aedb5ce93a05811ade9d7528d7c033eb109fc7dd413012c8f0afa
Instruction Fuzzy Hash: 9F31CDB1724205EBD711CF09D880F6977FAFB85711F14895AE00587384EBB8BD09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04DD61A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04DD61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E04DD5E50(0x4d867cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E04E79D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E04DAF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x04dd61b3
0x04dd61b5
0x04dd61bd
0x04dd61c3
0x04dd61c7
0x04dd61d2
0x04dd61ff
0x04dd61ff
0x04dd6201
0x04dd6207
0x04dd6207
0x04dd61d4
0x04dd61d9
0x00000000
0x00000000
0x04dd61df
0x04dd61e2
0x00000000
0x00000000
0x04dd61e6
0x04dd61e8
0x04dd61ee
0x04dd61ee
0x04dd61f9
0x04e1762f
0x04e17632
0x04e17635
0x04e17639
0x04e17640
0x04e1766e
0x04e17675
0x00000000
0x00000000
0x04e17681
0x04e17689
0x04e1768d
0x04e17691
0x04e17695
0x04e17699
0x04e176af
0x04e176b5
0x04e176b7
0x04e176b7
0x04e176d7
0x04e176dc
0x00000000
0x04e176dc
0x04e176a2
0x04e176a9
0x04e17651
0x04e17653
0x04e17653
0x04e17656
0x04e17656
0x00000000
0x04e17656
0x04e17644
0x04e17646
0x04e17648
0x04e17648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cad465b99fa355b4974f1493b51b2f2a3e6707bf53529c8d0e5a3eb0c9d399
Instruction ID: b9d2e7aec6793c8b0678993754d1a28cbee5fdb43dab0c67f34f2557435862c5
Opcode Fuzzy Hash: 45cad465b99fa355b4974f1493b51b2f2a3e6707bf53529c8d0e5a3eb0c9d399
Instruction Fuzzy Hash: 14318BB26093019FD320DF19C800B2AB7E5FF88B04F05496DE9989B361E7B0F844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04DAAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x4e9d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x4e97b9c; // 0x0
					_t53 = L04DC4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E04DEB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E04DEF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L04DB6C59(_t53, _t51, _t58) != 0) {
							_t28 = E04DD5E50(0x4d8c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E04DDB230(_v32, _v28, 0x4d8c2d8, 1,  &_v24);
								_t28 = E04DAF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x04daaa25
0x04daaa29
0x04daaa2d
0x04daaa30
0x04daaa37
0x04daaa3c
0x04e04458
0x04e04458
0x04e04472
0x04e04474
0x04e04476
0x04daaa64
0x04daaa74
0x04e0447c
0x04e04483
0x04e04492
0x04daaa52
0x04daaa54
0x04daaa5e
0x04e044a8
0x04e044ad
0x04e044af
0x04e044b6
0x04e044b6
0x04e044b9
0x04e044bc
0x04e044cd
0x04e044d3
0x04e044d6
0x04e044e1
0x04e044e1
0x04e044e6
0x04e044e8
0x04e044fb
0x04e044fb
0x04e044e8
0x00000000
0x04daaa5e
0x04e04476
0x04daaa42
0x04daaa46
0x04daaa48
0x04daaa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88690ff194f860aca7df51fe21ecf8d974a015ac990671b7ee9a584ddad44c87
Instruction ID: da1f4ea185957c94726dba5182f86005c45720d84a93e9827f40ddc25dc93f5d
Opcode Fuzzy Hash: 88690ff194f860aca7df51fe21ecf8d974a015ac990671b7ee9a584ddad44c87
Instruction Fuzzy Hash: AB31A271A00219ABDF11AF65CD41A7EB7B9EF04704B01446AF901D7290E774BD51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DE8EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04DE8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x4e9d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E04DD4E70(0x4e986e4, 0x4de9490, 0, 0);
					if( *0x4e953e8 > 5 && E04DE8F33(0x4e953e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x4e953e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x4e953e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x4d8bc46;
						_t48 = E04E27B9C(0x4e953e8, 0x4d8bc46, _t67, 0x4e953e8, _t70,  &_v140);
					}
				}
				return E04DEB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x04de8ec7
0x04de8ed9
0x04de8edc
0x04de8ee6
0x04de8ee9
0x04de8eee
0x04de8efc
0x04de8f08
0x04e21349
0x04e21353
0x04e2135d
0x04e21366
0x04e2136f
0x04e21375
0x04e2137c
0x04e21385
0x04e21390
0x04e21391
0x04e2139c
0x04e2139d
0x04e213a6
0x04e213ac
0x04e213b2
0x04e213b5
0x04e213bc
0x04e213bf
0x04e213c2
0x04e213c5
0x04e213c8
0x04e213cb
0x04e213ce
0x04e213d1
0x04e213d4
0x04e213d7
0x04e213da
0x04e213dd
0x04e213e0
0x04e213e3
0x04e213e6
0x04e213e9
0x04e213f6
0x04e21400
0x04e21400
0x04de8f08
0x04de8f32

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45d523672d2c8ae56f1e7574b721427cdf030c12d561774e5380c95d2ab0211
Instruction ID: 7cd50aebd3cc88996c6b3e4c0032eb552c3678e3ad9273f02a4cd54628f9c95f
Opcode Fuzzy Hash: a45d523672d2c8ae56f1e7574b721427cdf030c12d561774e5380c95d2ab0211
Instruction Fuzzy Hash: 504182B1D00218AFDB14DFAAD981AADFBF4FB48714F5041AFE549A7240DB746A44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04DE4A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04DE4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x4e9d360 ^ _t62;
				_v8 =  *0x4e9d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E04DC2280(_t26, 0x4e98608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E04DBFFB0(_t41, _t51, 0x4e98608);
						L2:
						 *0x4e9b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E04DEB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E04DC2280(_t28, 0x4e98608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E04DBFFB0(_t42, _t53, 0x4e98608);
							if(_t53 != 0) {
								L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E04DBFFB0(_t41, _t51, 0x4e98608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x04de4a2c
0x04de4a34
0x04de4a3c
0x04de4a3e
0x04de4a48
0x04de4a4b
0x04de4a4d
0x04de4a51
0x04de4a9c
0x00000000
0x00000000
0x04de4aa3
0x04de4aa8
0x04de4aad
0x04de4ab1
0x04de4ade
0x04de4ae3
0x04de4a5a
0x04de4a62
0x04de4a6a
0x04de4a6e
0x04e1f203
0x04de4a84
0x04de4a88
0x04de4a89
0x04de4a8a
0x04de4a95
0x04de4a95
0x04de4a79
0x04de4a80
0x04de4af2
0x04de4af4
0x04de4af9
0x04de4aff
0x04de4b01
0x04de4b03
0x04de4b08
0x04e1f20a
0x04e1f212
0x04e1f216
0x04e1f216
0x04de4b08
0x04de4b13
0x04de4b1a
0x04e1f229
0x04e1f229
0x04de4b1a
0x04de4a82
0x00000000
0x04de4a82
0x04de4ab7
0x04de4acd
0x04de4acd
0x04de4ad5
0x04de4ada
0x00000000
0x04de4ada
0x04de4ac2
0x04de4acb
0x00000000
0x00000000
0x00000000
0x04de4acb
0x04de4a53
0x04de4a53
0x04de4a58
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b566e8248f40938cb92391d7f0e0f045abe13cc34605ac88096387f42c3ce1
Instruction ID: cc1d1a618f6397485e8f2d7a33f064cdbd2d1ffcec80fba69e41d29a57e68a1b
Opcode Fuzzy Hash: 17b566e8248f40938cb92391d7f0e0f045abe13cc34605ac88096387f42c3ce1
Instruction Fuzzy Hash: 2431F132306210DBDB21BF16C984B3AB7E4FB85B28F01192DE8964B291DB70FC04DB95

Uniqueness

Uniqueness Score: -1.00%

Function 04DDE730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04DDE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E04DE9670() < 0) {
					L04DFDF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x4e97b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L04DC4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M04DDE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x04dde730
0x04dde736
0x04dde738
0x04dde73d
0x04dde73e
0x04dde740
0x04dde749
0x04dde765
0x04dde76a
0x04dde76b
0x04dde76c
0x04dde76d
0x04dde76e
0x04dde76f
0x04dde775
0x04dde777
0x04dde77e
0x04e1b675
0x04dde784
0x04dde784
0x04dde789
0x04dde7a8
0x04dde7ac
0x04dde807
0x04dde7ae
0x04dde7ae
0x04dde7b1
0x04dde7b4
0x04dde7b9
0x04dde7c0
0x04dde7c4
0x04dde7ca
0x04dde7cc
0x00000000
0x04dde7d3
0x04dde7d6
0x00000000
0x00000000
0x04dde7ff
0x04dde802
0x00000000
0x00000000
0x04dde7f9
0x04dde7fc
0x00000000
0x00000000
0x04dde7f3
0x04dde7f6
0x00000000
0x00000000
0x04dde7ed
0x04dde7f0
0x00000000
0x00000000
0x04dde7e7
0x04dde7ea
0x00000000
0x00000000
0x04e1b685
0x04e1b688
0x00000000
0x00000000
0x04e1b682
0x00000000
0x00000000
0x04dde7cc
0x04dde7d9
0x04dde7dc
0x04dde7de
0x04dde7de
0x04dde7ac
0x04dde7e4
0x04dde74b
0x04dde751
0x04dde759
0x04dde761
0x04dde761

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78325804a84758cfc7f76e0874ec03d7fa3902cb8494b8fc825b8796e286ab56
Instruction ID: 058676641c98ff7f558dc1995bbdceb8e20b8322aad3bb88df0b0db09b4972d3
Opcode Fuzzy Hash: 78325804a84758cfc7f76e0874ec03d7fa3902cb8494b8fc825b8796e286ab56
Instruction Fuzzy Hash: 6D316D75A54249EFD744CF58D841F9AB7E4FB19314F14826AF908CB341E631ED80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DDBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04DDBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x4e96100; // 0x8
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E04DC2280(0xd, 0x188ef1a0);
				_t41 =  *0x4e960f8; // 0x0
				if(_t41 != 0) {
					 *0x4e960f8 =  *_t41;
					 *0x4e960fc =  *0x4e960fc + 0xffff;
				}
				E04DBFFB0(_t41, 0x800, 0x188ef1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x4e960f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L04DC4620(0x4e96100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x4e96100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x04ddbc36
0x04ddbc42
0x04ddbc45
0x04ddbc4a
0x04ddbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x04ddbc50
0x04ddbc50
0x04ddbc58
0x04ddbc5a
0x04ddbc60
0x00000000
0x00000000
0x04e1a4f2
0x04e1a4f6
0x00000000
0x00000000
0x00000000
0x04e1a4fc
0x04ddbc79
0x04ddbc7e
0x04ddbc86
0x04ddbd16
0x04ddbd20
0x04ddbd20
0x04ddbc8d
0x04ddbc94
0x04ddbcbd
0x04ddbcca
0x04ddbccb
0x04ddbccc
0x04ddbccd
0x04ddbcce
0x04ddbcd4
0x04ddbcea
0x04ddbcee
0x04ddbcf2
0x04ddbd00
0x04ddbd04
0x00000000
0x04ddbc96
0x04ddbcab
0x04ddbcaf
0x04ddbd2c
0x04ddbd2c
0x04ddbd09
0x00000000
0x04ddbd09
0x04ddbcb1
0x04ddbcb5
0x04ddbcbb
0x00000000
0x00000000
0x00000000
0x04ddbcbb

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c362877d320f3f89eb22834dcc6d1161a1215f4b172d2d73f90a8c86646ea6c2
Instruction ID: 0c1143334658bdb4b06b823e26a8589f34411b9e9711be1be24a22a002dcf298
Opcode Fuzzy Hash: c362877d320f3f89eb22834dcc6d1161a1215f4b172d2d73f90a8c86646ea6c2
Instruction Fuzzy Hash: E2310E72A006069BDB11DF69C4C07A673A4FB0831AF06017BED8ADB245EB38FD458B90

Uniqueness

Uniqueness Score: -1.00%

Function 04DD1DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04DD1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E04DCF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L04DC4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E04DCF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x04dd1dc2
0x04dd1dc5
0x04dd1dc7
0x04dd1dcc
0x04dd1dce
0x04dd1dd6
0x04dd1ddf
0x04dd1de0
0x04dd1de1
0x04dd1de5
0x04dd1de8
0x04dd1def
0x04dd1df0
0x04dd1df6
0x04dd1df7
0x04dd1dfe
0x04dd1e1a
0x00000000
0x00000000
0x04dd1e0b
0x04dd1e12
0x04dd1e12
0x04dd1e00
0x04dd1e00
0x04dd1e05
0x04dd1e1e
0x04dd1e23
0x04e1570f
0x04e15713
0x00000000
0x00000000
0x04e15719
0x04e15719
0x04dd1e2c
0x04dd1e2d
0x04dd1e2e
0x04dd1e2f
0x04dd1e31
0x04dd1e32
0x04dd1e35
0x04dd1e3d
0x04e15723
0x04e1573d
0x04e1573d
0x00000000
0x04e15723
0x04dd1e49
0x04dd1e4e
0x04dd1e4e
0x04dd1e09
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 879c19f8f149e1dd35267e25cf8ef7844e6f99fa13658c871c56b9c0c6254242
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 62217C7268011AFFD721CF99CC80EAEBBB9FF85784F114059E90597260DA34BE01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04DA9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x4e7f6e8);
				E04DFD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E04E788F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E04DFD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x4e986c0; // 0x4207b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x4e986b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E04DC2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E04E788F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E04DEAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x4e9b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x4e984c0;
										if(_t69 >=  *0x4e984c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E04E79063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E04DA922A(_t82);
							_t53 = E04DC7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E04E78B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x4e986c0; // 0x4207b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x4e986b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x4e986bc;
										_t72 = 0x4e986b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E04DA9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x4e986c4;
									_t72 = 0x4e986c0;
									L18:
									E04DD9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x04da9100
0x04da9100
0x04da9100
0x04da9100
0x04da9102
0x04da9107
0x04da910c
0x04da9110
0x04da9115
0x04da9136
0x04da9143
0x04e037e4
0x04e037e4
0x04da9149
0x04da914e
0x04da914e
0x04da9117
0x04da911d
0x00000000
0x00000000
0x04da911f
0x04da9125
0x00000000
0x04da9151
0x04da9158
0x04da915d
0x04da9161
0x04da9168
0x04e03715
0x00000000
0x04da916e
0x04da916e
0x04da9175
0x04da9177
0x04da917e
0x04da917f
0x04da9182
0x04da9182
0x04da9187
0x04da9187
0x04da918a
0x04da918d
0x04da918f
0x04da9192
0x04da9195
0x04da9198
0x04da9198
0x04da9198
0x04da919a
0x00000000
0x00000000
0x04e0371f
0x04e03721
0x04e03727
0x04e0372f
0x04e03733
0x04e03735
0x04e03738
0x04e0373b
0x04e0373d
0x04e03740
0x00000000
0x00000000
0x04e03746
0x04e03749
0x00000000
0x00000000
0x04e0374f
0x04e03751
0x00000000
0x00000000
0x04e03757
0x04e03759
0x04e0375c
0x04e0375c
0x04e0375e
0x04e0375e
0x04e03761
0x04e03764
0x00000000
0x00000000
0x04e03766
0x04e03768
0x04e037a3
0x04e037a3
0x04e037a5
0x04e037a7
0x04e037ad
0x04e037b0
0x04e037b2
0x04e037bc
0x04e037c2
0x04e037c2
0x04e037b2
0x04da9187
0x04da9187
0x04da918a
0x04da918d
0x04da918f
0x04da9192
0x04da9195
0x00000000
0x04da9195
0x00000000
0x04da9187
0x04e0376a
0x04e0376a
0x04e0376c
0x04e0376c
0x04e0376f
0x04e03775
0x00000000
0x00000000
0x04e03777
0x04e03779
0x00000000
0x00000000
0x04e03782
0x04e03787
0x04e03789
0x04e03790
0x04e03790
0x04e0378b
0x04e0378b
0x04e0378b
0x04e03792
0x04e03795
0x04e03795
0x04e03798
0x04e03798
0x04e0379b
0x04e0379b
0x04da91a3
0x04da91a9
0x04da91b0
0x04da91b4
0x04da91b4
0x04da91bb
0x04da91c0
0x04da91c5
0x04da91c7
0x04e037da
0x04da91cd
0x04da91cd
0x04da91cd
0x04da91d2
0x04da91d5
0x04da9239
0x04da9239
0x04da91d7
0x04da91db
0x04da91e1
0x04da91e7
0x04da91fd
0x04da9203
0x04da921e
0x04da9223
0x00000000
0x04da9223
0x04da9205
0x04da9208
0x04da920c
0x04da9214
0x04da9214
0x04da91e9
0x04da91e9
0x04da91ee
0x04da91f3
0x04da91f3
0x04da91f3
0x04da91e7
0x00000000
0x04da91db
0x04da9187
0x04da9168

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08dbcba1422b591d5fa1da7336117c7f4d94093aee2083ccb8e7d3d7f29a75e9
Instruction ID: b1348c5b05e09522037ce2773855278c0af2ff6b94ba3c1ee8ae0673970d1844
Opcode Fuzzy Hash: 08dbcba1422b591d5fa1da7336117c7f4d94093aee2083ccb8e7d3d7f29a75e9
Instruction Fuzzy Hash: D131E3F1A01245DFEB21DF68C49CB9DB7F1BB49318F18898AC4056B291D334F990CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04DC0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04DC0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x4e9d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E04DD9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E04DEB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E04E78A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E04DD9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x4e9b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x04dc0055
0x04dc005d
0x04dc0062
0x04dc006c
0x04dc006f
0x04dc0074
0x04dc007a
0x04dc007a
0x04dc0080
0x04dc0080
0x04dc0087
0x04dc008d
0x04dc008f
0x04dc0093
0x04dc0095
0x04dc009b
0x04dc00f8
0x04dc00fb
0x04dc00fc
0x04dc00ff
0x04dc0108
0x04dc0108
0x04dc00a2
0x04dc00a6
0x04dc00b3
0x04dc00bc
0x04dc00c5
0x04dc00ca
0x04e0c01e
0x00000000
0x00000000
0x04e0c02d
0x04dc00d5
0x04dc00d9
0x04e0c03d
0x04e0c046
0x04e0c046
0x04dc00df
0x04dc00e2
0x04dc00ea
0x04dc00ef
0x04dc00f2
0x04dc00f6
0x04dc0111
0x04dc0117
0x04dc0117
0x00000000
0x04dc00f6
0x04dc00d0
0x04dc00d0
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4124deabce0df952e5ba80a9a9425fd77a21093e971c7e6e10364ca1d7041d1d
Instruction ID: cbdb7b4ecb36ef3efb846159db76848ce482557c3233994b777442ba14ccc01d
Opcode Fuzzy Hash: 4124deabce0df952e5ba80a9a9425fd77a21093e971c7e6e10364ca1d7041d1d
Instruction Fuzzy Hash: EE317A31701B05DFD726CF28C844B96B3E5FF88718F15866DE49A87A90EA35BC01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E26C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04E26C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E04DC7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x4e97b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L04DC4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E04DEF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E04DC7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E04DE9AE0();
						_t23 = L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x04e26c0a
0x04e26c0f
0x04e26c10
0x04e26c13
0x04e26c15
0x04e26c19
0x04e26c1c
0x04e26c21
0x04e26c28
0x04e26c3a
0x04e26c2a
0x04e26c33
0x04e26c33
0x04e26c3f
0x04e26c48
0x04e26c4d
0x04e26c60
0x04e26c65
0x04e26c69
0x04e26c73
0x04e26c79
0x04e26c7f
0x04e26c86
0x04e26c90
0x04e26c94
0x04e26ca6
0x04e26cb2
0x04e26cbd
0x04e26cbd
0x04e26cc3
0x04e26cc7
0x04e26ccb
0x04e26cd0
0x04e26cd1
0x04e26ce2
0x04e26ce2
0x04e26c69
0x04e26ced

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e78debc5d22faaad70f55ced68e696b6f56a7caaaeb6e1e68b7271fa48a7817
Instruction ID: a5e04ee796f71b4ce6502f6effbd398f7038d2cd138e4a1710d20dc1aac2f452
Opcode Fuzzy Hash: 3e78debc5d22faaad70f55ced68e696b6f56a7caaaeb6e1e68b7271fa48a7817
Instruction Fuzzy Hash: 5021BCB1A00655AFD711EF69D980F6AB7B8FF48708F0401AAF905C7790E634ED50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04DE90AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04DE90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E04DFD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E04DDE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L04DC4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E04DEF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E04DDA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x04de90af
0x04de90b8
0x04de90bb
0x04de90bf
0x04de90c2
0x04de90c2
0x04de90c8
0x04de90cb
0x04de90cd
0x04e214d7
0x04e214eb
0x04e214eb
0x00000000
0x04e214eb
0x04e214db
0x04e214e6
0x00000000
0x04e214f2
0x04e214e8
0x00000000
0x04e214e8
0x04de90d8
0x04de90da
0x04de90dd
0x04de90e5
0x00000000
0x04de9139
0x04de90fa
0x04de90fe
0x04de9142
0x00000000
0x04de9142
0x04de9104
0x04de9107
0x04de910b
0x04de9110
0x04de9118
0x04de9147
0x04de9148
0x04de914f
0x04de9150
0x04de9151
0x04de9152
0x04de9156
0x04de915d
0x04de9160
0x04de9168
0x04de916c
0x04de91bc
0x04de91be
0x00000000
0x04de91be
0x04de916e
0x04de9173
0x04de9176
0x00000000
0x00000000
0x04de917c
0x04de9180
0x04de91b5
0x00000000
0x04de91b5
0x04de9182
0x04de9185
0x04de9189
0x00000000
0x00000000
0x04de918e
0x04de9190
0x04de9198
0x00000000
0x00000000
0x04de91a0
0x00000000
0x04de91ad
0x04de91ad
0x04de91b0
0x04de91b1
0x00000000
0x04de9185
0x04de911a
0x04de911c
0x04de911f
0x04de9125
0x04de9127
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 96237b3a1d65525c30e7b7c33e7dc48eb3985197c057e926ac3d40e3c1463859
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 442192B1A01714EFDB21EF59C944EAAF7F8EB44354F1588AAE989A7200D331FD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DD3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04DD3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x4e984c4; // 0x0
				_v12 = 1;
				_v8 =  *0x4e984c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x4e984c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E04DEAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E04DEFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x4e984c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x4e984c4; // 0x0
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x04dd3b89
0x04dd3b96
0x04dd3ba1
0x04dd3bab
0x04dd3bb5
0x04dd3bb9
0x04e16298
0x04dd3bbf
0x04dd3bc2
0x04dd3bc3
0x04dd3bc9
0x04dd3bca
0x04dd3bcc
0x04dd3bcd
0x04dd3bd4
0x04dd3bd6
0x04dd3bdb
0x04dd3bea
0x04dd3bf7
0x04dd3bfb
0x04dd3bff
0x04dd3c09
0x04dd3c0a
0x04dd3c0b
0x04dd3c0f
0x04dd3c14
0x04dd3c18
0x04dd3c18
0x04dd3bfb
0x04dd3c1b
0x04dd3c30
0x04dd3c30
0x04dd3c3d

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a96aa13c42e0ef3e61121fef269e2fe45bf6b85a63890d187c64678f77090e
Instruction ID: 550df5a4a5b9dca6e3db514a3238b668811652d0f821607cab51c9227617795f
Opcode Fuzzy Hash: 85a96aa13c42e0ef3e61121fef269e2fe45bf6b85a63890d187c64678f77090e
Instruction Fuzzy Hash: A3219F72A00109AFD705EF58CD81BAAB7BDFF44708F150069E909AB261D775FD11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E26CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04E26CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E04DC7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E04DC7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x4d85c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E04DDF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E04DDF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E04E27016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L04DC2400( &_v52);
								}
								_t21 = L04DC2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x04e26cfb
0x04e26d00
0x04e26d02
0x04e26d06
0x04e26d0a
0x04e26d0e
0x04e26d19
0x04e26d2b
0x04e26d1b
0x04e26d24
0x04e26d24
0x04e26d33
0x04e26d39
0x04e26d46
0x04e26d4f
0x04e26d61
0x04e26d51
0x04e26d5a
0x04e26d5a
0x04e26d69
0x04e26d6b
0x04e26d6d
0x04e26d6f
0x04e26d6f
0x04e26d74
0x04e26d79
0x04e26d7a
0x04e26d7f
0x04e26d82
0x04e26d88
0x04e26d89
0x04e26d90
0x04e26d94
0x04e26da7
0x04e26db1
0x04e26db1
0x04e26dbb
0x04e26dbb
0x04e26d90
0x04e26d69
0x04e26d46
0x04e26dc6

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ba2c440315a3ec655d3858a6b146de68e3dff25b996cfd652ac5b30cb9ab79
Instruction ID: d4d75eb4abb9619cae089fcf9e30bcba03f289e7bf32bae8b9980c846b703d47
Opcode Fuzzy Hash: 82ba2c440315a3ec655d3858a6b146de68e3dff25b996cfd652ac5b30cb9ab79
Instruction Fuzzy Hash: B221C572A042999BD711EF79CA44B67B7ECEF81748F08065AF940C7251EB34E508C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 04E7070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04E7070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E04E707DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E04E6AFDE( &_v8,  &_v12);
					E04E71293(_t38, _v28, _t60);
					if(E04DC7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E04E614FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x04e7071b
0x04e70724
0x04e70734
0x04e70738
0x04e7074b
0x04e7074b
0x04e70753
0x04e70753
0x04e70759
0x04e7075d
0x04e70774
0x04e70779
0x04e7077d
0x04e70789
0x04e70795
0x04e707a7
0x04e70797
0x04e707a0
0x04e707a0
0x04e707af
0x04e707c4
0x04e707cd
0x04e707cd
0x04e707af
0x04e707dc

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: ef7ce11056e4c226bdedaf9d035a022a82aff0d1889408389d0bb0cc8ebf463a
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 4A2126363042009FD705EF18C880B6ABBA5EFC4364F04856DF9959B385D730E909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04DCAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04DCAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E04DC7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E04DC7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E04DC7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E04DC7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E04E27794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x04dcae78
0x04dcae7c
0x04dcae7e
0x04dcae81
0x04dcae86
0x04dcae8d
0x04e12691
0x04dcae93
0x04dcae93
0x04dcae93
0x04dcae98
0x04dcae9d
0x04e126a2
0x04e126b4
0x04e126a4
0x04e126ad
0x04e126ad
0x04e126b9
0x00000000
0x04e126bb
0x00000000
0x04e126bb
0x04dcaea3
0x04dcaea3
0x04dcaea3
0x04dcaeaa
0x04e126c0
0x04e126c9
0x04e126c9
0x04dcaeb3
0x04e126d4
0x04e126e1
0x00000000
0x00000000
0x04e126e7
0x04e126ee
0x04e126f0
0x04e126f9
0x04e126f9
0x04e12702
0x04e12708
0x04e12708
0x04e1270b
0x04e1270f
0x04e12711
0x04e12711
0x04e12725
0x04e12725
0x00000000
0x04dcaeb9
0x04dcaeb9
0x04dcaebf
0x04dcaebf
0x04dcaeb3

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: a8ea2c4d8c29d8990b013e7b2af1cd866c8c95259ea56e7d6d6a7537e2e59ba9
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 7E21CF71701686DFEB269B68C944B2577E9EF44348F1904E5DE049B7A2E774FC40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E27794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04E27794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x4e97b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E04DEF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E04DC7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E04DE9AE0();
					_t24 = L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x04e27799
0x04e2779a
0x04e2779b
0x04e277a3
0x04e277ab
0x04e277ae
0x04e277b1
0x04e277b1
0x04e277bf
0x04e277c4
0x04e277c8
0x04e277ce
0x04e277d4
0x04e277e0
0x04e277e0
0x04e277d6
0x04e277d6
0x04e277de
0x00000000
0x00000000
0x04e277de
0x04e277e5
0x04e277f0
0x04e277f3
0x04e277f6
0x04e277fd
0x04e27800
0x04e2780c
0x04e27818
0x04e2782b
0x04e2781a
0x04e27823
0x04e27823
0x04e27830
0x04e27831
0x04e27838
0x04e2783d
0x04e2783e
0x04e2784f
0x04e2784f
0x04e2785a

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0322f6ee4b7367e1e35956b0896bd54408eadb5626aa5a131b70b39a879699a8
Instruction ID: 9d0b7d7fcc9dff65cea1d5a895bee85c4fead2504edaf15cc743ae2f87d45f75
Opcode Fuzzy Hash: 0322f6ee4b7367e1e35956b0896bd54408eadb5626aa5a131b70b39a879699a8
Instruction Fuzzy Hash: 8621AE72A00614ABC725DF69D990EABB7B9EF48344F10056DF90AD7750E634E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04DDFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04DDFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E04DB76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x04ddfd9b
0x04ddfda0
0x04ddfda1
0x04ddfdab
0x04ddfdad
0x04ddfdb0
0x04ddfdb8
0x04ddfe0f
0x04ddfde6
0x04ddfde9
0x04ddfdec
0x04e1c0c0
0x04ddfdfe
0x04ddfe06
0x04ddfe06
0x04e1c0c8
0x04ddfe2d
0x04ddfe2d
0x00000000
0x04ddfe2d
0x04e1c0d1
0x04e1c0e0
0x04e1c0e5
0x04e1c0e5
0x04e1c0e8
0x00000000
0x04e1c0e8
0x04ddfdf4
0x00000000
0x00000000
0x04ddfdf6
0x04ddfdfa
0x04ddfe1a
0x04ddfe1f
0x04ddfe1f
0x04ddfdfc
0x00000000
0x04ddfdfc
0x04ddfdcc
0x04ddfdd0
0x04ddfe26
0x00000000
0x04ddfe26
0x04ddfdd8
0x04ddfddb
0x04ddfddd
0x04ddfde0
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 283a034dd3c0615c945d43f279b8df0aa9cd28982fd0513c16b27bd5d259db93
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 6D217972640A81DFD731CF49C540E66B7E5FB94B10F24816EE98A87620E730FD00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04DA9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x4e7f708);
				E04DFD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E04DE95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E04DE95D0();
				_t33 =  *0x4e984c4; // 0x0
				L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x4e984c4; // 0x0
				L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x4e984c4; // 0x0
				E04DC2280(L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x4e986b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E04DE95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E04DE95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E04DA9325();
					_t50 =  *0x4e984c4; // 0x0
					return E04DFD0D1(L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x04da9240
0x04da9242
0x04da9247
0x04da924c
0x04da924e
0x04da9255
0x04da9257
0x04da925a
0x04da925f
0x04da925f
0x04da9266
0x04da9271
0x04da9276
0x04da9279
0x04da927e
0x04da9295
0x04da929a
0x04da92b1
0x04da92b6
0x04da92d7
0x04da92dc
0x04da92e0
0x04da92e6
0x04da92e8
0x04da92ee
0x04da9332
0x04da9333
0x04da9337
0x04da9338
0x04da933a
0x04da933a
0x04da933d
0x04da9342
0x04da9342
0x04da9345
0x04da9349
0x04da934e
0x04da9352
0x04da9357
0x04da92f4
0x04da92f4
0x04da92f6
0x04da92f9
0x04da9300
0x04da9306
0x04da9324
0x04da9324

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3743d87303ec7563dbbf13037527f29fcb588205188ea9bb1d0f3d3e65dc0e7a
Instruction ID: c1904eb97e0587309e009a709e0897891ccb8fe3823e7800dda0a655ed57a922
Opcode Fuzzy Hash: 3743d87303ec7563dbbf13037527f29fcb588205188ea9bb1d0f3d3e65dc0e7a
Instruction Fuzzy Hash: A9214A72251601DFD721EF28CA14F5AB7B9FF08708F1449A8E109876B1CB38F951CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04DDB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04DDB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E04DC2280(_t12, 0x4e98608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E04DE00C2(0x4e98608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x04ddb395
0x04ddb3a2
0x04ddb3a5
0x04ddb3aa
0x04ddb3b2
0x04ddb3ba
0x04ddb3bd
0x04ddb3c0
0x04ddb3c4
0x04ddb3c9
0x04e1a3e9
0x04e1a3ed
0x04e1a3f0
0x04e1a3ff
0x04e1a403
0x04e1a409
0x00000000
0x00000000
0x04e1a40b
0x04e1a40b
0x04e1a40f
0x04e1a415
0x04e1a423
0x04e1a423
0x04e1a415
0x04ddb3d1
0x04ddb3e8
0x04ddb3e8
0x04ddb3d9

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df39aefa92417014471c2263f6fad72030be08ba5dfd51004d6d27109ad66e6f
Instruction ID: 017ed6d29d02ca8a08a19cfbc271f0f565f3cc18751c4bc7ac9397396e18a16c
Opcode Fuzzy Hash: df39aefa92417014471c2263f6fad72030be08ba5dfd51004d6d27109ad66e6f
Instruction Fuzzy Hash: EF1148337521109BDF199E158D81A7F7296FBC5338B25153ED916DB3D0D931BC02D690

Uniqueness

Uniqueness Score: -1.00%

Function 04E34257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04E34257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x4e808d0);
				E04DFD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E04E341E8(__ebx, __edi, __ecx, _t39);
				E04DBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x4e987e4;
					_t18 =  *0x4e987e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x4e95cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x4e987e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x4e987e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L04DA7055(_t31 + 0xfffffff8);
								_t24 =  *0x4e987e0; // 0x0
								_t18 = _t24 - 1;
								 *0x4e987e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x4e95cd0;
				if( *0x4e95cd0 <= 0) {
					L04DA7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x4e987e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x4e987e8 = _t30;
						 *0x4e987e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E04DFD0D1(L04E34320());
			}

0x04e34257
0x04e34257
0x04e34257
0x04e34259
0x04e3425e
0x04e34263
0x04e34265
0x04e34273
0x04e34278
0x04e3427c
0x04e3427f
0x04e34281
0x04e34287
0x04e342d7
0x04e342d7
0x04e342da
0x04e3428d
0x04e3428d
0x04e3428f
0x04e34292
0x04e34297
0x04e3429c
0x04e342a0
0x04e342a6
0x04e342a8
0x04e342ae
0x04e342b3
0x00000000
0x04e342ba
0x04e342ba
0x04e342bf
0x04e342c5
0x04e342ca
0x04e342cf
0x04e342d0
0x00000000
0x04e342d0
0x04e342b3
0x00000000
0x04e342a6
0x04e3429c
0x04e342dc
0x04e342dc
0x04e342e3
0x04e34309
0x04e342e5
0x04e342e5
0x04e342e8
0x04e342ee
0x04e342f0
0x00000000
0x04e342f2
0x04e342f2
0x04e342f4
0x04e342f7
0x04e342f9
0x04e34300
0x04e34300
0x04e342f0
0x04e3430e
0x04e3431f

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0a5febb755d387151db34d958b88139b717da998422685cecfb826b4dd0980
Instruction ID: 326b429ec0d00e9984037bbef229814761f94432dd4b48c34894792f74e1faac
Opcode Fuzzy Hash: 0d0a5febb755d387151db34d958b88139b717da998422685cecfb826b4dd0980
Instruction Fuzzy Hash: 93215B70611A01DFD716EF66D004654B7F1FF8631AB1092AAC119DB2E5DB35EC81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04E246A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04E246A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E04DEF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E04DDD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L04DC77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x04e246b7
0x04e246ba
0x04e246c5
0x04e246c8
0x04e246d0
0x04e246d4
0x04e246e6
0x04e246e9
0x04e246f4
0x04e246ff
0x04e24705
0x04e24706
0x04e2470c
0x04e24713
0x04e2471b
0x04e24723
0x04e24725
0x04e246d6
0x04e246d9
0x04e246db
0x04e246db
0x04e24732

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 50bd800a5a72a1cb95379ddccea83047783c35d8932f412f3be7e7e1574ba2de
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: A711E572604208BBDB159F6DD9808BEBBB9EF95304F10806EF984CB350DA319D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04DD2397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E04DD2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x4e9848c != 0) {
					L04DCFAD0(0x4e98610);
					if( *0x4e9848c == 0) {
						E04DCFA00(0x4e98610, _t19, _t27, 0x4e98610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E04DD2581(0x4e98610, 0x4d850a0, _t26, _t27, _t28);
						E04DCFA00(0x4e98610, 0x4d850a0, _t27, 0x4e98610);
					}
				} else {
					L1:
					_t11 =  *0x4e98614; // 0x1
					if(_t11 == 0) {
						_t11 = E04DE4886(0x4d81088, 1, 0x4e98614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E04DD2581(0x4e98610, (_t11 << 4) + 0x4d85070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x04dd23b0
0x04dd23b6
0x04dd2409
0x04dd2415
0x04e15ae9
0x00000000
0x04dd241b
0x04dd241b
0x04dd241d
0x04dd2427
0x04dd242e
0x04dd2430
0x04dd2430
0x04dd23b8
0x04dd23b8
0x04dd23b8
0x04dd23bf
0x04dd23fc
0x04dd23fc
0x04dd23c1
0x04dd23c3
0x04dd23d0
0x04dd23d8
0x04dd23d8
0x04dd23dc
0x04dd23de
0x04dd23e1
0x04dd23e1
0x04dd23ec

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2f0ce1b5099c8873eb03d2975a2863df475362a3e1ea5c9e10adc0a0f7605d
Instruction ID: 44a60660b3ca43501c35a2f9d0867160ec5bff393634d5617bb8de24c899aabe
Opcode Fuzzy Hash: 1b2f0ce1b5099c8873eb03d2975a2863df475362a3e1ea5c9e10adc0a0f7605d
Instruction Fuzzy Hash: E4112B3274430067FB30BA2AAC80F25B2D9FB90724F14445EF502EB2D1D974FC019765

Uniqueness

Uniqueness Score: -1.00%

Function 04DE37F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E04DE37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E04DC2280(_t6, 0x4e98550);
				}
				_t29 = E04DE387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E04DBFFB0(0x4e98550, _t27, 0x4e98550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x04de37fa
0x04de37fc
0x04de3805
0x04de3808
0x04de3808
0x04de3814
0x04de3818
0x04de3846
0x04de3848
0x04de384b
0x04de384b
0x04de3852
0x00000000
0x04de3854
0x04de3856
0x00000000
0x00000000
0x04de3863
0x00000000
0x04de3863
0x04de381a
0x04de381a
0x04de381f
0x04de386e
0x04de386e
0x04de3871
0x04de3873
0x04de3873
0x04de3868
0x00000000
0x04de3868
0x04de3821
0x04de3826
0x00000000
0x00000000
0x04de3828
0x04de382a
0x04de3841
0x00000000
0x04de3841

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d99c6b3ff44ba79217d4767eeb162568905b9627118e84a1f203ee0a38a662d
Instruction ID: 580572ecadf6d60f65acdd4db115a6c3d44c05a0e855e84a7b28dd8327bd8b7c
Opcode Fuzzy Hash: 5d99c6b3ff44ba79217d4767eeb162568905b9627118e84a1f203ee0a38a662d
Instruction Fuzzy Hash: FA01C472A016119BD327AB1B9980A3ABBA6EFC6B50755406EED45CB211DB30E802C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 04DAC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E04DAC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x4e9d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E04DBEEF0(0x4e970a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E04E2F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E04DBEB70(_t29, 0x4e970a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E04DEB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E04E2F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x4e970c0; // 0x0
					while(_t38 != 0x4e970c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x4e9b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x04dac96a
0x04dac974
0x04dac988
0x04dac98a
0x04e17c9d
0x04e17c9f
0x04e17ca4
0x04e17cae
0x04e17cf0
0x04e17cf5
0x04e17cfa
0x04dac992
0x04dac996
0x04dac997
0x04dac998
0x04dac9a3
0x04dac9a3
0x04e17cb0
0x04e17cb7
0x04e17cbb
0x00000000
0x00000000
0x04e17cbd
0x04e17ce8
0x04e17cc5
0x04e17cc8
0x04e17cca
0x04e17cd0
0x04e17cd6
0x04e17cde
0x04e17ce4
0x04e17ce4
0x04e17cd0
0x00000000
0x04e17ce8
0x04dac990
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f29ec6b957db78c51f77772ffe4755b372a666fb9ad8050efc69e6dc3f2854
Instruction ID: b173110f485ea27fa7b3203d347f9ed1c2268d3413ecb7b02a88ea7bcd735c95
Opcode Fuzzy Hash: f4f29ec6b957db78c51f77772ffe4755b372a666fb9ad8050efc69e6dc3f2854
Instruction Fuzzy Hash: 7C112531350642EBDB14AF69CC45A6B77E1FB88A18B001569E886836A0DF20FC14C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 04DD002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DD002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E04DC7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E04DC7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E04DC7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E04DC7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x04dd0032
0x04dd0037
0x04dd0043
0x04e14b3a
0x04dd0049
0x04dd0049
0x04dd0049
0x04dd004e
0x04dd0053
0x04e14b48
0x04e14b5a
0x04e14b4a
0x04e14b53
0x04e14b53
0x04e14b5f
0x00000000
0x04e14b61
0x00000000
0x04e14b61
0x04dd0059
0x04dd0059
0x04dd0060
0x04e14b6f
0x04e14b6f
0x04dd0069
0x04e14b83
0x00000000
0x00000000
0x04e14b90
0x04e14b9b
0x04e14b9b
0x04e14ba4
0x00000000
0x00000000
0x04e14baa
0x00000000
0x04dd006f
0x04dd006f
0x00000000
0x04dd006f
0x04dd0069

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: d0e4903edbcb259ab6de4fd7e422101be328cde3b93b43f98d3250ed0f2a3083
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: BF11ED72341682DFE7238B28C948F3537E9EB8075CF0910A0DD058B7E2E368F841C660

Uniqueness

Uniqueness Score: -1.00%

Function 04DB766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04DB766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E04DDF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E04DDF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L04DC4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x04db7672
0x04db767f
0x04db7689
0x04db76de
0x04db76de
0x04db768b
0x04db7691
0x04db7693
0x04db7697
0x00000000
0x04db7699
0x04db76a8
0x00000000
0x04db76aa
0x04db76ad
0x04db76b1
0x00000000
0x04db76b3
0x04db76b3
0x04db76b5
0x04db76ba
0x04db76bc
0x04db76bc
0x04db76c0
0x00000000
0x04db76c2
0x04db76ce
0x04db76ce
0x04db76c0
0x04db76b1
0x04db76a8
0x04db7697
0x04db76d9

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 8b21613379d09fe438f4a683c32a1b68a1bca55e9e246831a4e6c07703146e9a
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 23017132700219EFD761EE5ECC51E9B76ADEBC4760B250528B94ACB254DA60ED0187E0

Uniqueness

Uniqueness Score: -1.00%

Function 04E3C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04E3C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E04DE9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E04DE95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E04DE95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E04DE95D0();
				return L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x04e3c458
0x04e3c45d
0x04e3c466
0x04e3c468
0x04e3c469
0x04e3c46a
0x04e3c46b
0x04e3c46e
0x04e3c46f
0x04e3c471
0x04e3c476
0x04e3c476
0x04e3c47c
0x04e3c47e
0x04e3c480
0x04e3c480
0x04e3c483
0x04e3c484
0x04e3c486
0x04e3c488
0x04e3c48f
0x04e3c491
0x04e3c493
0x04e3c493
0x04e3c48f
0x04e3c498
0x04e3c49e
0x04e3c4ad
0x04e3c4ad
0x04e3c4b2
0x04e3c4b4
0x04e3c4cd

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 62139cc244a46a1fa5721bca80c032994f888b3e0ef235dbddc86aa1aad2c3e7
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: DD0196B2240605BFE721AF65CC94E62FB6DFF54359F104525F25453560C721FCA0CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04DA9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x4e985ec;
				E04DC2280(_t48, 0x4e985ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E04DBFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x4e9538c; // 0x77f06888
					if( *_t84 != 0x4e95388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x4e7f6e8);
						E04DFD0E8(0x4e985ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E04E788F5(_t80, _t85, 0x4e95388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x4e986c0; // 0x4207b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x4e986b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E04DC2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E04E788F5(0x4e985ec, _t85, 0x4e95388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E04DEAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x4e9b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x4e984c0;
																			if(_t82 >=  *0x4e984c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E04E79063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E04DA922A(_t99);
										_t64 = E04DC7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E04E78B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x4e986c0; // 0x4207b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x4e986b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x4e986bc;
													_t87 = 0x4e986b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E04DA9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x4e986c4;
												_t87 = 0x4e986c0;
												L27:
												E04DD9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E04DFD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x4e95388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x4e9538c = _t51;
						goto L6;
					}
				}
			}

0x04da9082
0x04da9083
0x04da9084
0x04da9085
0x04da9087
0x04da9096
0x04da9098
0x04da9098
0x04da909e
0x04da90a8
0x04da90e7
0x04da90e7
0x04da90aa
0x04da90b0
0x04da90b7
0x04da90bd
0x04da90dd
0x04da90e6
0x04da90bf
0x04da90bf
0x04da90c7
0x04da90cf
0x04da90f1
0x04da90f2
0x04da90f4
0x04da90f5
0x04da90f6
0x04da90f7
0x04da90f8
0x04da90f9
0x04da90fa
0x04da90fb
0x04da90fc
0x04da90fd
0x04da90fe
0x04da90ff
0x04da9100
0x04da9102
0x04da9107
0x04da910c
0x04da9110
0x04da9113
0x04da9115
0x04da9136
0x04da913f
0x04da9143
0x04e037e4
0x04e037e4
0x04da9117
0x04da9117
0x04da911d
0x00000000
0x04da911f
0x04da911f
0x04da9125
0x00000000
0x04da9127
0x04da912d
0x04da9130
0x04da9134
0x04da9158
0x04da915d
0x04da9161
0x04da9168
0x04e03715
0x04da916e
0x04da916e
0x04da9175
0x04da9177
0x04da917e
0x04da917f
0x04da9182
0x04da9182
0x04da9187
0x04da9187
0x04da918a
0x04da918d
0x04da918f
0x04da9192
0x04da9195
0x04da9198
0x04da9198
0x04da9198
0x04da919a
0x00000000
0x00000000
0x04e0371f
0x04e03721
0x04e03727
0x04e0372f
0x04e03733
0x04e03735
0x04e03738
0x04e0373b
0x04e0373d
0x04e03740
0x00000000
0x04e03746
0x04e03746
0x04e03749
0x00000000
0x04e0374f
0x04e0374f
0x04e03751
0x04e03757
0x04e03759
0x04e0375c
0x04e0375c
0x04e0375e
0x04e0375e
0x04e03761
0x04e03764
0x00000000
0x00000000
0x04e03766
0x04e03768
0x04e037a3
0x04e037a3
0x04e037a5
0x04e037a7
0x04e037ad
0x04e037b0
0x04e037b2
0x04e037bc
0x04e037c2
0x04e037c2
0x04e037b2
0x04da9187
0x04da9187
0x04da918a
0x04da918d
0x04da918f
0x04da9192
0x04da9195
0x00000000
0x04da9195
0x00000000
0x04e0376a
0x04e0376a
0x04e0376a
0x04e0376c
0x04e0376c
0x04e0376f
0x04e03775
0x00000000
0x00000000
0x04e03777
0x04e03779
0x04e03782
0x04e03787
0x04e03789
0x04e03790
0x04e03790
0x04e0378b
0x04e0378b
0x04e0378b
0x04e03792
0x04e03795
0x00000000
0x04e03795
0x00000000
0x04e03779
0x04e03798
0x00000000
0x04e03798
0x00000000
0x04e03768
0x04e0379b
0x04e0379b
0x04e03751
0x04e03749
0x00000000
0x04e03740
0x04da91a0
0x04da91a3
0x04da91a9
0x04da91b0
0x00000000
0x04da91b0
0x04da9187
0x04da91b4
0x04da91b4
0x04da91bb
0x04da91c0
0x04da91c5
0x04da91c7
0x04e037da
0x04da91cd
0x04da91cd
0x04da91cd
0x04da91d2
0x04da91d5
0x04da9239
0x04da9239
0x04da91d7
0x04da91db
0x04da91e1
0x04da91e7
0x04da91fd
0x04da9203
0x04da921e
0x04da9223
0x00000000
0x04da9205
0x04da9205
0x04da9208
0x04da920c
0x04da9214
0x04da9214
0x04da920c
0x04da91e9
0x04da91e9
0x04da91ee
0x04da91f3
0x04da91f3
0x04da91f3
0x04da91e7
0x00000000
0x00000000
0x00000000
0x04da9134
0x04da9125
0x04da911d
0x04da914e
0x04da90d1
0x04da90d1
0x04da90d3
0x04da90d6
0x04da90d8
0x00000000
0x04da90d8
0x04da90cf

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074b3c0dfef24964a96207fb68352061bcd5274e29755b357a7a84e8c61b600c
Instruction ID: c0ead4f50303c14f28024f7ae10690de174b0d64c581352f66d93d0283c47251
Opcode Fuzzy Hash: 074b3c0dfef24964a96207fb68352061bcd5274e29755b357a7a84e8c61b600c
Instruction Fuzzy Hash: 7E01F4B3B012009FE3259F18D840B25BBE9FB45365F2145A6E2019B695C774FC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04E74015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04E74015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E04DC2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E04DC2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x4e986ac);
					E04DAF900(0x4e986d4, _t28);
					E04DBFFB0(0x4e986ac, _t28, 0x4e986ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E04DBFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x04e7401a
0x04e7401e
0x04e74023
0x04e74028
0x04e74029
0x04e7402b
0x04e7402f
0x04e74043
0x04e74046
0x04e74051
0x04e74057
0x04e7405f
0x04e74062
0x04e74067
0x04e7406f
0x04e7407c
0x04e7407c
0x04e7408c
0x04e7408c
0x04e74097

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f166acb943b9d526efca82703b211fabeb744f7c2192e8ab7d19abe2bbd196
Instruction ID: 4af24188cb908731b0708299fde285a6aebda824735b2a0201b2ed4afb9f1acf
Opcode Fuzzy Hash: 86f166acb943b9d526efca82703b211fabeb744f7c2192e8ab7d19abe2bbd196
Instruction Fuzzy Hash: 26018472741546BFE711AF69CD84E57F7ACFB49768B000629B50887A52CB24FC11CAF4

Uniqueness

Uniqueness Score: -1.00%

Function 04E614FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04E614FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x4e9d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E04DEFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E04DC7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04e614fb
0x04e614fb
0x04e6150a
0x04e61514
0x04e61519
0x04e6151b
0x04e61526
0x04e6152c
0x04e61534
0x04e61537
0x04e6153a
0x04e61545
0x04e61557
0x04e61547
0x04e61550
0x04e61550
0x04e61562
0x04e61563
0x04e61565
0x04e6156a
0x04e6157f

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0bd48c0223970b1c9c3e79bf89f205392781aa5419b9bda94e6c914dd9fbae
Instruction ID: e8d65cd01e456cf22df110b52dce2ea59a2bf7a396099e4d346cd9476a10003a
Opcode Fuzzy Hash: ac0bd48c0223970b1c9c3e79bf89f205392781aa5419b9bda94e6c914dd9fbae
Instruction Fuzzy Hash: 3E018071A01258ABDB00EF69D841FAEB7B8EF44704F40405AB905EB280DA74EE00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04E6138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04E6138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x4e9d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E04DEFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04DC7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04e6138a
0x04e6138a
0x04e61399
0x04e613a3
0x04e613a8
0x04e613aa
0x04e613b5
0x04e613bb
0x04e613c3
0x04e613c6
0x04e613c9
0x04e613d4
0x04e613e6
0x04e613d6
0x04e613df
0x04e613df
0x04e613f1
0x04e613f2
0x04e613f4
0x04e613f9
0x04e6140e

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d178345fe895fd4c7285fd6de27c153dfe754531740d31734d5855bb41cc30e3
Instruction ID: e46628fc3cfd7a03c877e66156c55326e802a1560218eed96202b97527b7a522
Opcode Fuzzy Hash: d178345fe895fd4c7285fd6de27c153dfe754531740d31734d5855bb41cc30e3
Instruction Fuzzy Hash: A6019271A40218AFDB00EFA9D841FBEB7B8EF44700F40405BB901EB280DA74AE00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DA58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E04DA58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x4e9d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x4d85c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E04DA5943() != 0 &&  *0x4e95320 > 5) {
					E04E27B5E( &_v44, _t27);
					_t22 =  &_v28;
					E04E27B5E( &_v28, _t28);
					_t11 = E04E27B9C(0x4e95320, 0x4d8bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E04DEB640(_t11, _t17, _v8 ^ _t29, 0x4d8bf15, _t27, _t28);
			}

0x04da58fb
0x04da58fe
0x04da5906
0x04da590a
0x04da593c
0x04da593c
0x04da590c
0x04da590c
0x04da5911
0x00000000
0x04da5913
0x04da5913
0x04da5913
0x04da5911
0x04da591d
0x04e01035
0x04e0103c
0x04e0103f
0x04e01056
0x04e01056
0x04da593b

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4700df56d6aeca0bcb4b07a48460fbc6a2b2f00ab2008b51223ea152e214f9
Instruction ID: 5ab0fa0140bb465656dd98862dcb42501cbe279f92de54060171d99ef3bf0cba
Opcode Fuzzy Hash: 3c4700df56d6aeca0bcb4b07a48460fbc6a2b2f00ab2008b51223ea152e214f9
Instruction Fuzzy Hash: F9018431B10114FBE714EB25E9119BE77B9FB45234F94006AA805AB284DE20FD018651

Uniqueness

Uniqueness Score: -1.00%

Function 04E5FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04E5FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x4e9d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E04DEFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E04DC7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04e5fec0
0x04e5fec0
0x04e5fecf
0x04e5fed9
0x04e5fede
0x04e5fee0
0x04e5feeb
0x04e5fef3
0x04e5fef6
0x04e5fef9
0x04e5ff04
0x04e5ff16
0x04e5ff06
0x04e5ff0f
0x04e5ff0f
0x04e5ff21
0x04e5ff22
0x04e5ff24
0x04e5ff29
0x04e5ff3e

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76c01a126bb876f9a914cd5e84472ebe4c3ee43a7dab3cc59ed925fa87389a2
Instruction ID: 012464929566038384f2445a75b665f7b105e8f0bb7ae2c41230a4c810be3e40
Opcode Fuzzy Hash: b76c01a126bb876f9a914cd5e84472ebe4c3ee43a7dab3cc59ed925fa87389a2
Instruction Fuzzy Hash: 68018871F01219ABDB14EB69D845FBEB7B8EF44704F40406AF901DB290D974A901C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04E5FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04E5FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x4e9d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E04DEFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E04DC7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04e5fe3f
0x04e5fe3f
0x04e5fe4e
0x04e5fe58
0x04e5fe5d
0x04e5fe5f
0x04e5fe6a
0x04e5fe72
0x04e5fe75
0x04e5fe78
0x04e5fe83
0x04e5fe95
0x04e5fe85
0x04e5fe8e
0x04e5fe8e
0x04e5fea0
0x04e5fea1
0x04e5fea3
0x04e5fea8
0x04e5febd

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dacbcf8d92e63d3022d6541bd8d088faa5530ddecafea1403fcd19440297881
Instruction ID: 09fb6e52516b4773cb007fa808990b32992c2611dfba2cf9dc8754ef5d6869dc
Opcode Fuzzy Hash: 4dacbcf8d92e63d3022d6541bd8d088faa5530ddecafea1403fcd19440297881
Instruction Fuzzy Hash: A9018471F01219ABDB14EFA9D846FBEB7B8EF44714F00406AB900EB291DA74A901C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04E71074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E71074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E04E7165E(__ebx, 0x4e98ae4, (__edx -  *0x4e98b04 >> 0x14) + (__edx -  *0x4e98b04 >> 0x14), __edi, __ecx, (__edx -  *0x4e98b04 >> 0x14) + (__edx -  *0x4e98b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E04E6AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E04DC7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E04E5FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x04e71074
0x04e71080
0x04e71082
0x04e7108a
0x04e7108f
0x04e71093
0x04e710ab
0x04e710ab
0x04e710c3
0x04e710cf
0x04e710e1
0x04e710d1
0x04e710da
0x04e710da
0x04e710e9
0x04e710f5
0x04e710f5
0x04e710fe

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c69c95529e6ac58a5ad868f93dec814a560416a0517f055cc65b129d9d59cc
Instruction ID: 2ba0c6051088c1c1aae4b7bddf3d873d08a4d60fe54274318d84d4cbeeca11c6
Opcode Fuzzy Hash: e6c69c95529e6ac58a5ad868f93dec814a560416a0517f055cc65b129d9d59cc
Instruction Fuzzy Hash: 0B014C726047429FD710EF68C840B1AB7D5FB84328F049629F886933A0EE70F844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04DBB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DBB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E04DC7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E04E27016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x04dbb037
0x04dbb039
0x04dbb03b
0x04dbb040
0x04e0a60e
0x00000000
0x00000000
0x04e0a61d
0x04dbb04b
0x04dbb04e
0x04e0a627
0x04e0a634
0x00000000
0x00000000
0x04e0a641
0x04e0a653
0x04e0a643
0x04e0a64c
0x04e0a64c
0x04e0a65b
0x00000000
0x00000000
0x00000000
0x04e0a66c
0x04dbb057
0x04dbb057
0x04dbb057
0x04dbb046
0x04dbb046
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: df122b1b61c9d303ed4504e68472e91c2796e8414ded476025b217f7016dd034
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 4A01D431300A84DFD322C75CD984FB677E8EB52B44F0944B2F926CBA91D628FC80C660

Uniqueness

Uniqueness Score: -1.00%

Function 04E78ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04E78ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x4e9d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E04DC7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x04e78ed6
0x04e78ee5
0x04e78eed
0x04e78ef0
0x04e78efa
0x04e78f03
0x04e78f0c
0x04e78f15
0x04e78f24
0x04e78f27
0x04e78f31
0x04e78f43
0x04e78f33
0x04e78f3c
0x04e78f3c
0x04e78f4e
0x04e78f4f
0x04e78f51
0x04e78f56
0x04e78f69

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e30fb2315183e87646fcc6d10ac9d36d6e1fd8b32b918a856accc8a5d5dcb6
Instruction ID: 803fe05fa1c4b55d6e5f3b76c98941d0214e03d468dbddd4a02d7d0ae5db58fd
Opcode Fuzzy Hash: 40e30fb2315183e87646fcc6d10ac9d36d6e1fd8b32b918a856accc8a5d5dcb6
Instruction Fuzzy Hash: A7111EB0E00219DFDB04EFA9D545BAEB7F4FF08304F0442AAE519EB381E634A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E78A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04E78A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x4e9d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04DC7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04e78a62
0x04e78a71
0x04e78a79
0x04e78a82
0x04e78a85
0x04e78a89
0x04e78a8c
0x04e78a8f
0x04e78a92
0x04e78a95
0x04e78a9f
0x04e78ab1
0x04e78aa1
0x04e78aaa
0x04e78aaa
0x04e78abc
0x04e78abd
0x04e78abf
0x04e78ac4
0x04e78ada

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa8f2d6c43f22b106476f79484a1cdf6521d67549a3fc2868b94a5f3f3ff0a6
Instruction ID: 0d31910c622e2399d47ad807cc84cfd5c97eb06bc83a19a936be9d959fc8d962
Opcode Fuzzy Hash: 0aa8f2d6c43f22b106476f79484a1cdf6521d67549a3fc2868b94a5f3f3ff0a6
Instruction Fuzzy Hash: 6E012CB1A0121DAFDB00EFA9D9459EEBBB8FF48354F10405AF905E7341EA34AD00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DADB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DADB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E04DADB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E04DAE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L04DAE8B0(__ecx, _t14, 0xfff);
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x04dadb64
0x04dadb66
0x04dadb6b
0x04dadbaa
0x04dadb71
0x04dadb76
0x04dadb7a
0x04dadba3
0x04dadb7c
0x04dadb87
0x04dadb8b
0x04e04fa1
0x04e04fb3
0x04e04fb8
0x04dadb91
0x04dadb96
0x04dadb98
0x04dadb98
0x04dadb8b
0x04dadb7a
0x04dadb9d
0x04dadba2

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 821525a28be149aa74917db6b8db0166d2951b5ea93aaf990838786c97e699c0
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 2AF0C2333416229BE3726A558884B2BA6A7DFC1A60F160835B2059BA84CA70EC1696E1

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DAB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E04DC7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E04DC7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E04E27016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x04dab1e8
0x04dab1ea
0x04dab1f3
0x04e04a17
0x04dab1f9
0x04dab1f9
0x04dab1f9
0x04dab201
0x04e04a21
0x04e04a2e
0x00000000
0x00000000
0x04e04a3b
0x04e04a4d
0x04e04a3d
0x04e04a46
0x04e04a46
0x04e04a55
0x00000000
0x00000000
0x00000000
0x04dab20a
0x04dab20a
0x04dab20a
0x04dab20a

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 7c26b4beddcd713012543266c2b529d879a4119b6c55578f1f3c6ad3dd30d7e8
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 5201D632300580DBD322975DC904F597BA9EF81758F0840A3FA948B6F2E674F851C624

Uniqueness

Uniqueness Score: -1.00%

Function 04E3FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04E3FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x4e9d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E04DC7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04e3fe96
0x04e3fe9e
0x04e3fea1
0x04e3fead
0x04e3feb3
0x04e3feb9
0x04e3fec3
0x04e3fed5
0x04e3fec5
0x04e3fece
0x04e3fece
0x04e3fee0
0x04e3fee1
0x04e3fee3
0x04e3fee8
0x04e3fefb

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0310d689061d243715f603843df9d95a957a4992b82e9423e9c08e8c2028a241
Instruction ID: 309324556ec042ceafe39cbe5100cf21fde81046409718f4cad692ce2d5d4e58
Opcode Fuzzy Hash: 0310d689061d243715f603843df9d95a957a4992b82e9423e9c08e8c2028a241
Instruction Fuzzy Hash: 2801FF70A00209EFDB14DFA9D546A6EB7F4EF04314F54419AB515DB382DA35E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E78F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04E78F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x4e9d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E04DC7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04e78f6a
0x04e78f79
0x04e78f81
0x04e78f84
0x04e78f8b
0x04e78f91
0x04e78f94
0x04e78f9e
0x04e78fb0
0x04e78fa0
0x04e78fa9
0x04e78fa9
0x04e78fbb
0x04e78fbc
0x04e78fbe
0x04e78fc3
0x04e78fd6

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1509471912253aedbe570f3f74ca9d5d0532d9af83e660b232ff983d18d1f7a
Instruction ID: ca41de5793f21ae46884609f4545df7e2f8d2d783e1ed2a744adec4cd9360b00
Opcode Fuzzy Hash: f1509471912253aedbe570f3f74ca9d5d0532d9af83e660b232ff983d18d1f7a
Instruction Fuzzy Hash: 0B01E174A0120DAFDB04EFB9D545AAEB7B4FF58304F50445AB905EB381EA74EE00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04E6131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04E6131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x4e9d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04DC7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04e6131b
0x04e6132a
0x04e61330
0x04e61336
0x04e6133e
0x04e61341
0x04e61344
0x04e6134f
0x04e61361
0x04e61351
0x04e6135a
0x04e6135a
0x04e6136c
0x04e6136d
0x04e6136f
0x04e61374
0x04e61387

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8df03e6c4efd7b36a7f9fd8d943bccc69461f0b63ee7f64a087a92578d636a3
Instruction ID: 45c1dd91b1d8af5604876da0d64e908fb739babeb2ccfb87ddcceae66ffeab5e
Opcode Fuzzy Hash: f8df03e6c4efd7b36a7f9fd8d943bccc69461f0b63ee7f64a087a92578d636a3
Instruction Fuzzy Hash: 610131B1A41249AFDB04EFA9D545AAEB7F4FF08740F40405AB846EB381E674AA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04E61608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04E61608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x4e9d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E04DC7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x04e61608
0x04e61617
0x04e6161d
0x04e61625
0x04e61628
0x04e6162b
0x04e61636
0x04e61648
0x04e61638
0x04e61641
0x04e61641
0x04e61653
0x04e61654
0x04e61656
0x04e6165b
0x04e6166e

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f2c958f57059b51aaaa3bdc8b60ab43f487c58f779c53841c475703c88c11c
Instruction ID: 3d2e0fc44648618a65276dfc3d88b5a3f5ad51c0b75b9ab4081f15d65007b3ef
Opcode Fuzzy Hash: 93f2c958f57059b51aaaa3bdc8b60ab43f487c58f779c53841c475703c88c11c
Instruction Fuzzy Hash: 7AF062B1E01258EFDB04EFA9D505EAEB7F4EF04300F44405AA905EB391EA34AD00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04DCC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DCC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E04DCC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x4d811cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E04E788F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x04dcc577
0x04dcc57d
0x04dcc581
0x04dcc5b5
0x04dcc5b9
0x04dcc5ce
0x04dcc5ce
0x04dcc5ca
0x00000000
0x04dcc5ca
0x04dcc5c4
0x04dcc5c8
0x00000000
0x00000000
0x00000000
0x04dcc5ad
0x00000000
0x04dcc5af

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac2c43a50699a483c405586c2c286bd97b19a0cf8a2b123eaf0dce09ce40ac9
Instruction ID: a09ef9acbf168537a2016ea16b6711a44215de1698bb0c1a8f3d4078892594aa
Opcode Fuzzy Hash: 2ac2c43a50699a483c405586c2c286bd97b19a0cf8a2b123eaf0dce09ce40ac9
Instruction Fuzzy Hash: 6BF0B4B2A356929FEB31DB14C01CB227BE4BB09F74F54446FD64D87205D7A4F880C251

Uniqueness

Uniqueness Score: -1.00%

Function 04E78D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E04E78D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x4e9d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04DC7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x04e78d34
0x04e78d43
0x04e78d4b
0x04e78d4e
0x04e78d52
0x04e78d5c
0x04e78d6e
0x04e78d5e
0x04e78d67
0x04e78d67
0x04e78d79
0x04e78d7a
0x04e78d7c
0x04e78d81
0x04e78d94

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d383f76623390bd14f4d2ac27bc77cd426dcf4959e4f7cae8bdccbc56b36814
Instruction ID: 3fb192fbe758f62ff34d8b397fbf1ba2dd9f8fe5e1661bd07eff66c43b18aeb0
Opcode Fuzzy Hash: 9d383f76623390bd14f4d2ac27bc77cd426dcf4959e4f7cae8bdccbc56b36814
Instruction Fuzzy Hash: FAF03070B04609AFDB14EBA9D545A6E77B8FF18704F50809AE905EB291EA74E9008B64

Uniqueness

Uniqueness Score: -1.00%

Function 04E62073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04E62073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E04E5FD22(__ecx);
				_t19 =  *0x4e9849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x4e98748; // 0x0
					if(__eflags <= 0) {
						E04E61C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x4e98724 & 0x00000004;
							if(( *0x4e98724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x4e98724; // 0x0
					return E04E58DF1(__ebx, 0xc0000374, 0x4e95890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x04e62076
0x04e62078
0x04e6207d
0x04e62083
0x04e620a4
0x04e620aa
0x04e620ac
0x04e620b7
0x04e620ba
0x04e620bc
0x04e620c9
0x04e620c9
0x04e620d0
0x04e620d2
0x00000000
0x04e620d2
0x04e620be
0x04e620c3
0x04e620c5
0x04e620c7
0x00000000
0x00000000
0x04e620c7
0x04e620bc
0x04e620d4
0x04e62085
0x04e62085
0x04e620a3
0x04e620a3

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6bcc630abcd78149f10c1f7aeeb03a19aa7dea6923a4cc891bd0923f07f84c
Instruction ID: fac7b0720671147bdd432dfd43fe4712801ea8c1f5c4bff2666026c266d26b21
Opcode Fuzzy Hash: ee6bcc630abcd78149f10c1f7aeeb03a19aa7dea6923a4cc891bd0923f07f84c
Instruction Fuzzy Hash: 91F0202A4611844BEF767F2620013E12BC0EB4A19DF0A38C6DA9257298C839AC83CB20

Uniqueness

Uniqueness Score: -1.00%

Function 04DE927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04DE927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E04DEFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E04DE92C6(_t11, _t14);
				}
				return _t11;
			}

0x04de9295
0x04de9299
0x04de929f
0x04de92aa
0x04de92ad
0x04de92ae
0x04de92af
0x04de92b0
0x04de92b4
0x04de92bb
0x04de92bb
0x04de92c5

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 9b6d8866798fda7e653a72040039f11df48c9a6885260bff6271636c524e7fef
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: CAE0E5723415006BEB21AF06CC90B533669EF82724F00407CB5001F242C6E5E80987A0

Uniqueness

Uniqueness Score: -1.00%

Function 04E78CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04E78CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4e9d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04DC7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04e78ce5
0x04e78ced
0x04e78cf0
0x04e78cfb
0x04e78d0d
0x04e78cfd
0x04e78d06
0x04e78d06
0x04e78d18
0x04e78d19
0x04e78d1b
0x04e78d20
0x04e78d33

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a47c7ac2ce71b225358039d239a8d32c0c28e45e2b87f24665c32c18a3c7ddb
Instruction ID: 3dba115ae64ee4109dbc9ec7646bfed8b1ad4dd5a1599f420a77b942d208e6eb
Opcode Fuzzy Hash: 6a47c7ac2ce71b225358039d239a8d32c0c28e45e2b87f24665c32c18a3c7ddb
Instruction Fuzzy Hash: 50F08970A05109EBDB04EBA9D955E6E77B8FF14314F50419AE515EB2C0E934FD00C754

Uniqueness

Uniqueness Score: -1.00%

Function 04DC746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04DC746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E04DBEB70(__ecx, 0x4e979a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E04DE95D0();
							L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x04dc746d
0x04dc746d
0x04dc746d
0x04dc7471
0x04dc7488
0x04e0f92d
0x04dc748e
0x04dc7491
0x04dc7495
0x04e0f937
0x04e0f93a
0x04e0f94e
0x04e0f953
0x04e0f956
0x04e0f956
0x04dc7495
0x00000000
0x04dc7488
0x04dc7473
0x04dc7478
0x04dc747d
0x04dc7481
0x00000000
0x04dc7481
0x04dc747d
0x04dc747a
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166321da3d37205ccb5184def0df89c04d093989d4dcf74c93087c2db927abcd
Instruction ID: 8597aee3a9da7e566cb3c520b87a2425d90dac3acd17ad087783d7e2bd05dcb1
Opcode Fuzzy Hash: 166321da3d37205ccb5184def0df89c04d093989d4dcf74c93087c2db927abcd
Instruction Fuzzy Hash: 6BF0B434708147EADF119BA8C440BB97BA2BF04318F44465DD491A7190F764F840CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04DA4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DA4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E04E788F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E04DCC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4d81030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x04da4f2e
0x04da4f34
0x04da4f38
0x04e00b85
0x04e00b85
0x04e00b89
0x04e00b9a
0x04e00b9a
0x04e00b9f
0x00000000
0x04e00b9f
0x04e00b94
0x04e00b98
0x00000000
0x00000000
0x00000000
0x04e00b98
0x04da4f3e
0x04da4f48
0x00000000
0x04da4f6e
0x00000000
0x04da4f70

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44222b850aae2d78395c6f9f387ad6c83fdec7bb845ab53fb5ce2e3dfaac3381
Instruction ID: 6ee77734935e6f16cffd00fc5228f70306db118a0df4fd46ca2fcb269e898a9c
Opcode Fuzzy Hash: 44222b850aae2d78395c6f9f387ad6c83fdec7bb845ab53fb5ce2e3dfaac3381
Instruction Fuzzy Hash: 08F0E232621A948FE771DB18D144B22B7E4EB00BBCF44A475D42587AA0D734FCC4CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04E78B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04E78B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4e9d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04DC7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04DEB640(E04DE9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04e78b67
0x04e78b6f
0x04e78b72
0x04e78b7d
0x04e78b8f
0x04e78b7f
0x04e78b88
0x04e78b88
0x04e78b9a
0x04e78b9b
0x04e78b9d
0x04e78ba2
0x04e78bb5

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa15477638f5855cbfc0f29c3390cabc453ac29497672ff896875db782d8f173
Instruction ID: b14be78dc4dff9279f7201635d122e916d1dccffe374c1005e988ecb7d329329
Opcode Fuzzy Hash: aa15477638f5855cbfc0f29c3390cabc453ac29497672ff896875db782d8f173
Instruction Fuzzy Hash: 20F05EB0B04259ABEB00EBA9D906E7E73A4FF04304F440499A905DB280EA74FD00C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04DDA44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DDA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x4e97b9c; // 0x0
				_t15 = __ecx;
				_t16 = L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E04DEFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x04dda44b
0x04dda453
0x04dda472
0x04dda476
0x00000000
0x04dda493
0x04dda47a
0x04dda47f
0x04dda486
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45f6bfc75622aa990dfcc9b533589093d0be9ee3b0b0c88a03beb1655ff3622
Instruction ID: 817213956857698da665c4e8e7870f6f6df8af6f34ab4b68a54f740bf44ef8ed
Opcode Fuzzy Hash: c45f6bfc75622aa990dfcc9b533589093d0be9ee3b0b0c88a03beb1655ff3622
Instruction Fuzzy Hash: 32E09272B41421ABD2225B19EC00F6673ADEBD4655F0A4039E548C7254DA28ED01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 04DAF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04DAF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E04DDF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L04DC4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x04daf35d
0x04daf361
0x04daf367
0x04daf372
0x04daf38c
0x04daf38c
0x04daf394

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 5f75aa062d6f76c348a65f4e72512293658754c2a20b3effff177229b60fa010
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: A6E0DF32A40218BBDF32ABD99E05FAABBBCEB48B60F0101D9F904D7150D561AE10C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 04DBFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DBFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x4d811a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E04E788F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E04DC0050(_t14);
				}
			}

0x04dbff66
0x04dbff6b
0x00000000
0x04dbff8f
0x00000000
0x04dbff8f

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c7bbc5974538a0a84dd2d049a9f105eb59bb32ae3b08c033956b95126bb6a2
Instruction ID: 3673eadcbbc621527976835005b2a63d1037f742b8d2f3da0e9d731f6414583a
Opcode Fuzzy Hash: a6c7bbc5974538a0a84dd2d049a9f105eb59bb32ae3b08c033956b95126bb6a2
Instruction Fuzzy Hash: 13E0DFB0605204DFE735EB51D880FA937A8FB4A725F1AC01FE04ACB101C621F889C29A

Uniqueness

Uniqueness Score: -1.00%

Function 04E341E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04E341E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x4e808f0);
				_t5 = E04DFD08C(__ebx, __edi, __esi);
				if( *0x4e987ec == 0) {
					E04DBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x4e987ec == 0) {
						 *0x4e987f0 = 0x4e987ec;
						 *0x4e987ec = 0x4e987ec;
						 *0x4e987e8 = 0x4e987e4;
						 *0x4e987e4 = 0x4e987e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L04E34248();
				}
				return E04DFD0D1(_t5);
			}

0x04e341e8
0x04e341ea
0x04e341ef
0x04e341fb
0x04e34206
0x04e3420b
0x04e34216
0x04e3421d
0x04e34222
0x04e3422c
0x04e34231
0x04e34231
0x04e34236
0x04e3423d
0x04e3423d
0x04e34247

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201959fb3f6c8acd2f662dc4a0fe2ffc218af6aeb119b0d2198efb33f89802c5
Instruction ID: 44a7e00aaa87fbc877fd24df6b708b0e3ccb23a7b7de0947d52f7524e91ad2f8
Opcode Fuzzy Hash: 201959fb3f6c8acd2f662dc4a0fe2ffc218af6aeb119b0d2198efb33f89802c5
Instruction Fuzzy Hash: D9F0F874A20704DEEBA1FF67A50470436A4FB4621AF10521A9105D72F9CB386C84CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04E5D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E5D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L04DAE8B0(__ecx, _a4, 0xfff);
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x04e5d38a
0x04e5d39b
0x04e5d3b1
0x00000000
0x04e5d3b6
0x00000000

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 049e1606e59dbd73ce217ea77a5aa9f56b969c51e7888e76f46df97e6fca0f07
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: E8E0C231380209BBEB225E44CC00FB97B16DB40BA4F108031FE085B6A0C675BCA1EAD4

Uniqueness

Uniqueness Score: -1.00%

Function 04DDA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DDA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x4e967e4 >= 0xa) {
					if(_t5 < 0x4e96800 || _t5 >= 0x4e96900) {
						return L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E04DC0010(0x4e967e0, _t5);
				}
			}

0x04dda190
0x04dda1a6
0x04dda1c2
0x00000000
0x00000000
0x00000000
0x04dda192
0x04dda192
0x04dda19f
0x04dda19f

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99027a987f2d19554a9615236ad37a40ee0075a1b7dafff9e676fa3593f25dcb
Instruction ID: 94a59681a857c542b2061e1be44919f049bffb841370b06ef3d86af796eaace5
Opcode Fuzzy Hash: 99027a987f2d19554a9615236ad37a40ee0075a1b7dafff9e676fa3593f25dcb
Instruction Fuzzy Hash: 57D05B7126100157FE2E9760A955B2522D2EB88758F308C0FF1075B6E4DD64FCD59159

Uniqueness

Uniqueness Score: -1.00%

Function 04DD16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DD16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E04DD1710(0x4e967e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L04DC4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x04dd16e8
0x04dd16ef
0x04dd16f3
0x04dd16fe
0x00000000
0x04dd1700
0x04dd170d
0x04dd170d
0x04dd16f2
0x04dd16f2
0x04dd16f2
0x04dd16f2

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d0a71674c0dac48ef39895d0fd6f64d7a871e735a6b3c71e230361c93673a1
Instruction ID: 01f14a04b71377d332e41943e63205668efd9ba2c982c68af304bf5f5206241a
Opcode Fuzzy Hash: f5d0a71674c0dac48ef39895d0fd6f64d7a871e735a6b3c71e230361c93673a1
Instruction Fuzzy Hash: EFD0A771240100A2FE2E5B109C14B182261EB80B89F38005CF107594D0CFA0FC96E458

Uniqueness

Uniqueness Score: -1.00%

Function 04E253CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E253CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E04DBEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x04e253ca
0x04e253ce
0x04e253d9
0x04e253de
0x04e253e1
0x04e253e1
0x04e253e6
0x04e253f3
0x00000000
0x04e253f8
0x04e253fb

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: a6c525af9fc3232f6c9a18670296d9e810eb011945bb800dfb6b6007b6446ce7
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: EAE08C31A40684ABCF12EB48C750F9EB7F5FB44B04F140008A0095B660C624BC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04DD35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DD35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E04DBEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x04dd35a1
0x04dd35a1
0x04dd35a5
0x04dd35ab
0x04dd35ab
0x04dd35b5
0x00000000
0x04dd35c1
0x04dd35b7

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 496bbe24c3c0d1a2fe9e19bfa5e866c8bf10b1d7f1e14daf5b246443046ab0af
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 0ED0C931651185DAEB51AF50C61C7A877B2FB00318F5820A5988A06952C33ABA5AD606

Uniqueness

Uniqueness Score: -1.00%

Function 04DBAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DBAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x04dbaab6
0x04dbaabb
0x04e0a442
0x00000000
0x04e0a448
0x04e0a454
0x04e0a454
0x04dbaac1
0x04dbaac1
0x04dbaac6
0x04dbaac6

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: cefc97c3cb0b022707abf9941a093c3e588c3710e4a3d729f85d66d9c869a222
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: A1D0E939352A80CFD716CF1DC954B5577A4BB44B44FC544A0E541CBB61E62CE984CA10

Uniqueness

Uniqueness Score: -1.00%

Function 04E2A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E2A537(intOrPtr _a4, intOrPtr _a8) {

				return L04DC8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x04e2a553

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 616099dfce61a65a98173ff313a5968077fd7e7bbd022d156371014814b35326
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 57C01232180248BBCB126E81CC00F067B2AEB94B60F008014BA080B5618632E970EA94

Uniqueness

Uniqueness Score: -1.00%

Function 04DADB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DADB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L04DC4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x04dadb4d
0x04dadb54
0x04dadb5f
0x04dadb56
0x04dadb56
0x04dadb5c
0x04dadb5c

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 4be2472a74d74c3527c748385a063fb7b2c4c74faa73bae491db6aab8ce40902
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 8CC08C303C0A01AAEB321F20CD01B4036B2BB10F05F4400A06301DA4F0DB78E811EA10

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DAAD30(intOrPtr _a4) {

				return L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04daad49

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 585cfba81d385391a6a105fcfc6b08e7dcbebb5e8c6b7789281d61885fe7e326
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 37C08C321C0248BBC7126A45CD00F017B29E790B60F000020B6040B6A18932E860D998

Uniqueness

Uniqueness Score: -1.00%

Function 04DD36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DD36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L04DC4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x04dd36d2
0x04dd36e8
0x04dd36d4
0x04dd36e5
0x04dd36e5

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 0dee8ad2722be386c6533a248654ff4693c65d61b6711bc747387c0062cf488a
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: AAC02B70290440FBE7261F30CD10F147264F700A21F64035873204A4F0D528BC00D600

Uniqueness

Uniqueness Score: -1.00%

Function 04DB76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DB76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L04DC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x04db76e4
0x00000000
0x04db76f8
0x04db76fd

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: f97ea67f6ae0bbd12a6ae55fb92f6741984b740e3562a1bfefdfa6c6e3385990
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 92C08C706811C59BEB2A6B08CE24B203650BB48708F48019CBA820E4E1C368BC02D688

Uniqueness

Uniqueness Score: -1.00%

Function 04DC3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DC3A1C(intOrPtr _a4) {
				void* _t5;

				return L04DC4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04dc3a35

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 67bbb910533c69d0af5979fe48d137af4e194745249a3d90e7eed9fa6eba559b
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 60C08C32180248BBC7226F41DC00F017B29E790B60F000020B6040B5608532EC60D998

Uniqueness

Uniqueness Score: -1.00%

Function 04DC7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DC7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x04dc7d56
0x04dc7d5b
0x04dc7d60
0x04dc7d5d
0x04dc7d5d
0x04dc7d5d

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: de2b6faf362a91c785fa3083002590845434853e2555460fe729e458f1b5d5f7
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: FBB09234301942CFCF56DF18C080B1533E8BB44A40F8400D4E400CBA20D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 04DD2ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04DD2ACB() {
				void* _t5;

				return E04DBEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x04dd2adc

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 42eb94dde065be37fddb0f3729faad8f356cbff2044669e3fe3b02a34748b049
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: DDB01232D10450CFCF02EF40C610B997331FB00750F054490900327930C228BC01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04E3FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04E3FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04DECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04E35720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04E35720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04e3fdda
0x04e3fde2
0x04e3fde5
0x04e3fdec
0x04e3fdfa
0x04e3fdff
0x04e3fe0a
0x04e3fe0f
0x04e3fe17
0x04e3fe1e
0x04e3fe19
0x04e3fe19
0x04e3fe19
0x04e3fe20
0x04e3fe21
0x04e3fe22
0x04e3fe25
0x04e3fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04E3FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04E3FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04E3FE2B

Memory Dump Source

Source File: 00000015.00000002.485183868.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: true

Associated: 00000015.00000002.485783834.0000000004E9B000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.485799672.0000000004E9F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: ec78a5c30820f14c5cdc4bd81726b6716323583b4d6122616a5c6bde1cccaac6
Instruction ID: bd70a64668090379bd768afb484a0655ef35f9756c654f05383ddf8353ee67bd
Opcode Fuzzy Hash: ec78a5c30820f14c5cdc4bd81726b6716323583b4d6122616a5c6bde1cccaac6
Instruction Fuzzy Hash: 7FF0FC326401017FEB211A45DC06F337B5ADB44735F140714F624551D1DA62FC20D7F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ORDDER-238486-LBT.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations